On 03/05/2018 08:25 AM, Roger Martensson wrote:
Sorry about that.. Bleeping send-button-shortcut.
Let me continue.
Command I use to test: ssh userid@subdomain2@localhost
The krb5_child.log contains these error messages:
[[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [SUBDOMAIN1]
[[sssd[krb5_child[5720]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [5621224]
[[sssd[krb5_child[5720]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry.
[[sssd[krb5_child[5720]]]] [validate_tgt] (0x0020): TGT failed verification using key for [RestrictedKrbHost/myclient@SUBDOMAIN1].
[[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0020): 1581: [-1765328377][Server not found in Kerberos database]
[[sssd[krb5_child[5720]]]] [map_krb5_error] (0x0020): 1657: [-1765328377][Server not found in Kerberos database]
I can get it to work using 'krb5_validate = false' but that disables some
nice security measures.
So.. Anyone that can help me back on track? AKA What did I do wrong this
time?
Can you make sure your hostname is fully-qualified?
If it is not currently then you will need to leave the domain, make sure
the /etc/krb5.keytab is removed, set the fully-qualified name and rejoin
the domain.
-Justin
2018-03-05 14:13 GMT+01:00 Roger Martensson <[email protected]>:
Hi!
It's me again with multiple domain problems. :)
I once again have problems with multiple domains. This time with login.
Maybe one of you could explain to me what I did wrong this time.
OS: Ubuntu 17.10
SSSD: 1.15.3
Domain setup: two subdomains, both connected to the same parent domain. Both
subdomains contain users. Most of them only contain one domain but some
are found in both.
Client is connected to subdomain1. I can log in with a user on subdomain 1.
When logging in to subdomain2 (both using 'su-with-password-prompt' and
'ssh-to-localhost') I get a System Error 4.
In the log krb_child.log (which sssd_domain.log points to) I see these logs.
(altered some names)
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
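
The hostname check suggested in the reply above can be run against the keytab before leaving and rejoining the domain. The following is an added example, not part of the thread and not SSSD project code: it flags keytab service principals whose host component is not fully qualified. It assumes the `KVNO Principal` listing format of MIT `klist -k`; the sample listing is constructed from the altered names in the thread, and `subdomain1.example` is a placeholder domain.

```shell
#!/bin/sh
# Added example: flag keytab service principals whose host part is a short name.

# Constructed sample of `klist -k` output (names follow the altered ones in
# the thread; "subdomain1.example" is a placeholder, not a real domain).
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 MYCLIENT$@SUBDOMAIN1
   2 host/myclient@SUBDOMAIN1
   2 RestrictedKrbHost/myclient@SUBDOMAIN1
   2 host/myclient.subdomain1.example@SUBDOMAIN1
EOF
}

# is_fqdn NAME: succeed only if NAME has at least two non-empty,
# dot-separated labels (no leading, trailing or doubled dots).
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# short_host_principals: read `klist -k` output on stdin and print every
# service/host@REALM principal whose host component is not an FQDN.
# Header lines and the machine account (no "/") are skipped.
short_host_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /\// { print $2 }' | LC_ALL=C sort -u |
    while IFS= read -r princ; do
        host=${princ#*/}      # drop the "service/" prefix
        host=${host%@*}       # drop the "@REALM" suffix
        is_fqdn "$host" || printf '%s\n' "$princ"
    done
}

# Typical use on a joined client (needs read access to the keytab):
#   hostname -f
#   klist -k /etc/krb5.keytab | short_host_principals
```

Any principal printed here was created while the host had a short name; an empty result means every service principal in the keytab already carries a fully-qualified host.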