On Mon, Mar 05, 2018 at 08:40:19AM -0500, Justin Stephenson wrote:
> On 03/05/2018 08:25 AM, Roger Martensson wrote:
> > Sorry about that.. Bleeping send-button-shortcut.
> >
> > Let me continue.
> >
> > Command I use to test: ssh userid@subdomain2@localhost
> >
> > The krb5_child.log contains these error messages:
> > [[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [SUBDOMAIN1]
> > [[sssd[krb5_child[5720]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [5621224]
> > [[sssd[krb5_child[5720]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry.
> > [[sssd[krb5_child[5720]]]] [validate_tgt] (0x0020): TGT failed verification using key for [RestrictedKrbHost/myclient@SUBDOMAIN1].
> > [[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0020): 1581: [-1765328377][Server not found in Kerberos database]
> > [[sssd[krb5_child[5720]]]] [map_krb5_error] (0x0020): 1657: [-1765328377][Server not found in Kerberos database]
> >
> > I can get it to work using 'krb5_validate = false' but that disables some nice security measure.
> >
> > So.. Anyone that can help me back on track? AKA What did I do wrong this time?
>
> Can you make sure your hostname is fully-qualified?
>
> If it is not currently then you will need to leave the domain, make sure the /etc/krb5.keytab is removed, set the fully-qualified name and rejoin the domain.

If validation still fails after joining with the fully qualified name please run SSSD with debug_level=9 in the [domain/...] section. This will add the full Kerberos trace output to the krb5_child.log files which will help to identify which step during validation fails.

bye,
Sumit

> -Justin
>
> > 2018-03-05 14:13 GMT+01:00 Roger Martensson <[email protected]>:
> >
> > > Hi!
> > >
> > > It's me again with multiple domain problems. :)
> > >
> > > I have once again problems with multiple domains. This time with login. Maybe someone of you could explain to me what I did wrong this time.
> > >
> > > OS: Ubuntu 17.10
> > > SSSD: 1.15.3
> > >
> > > Domain setup: two subdomains, both connected to the same parent domain. Both subdomains contain users. Most of them are only in one domain but some are found in both.
> > >
> > > Client is connected to subdomain1. I can log in with a user on subdomain1. When logging in to subdomain2 (both using 'su-with-password-prompt' and 'ssh-to-localhost') I get a System Error 4.
> > >
> > > In the log krb5_child.log (which sssd_domain.log points to) I see these logs. (altered some names)
> > >

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
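An added example, not from the thread or from SSSD itself, that checks the two things the replies point at: whether the host principals in /etc/krb5.keytab carry a fully-qualified name, and whether the keytab holds any entry for the realm SSSD is validating against (when it does not, SSSD falls back to the last entry, which is the "Using the last entry" line in Roger's log). It parses `klist -kt` style output; the listing and the FQDN myclient.subdomain1.example.com below are constructed.

```shell
#!/bin/sh
# Constructed sample of `klist -kt /etc/krb5.keytab` output after a join
# with a short (non-FQDN) hostname, mirroring the principal in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/05/2018 08:00:00 host/myclient@SUBDOMAIN1
   2 03/05/2018 08:00:00 RestrictedKrbHost/myclient@SUBDOMAIN1
   2 03/05/2018 08:00:00 MYCLIENT$@SUBDOMAIN1'

# Print only the principal column of keytab entry lines.
keytab_principals() {
    printf '%s\n' "$1" | awk '/^ *[0-9]+ / {print $NF}'
}

# keytab_hosts_fqdn <klist-output> <expected-fqdn>
# Reports every host/ and RestrictedKrbHost/ principal and whether its host
# part equals the expected FQDN. Returns 0 only if all of them do.
keytab_hosts_fqdn() {
    fqdn=$2
    bad=0
    for princ in $(keytab_principals "$1" | grep -E '^(host|RestrictedKrbHost)/'); do
        hostpart=${princ#*/}      # strip the service name
        hostpart=${hostpart%@*}   # strip the realm
        if [ "$hostpart" = "$fqdn" ]; then
            echo "OK    $princ"
        else
            echo "SHORT $princ (expected host part $fqdn)"
            bad=1
        fi
    done
    return $bad
}

# keytab_has_realm <klist-output> <REALM>
# Returns 0 if at least one keytab entry belongs to <REALM>.
keytab_has_realm() {
    keytab_principals "$1" | grep -q "@$2\$"
}

# Run against the constructed sample; on a real host pass "$(klist -kt)"
# and "$(hostname -f)" instead.
keytab_hosts_fqdn "$SAMPLE_KLIST" "myclient.subdomain1.example.com" ||
    echo "keytab holds a short hostname: leave and rejoin with the FQDN"
keytab_has_realm "$SAMPLE_KLIST" SUBDOMAIN2 ||
    echo "no SUBDOMAIN2 entry: validation will fall back to the last keytab entry"
```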
