Jakub, thank you for your reply. I have (almost!) got things working now.

I have removed the ldap parameters in the sssd.conf. I had a mixup with the AD controller hostname - it is ad.adtest.private and I think this was significant. Now I am retrieving the user information from AD. Still having problems with PAM, so I am sure I will be back (sorry!)

________________________________
From: JOHE (John Hearns)
Sent: 03 May 2018 11:06:02
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] Re: Server not found in Kerberos database and debug level 11

>> By the way, why does the debug level not go up to 11?
> Because 9 is the highest?

http://knowyourmeme.com/memes/these-go-to-11-spinal-tap

________________________________
From: Jakub Hrozek <[email protected]>
Sent: 03 May 2018 09:43:33
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: Server not found in Kerberos database and debug level 11

> On 2 May 2018, at 17:54, JOHE (John Hearns) <[email protected]> wrote:
>
> I would appreciate some pointers.
> I have a sandbox setup running on VMs. There is an AD controller using the
> VM image which Microsoft has available for testing.
> I have created a domain called ad.test
>
> On my client machine I am continually getting this error:
> [sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information (Server not
> found in Kerberos database)
>

I find it easier to debug this kind of an issue with:

KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b ""

Also, what version and on what OS are you running?

>
> On the client klist -k | uniq returns
>
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 3 [email protected]
> 3 host/[email protected]
> 3 host/[email protected]
> 3 RestrictedKrbHost/[email protected]
> 3 RestrictedKrbHost/[email protected]
>
> The funny thing is ONLY kinit -k CLIENT1$\@ADTEST.PRIVATE will work.

This is expected, only the client$@realm principal is a user/computer principal, the rest are service principals.

> I do get a tgt:
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Just in the sandbox I am also setting:
> ldap_auth_disable_tls_never_use_in_production = true

Please don't use this, not only it is very insecure, but also it doesn't make any sense, this option is only useful if you use auth_provider=ldap. With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.

>
> Any pointers please? I have cranked debug up to 8 and this error message
> seems to be the crucial one.
>
> By the way, why does the debug level not go up to 11?

Because 9 is the highest?

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
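As an added example (not code from the thread or from SSSD itself), a small Python check of the two points in Jakub's reply: it lints a sssd.conf domain section for ldap_auth_disable_tls_never_use_in_production, reporting it as insecure and as a no-op when the auth provider is not ldap, and it splits `klist -k` output into the computer principal versus the service principals. The sample sssd.conf and klist output are constructed; the hostnames in them are assumptions.

```python
# Added example, not from the thread: lint sssd.conf and classify keytab principals.
import configparser
import re

# Constructed sample resembling the poster's setup; hostnames are assumptions.
SAMPLE_SSSD_CONF = """
[sssd]
domains = adtest.private
services = nss, pam

[domain/adtest.private]
id_provider = ad
ad_server = ad.adtest.private
ldap_auth_disable_tls_never_use_in_production = true
"""

# Constructed `klist -k` output in the same shape as the poster's.
SAMPLE_KLIST = """
KVNO Principal
---- ------------------------------------------------------------------
   3 CLIENT1$@ADTEST.PRIVATE
   3 host/client1.adtest.private@ADTEST.PRIVATE
   3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE
"""

def lint_sssd_conf(text):
    """Return (section, message) findings for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        id_prov = sec.get("id_provider", "").strip()
        # sssd.conf(5): auth_provider falls back to id_provider when unset.
        auth_prov = sec.get("auth_provider", id_prov).strip()
        if sec.getboolean("ldap_auth_disable_tls_never_use_in_production", fallback=False):
            findings.append((section, "plaintext LDAP auth enabled: remove this option"))
            if auth_prov != "ldap":
                findings.append((section, f"no effect with auth_provider={auth_prov}: GSSAPI is used"))
    return findings

def classify_principals(klist_output):
    """Split `klist -k` lines into (computer principals, service principals)."""
    computer, service = [], []
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)$", line)
        if m:
            princ = m.group(1)
            # Service principals carry a service/host prefix; CLIENT$@REALM does not.
            (service if "/" in princ else computer).append(princ)
    return computer, service
```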
