Jakub, thank you for your reply. Client OS is Ubuntu Xenial. Yes, I know... pats favourite labrador goodbye. Sound of drawer opening and service revolver being loaded...
I did realise that the option ldap_auth_disable_tls_never_use_in_production = true was a problem. The problem I have is that there is a CA cert on the Active Directory controller, but I cannot see if there is an SSL certificate. I may well be misunderstanding things.

> Please don't use this, not only it is very insecure, but also it doesn't make any sense, this option is only useful if you use auth_provider=ldap. With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.

Aha. Thank you for that information. I then have to ask the assembled choir (as I am not at the pearly gates) - does AD in the default configuration have SSL certificate capability? I have installed the Active Directory Certificate Services role.

On 3 May 2018 at 09:43, Jakub Hrozek <[email protected]> wrote:

>
> > On 2 May 2018, at 17:54, JOHE (John Hearns) <[email protected]> wrote:
> >
> > I would appreciate some pointers.
> > I have a sandbox setup running on VMs. There is an AD controller using the VM image which Microsoft has available for testing.
> > I have created a domain called ad.test
> >
> > On my client machine I am continually getting this error:
> > [sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
>
> I find it easier to debug this kind of an issue with:
> KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b ""
>
> Also, what version and on what OS are you running?
>
> > On the client klist -k | uniq returns
> >
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    3 [email protected]
> >    3 host/[email protected]
> >    3 host/[email protected]
> >    3 RestrictedKrbHost/[email protected]
> >    3 RestrictedKrbHost/[email protected]
> >
> > The funny thing is ONLY kinit -k CLIENT1$\@ADTEST.PRIVATE will work.
>
> This is expected, only the client$@realm principal is a user/computer principal, the rest are service principals.
>
> > I do get a tgt:
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: [email protected]
> >
> > Just in the sandbox I am also setting:
> > ldap_auth_disable_tls_never_use_in_production = true
>
> Please don't use this, not only it is very insecure, but also it doesn't make any sense, this option is only useful if you use auth_provider=ldap. With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
>
> > Any pointers please? I have cranked debug up to 8 and this error message seems to be the crucial one.
> >
> > By the way, why does the debug level not go up to 11?
>
> Because 9 is the highest?
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/CI2AURT3VFBLEUH7MGFMNO3CVSARLL25/
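An added example, not part of the thread and not SSSD's or MIT Kerberos' own code: a small POSIX shell helper that applies the two diagnostic points made above. It classifies the entries of a `klist -k` listing (only the computer-account principal, the one whose primary ends in `$`, is a real account that `kinit -k` can use; the `host/` and `RestrictedKrbHost/` entries are service principals registered on the computer object), and it pulls the service principal the client actually asked for out of `KRB5_TRACE` output so you can check whether that SPN is something the domain controller would have registered. The keytab listing and the trace excerpt are constructed sample data modelled on the thread; the trace lines follow the MIT krb5 `Getting credentials <client> -> <server>` format as I understand it, and the `check_service_host` heuristic (short names and IP literals are common reasons for "Server not found in Kerberos database") is my assumption, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread or from SSSD): keytab and KRB5_TRACE triage helpers.

# Constructed sample of `klist -k | uniq` output, modelled on the listing in the thread.
SAMPLE_KEYTAB_LISTING='KVNO Principal
---- --------------------------------------------------------------------------
   3 CLIENT1$@ADTEST.PRIVATE
   3 host/client1.adtest.private@ADTEST.PRIVATE
   3 host/CLIENT1@ADTEST.PRIVATE
   3 RestrictedKrbHost/client1.adtest.private@ADTEST.PRIVATE
   3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE'

# Constructed KRB5_TRACE excerpt (MIT krb5 format, approximated) as produced by
#   KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://dc1.adtest.private -s base -b ""
SAMPLE_TRACE='[4242] 1525251234.123456: Getting credentials CLIENT1$@ADTEST.PRIVATE -> ldap/dc1.adtest.private@ADTEST.PRIVATE using ccache FILE:/tmp/krb5cc_0
[4242] 1525251234.123789: Sending request (1432 bytes) to ADTEST.PRIVATE
[4242] 1525251234.130000: TGS request result: -1765328377/Server not found in Kerberos database'

# Principal column of a klist -k listing, with the header and separator lines skipped.
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF >= 2 { print $2 }'
}

# The computer-account principal: no service/ component and a primary ending in '$'.
# In AD this is the only keytab entry that is an account, so it is the one `kinit -k` uses.
computer_principal() {
    keytab_principals "$1" | awk -F@ '$1 !~ /\// && $1 ~ /\$$/ { print; exit }'
}

# Service principals (host/..., RestrictedKrbHost/...): SPNs registered on the computer
# object. Services on this host can accept tickets for them; they are not a client identity.
service_principals() {
    keytab_principals "$1" | awk -F@ '$1 ~ /\//'
}

# First service principal the client asked the KDC for, taken from the
# "Getting credentials <client> -> <server>" trace line.
requested_service_principal() {
    printf '%s\n' "$1" | sed -n 's/.*Getting credentials [^ ]* -> \([^ ]*\).*/\1/p' | sed 1q
}

# Heuristic check (assumption, not from the thread) on the host part of a service
# principal: the KDC only knows SPNs as registered on the account, normally ldap/<fqdn>,
# so a short name or an IP literal in the request is a likely cause of
# "Server not found in Kerberos database".
check_service_host() {
    host=$(printf '%s' "$1" | sed 's#^[^/]*/##; s#@.*$##')
    case "$host" in
        *[!0-9.]*)
            case "$host" in
                *.*) echo "ok: service host '$host' is fully qualified" ;;
                *)   echo "warn: service host '$host' is not fully qualified" ;;
            esac ;;
        *) echo "warn: service host '$host' is an IP literal, not a DNS name" ;;
    esac
}

# Stand-alone run over the constructed samples.
echo "kinit -k should use: $(computer_principal "$SAMPLE_KEYTAB_LISTING")"
echo "service principals in keytab:"
service_principals "$SAMPLE_KEYTAB_LISTING" | sed 's/^/  /'
spn=$(requested_service_principal "$SAMPLE_TRACE")
echo "client requested: $spn"
check_service_host "$spn"
```

On a real client, feed the functions the live output instead of the samples, for example `computer_principal "$(klist -k | uniq)"`, and `requested_service_principal "$(KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b "" 2>&1)"`, then compare the reported SPN with the servicePrincipalName attribute on the domain controller's computer object.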
