On Thu, May 03, 2018 at 10:08:34AM +0200, John Hearns wrote: > To explain, I just sent a reply from my personal Googlemail. > > I am now getting this logged: > May 03 10:05:02 client1 [sssd[ldap_child[2481]: Failed to initialize > credentials using keytab [MEMORY:/etc/krb5.keytab]: Client > 'host/[email protected]' not > May 03 10:05:02 client1 [sssd[ldap_child[2481]: Client > 'host/[email protected]' not found in Kerberos database > > > I know the case is important in Kerberos, but client1 is certainly in the > Computers section of the adtest.private AD domain.
Ad makes a distinction between user and server principals. The former can be used with kinit the latter not as you already have seen below. The AD provider will use the keytab entry with the '$' by default, but the LDAP provider will use the host name and add 'host/' in the beginning and the realm at the end. Please try to set 'ldap_sasl_authid = [email protected]' to use '[email protected]' when requesting a TGT from AD. HTH bye, Sumit > > > > On 3 May 2018 at 09:59, John Hearns <[email protected]> wrote: > > > Jakub, thankyou for your reply. > > > > Client OS is Ubuntu Xenial. Yes, I know... pats favourite labrador > > goodbye. Sound of drawer opening and service revolver being loaded... > > > > I did realise that the option p_auth_disable_tls_never_use_in_production > > = true > > the problem I have is that there is a CA cert on the Active Directory > > controller. But I cannot see if there is an SSL certificate. > > I may well be misunderstanding things. > > > > >Please don’t use this, not only it is very insecure, but also it doesn’t > > make any sense, this option is only useful if you use auth_provider=ldap. > > With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is. > > > > Aha. Thankyou for that information. > > I then have to ask the assembled choir (as I am not at the pearly gates) - > > does AD in the default configuration have SSL certificate capability? > > I have installed the Active Directory Certificate Services role > > > > > > > > > > > > > > > > > > On 3 May 2018 at 09:43, Jakub Hrozek <[email protected]> wrote: > > > >> > >> > >> > On 2 May 2018, at 17:54, JOHE (John Hearns) <[email protected]> wrote: > >> > > >> > I would appreciate some pointers. > >> > I have a sandbox setup running on VMs. There is an AD controller using > >> the VM image which Microsoft has available for testing. > >> > I have created a domain called ad.test > >> > > >> > On my client machine I am continually getting this error: > >> > [sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: > >> Unspecified GSS failure. Minor code may provide more information (Server > >> not found in Kerberos database) > >> > > >> > >> I find it easier to debug this kind of an issue with: > >> KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base > >> -b “” > >> > >> Also, what version and on what OS are you running? > >> > >> > > >> > On the client klist-k | uniq returns > >> > > >> > KVNO Principal > >> > ---- ------------------------------------------------------------ > >> -------------- > >> > 3 [email protected] > >> > 3 host/[email protected] > >> > 3 host/[email protected] > >> > 3 RestrictedKrbHost/[email protected] > >> > 3 RestrictedKrbHost/[email protected] > >> > > >> > The funny thing is ONLY kinit -k CLIENT1$\@ADTEST.PRIVATE will work. > >> > >> This is expected, only the client$@realm principal is a user/computer > >> principal, the rest are service principals. > >> > >> > I do get a tgt: > >> > Ticket cache: FILE:/tmp/krb5cc_0 > >> > Default principal: [email protected] > >> > > >> > Just in the sandbox I am also setting: > >> > ldap_auth_disable_tls_never_use_in_production = true > >> > >> Please don’t use this, not only it is very insecure, but also it doesn’t > >> make any sense, this option is only useful if you use auth_provider=ldap. > >> With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is. > >> > >> > > >> > Any pointers please? I have cranked debug up to 8 and this error > >> message seems to be the crucial one. > >> > > >> > By the way, why does the debug level not go up to 11? > >> > >> Because 9 is the highest? > >> _______________________________________________ > >> sssd-users mailing list -- [email protected] > >> To unsubscribe send an email to [email protected] > >> > > > > > _______________________________________________ > sssd-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected]/message/OBY2O2WE4BXXKZTHJEVLTPZVZBAYUMCG/ _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/N6R6KQKLQI4FWLFL5OYPUJZTUGFLPF6N/
