Jakub, thank you for your reply.

> If your configuration is using id_provider=ad I would have expected sssd to prefer the netbiosname$ principal,

Indeed. My reading of kinit is that it should take the first principal in the list returned by klist. In my case this should be ibis$

# klist -k
11 [email protected]
11 [email protected]
11 [email protected]
11 [email protected]
11 [email protected]
11 host/[email protected]
11 host/[email protected]
11 [email protected]
11 host/[email protected]

On 19 July 2018 at 11:09, Jakub Hrozek <[email protected]> wrote:

>
> > On 16 Jul 2018, at 11:48, John Hearns <[email protected]> wrote:
> >
> > I have had my head inside the ldap_child.c source code all morning.
> > I am getting these errors logged:
> >
> > [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
> > [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/[email protected]' not found in Kerberos database
>
> This is expected, in AD the host/fqdn principal cannot be used to get a
> TGT. As you can see below, you are using the netbiosname$@realm principal
> to kinit which works fine.
>
> If your configuration is using id_provider=ad I would have expected sssd
> to prefer the netbiosname$ principal, but if the selection fails or you are
> using the ldap provider, you can help sssd with the ldap_sasl_authid
> parameter.
>
> >
> > However the daily msktutil cron job I have running completes OK, and msktutil --auto-update tells me the machine password was renewed two days ago.
> >
> > Here is what happens when I run kinit from the command line.
> > My workstation is called ibis. Please someone hit me with a clue stick.
> >
> > # kinit -k
> > kinit: Client 'host/[email protected]' not found in Kerberos database while getting initial credentials
> >
> > # kinit -V -k ibis$
> > Using default cache: /tmp/krb5cc_0
> > Using principal: [email protected]
> > Authenticated to Kerberos v5
> >
> > # kinit -V -k IBIS\[email protected]
> > Using default cache: /tmp/krb5cc_0
> > Using principal: [email protected]
> > Authenticated to Kerberos v5
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/JMD7PMTGOQAGYKXDANGWFI72X3I6S3DY/
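
Added example, not part of the thread or of sssd: a shell helper that reads `klist -k` output, picks the netbiosname$@realm entry that the reply says AD will issue a TGT for, and prints the matching ldap_sasl_authid line for sssd.conf. The function names, the EXAMPLE.TEST realm and the sample keytab listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample shaped like `klist -k /etc/krb5.keytab` output.
# EXAMPLE.TEST and the host names are placeholders, not values from the thread.
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  11 host/ibis.example.test@EXAMPLE.TEST
  11 host/IBIS@EXAMPLE.TEST
  11 IBIS$@EXAMPLE.TEST
  11 IBIS$@EXAMPLE.TEST
EOF
}

# Read `klist -k` output on stdin and print the first principal whose primary
# component ends in "$" and has no "/" (the computer account form,
# NETBIOSNAME$@REALM). Service principals such as host/fqdn are skipped.
# Exit status is non-zero when the keytab has no such entry.
machine_principal() {
    awk '$1 ~ /^[0-9]+$/ && index($2, "/") == 0 && $2 ~ /^[^@]+[$]@[^@]+$/ {
             print $2; found = 1; exit
         }
         END { exit !found }'
}

# Turn the selected principal into the sssd.conf setting named in the reply.
sasl_authid_line() {
    p=$(machine_principal) || {
        echo "no NETBIOSNAME\$ principal found in keytab listing" >&2
        return 1
    }
    printf 'ldap_sasl_authid = %s\n' "$p"
}

# Demo on the constructed listing; on a real host use: klist -k | sasl_authid_line
sample_klist | sasl_authid_line
```

The selected principal can be checked the same way the thread does, with `kinit -V -k` followed by that principal, before it is placed in the domain section of sssd.conf.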
