On Mon, Aug 06, 2018 at 08:34:04AM +0000, Ondrej Valousek wrote:
> Also, yes, setting ldap_sasl_authid does help, but it's a bit awkward as right 
> now I am using a general sssd.conf for all machines.
> Having to include ldap_sasl_authid parameter means the configuration file is 
> different for every machine :-(

Can you share your sssd.conf?

Are you using the AD or LDAP provider? Please note there are different
defaults for the principal for the two providers, AD will use
“hostname$@REALM” while LDAP will use “host/hostname@REALM”.

With two domains I'd always recommend using two different keytab files
and using krb5_keytab and ldap_krb5_keytab to point at least one domain to
the non-default keytab file.

HTH

bye,
Sumit
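A small check for the rule above, added here and not part of the thread: for each [domain/...] section it derives the principal SSSD will look for (the AD default `hostname$@REALM`, the LDAP default `host/hostname@REALM`, or an explicit ldap_sasl_authid) and the keytab it will read (ldap_krb5_keytab, then krb5_keytab, then /etc/krb5.keytab), and confirms that principal is actually in that keytab. The sssd.conf and the keytab listings are constructed sample data; the principal forms are the simplified defaults named above, and SSSD's real selection logic tries further candidates.

```python
import configparser

# Constructed sssd.conf (sample data, not the poster's real config): two AD
# domains, the second one pointed at its own keytab as recommended above.
SSSD_CONF = """
[sssd]
domains = mydomain.com, mydomain2.com

[domain/mydomain.com]
id_provider = ad
ad_domain = mydomain.com

[domain/mydomain2.com]
id_provider = ad
ad_domain = mydomain2.com
krb5_realm = MYDOMAIN2.COM
krb5_keytab = /etc/sssd/mydomain2.keytab
"""

# Constructed stand-in for `klist -k` output on each keytab file.
KEYTABS = {
    "/etc/krb5.keytab": ["host/myhost.mydomain.com@MYDOMAIN.COM", "MYHOST$@MYDOMAIN.COM"],
    "/etc/sssd/mydomain2.keytab": ["MYHOST$@MYDOMAIN2.COM"],
}


def expected_principal(opts, fqdn):
    """Principal SSSD will look for, simplified to the two defaults named in
    the reply: AD provider -> HOST$@REALM, LDAP provider -> host/fqdn@REALM.
    ldap_sasl_authid overrides both (assumption: realm appended if absent)."""
    realm = opts.get("krb5_realm") or opts.get("ad_domain", "").upper()
    authid = opts.get("ldap_sasl_authid")
    if authid:
        return authid if "@" in authid else f"{authid}@{realm}"
    if opts.get("id_provider") == "ad":
        return f"{fqdn.split('.')[0].upper()}$@{realm}"
    return f"host/{fqdn}@{realm}"


def keytab_path(opts):
    """Keytab the LDAP/AD backend reads: ldap_krb5_keytab, else krb5_keytab,
    else the system default (assumed fallback order)."""
    return opts.get("ldap_krb5_keytab") or opts.get("krb5_keytab") or "/etc/krb5.keytab"


def check_domains(conf_text, fqdn, keytabs):
    """Map each domain name to (principal, keytab path, principal present?)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = dict(cp[section])
        princ, path = expected_principal(opts, fqdn), keytab_path(opts)
        result[section[len("domain/"):]] = (princ, path, princ in keytabs.get(path, []))
    return result
```

Dropping the krb5_keytab line from the second domain reproduces the thread's failure: the default keytab has no MYHOST$@MYDOMAIN2.COM entry, so the check reports it missing.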

> Ondrej
> 
> -----Original Message-----
> From: Ondrej Valousek [mailto:[email protected]] 
> Sent: Monday, August 06, 2018 9:40 AM
> To: End-user discussions about the System Security Services Daemon 
> <[email protected]>
> Subject: [SSSD-users] Re: sssd connecting to two AD domains
> 
> Hi,
> No, these are different forests, but a two way trust is established between 
> these two.
> Ondrej
> 
> -----Original Message-----
> From: Jakub Hrozek [mailto:[email protected]]
> Sent: Monday, August 06, 2018 9:36 AM
> To: End-user discussions about the System Security Services Daemon 
> <[email protected]>
> Subject: [SSSD-users] Re: sssd connecting to two AD domains
> 
> Are mydomain and mydomain2 coming from a different forest?
> 
> with id_provider=ad sssd should work fine with domains from the same forest 
> and it should pick the right principal. If it doesn’t and setting 
> ldap_sasl_authid to shortname$@realm helps, then there must be a bug in the 
> principal selection logic.
> 
> > On 30 Jul 2018, at 11:25, Ondrej Valousek <[email protected]> 
> > wrote:
> > 
> > Ok, I see that it’s probably not supported:
> > https://pagure.io/SSSD/sssd/issue/2078
> > right?
> > Ondrej
> >  
> > From: Ondrej Valousek [mailto:[email protected]]
> > Sent: Monday, July 30, 2018 10:45 AM
> > To: End-user discussions about the System Security Services Daemon 
> > <[email protected]>
> > Subject: [SSSD-users] sssd connecting to two AD domains
> >  
> > Hi all,
> >  
> > I have a machine joined to AD domain “mydomain.com” and there is also 
> > domain “mydomain2.com”. The two are connected with full two way trust.
> >  
> > SSSD can happily recognize users from “mydomain.com”, but fails with users 
> > from “mydomain2.com” - sssd complains that:
> >  
> > (Mon Jul 30 08:26:38 2018) [sssd[be[adesto]]] [get_port_status] (0x1000): 
> > Port status of port 389 for server 'server.mydomain2.com' is 'not working'
> > (Mon Jul 30 08:26:38 2018) [sssd[be[adesto]]] [get_port_status] (0x0080): 
> > SSSD is unable to complete the full connection request, this internal 
> > status does not necessarily indicate network port issues.
> >  
> > But I can connect to that server with ldapsearch just fine (using a TGT 
> > obtained with kinit -k hostname$).
> >  
> > Earlier in the logs I spotted that SSSD is trying to obtain TGT with a 
> > wrong principal “host/hostname@REALM” instead of “hostname$@REALM”:
> >  
> > (Mon Jul 30 08:32:34 2018) [sssd[be[adesto]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client 'host/[email protected]' not found in Kerberos database], expired on [0]
> > (Mon Jul 30 08:32:34 2018) [sssd[be[adesto]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
> > (Mon Jul 30 08:32:34 2018) [sssd[be[adesto]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158226](Authentication Failed)
> >  
> > I am wondering why SSSD is now, all of a sudden, trying to obtain a TGT using 
> > the wrong principal?
> > Using RHEL-7.
> > Thanks,
> >  
> > Ondrej
> > -----
> >  
> > The information contained in this e-mail and in any attachments is 
> > confidential and is designated solely for the attention of the intended 
> > recipient(s). If you are not an intended recipient, you must not use, 
> > disclose, copy, distribute or retain this e-mail or any part thereof. If 
> > you have received this e-mail in error, please notify the sender by return 
> > e-mail and delete all copies of this e-mail from your computer system(s). 
> > Please direct any additional queries to: [email protected]. Thank 
> > You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland 
> > no. 378073. Registered Office: South County Business Park, Leopardstown, 
> > Dublin 18.
> >  
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]/message/A6CDHPRUSOVNJZDTCMZ4EN46ZDA5GSX7/