[SSSD-users] Re: Cannot authenticate user from parent domain in a child-domain joined server

[Chris J]

Hi Sumit,

On 2018-12-11 12:32, Sumit Bose wrote:

Now in /var/log/syslog, when I tail -f during sssctl user-checks, I 
get the
error:

	Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found 
in
Kerberos database
	Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found 
in
Kerberos database

This might be related to Kerberos ticket validation. Please try to add

    krb5_validate = False

to the [domain/...] section of sssd.conf, restart SSSD and try again.


Yep - that did the trick.

Even if this works it would be good to see the output of

    klist -k

as well to see what can be done to make ticket validation work.


This gives:

        root@hs-svn-02:/var/log/sssd# klist -k
        Keytab name: FILE:/etc/krb5.keytab
        KVNO Principal
	---- 
--------------------------------------------------------------------------
           2 HS-SVN-02$@DEVELOPMENT.CSESERV.COM
           2 HS-SVN-02$@DEVELOPMENT.CSESERV.COM
           2 HS-SVN-02$@DEVELOPMENT.CSESERV.COM
           2 HS-SVN-02$@DEVELOPMENT.CSESERV.COM
           2 HS-SVN-02$@DEVELOPMENT.CSESERV.COM
           2 HS-SVN-02$@DEVELOPMENT.CSESERV.COM
           2 host/hs-svn...@development.cseserv.com
           2 host/hs-svn...@development.cseserv.com
           2 host/hs-svn...@development.cseserv.com
           2 host/hs-svn...@development.cseserv.com
           2 host/hs-svn...@development.cseserv.com
           2 host/hs-svn...@development.cseserv.com
           2 host/hs-svn...@development.cseserv.com
           2 host/hs-svn...@development.cseserv.com
           2 host/hs-svn...@development.cseserv.com
           2 host/hs-svn...@development.cseserv.com
           2 host/hs-svn...@development.cseserv.com
           2 host/hs-svn...@development.cseserv.com
           2 RestrictedKrbHost/hs-svn...@development.cseserv.com
           2 RestrictedKrbHost/hs-svn...@development.cseserv.com
           2 RestrictedKrbHost/hs-svn...@development.cseserv.com
           2 RestrictedKrbHost/hs-svn...@development.cseserv.com
           2 RestrictedKrbHost/hs-svn...@development.cseserv.com
           2 RestrictedKrbHost/hs-svn...@development.cseserv.com
           2 RestrictedKrbHost/hs-svn...@development.cseserv.com
           2 RestrictedKrbHost/hs-svn...@development.cseserv.com
           2 RestrictedKrbHost/hs-svn...@development.cseserv.com
           2 RestrictedKrbHost/hs-svn...@development.cseserv.com
           2 RestrictedKrbHost/hs-svn...@development.cseserv.com
           2 RestrictedKrbHost/hs-svn...@development.cseserv.com


Cheers,

Chris
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org