On Tue, Dec 11, 2018 at 01:42:39PM +0000, Chris J wrote:
> Hi Sumit,
>
> On 2018-12-11 12:32, Sumit Bose wrote:
> > > Now in /var/log/syslog, when I tail -f during sssctl user-checks, I
> > > get the error:
> > >
> > > Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found in
> > > Kerberos database
> > > Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found in
> > > Kerberos database
> >
> > This might be related to Kerberos ticket validation. Please try to add
> >
> >     krb5_validate = False
> >
> > to the [domain/...] section of sssd.conf, restart SSSD and try again.
>
> Yep - that did the trick.
>
> > Even if this works it would be good to see the output of
> >
> >     klist -k
> >
> > as well to see what can be done to make ticket validation work.
>
> This gives:
>
> root@hs-svn-02:/var/log/sssd# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 [email protected]
>    2 [email protected]
>    2 [email protected]
>    2 [email protected]
>    2 [email protected]
>    2 [email protected]
>    2 host/[email protected]
>    2 host/[email protected]
>    2 host/[email protected]
>    2 host/[email protected]
>    2 host/[email protected]
>    2 host/[email protected]
>    2 host/[email protected]
>    2 host/[email protected]
>    2 host/[email protected]
>    2 host/[email protected]
>    2 host/[email protected]
>    2 host/[email protected]

It looks like your hostname was set to the short name during the join, i.e.
hostname just returned 'hs-svn-02'. There are some issues in adcli if a short
hostname is used and as a result the AD host object might not have been
created properly. Especially the servicePrincipalName attribute might be
empty or missing altogether.

>    2 RestrictedKrbHost/[email protected]
>    2 RestrictedKrbHost/[email protected]
>    2 RestrictedKrbHost/[email protected]
>    2 RestrictedKrbHost/[email protected]
>    2 RestrictedKrbHost/[email protected]
>    2 RestrictedKrbHost/[email protected]
>    2 RestrictedKrbHost/[email protected]
>    2 RestrictedKrbHost/[email protected]
>    2 RestrictedKrbHost/[email protected]
>    2 RestrictedKrbHost/[email protected]
>    2 RestrictedKrbHost/[email protected]
>    2 RestrictedKrbHost/[email protected]

I would expect that for users from the parent domain
'RestrictedKrbHost/[email protected]' is used for validation. You can check
this by inspecting krb5_child.log if debug_level=9 is set in the [domain/...]
section of sssd.conf and you look for the string 'validate'.

If you check the host entry on AD I would expect that this entry is missing
and that validation will start to work if you add it to servicePrincipalName.

HTH

bye,
Sumit

>
> Cheers,
>
> Chris

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
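As an added example (not code from this thread or from SSSD/adcli): a small Python checker that parses `klist -k` output and reports which of the host/ and RestrictedKrbHost/ principals for the short and fully qualified hostname are absent from the keytab, which is the comparison Sumit suggests doing by eye above. The sample listing, the realm AD.EXAMPLE.COM and the FQDN hs-svn-02.ad.example.com are constructed placeholders; the RestrictedKrbHost/<fqdn> entry is deliberately left out to mirror the situation described in the reply.

```python
import re

# Constructed sample of `klist -k` output (not the keytab from the thread;
# AD.EXAMPLE.COM and the FQDN are placeholder values). The
# RestrictedKrbHost/<fqdn> entry is deliberately absent.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HS-SVN-02$@AD.EXAMPLE.COM
   2 host/hs-svn-02@AD.EXAMPLE.COM
   2 host/hs-svn-02.ad.example.com@AD.EXAMPLE.COM
   2 RestrictedKrbHost/hs-svn-02@AD.EXAMPLE.COM
"""

# A keytab entry line: leading KVNO, whitespace, then a principal containing '@'.
# The "KVNO Principal" header and the dashed rule do not match this pattern.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist(text):
    """Return {principal: kvno} from `klist -k` output, ignoring header lines."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(2)] = int(m.group(1))
    return entries


def expected_host_principals(fqdn, realm):
    """Host principals a validating client may be asked for.

    Both the short name and the FQDN variants are listed, because a join done
    with a short hostname (the suspicion in the thread) tends to leave the
    FQDN variants out of servicePrincipalName and therefore out of the keytab.
    """
    short = fqdn.split(".")[0]
    return [
        f"host/{short}@{realm}",
        f"host/{fqdn}@{realm}",
        f"RestrictedKrbHost/{short}@{realm}",
        f"RestrictedKrbHost/{fqdn}@{realm}",
    ]


def missing_principals(klist_output, fqdn, realm):
    """Return the expected principals that are not present in the keytab."""
    present = parse_klist(klist_output)
    return [p for p in expected_host_principals(fqdn, realm) if p not in present]


if __name__ == "__main__":
    # In practice feed the real output of `klist -k` instead of the sample.
    for p in missing_principals(SAMPLE_KLIST, "hs-svn-02.ad.example.com", "AD.EXAMPLE.COM"):
        print("missing from keytab:", p)
```

A principal reported as missing here is a candidate to add to the host object's servicePrincipalName (after which the keytab needs to be refreshed); whether it is actually the one krb5_child tries to validate against is confirmed by the 'validate' lines in krb5_child.log at debug_level=9, as described in the reply.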
