Hello,

On Tue, Feb 5, 2019 at 10:29 AM Jakub Hrozek <[email protected]> wrote:
>
> > Now, everything is OK with the main domain, AFAIK, I can login, sudo
> > based on groups, etc. But for the child domain, most work, I can id a
> > user@child (that resolves the user and the groups associated), I can
> > "su - user@child" from root, BUT I cannot log in with that user@child.
> > Sanitized logs follow:
> >
>
> It's hard to say from the trimmed log, but I assume this happens during
> the TGT validation phase? If yes, then you could work around that
> temporarily by setting:
>     krb5_validate = false
> in the domain section, but please read the sssd-krb5 manual page to see
> what security implications this has.

I have tried that, and yes, it works. Though because of the security
implications I would rather set it up without it...

>
> Does it work to request this principal from the command line?
>     kinit [email protected]

I have tried that with my AD user, and yes, I receive no error and the return code is 0.

>     kvno RestrictedKrbHost/[email protected]

kvno: Server not found in Kerberos database while getting credentials for RestrictedKrbHost/[email protected]

>
> Is the principal really lower-case and shortname? I would have expected
> either lower-case FQDN or an upper-case shortname..

root@ubuntu:~# kvno ubuntu
[email protected]: kvno = 2

I am not sure precisely what to look for in principals...

root@ubuntu:~# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 [email protected] (aes256-cts-hmac-sha1-96)
   2 [email protected] (aes128-cts-hmac-sha1-96)
   2 [email protected] (des3-cbc-sha1)
   2 [email protected] (arcfour-hmac)
   2 [email protected] (des-cbc-md5)
   2 [email protected] (des-cbc-crc)
   2 host/[email protected] (aes256-cts-hmac-sha1-96)
   2 host/[email protected] (aes128-cts-hmac-sha1-96)
   2 host/[email protected] (des3-cbc-sha1)
   2 host/[email protected] (arcfour-hmac)
   2 host/[email protected] (des-cbc-md5)
   2 host/[email protected] (des-cbc-crc)
   2 host/[email protected] (aes256-cts-hmac-sha1-96)
   2 host/[email protected] (aes128-cts-hmac-sha1-96)
   2 host/[email protected] (des3-cbc-sha1)
   2 host/[email protected] (arcfour-hmac)
   2 host/[email protected] (des-cbc-md5)
   2 host/[email protected] (des-cbc-crc)
   2 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
   2 RestrictedKrbHost/[email protected] (des3-cbc-sha1)
   2 RestrictedKrbHost/[email protected] (arcfour-hmac)
   2 RestrictedKrbHost/[email protected] (des-cbc-md5)
   2 RestrictedKrbHost/[email protected] (des-cbc-crc)
   2 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
   2 RestrictedKrbHost/[email protected] (des3-cbc-sha1)
   2 RestrictedKrbHost/[email protected] (arcfour-hmac)
   2 RestrictedKrbHost/[email protected] (des-cbc-md5)
   2 RestrictedKrbHost/[email protected] (des-cbc-crc)

None of these are OK with kvno except '[email protected]':

root@ubuntu:~# kvno ubuntu
[email protected]: kvno = 2
root@ubuntu:~# kvno [email protected]
[email protected]: kvno = 2
root@ubuntu:~# kvno UBUNTU
[email protected]: kvno = 2
root@ubuntu:~# kvno [email protected]
[email protected]: kvno = 2
root@ubuntu:~# kvno [email protected]
kvno: KDC reply did not match expectations while getting credentials for [email protected]

>
> What is in the file
> /var/lib/sss/pubconf/krb5.include.d/domain_realm_$domain?
>

[domain_realm]
.child.example.com = CHILD.EXAMPLE.COM
child.example.com = CHILD.EXAMPLE.COM
[capaths]
CHILD.EXAMPLE.COM = {
    EXAMPLE.COM = EXAMPLE.COM
}
EXAMPLE.COM = {
    CHILD.EXAMPLE.COM = EXAMPLE.COM
}

Thanks for your time!
Jeremy

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
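The check the thread performs by hand (list the keytab with `klist -ke`, then request each principal with `kvno` and compare the key version the KDC returns with the one in the keytab) is easy to get wrong across thirty lines of output, and the listing above also shows single-DES and RC4 keys sitting beside the AES ones. The script below is an added example, not code from the thread or from SSSD: it parses `klist -ke` output, groups the entries per principal, flags legacy enctypes, emits the `kvno` commands to run, and then reads the captured `kvno` output back to classify every principal as ok, stale (KDC kvno differs from the keytab), or failing with the KDC's error. Host name `host01` and the sample output are constructed; `CHILD.EXAMPLE.COM` is only reused as the placeholder realm from the poster's config.

```python
"""Cross-check a keytab listing against `kvno` results.

Added example (not from the thread or SSSD). Given the text `klist -ke`
prints, group entries per principal, flag legacy enctypes, produce the
`kvno` commands to run, and classify the captured `kvno` output.
"""
import re
from collections import OrderedDict

# Enctypes deprecated or disabled in current MIT Kerberos builds
# (single DES, triple DES, RC4): worth reviewing if still in the keytab.
LEGACY_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}

# One keytab entry line: "   2 host/[email protected] (aes256-cts-hmac-sha1-96)"
_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
# kvno success line: "principal: kvno = 2"
_KVNO_OK = re.compile(r"^(\S+): kvno = (\d+)$")
# kvno failure line: "kvno: <error> while getting credentials for principal"
_KVNO_ERR = re.compile(r"^kvno: (.+) while getting credentials for (\S+)$")


def parse_klist(text):
    """Return an ordered mapping principal -> {"kvnos": set, "enctypes": list}."""
    entries = OrderedDict()
    in_table = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True  # header separator; entries follow
            continue
        m = _ENTRY.match(line) if in_table else None
        if not m:
            continue
        kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
        rec = entries.setdefault(principal, {"kvnos": set(), "enctypes": []})
        rec["kvnos"].add(kvno)
        rec["enctypes"].append(enctype)
    return entries


def legacy_keys(entries):
    """Principals holding at least one legacy-enctype key, with those enctypes."""
    return {p: sorted(set(r["enctypes"]) & LEGACY_ENCTYPES)
            for p, r in entries.items() if set(r["enctypes"]) & LEGACY_ENCTYPES}


def kvno_commands(entries):
    """One `kvno` invocation per unique principal, in keytab order."""
    return ["kvno %s" % p for p in entries]


def parse_kvno_output(text):
    """Map principal -> kvno (int) on success, or the KDC error string."""
    results = {}
    for line in text.splitlines():
        m = _KVNO_OK.match(line)
        if m:
            results[m.group(1)] = int(m.group(2))
            continue
        m = _KVNO_ERR.match(line)
        if m:
            results[m.group(2)] = m.group(1)
    return results


def compare(entries, kvno_results):
    """Classify each keytab principal as ok / stale / error / unchecked."""
    report = OrderedDict()
    for principal, rec in entries.items():
        got = kvno_results.get(principal)
        if got is None:
            report[principal] = "unchecked"
        elif isinstance(got, str):
            report[principal] = "error: " + got
        elif got in rec["kvnos"]:
            report[principal] = "ok"
        else:
            report[principal] = "stale keytab: KDC kvno %d, keytab %s" % (
                got, sorted(rec["kvnos"]))
    return report


# Constructed sample in the layout klist -ke uses (host01 is invented).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host01$@CHILD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host01$@CHILD.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 host01$@CHILD.EXAMPLE.COM (arcfour-hmac)
   2 host/host01.child.example.com@CHILD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/host01.child.example.com@CHILD.EXAMPLE.COM (des-cbc-md5)
   2 host/HOST01@CHILD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 RestrictedKrbHost/host01.child.example.com@CHILD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Constructed kvno output for the commands above: one principal unknown to
# the KDC, one whose key was rotated after the keytab was written.
SAMPLE_KVNO = """\
host01$@CHILD.EXAMPLE.COM: kvno = 2
host/host01.child.example.com@CHILD.EXAMPLE.COM: kvno = 2
kvno: Server not found in Kerberos database while getting credentials for host/HOST01@CHILD.EXAMPLE.COM
RestrictedKrbHost/host01.child.example.com@CHILD.EXAMPLE.COM: kvno = 4
"""

if __name__ == "__main__":
    ents = parse_klist(SAMPLE_KLIST)
    for cmd in kvno_commands(ents):
        print(cmd)
    for p, enc in legacy_keys(ents).items():
        print("legacy enctypes for %s: %s" % (p, ", ".join(enc)))
    for p, status in compare(ents, parse_kvno_output(SAMPLE_KVNO)).items():
        print("%-65s %s" % (p, status))
```

In practice you would replace the two constructed strings with the real output of `klist -ke` and of the emitted `kvno` commands; a "stale keytab" result means the KDC has rotated that key since the keytab was written, and a "Server not found" result means the KDC does not know the principal under that exact spelling, which is the situation the thread is chasing.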
