On Tue, Feb 05, 2019 at 04:29:23PM +0100, Jeremy Monnet wrote:
> On Tue, Feb 5, 2019 at 3:35 PM Jeremy Monnet <[email protected]> wrote:
> >
> > Hello,
> >
> > On Tue, Feb 5, 2019 at 10:29 AM Jakub Hrozek <[email protected]> wrote:
> > >
> > > > Now, everything is OK with the main domain, AFAIK, I can login, sudo
> > > > based on groups, etc. But for the child domain, most work, I can id a
> > > > user@child (that resolves the user and the groups associated), I can
> > > > "su - user@child" from root, BUT I cannot log in with that user@child.
> > > > Sanitized logs follow:
> > > >
> > >
> > > It's hard to say from the trimmed log, but I assume this happens during
> > > the TGT validation phase? If yes, then you could work around that
> > > temporarily by setting:
> > > krb5_validate = false
> > > in the domain section, but please read the sssd-krb5 manual page to see
> > > what security implications this has.
> >
> > I have tried that, and yes, it works. Though because of the security
> > implications I would rather set it up without it...
> >
> > > > kvno RestrictedKrbHost/[email protected]
> > > > kvno: Server not found in Kerberos database while getting credentials
> > > > for RestrictedKrbHost/[email protected]
> > > >
> > >
> > > Is the principal really lower-case and shortname? I would have expected
> > > either lower-case FQDN or an upper-case shortname..
> >
> > I am not sure precisely what to look for in principals...
>
> I followed that lead, and found that no SPNs were registered at all in
> the AD object. I edited it with ADSI, and could log in with all
> domains...
>
> I looked at other objects and it seems none have had the same SPN
> registered, and I don't know at all how the object is created (other
> than that it is created when I "realm" the server). I will look at it a bit!
There is an issue if realmd uses adcli to join the domain and 'hostname' only returns the short name and not the fully-qualified DNS name. In this case adcli tries to add the same SPN twice, which causes an error, and as a result no SPN is added.

HTH

bye,
Sumit

> Jérémy

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
