All,

Never mind; I found it myself (compared it to a good deployment). I was not passing in ldap_sasl_authid to each child domain. So the default (if you don't set it) is "host/HOSTNAME@REALM". That default works -- for the local child domain.
Example: host/[email protected]

However, that default does not work for the remote child domain.
Example: host/[email protected] <[email protected]>

Still -- this error message is cryptic! host/[email protected] is the one auth_sasl_authid that can be found (by the local AMER.EXAMPLE.COM child domain). It's in the /etc/krb5.keytab file. It's the other auth_sasl_authids that the other respective child domains can't find:

host/[email protected] <[email protected]>
host/[email protected] <[email protected]>
etc.

Anyway, all good now.

Spike

On Mon, Jul 8, 2019 at 12:10 PM Spike White <[email protected]> wrote:

> sssd experts,
>
> We have a “nuisance-level” problem with RHEL8 physical builds after AD-integrating via sssd. How do I stop certain annoying messages in /var/log/messages?
>
> This RHEL8 physical build properly creates an /etc/krb5.keytab file with the expected host entries. Here’s the snippet from ktutil:
>
> [root@austgcore25 log]# cd /etc
> [root@austgcore25 etc]# ktutil
> ktutil: read_kt /etc/krb5.keytab
> ktutil: list -t -e -k
> slot KVNO Timestamp Principal
> ---- ---- ----------------- ---------------------------------------------------
> …
> 6 16 07/03/2019 21:31 host/[email protected] (des-cbc-crc) (0xbf3d37462967e65e)
> 7 16 07/03/2019 21:31 host/[email protected] (des-cbc-md5) (0xbf3d37462967e65e)
> 8 16 07/03/2019 21:31 host/[email protected] (arcfour-hmac) (0xa21feefac524db9e82f3e38e73551c28)
> 9 16 07/03/2019 21:31 host/[email protected] (aes128-cts-hmac-sha1-96) (0x196ff6a33ef6284bb432f97cf36e737c)
> 10 16 07/03/2019 21:31 host/[email protected] (aes256-cts-hmac-sha1-96) (0xadd866228352701a94f5cd40d76ed886a7fe084b2f7a90981b16d19f14962e3b)
> …
>
> The AD integration seems to work fine. I can log in with my AD account no problem. Even after reboots. (Cross-domain authentication is temporarily not working on this build, likely unrelated.)
>
> However, we continue to get the complaints in /var/log/messages:
>
> Jul 8 11:38:25 austgcore25 [sssd[ldap_child[1816]]][1816]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/[email protected]' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
> Jul 8 11:38:26 austgcore25 [sssd[ldap_child[1817]]][1817]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/[email protected]' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
>
> I notice it’s attempting to use MEMORY:/etc/krb5.keytab.
>
> How do I stop these annoying messages in /var/log/messages? We have multiple AD domains defined in our sssd.conf file for this cross-domain auth. (Usually, cross-domain auth works fine for us.)
>
> Spike
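The condition Spike arrives at above is simple to state: for every [domain/...] section in sssd.conf, the principal ldap_child ends up using for the GSSAPI bind (the explicit ldap_sasl_authid, or the host/HOSTNAME@REALM default) has to be one that actually exists in /etc/krb5.keytab, and the remote child domains fail because their default lands on a principal the keytab never held. The following checker is an added example written for this thread, not sssd's own code and not something from the original posts. It assumes that the default authid is built from the section's krb5_realm (falling back to ad_domain upper-cased), that the keytab contents are supplied as `klist -k` text, and it uses constructed host names, realms and keytab entries because the thread's real principals are redacted; only AMER.EXAMPLE.COM and the short host name austgcore25 come from the page.

```python
"""Check which sssd domain sections would ask for a principal the keytab lacks.

Added example for the sssd-users thread above; not part of sssd. Assumptions:
  * with ldap_sasl_authid unset, the effective authid is host/HOSTNAME@REALM,
    REALM taken from the section's krb5_realm (else ad_domain upper-cased);
  * keytab contents arrive as `klist -k` output.
Every host name, realm and keytab entry below is constructed.
"""
import configparser
import re
from typing import Dict, Set

# Constructed FQDN; the thread only shows the short name "austgcore25".
HOSTNAME = "austgcore25.amer.example.com"

# Constructed `klist -k /etc/krb5.keytab` output: the join created principals
# in the local child domain AMER.EXAMPLE.COM only.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  16 host/austgcore25.amer.example.com@AMER.EXAMPLE.COM
  16 host/AUSTGCORE25@AMER.EXAMPLE.COM
"""

# Constructed sssd.conf with the remote child domain left at the default authid.
SSSD_CONF_DEFAULT_AUTHID = """\
[sssd]
services = nss, pam
domains = amer.example.com, emea.example.com

[domain/amer.example.com]
id_provider = ad
ad_domain = amer.example.com
krb5_realm = AMER.EXAMPLE.COM

[domain/emea.example.com]
id_provider = ad
ad_domain = emea.example.com
krb5_realm = EMEA.EXAMPLE.COM
"""

# Same config, with the remote section pinned to the principal the keytab holds.
SSSD_CONF_PINNED_AUTHID = """\
[sssd]
services = nss, pam
domains = amer.example.com, emea.example.com

[domain/amer.example.com]
id_provider = ad
ad_domain = amer.example.com
krb5_realm = AMER.EXAMPLE.COM

[domain/emea.example.com]
id_provider = ad
ad_domain = emea.example.com
krb5_realm = EMEA.EXAMPLE.COM
ldap_sasl_authid = host/austgcore25.amer.example.com@AMER.EXAMPLE.COM
"""


def keytab_principals(klist_text: str) -> Set[str]:
    """Collect principal names from `klist -k` output (one line per key entry)."""
    principals = set()
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def effective_authid(section: configparser.SectionProxy, hostname: str) -> str:
    """Return the SASL authid ldap_child would use for one domain section."""
    explicit = section.get("ldap_sasl_authid")
    if explicit:
        return explicit.strip()
    # Assumed default resolution: krb5_realm, else ad_domain upper-cased.
    realm = section.get("krb5_realm") or section.get("ad_domain", "").upper()
    return f"host/{hostname}@{realm}"


def missing_authids(conf_text: str, klist_text: str, hostname: str) -> Dict[str, str]:
    """Map each [domain/...] section to an authid absent from the keytab."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    available = keytab_principals(klist_text)
    missing: Dict[str, str] = {}
    for name in cfg.sections():
        if not name.startswith("domain/"):
            continue
        authid = effective_authid(cfg[name], hostname)
        if authid not in available:
            missing[name] = authid
    return missing


if __name__ == "__main__":
    for label, conf in (("default authid", SSSD_CONF_DEFAULT_AUTHID),
                        ("pinned authid", SSSD_CONF_PINNED_AUTHID)):
        problems = missing_authids(conf, KLIST_OUTPUT, HOSTNAME)
        print(f"{label}: {problems or 'every domain section is satisfiable'}")
```

Run against the default-authid config it reports that domain/emea.example.com would look for host/austgcore25.amer.example.com@EMEA.EXAMPLE.COM, which is exactly the kind of entry the keytab never held; with the remote section pinned to the local host principal the report is empty. On a real host, feed it the actual sssd.conf and the output of `klist -k /etc/krb5.keytab` rather than the constructed strings.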
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
