On Thu, Aug 12, 2021 at 02:55:17PM -0000, Jovan Quinones-Morales wrote:
> Hello!
>
> I put the pac option in the sssd config which seemed to help in the logs and
> in the long run. Although taking a look at the domain logs I have this. The
> main issue with "Server not found in Kerberos database" was remediated by
> setting dyndns_update = false being that we are not using dyndns.
>
> Here are the logs when dyndns is set to false.
>
> ***DOMAIN LOGS***
>
> (2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [orderly_shutdown] (0x0010): SIGTERM: killing children
> (2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [orderly_shutdown] (0x0040): Shutting down (status = 0)
> (2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [server_setup] (0x0040): Starting with debug level = 0x0070
> (2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
> (2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
> (2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
> (2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
> (2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
> (2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [fo_resolve_service_send] (0x0020): No available servers for service 'sd_domain.com'
> (2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [ad_get_slave_domain_connect_done] (0x0020): Unable to connect to LDAP [5]: Input/output error
> (2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [ad_subdomains_refresh_done] (0x0040): Unable to get subdomains [5]: Input/output error
> (2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [be_ptask_done] (0x0040): Task [Subdomains Refresh]: failed with [5]: Input/output error
> (2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [ad_get_slave_domain_connect_done] (0x0020): Unable to connect to LDAP [5]: Input/output error
> (2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [ad_subdomains_refresh_done] (0x0040): Unable to get subdomains [5]: Input/output error

Hi,

can you run SSSD with 'debug_level = 9' in the [domain/...] section for this case as well?

For dyndns SSSD should reuse the Kerberos credentials used for the LDAP connection.

bye,
Sumit

>
> ***LDAP_CHILD LOGS***
>
> (2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [EXAMPLE.DOMAIN.COM]
> (2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [MYSERVER$@EXAMPLE.DOMAIN.COM]
> (2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018940: Getting initial credentials for MYSERVER$@EXAMPLE.DOMAIN.COM
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018941: Unrecognized enctype name in default_tkt_enctypes: des-cbc-crc
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018942: Unrecognized enctype name in default_tkt_enctypes: des-cbc-md5
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018943: Looked up etypes in keytab: rc4-hmac, aes256-cts
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018945: Sending unauthenticated request
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018946: Sending request (205 bytes) to EXAMPLE.DOMAIN.COM
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018947: Sending initial UDP request to dgram 192.172.2.5:88
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018948: Received answer (228 bytes) from dgram 192.172.2.5:88
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018949: Response was from master KDC
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018950: Received error from KDC: -1765328359/Additional pre-authentication required
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018953: Preauthenticating using KDC method data
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018954: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018955: Selected etype info: etype aes256-cts, salt "EXAMPLE.DOMAIN.COMhostmyserver.example.domain.com", params ""
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018956: Retrieving MYSERVER$@EXAMPLE.DOMAIN.COM from MEMORY:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Success
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018957: AS key obtained for encrypted timestamp: aes256-cts/D0B6
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018959: Encrypted timestamp (for 1628777855.139844): plain 301AA011180F32303231303831323134313733355AA1050203022244, encrypted 7E3F423BDB4DC1D927079C7D0E47E4AF671FC5255391F8812547A862034C5F3BEF53F551A9544A3BB7CE65201DF22772A9B0A3A2440ED2E2
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018960: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018961: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018962: Sending request (285 bytes) to EXAMPLE.DOMAIN.COM
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018963: Sending initial UDP request to dgram 192.172.2.5:88
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018964: Received answer (104 bytes) from dgram 192.172.2.5:88
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018965: Response was from master KDC
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018966: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018967: Request or response is too big for UDP; retrying with TCP
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018968: Sending request (285 bytes) to EXAMPLE.DOMAIN.COM (tcp only)
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018969: Initiating TCP connection to stream 192.172.2.5:88
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018970: Sending TCP request to stream 192.172.2.5:88
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018971: Received answer (1627 bytes) from stream 192.172.2.5:88
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018972: Terminating TCP connection to stream 192.172.2.5:88
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018973: Response was from master KDC
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018974: Processing preauth types: PA-ETYPE-INFO2 (19)
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018975: Selected etype info: etype aes256-cts, salt "EXAMPLE.DOMAIN.COMhostmyserver.example.domain.com", params ""
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018976: Produced preauth for next request: (empty)
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018977: AS key determined by preauth: aes256-cts/D0B6
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018978: Decrypted AS reply; session key is: aes256-cts/D18C
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018979: FAST negotiation: unavailable
> (2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000): credentials initialized
> (2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9]
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018980: Initializing FILE:/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9 with default princ MYSERVER$@EXAMPLE.DOMAIN.COM
> (2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018981: Storing MYSERVER$@EXAMPLE.DOMAIN.COM -> krbtgt/example.domain....@example.domain.com in FILE:/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9
> (2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000): credentials stored
> (2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset
> (2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000): Renaming [/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9] to [/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM]
> (2021-08-12 10:17:35): [ldap_child[4054178]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9]
> (2021-08-12 10:17:35): [ldap_child[4054178]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9]
> (2021-08-12 10:17:35): [ldap_child[4054178]] [prepare_response] (0x0400): Building response for result [0]
> (2021-08-12 10:17:35): [ldap_child[4054178]] [pack_buffer] (0x2000): response size: 64
> (2021-08-12 10:17:35): [ldap_child[4054178]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [44] msg [FILE:/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM]
> (2021-08-12 10:17:35): [ldap_child[4054178]] [main] (0x0400): ldap_child completed successfully
>
> (2021-08-12 10:32:12): [ldap_child[4057811]] [main] (0x0020): ldap_child_get_tgt_sync failed.
> (2021-08-12 10:32:12): [ldap_child[4057812]] [ldap_child_get_tgt_sync] (0x0040): krb5_get_init_creds_keytab() failed: -1765328378
> (2021-08-12 10:32:12): [ldap_child[4057812]] [ldap_child_get_tgt_sync] (0x0010): Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/example.cc.cc....@example.domain.com' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
> (2021-08-12 10:32:12): [ldap_child[4057812]] [main] (0x0020): ldap_child_get_tgt_sync failed.
>
> Thank you!
>
> Jovan
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
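The logs in this thread carry the usual signals an analyst has to pull out by hand: the raw libkrb5 error codes (-1765328359, -1765328332, -1765328378), the fact that the successful ldap_child run used the machine-account principal while the failing one presented a host/ principal the KDC does not know, and the trace warnings about DES enctype names still listed in krb5.conf. The script below is an added example, written for this page and not code from the SSSD project or from anyone in the thread. It parses SSSD debug log records in the format shown above, maps the numeric error codes to their MIT Kerberos symbolic names (the codes are ERROR_TABLE_BASE_krb5 plus the RFC 4120 error number), and flags a principal mismatch, rejected or weak enctypes, and the resulting Permission denied on the GSSAPI bind. The sample log lines are constructed after the thread's format with placeholder names; the findings text is the example's own wording, not SSSD output.

```python
import re

# MIT Kerberos error codes are ERROR_TABLE_BASE_krb5 plus the RFC 4120 error number.
KRB5_ERR_BASE = -1765328384
KRB5_ERROR_NAMES = {
    KRB5_ERR_BASE + 6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",  # client principal not in KDC database
    KRB5_ERR_BASE + 7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",  # service principal not in KDC database
    KRB5_ERR_BASE + 14: "KRB5KDC_ERR_ETYPE_NOSUPP",
    KRB5_ERR_BASE + 25: "KRB5KDC_ERR_PREAUTH_REQUIRED",    # expected on the first AS exchange
    KRB5_ERR_BASE + 37: "KRB5KRB_AP_ERR_SKEW",
    KRB5_ERR_BASE + 52: "KRB5KRB_ERR_RESPONSE_TOO_BIG",    # benign, libkrb5 retries over TCP
}
BENIGN = {"KRB5KDC_ERR_PREAUTH_REQUIRED", "KRB5KRB_ERR_RESPONSE_TOO_BIG"}
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac"}

# SSSD debug record: (timestamp): [process[id]] [function] (0xlevel): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<proc>[^\[\]]+\[[^\]]*\])\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)


def parse_line(line):
    """Return the fields of one SSSD debug record, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    return rec


def krb5_error_name(code):
    """Map a numeric libkrb5 error code to its symbolic name."""
    return KRB5_ERROR_NAMES.get(code, "KRB5_UNKNOWN(offset %d)" % (code - KRB5_ERR_BASE))


def triage(lines):
    """Collect the signals needed to explain a failed GSSAPI LDAP bind."""
    r = {"kdc_errors": [], "keytab_principals": [], "unknown_principals": [],
         "unrecognized_enctypes": [], "weak_keytab_enctypes": [], "ldap_permission_denied": 0}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # not an SSSD record (wrapped text, footers, ...)
        msg = rec["msg"]
        m = re.search(r"Received error from KDC: (-?\d+)/(.*)$", msg)
        if m:  # KDC error seen through the krb5 trace callback
            r["kdc_errors"].append((int(m.group(1)), krb5_error_name(int(m.group(1))), m.group(2)))
            continue
        m = re.search(r"krb5_get_init_creds_keytab\(\) failed: (-?\d+)", msg)
        if m:  # final failure of the keytab-based AS exchange, numeric code only
            r["kdc_errors"].append((int(m.group(1)), krb5_error_name(int(m.group(1))), ""))
            continue
        m = re.search(r"Principal name is: \[([^\]]+)\]", msg)
        if m:
            r["keytab_principals"].append(m.group(1))
            continue
        m = re.search(r"Client '([^']+)' not found in Kerberos database", msg)
        if m:
            r["unknown_principals"].append(m.group(1))
            continue
        m = re.search(r"Unrecognized enctype name in \w+: (\S+)", msg)
        if m:  # krb5.conf names an enctype this libkrb5 build no longer accepts
            r["unrecognized_enctypes"].append(m.group(1))
            continue
        m = re.search(r"Looked up etypes in keytab: (.*)$", msg)
        if m:
            r["weak_keytab_enctypes"].extend(e for e in m.group(1).split(", ") if e in WEAK_ENCTYPES)
            continue
        if "Unable to establish connection [13]: Permission denied" in msg:
            r["ldap_permission_denied"] += 1
    # Mismatch: the KDC rejected a principal that is not the one ldap_child took from the keytab.
    r["principal_mismatch"] = bool(r["unknown_principals"]) and not (
        set(r["unknown_principals"]) <= set(r["keytab_principals"]))
    return r


def findings(r):
    """Turn collected signals into plain-language findings (wording is this example's own)."""
    out = [f"libkrb5 error {c} ({n}) {t}".rstrip() for c, n, t in r["kdc_errors"] if n not in BENIGN]
    if r["principal_mismatch"]:
        out.append("principal mismatch: KDC rejected %s, keytab principal that worked was %s; check "
                   "which principal each SSSD code path uses and that the keytab holds it (klist -k)"
                   % (", ".join(r["unknown_principals"]), ", ".join(r["keytab_principals"]) or "none seen"))
    if r["unrecognized_enctypes"]:
        out.append("krb5.conf lists enctypes libkrb5 no longer accepts: " + ", ".join(r["unrecognized_enctypes"]))
    if r["weak_keytab_enctypes"]:
        out.append("keytab still holds weak enctype keys: " + ", ".join(r["weak_keytab_enctypes"]))
    if r["ldap_permission_denied"]:
        out.append("%d LDAP connection attempts failed with Permission denied, consistent with ldap_child "
                   "not obtaining a ticket for the GSSAPI bind" % r["ldap_permission_denied"])
    return out


# Constructed sample in the thread's log format (placeholder host, realm and PIDs).
SAMPLE_LOG = """\
(2021-08-12 10:17:35): [ldap_child[1001]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [HOST1$@EXAMPLE.TEST]
(2021-08-12 10:17:35): [ldap_child[1001]] [sss_child_krb5_trace_cb] (0x4000): [1001] 1628777855.000001: Unrecognized enctype name in default_tkt_enctypes: des-cbc-crc
(2021-08-12 10:17:35): [ldap_child[1001]] [sss_child_krb5_trace_cb] (0x4000): [1001] 1628777855.000002: Unrecognized enctype name in default_tkt_enctypes: des-cbc-md5
(2021-08-12 10:17:35): [ldap_child[1001]] [sss_child_krb5_trace_cb] (0x4000): [1001] 1628777855.000003: Looked up etypes in keytab: rc4-hmac, aes256-cts
(2021-08-12 10:17:35): [ldap_child[1001]] [sss_child_krb5_trace_cb] (0x4000): [1001] 1628777855.000004: Received error from KDC: -1765328359/Additional pre-authentication required
(2021-08-12 10:17:35): [ldap_child[1001]] [sss_child_krb5_trace_cb] (0x4000): [1001] 1628777855.000005: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
(2021-08-12 10:17:35): [ldap_child[1001]] [main] (0x0400): ldap_child completed successfully
(2021-08-12 10:32:12): [be[EXAMPLE.test]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [be[EXAMPLE.test]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [ldap_child[1002]] [ldap_child_get_tgt_sync] (0x0040): krb5_get_init_creds_keytab() failed: -1765328378
(2021-08-12 10:32:12): [ldap_child[1002]] [ldap_child_get_tgt_sync] (0x0010): Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/host1.example.test@EXAMPLE.TEST' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
this line is not an SSSD record and is skipped
"""

if __name__ == "__main__":
    for f in findings(triage(SAMPLE_LOG.splitlines())):
        print(" -", f)
```

Run it against a real sssd_<domain>.log and ldap_child.log by passing their lines to triage(); the two benign codes (pre-authentication required, response too big for UDP) are deliberately filtered out of the findings because they appear in every healthy AS exchange, as the successful 10:17:35 run in the thread shows.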