Thanks Alexey! That github issue solved my problem. Do you know if this will get backported to Debian bullseye?

Aram

On 12/23/2021 2:07 PM, Alexey Tikhonov wrote:
Hello,

(sorry if my comments are not relevant)

On Fri, Dec 17, 2021 at 8:35 AM Aram Akhavan <[email protected]> wrote:

    Hi all,

    I'm new to sssd and am working on deploying it in my homelab on a
    test VM.

    So far, I've successfully joined my host to my very basic/vanilla
    Active Directory domain using *realm join*. I can log in via
    console and ssh using AD credentials, and sudo works great too.

    I can't for the life of me get GSSAPI to work on ssh, though.

Please check if this might be similar to https://github.com/SSSD/sssd/issues/5893

    My relevant sshd_config options are:

    # GSSAPI options
    GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    GSSAPIKeyExchange yes

    I turned on debug logging on the ssh server and client and the
    only thing I can see that would suggest any issues are:

    Dec 16 23:09:55 test sshd[6068]: debug3: userauth_finish: failure
    partial=0 next
    methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]

    I do see this in the syslog when sssd is restarted, though
    everything else does still work:

    Dec 16 23:10:20 test sssd[6102]: tkey query failed: GSSAPI error:
    Major = Unspecified GSS failure.  Minor code may provide more
    information, Minor = Server not found in Kerberos database.

This email thread -
https://lists.fedorahosted.org/archives/list/[email protected]/thread/H24WBE7QG3XAWLAIXYPDXIYKBJBURMVF/
- mentions a similar error message.

    In my sssd_nub.lan.log file I have a few errors but from what I
    can tell they're all related to dynamic dns updates:

    (2021-12-16 23:10:10): [be[nub.lan]] [ad_disable_gc] (0x0040):
    POSIX attributes were requested but are not present on the server
    side. Global Catalog lookups will be disabled
    (2021-12-16 23:10:20): [be[nub.lan]] [child_sig_handler] (0x0020):
    child [6102] failed with status [2].
    (2021-12-16 23:10:20): [be[nub.lan]] [nsupdate_child_handler]
    (0x0040): Dynamic DNS child failed with status [512]
    (2021-12-16 23:10:20): [be[nub.lan]] [be_nsupdate_done] (0x0040):
    nsupdate child execution failed [1432158240]: Dynamic DNS update
    failed
    (2021-12-16 23:10:20): [be[nub.lan]] [child_sig_handler] (0x0020):
    child [6106] failed with status [2].
    (2021-12-16 23:10:20): [be[nub.lan]] [nsupdate_child_handler]
    (0x0040): Dynamic DNS child failed with status [512]
    (2021-12-16 23:10:20): [be[nub.lan]] [be_nsupdate_done] (0x0040):
    nsupdate child execution failed [1432158240]: Dynamic DNS update
    failed
    (2021-12-16 23:10:20): [be[nub.lan]] [ad_dyndns_sdap_update_done]
    (0x0040): Dynamic DNS update failed [1432158240]: Dynamic DNS
    update failed
    (2021-12-16 23:10:20): [be[nub.lan]] [be_ptask_done] (0x0040):
    Task [Dyndns update]: failed with [1432158240]: Dynamic DNS update
    failed
    (2021-12-16 23:25:20): [be[nub.lan]]
    [sss_ldap_init_sys_connect_done] (0x0020): ldap_init_fd failed:
    Bad parameter to an ldap routine. [23][cldap://arbiter.nub.lan:389]
    (2021-12-16 23:25:20): [be[nub.lan]] [sdap_sys_connect_done]
    (0x0020): sdap_async_connect_call request failed: [5]:
    Input/output error.
    (2021-12-16 23:25:20): [be[nub.lan]]
    [sss_ldap_init_sys_connect_done] (0x0020): ldap_init_fd failed:
    Bad parameter to an ldap routine. [24][cldap://ARBITER.nub.lan:389]
    (2021-12-16 23:25:20): [be[nub.lan]] [sdap_sys_connect_done]
    (0x0020): sdap_async_connect_call request failed: [5]:
    Input/output error.
    (2021-12-16 23:25:20): [be[nub.lan]] [ad_cldap_ping_done]
    (0x0040): Unable to get site and forest information [2]: No such
    file or directory

    I noticed the sssd troubleshooting basics mention to use *kinit*
    for debug, which I did, and *klist* shows:

    Ticket cache: FILE:/tmp/krb5cc_7000_MM3M16
    Default principal: [email protected]

    Valid starting       Expires              Service principal
    12/16/2021 23:28:30  12/17/2021 09:28:30 krbtgt/[email protected]
            renew until 12/17/2021 23:28:27

    I'm guessing my issue may be related to the service principal name
    used for sshd, but despite my best searching efforts, I couldn't
    find anything that tells me what it should be or how I might add
    it to AD.

    I'm stuck! Any pointers or guidance would be greatly appreciated.

    Thanks,

    Aram
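The question above boils down to one agreement between client and server: sshd accepts gssapi-with-mic only if its keytab holds a key for host/<fqdn>@REALM, and the ssh client asks the KDC for exactly host/<name it connected to>@REALM, so the two names must match and that SPN must exist on the AD computer object. The following pre-flight script is an added example, not code from the thread or from the SSSD project. It assumes the host's FQDN is test.nub.lan, the realm is NUB.LAN and the user principal is aram@NUB.LAN (inferred from the log lines, not stated in the post), and the `klist -k` and `klist` listings it checks are constructed samples in the format those tools print.

```shell
#!/bin/sh
# Added example, not from the thread. Offline pre-flight for GSSAPI ssh logins:
# the sshd keytab and the client's ticket cache must both name host/<fqdn>@REALM.
# Assumed values: FQDN test.nub.lan, realm NUB.LAN (inferred, not stated in the post).

# Constructed sample of `klist -k /etc/krb5.keytab` on a host joined via `realm join`.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 TEST$@NUB.LAN
   2 host/test.nub.lan@NUB.LAN
   2 host/TEST@NUB.LAN
   2 RestrictedKrbHost/test.nub.lan@NUB.LAN'

# Constructed sample of `klist` on the client after `ssh test.nub.lan`: a working
# gssapi-with-mic attempt leaves a service ticket for host/test.nub.lan in the cache.
CLIENT_CACHE='Ticket cache: FILE:/tmp/krb5cc_7000_MM3M16
Default principal: aram@NUB.LAN

Valid starting       Expires              Service principal
12/16/2021 23:28:30  12/17/2021 09:28:30  krbtgt/NUB.LAN@NUB.LAN
        renew until 12/17/2021 23:28:27
12/16/2021 23:30:02  12/17/2021 09:28:30  host/test.nub.lan@NUB.LAN
        renew until 12/17/2021 23:28:27'

# keytab_has_principal LISTING PRINCIPAL -> status 0 if the keytab lists PRINCIPAL.
# `klist -k` prints "KVNO Principal" columns, so the principal is field 2.
keytab_has_principal() {
  printf '%s\n' "$1" | awk -v want="$2" '$2 == want { found = 1 } END { exit !found }'
}

# cache_has_service LISTING PRINCIPAL -> status 0 if a ticket for PRINCIPAL is cached.
# `klist` prints the service principal as the last field of each ticket line.
cache_has_service() {
  printf '%s\n' "$1" | awk -v want="$2" '$NF == want { found = 1 } END { exit !found }'
}

# gssapi_preflight FQDN REALM KEYTAB_LISTING CACHE_LISTING
# Prints one line per check; status 0 only when both sides agree on host/FQDN@REALM.
gssapi_preflight() {
  spn="host/$1@$2"
  rc=0
  if keytab_has_principal "$3" "$spn"; then
    echo "ok: sshd keytab holds $spn"
  else
    echo "FAIL: keytab lacks $spn (on the host compare: klist -k /etc/krb5.keytab; hostname -f)"
    rc=1
  fi
  if cache_has_service "$4" "$spn"; then
    echo "ok: client obtained a service ticket for $spn"
  else
    echo "FAIL: no ticket for $spn in the client cache (run ssh -vvv and check which name ssh resolved)"
    rc=1
  fi
  return $rc
}

# Usage on a real host: replace the two samples with "$(klist -k)" and "$(klist)".
gssapi_preflight test.nub.lan NUB.LAN "$KEYTAB_LISTING" "$CLIENT_CACHE"
```

Two caveats when reading the results against the logs in the post. Leaving `GSSAPIStrictAcceptorCheck` at its default of yes means sshd accepts only the host principal matching its own host name, so a client that connects by an alias or short name gets no GSSAPI login even with the SPN in the keytab. The separate `tkey query failed ... Server not found in Kerberos database` message comes from the nsupdate child that sssd runs for GSS-TSIG dynamic DNS updates, so it refers to the DNS server's principal (DNS/<dns-server-fqdn>), not to sshd's, and the two problems should be debugged independently.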




_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure