Hi,

On Fri, Dec 24, 2021 at 6:17 AM Aram Akhavan <[email protected]> wrote:
> Thanks Alexey! That GitHub issue solved my problem. Do you know if this
> will get backported to Debian bullseye?
>

You should check with Debian maintainers of the SSSD package.
https://salsa.debian.org/sssd-team/sssd/-/commits/master

> Aram
>
> On 12/23/2021 2:07 PM, Alexey Tikhonov wrote:
>
> Hello,
>
> (sorry if my comments are not relevant)
>
> On Fri, Dec 17, 2021 at 8:35 AM Aram Akhavan <[email protected]> wrote:
>
>> Hi all,
>>
>> I'm new to sssd and am working on deploying it in my homelab on a test VM.
>>
>> So far, I've successfully joined my host to my very basic/vanilla Active
>> Directory domain using *realm join*. I can log in via console and ssh
>> using AD credentials, and sudo works great too.
>>
>> I can't for the life of me get GSSAPI to work on ssh, though.
>>
> Please check if this might be similar to
> https://github.com/SSSD/sssd/issues/5893
>
>
>> My relevant sshd_config options are:
>>
>> # GSSAPI options
>> GSSAPIAuthentication yes
>> #GSSAPICleanupCredentials yes
>> #GSSAPIStrictAcceptorCheck yes
>> GSSAPIKeyExchange yes
>>
>> I turned on debug logging on the ssh server and client and the only thing
>> I can see that would suggest any issues are:
>>
>> Dec 16 23:09:55 test sshd[6068]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
>>
>> I do see this in the syslog when sssd is restarted, though everything
>> else does still work:
>>
>> Dec 16 23:10:20 test sssd[6102]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
>>
> This email thread -
>
> https://lists.fedorahosted.org/archives/list/[email protected]/thread/H24WBE7QG3XAWLAIXYPDXIYKBJBURMVF/
> - mentions a similar error message.
>
>
>
>> In my sssd_nub.lan.log file I have a few errors but from what I can tell
>> they're all related to dynamic dns updates:
>>
>> (2021-12-16 23:10:10): [be[nub.lan]] [ad_disable_gc] (0x0040): POSIX attributes were requested but are not present on the server side. Global Catalog lookups will be disabled
>> (2021-12-16 23:10:20): [be[nub.lan]] [child_sig_handler] (0x0020): child [6102] failed with status [2].
>> (2021-12-16 23:10:20): [be[nub.lan]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
>> (2021-12-16 23:10:20): [be[nub.lan]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158240]: Dynamic DNS update failed
>> (2021-12-16 23:10:20): [be[nub.lan]] [child_sig_handler] (0x0020): child [6106] failed with status [2].
>> (2021-12-16 23:10:20): [be[nub.lan]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
>> (2021-12-16 23:10:20): [be[nub.lan]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158240]: Dynamic DNS update failed
>> (2021-12-16 23:10:20): [be[nub.lan]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158240]: Dynamic DNS update failed
>> (2021-12-16 23:10:20): [be[nub.lan]] [be_ptask_done] (0x0040): Task [Dyndns update]: failed with [1432158240]: Dynamic DNS update failed
>> (2021-12-16 23:25:20): [be[nub.lan]] [sss_ldap_init_sys_connect_done] (0x0020): ldap_init_fd failed: Bad parameter to an ldap routine. [23][cldap://arbiter.nub.lan:389]
>> (2021-12-16 23:25:20): [be[nub.lan]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [5]: Input/output error.
>> (2021-12-16 23:25:20): [be[nub.lan]] [sss_ldap_init_sys_connect_done] (0x0020): ldap_init_fd failed: Bad parameter to an ldap routine. [24][cldap://ARBITER.nub.lan:389]
>> (2021-12-16 23:25:20): [be[nub.lan]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [5]: Input/output error.
>> (2021-12-16 23:25:20): [be[nub.lan]] [ad_cldap_ping_done] (0x0040): Unable to get site and forest information [2]: No such file or directory
>>
>> I noticed the sssd troubleshooting basics mention to use *kinit* for
>> debug, which I did, and *klist* shows:
>>
>> Ticket cache: FILE:/tmp/krb5cc_7000_MM3M16
>> Default principal: [email protected]
>>
>> Valid starting       Expires              Service principal
>> 12/16/2021 23:28:30  12/17/2021 09:28:30  krbtgt/[email protected]
>>         renew until 12/17/2021 23:28:27
>>
>> I'm guessing my issue may be related to the service principal name used
>> for sshd, but despite my best searching efforts, I couldn't find anything
>> that tells me what it should be or how I might add it to AD.
>>
>> I'm stuck! Any pointers or guidance would be greatly appreciated.
>>
>> Thanks,
>>
>> Aram
>>
>
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
