On Tue, Nov 22, 2022 at 02:21:13PM +0100, Francis Augusto
Medeiros-Logeay wrote:
> Hi,
> 
> After the latest updates coming from Red Hat on RHEL 8.7, we can't
> authenticate on AD. The logs show this:
> 
> Nov 22 14:15:53 ic-rhel8-t001.c.domain.no sshd[6275]: pam_sss(sshd:auth):
> received for user ec-franciaa: 4 (System error)
> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sshd[6275]: Failed password for
> ec-franciaa from ::1 port 51406 ssh2
> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6280]: tkey query failed:
> GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more
> information, Minor = Server not found in Kerberos database.
> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6280]: tkey query failed:
> GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more
> information, Minor = Server not found in Kerberos database.
> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6284]: tkey query failed:
> GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more
> information, Minor = Server not found in Kerberos database.
> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6284]: tkey query failed:
> GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more
> information, Minor = Server not found in Kerberos database.
> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6288]: tkey query failed:
> GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more
> information, Minor = Server not found in Kerberos database.
> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6288]: tkey query failed:
> GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more
> information, Minor = Server not found in Kerberos database.
> Nov 22 14:15:56 ic-rhel8-t001.c.domain.no sshd[6275]: Connection closed by
> authenticating user francis ::1 port 51406 [preauth]
> 
> 
> I've deleted the computer account and rejoined the machine to the domain. I
> can check users existence using id, it seems the machine is well joined, but
> somehow authentication doesn't work.
> 
> 
> [domain/DOMAIN.NO]
> id_provider = ad
> auth_provider = ad
> autofs_provider = ad
> chpass_provider = ad
> access_provider = ad
> ldap_id_mapping = false
> ldap_user_principal = nosuchattribute

Hi,

there is a fair chance that the line above will make the PAC validation
fail which was added in the latest version. Do you really need this
option? If not, please remove it and try again. If it is really needed
adding

     krb5_validate = false

to the [domain/...] section of sssd.conf and restarting SSSD might help
until a better fix is available. The issue is tracked in
https://bugzilla.redhat.com/show_bug.cgi?id=2144491.

HTH

bye,
Sumit

> ad_server = dc.domain.no
> 
> ldap_id_mapping = false
> 
> # getent on users with more -- results in a lot of noise
> enumerate = false
> cache_credentials = true
> 
> # Setup schema, rfc2307 is for OpenLDAP, rfc2307bis is A/D-close, and ad is
> A/D
> dns_discovery_domain = dc.domain.no
> 
> 
> krb5_realm = AD.FP.EDUCLOUD.NO
> # how long including renewals may a ticket be valid for
> krb5_renewable_lifetime = 14d
> # time in seconds between checking if a ticket must be renewed
> krb5_renew_interval = 3600
> # template used for placing kerberos tickets by default
> ad_gpo_map_interactive = +gdm-vmwcred
> use_fully_qualified_names = False
> 
> [kcm]
> tgt_renewal = true
> tgt_renewal_inherit = DOMAIN.NO
> krb5_renew_interval = 60m
> debug_level = 10
> socket_path = /var/run/.heim_org.h5l.kcm-socket
> 
> 
> We have a machine built two weeks ago with the same sssd.conf, and it just
> works.
> 
> Any hints?
> 
> Best,
> 
> Francis
> 
> -- 
> Francis Augusto Medeiros-Logeay
> Oslo, Norway
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue
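The ldap_user_principal / krb5_validate combination Sumit describes, as an added audit script that is not part of the thread and not SSSD's own tooling: it parses an sssd.conf (the sample below is constructed from the quoted config, duplicate key included) and flags every [domain/...] section that sets ldap_user_principal while krb5_validate is not explicitly false. That krb5_validate counts as enabled unless set to false is an assumption taken from the workaround in the reply.

```python
"""Audit sssd.conf for the ldap_user_principal / PAC validation clash
described in the thread (added example, not SSSD's own check)."""
import configparser

# Constructed sample modelled on the quoted config; the repeated
# ldap_id_mapping line is kept on purpose to exercise the parser.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = DOMAIN.NO

[domain/DOMAIN.NO]
id_provider = ad
auth_provider = ad
ldap_id_mapping = false
ldap_user_principal = nosuchattribute
ad_server = dc.domain.no
ldap_id_mapping = false
krb5_realm = AD.FP.EDUCLOUD.NO

[domain/OTHER.EXAMPLE]
id_provider = ad
auth_provider = ad
ldap_user_principal = nosuchattribute
krb5_validate = false
"""


def parse_sssd_conf(text):
    # strict=False tolerates duplicate options such as ldap_id_mapping above;
    # interpolation=None keeps '%' in values from being treated specially.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def audit_pac_validation(text):
    """Return {section: finding} for each [domain/...] section that overrides
    ldap_user_principal without disabling krb5_validate (assumed on by default)."""
    cp = parse_sssd_conf(text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        upn_attr = cp.get(section, "ldap_user_principal", fallback=None)
        validate = cp.get(section, "krb5_validate", fallback="true").strip().lower()
        if upn_attr is not None and validate != "false":
            findings[section] = (
                f"ldap_user_principal = {upn_attr} with krb5_validate enabled; "
                "remove the option or set krb5_validate = false (bz#2144491)"
            )
    return findings


if __name__ == "__main__":
    for sec, msg in audit_pac_validation(SAMPLE_SSSD_CONF).items():
        print(f"{sec}: {msg}")
```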