> On 22 Nov 2022, at 15:22, Sumit Bose <[email protected]> wrote:
>
> On Tue, Nov 22, 2022 at 02:21:13PM +0100, Francis Augusto
> Medeiros-Logeay wrote:
>> Hi,
>>
>> After the latest updates coming from Red Hat on RHEL 8.7, we can't
>> authenticate on AD. The logs show this:
>>
>> Nov 22 14:15:53 ic-rhel8-t001.c.domain.no sshd[6275]: pam_sss(sshd:auth):
>> received for user ec-franciaa: 4 (System error)
>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sshd[6275]: Failed password for
>> ec-franciaa from ::1 port 51406 ssh2
>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6280]: tkey query failed:
>> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
>> information, Minor = Server not found in Kerberos database.
>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6280]: tkey query failed:
>> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
>> information, Minor = Server not found in Kerberos database.
>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6284]: tkey query failed:
>> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
>> information, Minor = Server not found in Kerberos database.
>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6284]: tkey query failed:
>> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
>> information, Minor = Server not found in Kerberos database.
>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6288]: tkey query failed:
>> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
>> information, Minor = Server not found in Kerberos database.
>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6288]: tkey query failed:
>> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
>> information, Minor = Server not found in Kerberos database.
>> Nov 22 14:15:56 ic-rhel8-t001.c.domain.no sshd[6275]: Connection closed by
>> authenticating user francis ::1 port 51406 [preauth]
>>
>>
>> I've deleted the computer account and rejoined the machine to the domain. I
>> can check users existence using id, it seems the machine is well joined, but
>> somehow authentication doesn't work.
>>
>>
>> [domain/DOMAIN.NO]
>> id_provider = ad
>> auth_provider = ad
>> autofs_provider = ad
>> chpass_provider = ad
>> access_provider = ad
>> ldap_id_mapping = false
>> ldap_user_principal = nosuchattribute
>
> Hi,
>
> there is a fair chance that the line above will make the PAC validation
> fail which was added in the latest version. Do you really need this
> option? If not, please remove it and try again. If it is really needed
> adding
>
> krb5_validate = false
>
> to the [domain/...] section of sssd.conf and restarting SSSD might help
> until a better fix is available. The issue is tracked in
> https://bugzilla.redhat.com/show_bug.cgi?id=2144491.
>
> HTH
>
> bye,
> Sumit

Thanks a lot, Sumit!

Removing `ldap_user_principal = nosuchattribute` didn’t work, but adding the `krb5_validate = false` did.

Is there an upcoming fix coming for this, by any chance?

Best,

Francis
_______________________________________________
sssd-users mailing list -- [email protected]
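
Since `krb5_validate = false` is offered in the thread only as a stopgap until a better fix is available, hosts that carry it are worth finding again later. The following is an added example, not part of the original thread or of SSSD: a Python audit of sssd.conf text. The function name `audit_sssd_conf` and the sample config (the section quoted above with the workaround added, plus a made-up second domain) are constructed, and the provider defaults are those documented in sssd-krb5(5).

```python
import configparser

# Constructed sample: the [domain/...] section quoted in the thread with the
# krb5_validate workaround added, plus a made-up second domain for contrast.
SAMPLE_CONF = """
[sssd]
domains = DOMAIN.NO, example.test

[domain/DOMAIN.NO]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = false
ldap_user_principal = nosuchattribute
krb5_validate = false

[domain/example.test]
id_provider = ad
"""

def audit_sssd_conf(text):
    """Return {domain: [findings]} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        findings = []
        # auth_provider falls back to id_provider when it is not set.
        provider = opts.get("auth_provider", opts.get("id_provider", "")).strip().lower()
        # sssd-krb5(5): krb5_validate defaults to true for the AD and IPA providers.
        default = "true" if provider in ("ad", "ipa") else "false"
        validate = opts.get("krb5_validate", default).strip().lower()
        if provider in ("ad", "ipa", "krb5") and validate != "true":
            findings.append("krb5_validate is off: TGT not verified against the host keytab")
        if "ldap_user_principal" in opts:
            findings.append("ldap_user_principal overridden to %r"
                            % opts["ldap_user_principal"].strip())
        report[section.split("/", 1)[1]] = findings
    return report

if __name__ == "__main__":
    for domain, findings in audit_sssd_conf(SAMPLE_CONF).items():
        print(domain, "->", findings or "ok")
```

Run against each host's real `/etc/sssd/sssd.conf` (and any `conf.d` snippets), this gives a list of machines to revisit once the bug tracked in the thread is fixed.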
