On Tue, Nov 22, 2022 at 03:29:18PM +0100, Francis Augusto Medeiros-Logeay wrote:
>
>
> > On 22 Nov 2022, at 15:22, Sumit Bose <[email protected]> wrote:
> >
> > On Tue, Nov 22, 2022 at 02:21:13PM +0100, Francis Augusto
> > Medeiros-Logeay wrote:
> >> Hi,
> >>
> >> After the latest updates coming from Red Hat on RHEL 8.7, we can't
> >> authenticate on AD. The logs show this:
> >>
> >> Nov 22 14:15:53 ic-rhel8-t001.c.domain.no sshd[6275]: pam_sss(sshd:auth):
> >> received for user ec-franciaa: 4 (System error)
> >> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sshd[6275]: Failed password for
> >> ec-franciaa from ::1 port 51406 ssh2
> >> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6280]: tkey query failed:
> >> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
> >> information, Minor = Server not found in Kerberos database.
> >> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6280]: tkey query failed:
> >> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
> >> information, Minor = Server not found in Kerberos database.
> >> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6284]: tkey query failed:
> >> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
> >> information, Minor = Server not found in Kerberos database.
> >> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6284]: tkey query failed:
> >> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
> >> information, Minor = Server not found in Kerberos database.
> >> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6288]: tkey query failed:
> >> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
> >> information, Minor = Server not found in Kerberos database.
> >> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6288]: tkey query failed:
> >> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
> >> information, Minor = Server not found in Kerberos database.
> >> Nov 22 14:15:56 ic-rhel8-t001.c.domain.no sshd[6275]: Connection closed by
> >> authenticating user francis ::1 port 51406 [preauth]
> >>
> >>
> >> I've deleted the computer account and rejoined the machine to the domain. I
> >> can check users' existence using id, it seems the machine is well joined,
> >> but somehow authentication doesn't work.
> >>
> >>
> >> [domain/DOMAIN.NO]
> >> id_provider = ad
> >> auth_provider = ad
> >> autofs_provider = ad
> >> chpass_provider = ad
> >> access_provider = ad
> >> ldap_id_mapping = false
> >> ldap_user_principal = nosuchattribute
> >
> > Hi,
> >
> > there is a fair chance that the line above will make the PAC validation
> > fail which was added in the latest version. Do you really need this
> > option? If not, please remove it and try again. If it is really needed
> > adding
> >
> > krb5_validate = false
> >
> > to the [domain/...] section of sssd.conf and restarting SSSD might help
> > until a better fix is available. The issue is tracked in
> > https://bugzilla.redhat.com/show_bug.cgi?id=2144491.
> >
> > HTH
> >
> > bye,
> > Sumit
>
>
> Thanks a lot, Sumit!
>
> Removing `ldap_user_principal = nosuchattribute` didn’t work, but adding the
> `krb5_validate = false` did.

Hi,

would it be possible to send me debug logs with 'debug_level = 9' in the
[domain/...] and [pac] sections of sssd.conf where neither
ldap_user_principal nor 'krb5_validate = false' is set?

>
> Is there an upcoming fix coming for this, by any chance?

Yes, please watch the bugzilla ticket.

bye,
Sumit

>
> Best,
>
> Francis
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
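
Added example, not part of the original thread and not SSSD project code: a small Python audit that reads an sssd.conf and reports domain sections still carrying the `krb5_validate = false` workaround or the `ldap_user_principal` override discussed above, plus a `debug_level = 9` left behind in [domain/...] or [pac] after troubleshooting. The sample configuration, the EXAMPLE.TEST domain and the function name `audit_sssd_conf` are constructed for illustration.

```python
import configparser

# Constructed sample: the domain section quoted in the thread with the
# workaround applied, plus a hypothetical second domain and [pac] section.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = DOMAIN.NO, EXAMPLE.TEST

[pac]
debug_level = 9

[domain/DOMAIN.NO]
id_provider = ad
auth_provider = ad
ldap_id_mapping = false
ldap_user_principal = nosuchattribute
krb5_validate = False

[domain/EXAMPLE.TEST]
id_provider = ad
auth_provider = ad
"""


def audit_sssd_conf(text):
    """Return (section, option, value, reason) for settings that need review."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        is_domain = section.startswith("domain/")
        if not (is_domain or section == "pac"):
            continue
        opts = parser[section]
        # Troubleshooting leftover: level 9 was requested for both sections.
        if opts.get("debug_level", "").strip() == "9":
            findings.append((section, "debug_level", "9",
                             "verbose debug logging still enabled"))
        if not is_domain:
            continue
        validate = opts.get("krb5_validate")
        # Value is compared case-insensitively, so "False" also matches.
        if validate is not None and validate.strip().lower() == "false":
            findings.append((section, "krb5_validate", validate,
                             "ticket validation disabled; revert after the fix"))
        principal = opts.get("ldap_user_principal")
        if principal is not None:
            findings.append((section, "ldap_user_principal", principal,
                             "principal attribute overridden; see the thread"))
    return findings
```

Running it over each host's /etc/sssd/sssd.conf after the fixed package is installed shows where the temporary settings still need to be removed.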
