On Tue, Nov 22, 2022 at 03:29:18PM +0100, Francis Augusto Medeiros-Logeay wrote:
> On 22 Nov 2022, at 15:22, Sumit Bose <sbose(a)redhat.com> wrote:
>
> On Tue, Nov 22, 2022 at 02:21:13PM +0100, Francis Augusto Medeiros-Logeay wrote:
>> Hi,
>>
>> After the latest updates coming from Red Hat on RHEL 8.7, we can't
>> authenticate on AD. The logs show this:
>>
>> Nov 22 14:15:53 ic-rhel8-t001.c.domain.no sshd[6275]: pam_sss(sshd:auth):
>> received for user ec-franciaa: 4 (System error)
>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sshd[6275]: Failed password for
>> ec-franciaa from ::1 port 51406 ssh2
>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6280]: tkey query failed:
>> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
>> information, Minor = Server not found in Kerberos database.
>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6280]: tkey query failed:
>> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
>> information, Minor = Server not found in Kerberos database.
>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6284]: tkey query failed:
>> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
>> information, Minor = Server not found in Kerberos database.
>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6284]: tkey query failed:
>> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
>> information, Minor = Server not found in Kerberos database.
>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6288]: tkey query failed:
>> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
>> information, Minor = Server not found in Kerberos database.
>> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6288]: tkey query failed:
>> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
>> information, Minor = Server not found in Kerberos database.
>> Nov 22 14:15:56 ic-rhel8-t001.c.domain.no sshd[6275]: Connection closed by
>> authenticating user francis ::1 port 51406 [preauth]
>>
>>
>> I've deleted the computer account and rejoined the machine to the domain. I
>> can check users existence using id, it seems the machine is well joined, but
>> somehow authentication doesn't work.
>>
>>
>> [domain/DOMAIN.NO]
>> id_provider = ad
>> auth_provider = ad
>> autofs_provider = ad
>> chpass_provider = ad
>> access_provider = ad
>> ldap_id_mapping = false
>> ldap_user_principal = nosuchattribute
>
> Hi,
>
> there is a fair chance that the line above will make the PAC validation
> fail which was added in the latest version. Do you really need this
> option? If not, please remove it and try again. If it is really needed
> adding
>
> krb5_validate = false
>
> to the [domain/...] section of sssd.conf and restarting SSSD might help
> until a better fix is available. The issue is tracked in
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2144491.
>
> HTH
>
> bye,
> Sumit
>
> Thanks a lot, Sumit!
>
> Removing `ldap_user_principal = nosuchattribute` didn’t work, but adding the
> `krb5_validate = false` did.

Hi,

would it be possible to send me debug logs with 'debug_level = 9' in the
[domain/...] and [pac] sections of sssd.conf where neither
ldap_user_principal nor 'krb5_validate = false' is set?

> Is there an upcoming fix coming for this, by any chance?

Yes, please watch the bugzilla ticket.

bye,
Sumit

> Best,
> Francis
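
As an added example (not part of the thread and not SSSD project code), a small Python check that reports the two options discussed above in each [domain/...] section and lists what still differs from the debug setup Sumit asked for. The function names and the sample config are constructed for illustration.

```python
import configparser

# Constructed sample: the [domain/DOMAIN.NO] options quoted in the thread plus
# the temporary workaround. Not taken from a real host.
SAMPLE = """\
[pac]
debug_level = 9

[domain/DOMAIN.NO]
id_provider = ad
auth_provider = ad
ldap_id_mapping = false
ldap_user_principal = nosuchattribute
krb5_validate = false
"""

def _load(text):
    # interpolation=None: sssd.conf values may contain literal '%' characters
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def _domains(cp):
    return [s for s in cp.sections() if s.startswith("domain/")]

def workaround_findings(text):
    """List (section, option, value) for the two options the thread is about."""
    cp, out = _load(text), []
    for sec in _domains(cp):
        if cp.has_option(sec, "ldap_user_principal"):
            out.append((sec, "ldap_user_principal", cp.get(sec, "ldap_user_principal")))
        if cp.get(sec, "krb5_validate", fallback="").strip().lower() == "false":
            out.append((sec, "krb5_validate", "false"))
    return out

def debug_capture_blockers(text):
    """Reasons this config does not match the requested debug setup:
    debug_level = 9 in [domain/...] and [pac], neither option above set."""
    cp = _load(text)
    blockers = ["%s: remove %s" % (s, o) for s, o, _ in workaround_findings(text)]
    for sec in _domains(cp) + ["pac"]:
        if not cp.has_section(sec) or cp.get(sec, "debug_level", fallback="").strip() != "9":
            blockers.append("%s: set debug_level = 9" % sec)
    return blockers

if __name__ == "__main__":
    for line in debug_capture_blockers(SAMPLE):
        print(line)
```

Running the same check across a fleet once the fix tracked in the bugzilla ticket is installed shows which hosts still carry `krb5_validate = false`.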