On 22 Nov 2022, at 15:22, Sumit Bose <sbose(a)redhat.com> wrote:
On Tue, Nov 22, 2022 at 02:21:13PM +0100, Francis Augusto Medeiros-Logeay wrote:
> Hi,
>
> After the latest updates coming from Red Hat on RHEL 8.7, we can't
> authenticate on AD. The logs show this:
>
> Nov 22 14:15:53 ic-rhel8-t001.c.domain.no sshd[6275]: pam_sss(sshd:auth):
> received for user ec-franciaa: 4 (System error)
> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sshd[6275]: Failed password for
> ec-franciaa from ::1 port 51406 ssh2
> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6280]: tkey query failed:
> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
> information, Minor = Server not found in Kerberos database.
> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6280]: tkey query failed:
> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
> information, Minor = Server not found in Kerberos database.
> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6284]: tkey query failed:
> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
> information, Minor = Server not found in Kerberos database.
> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6284]: tkey query failed:
> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
> information, Minor = Server not found in Kerberos database.
> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6288]: tkey query failed:
> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
> information, Minor = Server not found in Kerberos database.
> Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6288]: tkey query failed:
> GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more
> information, Minor = Server not found in Kerberos database.
> Nov 22 14:15:56 ic-rhel8-t001.c.domain.no sshd[6275]: Connection closed by
> authenticating user francis ::1 port 51406 [preauth]
>
>
> I've deleted the computer account and rejoined the machine to the domain. I
> can check users existence using id, it seems the machine is well joined, but
> somehow authentication doesn't work.
>
>
> [domain/DOMAIN.NO]
> id_provider = ad
> auth_provider = ad
> autofs_provider = ad
> chpass_provider = ad
> access_provider = ad
> ldap_id_mapping = false
> ldap_user_principal = nosuchattribute
Hi,
there is a fair chance that the line above will make the PAC validation
fail which was added in the latest version. Do you really need this
option? If not, please remove it and try again. If it is really needed
adding
krb5_validate = false
to the [domain/...] section of sssd.conf and restarting SSSD might help
until a better fix is available. The issue is tracked in
https://bugzilla.redhat.com/show_bug.cgi?id=2144491.
HTH
bye,
Sumit
Thanks a lot, Sumit!
Removing `ldap_user_principal = nosuchattribute` didn’t work, but adding the
`krb5_validate = false` did.
Is there an upcoming fix coming for this, by any chance?
Best,
Francis
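As an added illustration (not part of the thread, and not SSSD project code), the script below audits an sssd.conf for the two states discussed above: an AD domain that sets `ldap_user_principal` while Kerberos ticket (PAC) validation is still on, and the `krb5_validate = false` workaround, which should be tracked and reverted once a fixed build is installed. It also summarises the auth-failure signature from the quoted journal lines. The sample config and log lines are constructed from the thread; the `[sssd]` section, the shortened hostname, and treating validation as enabled whenever `krb5_validate` is unset are assumptions.

```python
import configparser
import re
from typing import Dict, List

# Constructed sample sssd.conf: the [domain/...] section quoted in the thread,
# plus a minimal [sssd] section (assumed) so it parses as a complete file.
SAMPLE_CONF = """\
[sssd]
domains = DOMAIN.NO
services = nss, pam

[domain/DOMAIN.NO]
id_provider = ad
auth_provider = ad
autofs_provider = ad
chpass_provider = ad
access_provider = ad
ldap_id_mapping = false
ldap_user_principal = nosuchattribute
"""

# Constructed journal lines modelled on the ones in the thread (hostname shortened).
SAMPLE_LOG = [
    "Nov 22 14:15:53 host sshd[6275]: pam_sss(sshd:auth): received for user ec-franciaa: 4 (System error)",
    "Nov 22 14:15:55 host sshd[6275]: Failed password for ec-franciaa from ::1 port 51406 ssh2",
    "Nov 22 14:15:55 host sssd[6280]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. "
    "Minor code may provide more information, Minor = Server not found in Kerberos database.",
]

BUG_URL = "https://bugzilla.redhat.com/show_bug.cgi?id=2144491"


def load_domains(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Parse sssd.conf text and return {domain: {option: value}} for each [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {
        section.split("/", 1)[1]: dict(cp[section])
        for section in cp.sections()
        if section.startswith("domain/")
    }


def audit_domain(domain: str, opts: Dict[str, str]) -> List[str]:
    """Flag the two configuration states the thread discusses for one domain section."""
    findings: List[str] = []
    # Assumption: validation is on unless explicitly turned off; the failing
    # config in the thread does not set krb5_validate at all.
    validate_on = opts.get("krb5_validate", "true").strip().lower() != "false"
    upn_attr = opts.get("ldap_user_principal")
    if upn_attr and validate_on:
        findings.append(
            f"{domain}: ldap_user_principal = {upn_attr} with PAC validation on; "
            f"matches the failure pattern tracked in {BUG_URL}"
        )
    if not validate_on:
        findings.append(
            f"{domain}: krb5_validate = false disables Kerberos ticket (PAC) validation; "
            "this is a workaround, revert it once a fixed sssd build is installed"
        )
    return findings


def scan_log(lines: List[str]) -> Dict[str, object]:
    """Summarise the signature from the thread: pam_sss result 4 (System error)
    per user, plus the number of GSSAPI 'tkey query failed' messages from sssd."""
    pam_result = re.compile(r"pam_sss\([^)]*\): received for user (\S+): (\d+) \((.+?)\)")
    tkey_fail = re.compile(r"sssd\[\d+\]: tkey query failed: GSSAPI error")
    summary: Dict[str, object] = {"system_error_users": [], "tkey_failures": 0}
    for line in lines:
        m = pam_result.search(line)
        if m and m.group(2) == "4":  # 4 == PAM_SYSTEM_ERR, as in the quoted log
            summary["system_error_users"].append(m.group(1))
        if tkey_fail.search(line):
            summary["tkey_failures"] = int(summary["tkey_failures"]) + 1
    return summary


if __name__ == "__main__":
    for name, opts in load_domains(SAMPLE_CONF).items():
        for finding in audit_domain(name, opts):
            print("CONFIG:", finding)
    print("LOG:", scan_log(SAMPLE_LOG))
```

Run against a real /etc/sssd/sssd.conf by reading the file into `load_domains`; the config audit only reports what is set, it does not claim that removing `ldap_user_principal` alone restores logins (the thread reports it did not), and the `krb5_validate = false` finding is there so the temporary loss of PAC validation does not quietly become permanent.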