2:25 a.m.
I have an IPA setup with replica which has trust configured with an Active Directory
domain. The trust has been configured and it does show correctly when listed, but users
cannot authenticate against Active Directory. The only error I see (on IPA server sssd
logs) after I enabled debugging is:
[sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more information (Server
ldap/dccontroller.example.local(a)IPADEV.EXAMPLE.LOCAL not found in Kerberos database)]
This error is logged for all 8 domain controllers behind Active Directory domain.
Any hint where to look for or check would be really appreciated .
2:53 a.m.
Am Mon, Apr 26, 2021 at 07:25:59AM -0000 schrieb iulian roman via FreeIPA-users:
I have an IPA setup with replica which has trust configured with an
Active Directory domain. The trust has been configured and it does show correctly when
listed, but users cannot authenticate against Active Directory. The only error I see (on
IPA server sssd logs) after I enabled debugging is:
[sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more information (Server
ldap/dccontroller.example.local(a)IPADEV.EXAMPLE.LOCAL not found in Kerberos database)]
This error is logged for all 8 domain controllers behind Active Directory domain.
Any hint where to look for or check would be really appreciated .
Hi,
it looks like the KDC of the IPA realm IPADEV.EXAMPLE.LOCAL is asked for
a ticket of an AD DC dccontroller.example.local. Can you check
/etc/krb5.conf (and all files in the include directories) if in the
[domain_realm] section the domain example.local is mapped to the realm
IPADEV.EXAMPLE.LOCAL?
bye,
Sumit
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
3:32 a.m.
I checked /etc/krb5.conf and it is mapped. I have tried as well the bellow scenario,
which might help in troubleshooting:
- If i configure trust with a different AD domain (the one created for test, with only
one DC behind AD domain) , the same IPA domain works properly. The only difference is that
in sssd logs i do not see any reference to
ldap/dccontroller.example.local(a)IPADEV.EXAMPLE.LOCAL and no GSSAPI errors, it seems it
does not ask for that ldap service Kerberos ticket at all, or is asking for a different
service ticket.
Another difference between the PRD environment and TEST environment is : ipa domain is a
subdomain for the main AD domain (IPA domain is ipadev.example.local and the AD domain
is example.local) , but for the test AD i have ipa domain ipadev.example.local and AD
domain is example.intern (therefore no domain/subdomain relationship between them).
The test AD domain I tried (and which works) does use Windows Server 2012 and the main AD
domain (which does not work) uses a mix of Windows Server 2012 and Windows Server 2016
operating systems.
There might be other differences as well, but I do not know exactly where to look into (I
do not manage the AD).
4:38 a.m.
Am Mon, Apr 26, 2021 at 08:32:51AM -0000 schrieb iulian roman via FreeIPA-users:
I checked /etc/krb5.conf and it is mapped. I have tried as well the
bellow scenario, which might help in troubleshooting:
Hi,
so if you have a line
example.local = IPADEV.EXAMPLE.LOCAL
this is wrong, it should be
example.local = EXAMPLE.LOCAL
i.e. ask a DC from EXAMPLE.LOCAL for services in the example.local DNS
domain.
HTH
bye,
Sumit
- If i configure trust with a different AD domain (the one created for test, with only
one DC behind AD domain) , the same IPA domain works properly. The only difference is that
in sssd logs i do not see any reference to
ldap/dccontroller.example.local(a)IPADEV.EXAMPLE.LOCAL and no GSSAPI errors, it seems it
does not ask for that ldap service Kerberos ticket at all, or is asking for a different
service ticket.
Another difference between the PRD environment and TEST environment is : ipa domain is
a subdomain for the main AD domain (IPA domain is ipadev.example.local and the AD domain
is example.local) , but for the test AD i have ipa domain ipadev.example.local and AD
domain is example.intern (therefore no domain/subdomain relationship between them).
The test AD domain I tried (and which works) does use Windows Server 2012 and the main AD
domain (which does not work) uses a mix of Windows Server 2012 and Windows Server 2016
operating systems.
There might be other differences as well, but I do not know exactly where to look into (I
do not manage the AD).
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
9:05 a.m.
That was it Sumit ! Thank You !
I need to check if that needs to be corrected on all the clients after the client
enrolment.
2:54 a.m.
TCP/UDP port 88 not open ? (Kerberos krb5)
-----Message d'origine-----
De : iulian roman via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Envoyé : lundi 26 avril 2021 09:26
À : freeipa-users(a)lists.fedorahosted.org
Cc : iulian roman <iroman_2002(a)yahoo.com>
Objet : [Freeipa-users] GSSAPI Error with AD trust
I have an IPA setup with replica which has trust configured with an Active Directory
domain. The trust has been configured and it does show correctly when listed, but users
cannot authenticate against Active Directory. The only error I see (on IPA server sssd
logs) after I enabled debugging is:
[sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more information (Server
ldap/dccontroller.example.local(a)IPADEV.EXAMPLE.LOCAL not found in Kerberos database)]
This error is logged for all 8 domain controllers behind Active Directory domain.
Any hint where to look for or check would be really appreciated .
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Ce message transmis par voie électronique ainsi que toutes ses annexes contiennent des
informations qui peuvent être confidentielles ou protégées. Ces informations sont
uniquement destinées à l’usage des personnes ou des entités précisées dans les champs ‘A’,
‘Cc’ et ‘Cci’. Si vous n’êtes pas l’un de ces destinataires, soyez conscient que toute
forme, partielle ou complète, de divulgation, copie, distribution ou utilisation de ces
informations est strictement interdite. Si vous avez reçu ce message par erreur, veuillez
nous en informer par téléphone ou par message électronique et détruire les informations
immédiatement. Ce message n’engage que son signataire et aucunement son employeur.
1094
days inactive
1094
days old
freeipa-users@lists.fedorahosted.org
5 comments
3 participants
participants (3)
-
iulian roman -
LHEUREUX Bernard -
Sumit Bose