I have an IPA setup with replica which has trust configured with an Active Directory domain. The trust has been configured and it does show correctly when listed, but users cannot authenticate against Active Directory. The only error I see (on IPA server sssd logs) after I enabled debugging is:
[sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/dccontroller.example.local@IPADEV.EXAMPLE.LOCAL not found in Kerberos database)]
This error is logged for all 8 domain controllers behind Active Directory domain.
Any hint where to look for or check would be really appreciated.
On Mon, Apr 26, 2021 at 07:25:59AM -0000, iulian roman via FreeIPA-users wrote:
> I have an IPA setup with replica which has trust configured with an Active Directory domain. The trust has been configured and it does show correctly when listed, but users cannot authenticate against Active Directory. The only error I see (on IPA server sssd logs) after I enabled debugging is:
> [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/dccontroller.example.local@IPADEV.EXAMPLE.LOCAL not found in Kerberos database)]
> This error is logged for all 8 domain controllers behind Active Directory domain.
> Any hint where to look for or check would be really appreciated.
Hi,
it looks like the KDC of the IPA realm IPADEV.EXAMPLE.LOCAL is asked for a ticket of an AD DC dccontroller.example.local. Can you check /etc/krb5.conf (and all files in the include directories) if in the [domain_realm] section the domain example.local is mapped to the realm IPADEV.EXAMPLE.LOCAL?
bye, Sumit
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
I checked /etc/krb5.conf and it is mapped. I have tried as well the below scenario, which might help in troubleshooting:
- If I configure trust with a different AD domain (the one created for test, with only one DC behind the AD domain), the same IPA domain works properly. The only difference is that in sssd logs I do not see any reference to ldap/dccontroller.example.local@IPADEV.EXAMPLE.LOCAL and no GSSAPI errors; it seems it does not ask for that ldap service Kerberos ticket at all, or is asking for a different service ticket.
Another difference between the PRD environment and the TEST environment is: the IPA domain is a subdomain of the main AD domain (IPA domain is ipadev.example.local and the AD domain is example.local), but for the test AD I have IPA domain ipadev.example.local and AD domain example.intern (therefore no domain/subdomain relationship between them).
The test AD domain I tried (and which works) does use Windows Server 2012 and the main AD domain (which does not work) uses a mix of Windows Server 2012 and Windows Server 2016 operating systems.
There might be other differences as well, but I do not know exactly where to look into (I do not manage the AD).
On Mon, Apr 26, 2021 at 08:32:51AM -0000, iulian roman via FreeIPA-users wrote:
> I checked /etc/krb5.conf and it is mapped. I have tried as well the below scenario, which might help in troubleshooting:
Hi,
so if you have a line
example.local = IPADEV.EXAMPLE.LOCAL
this is wrong, it should be
example.local = EXAMPLE.LOCAL
i.e. ask a DC from EXAMPLE.LOCAL for services in the example.local DNS domain.
HTH
bye, Sumit
> - If I configure trust with a different AD domain (the one created for test, with only one DC behind the AD domain), the same IPA domain works properly. The only difference is that in sssd logs I do not see any reference to ldap/dccontroller.example.local@IPADEV.EXAMPLE.LOCAL and no GSSAPI errors; it seems it does not ask for that ldap service Kerberos ticket at all, or is asking for a different service ticket.
> Another difference between the PRD environment and the TEST environment is: the IPA domain is a subdomain of the main AD domain (IPA domain is ipadev.example.local and the AD domain is example.local), but for the test AD I have IPA domain ipadev.example.local and AD domain example.intern (therefore no domain/subdomain relationship between them).
> The test AD domain I tried (and which works) does use Windows Server 2012 and the main AD domain (which does not work) uses a mix of Windows Server 2012 and Windows Server 2016 operating systems.
> There might be other differences as well, but I do not know exactly where to look into (I do not manage the AD).
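To make Sumit's point concrete, here is an added example (my own code, not from this thread or from the FreeIPA or MIT krb5 projects). It parses the [domain_realm] section of a krb5.conf-style text, applies the documented lookup rule (exact host entry first, then the longest matching ".parent.domain" suffix), and reports which realm a given AD domain controller hostname would be mapped to. The two configurations are constructed samples: the "wrong" one maps example.local to the IPA realm, which is exactly why the IPA KDC is asked for ldap/dccontroller.example.local@IPADEV.EXAMPLE.LOCAL and answers "not found in Kerberos database"; the "fixed" one maps it to EXAMPLE.LOCAL while the IPA subdomain still resolves to IPADEV.EXAMPLE.LOCAL, because the longer suffix wins. Hostnames and realms are the ones from the thread; the files themselves and the function names are assumptions.

```python
"""Check [domain_realm] mappings in krb5.conf text for an AD-trust mistake.

Example code added for illustration; not part of FreeIPA or krb5.
"""
import re

# Constructed sample: mirrors the mistake discussed in the thread.
WRONG_KRB5_CONF = """
[libdefaults]
  default_realm = IPADEV.EXAMPLE.LOCAL
  dns_lookup_realm = false

[realms]
  IPADEV.EXAMPLE.LOCAL = {
    kdc = ipa.ipadev.example.local:88
  }

[domain_realm]
  .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  .example.local = IPADEV.EXAMPLE.LOCAL   # wrong: AD domain mapped to IPA realm
  example.local = IPADEV.EXAMPLE.LOCAL    # wrong
"""

# Constructed sample: the corrected mapping Sumit suggests.
FIXED_KRB5_CONF = """
[libdefaults]
  default_realm = IPADEV.EXAMPLE.LOCAL
  dns_lookup_realm = false

[realms]
  IPADEV.EXAMPLE.LOCAL = {
    kdc = ipa.ipadev.example.local:88
  }

[domain_realm]
  .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  .example.local = EXAMPLE.LOCAL
  example.local = EXAMPLE.LOCAL
"""


def parse_domain_realm(text):
    """Return the [domain_realm] section as {dns_name_lowercase: REALM}.

    Only flat 'key = value' lines are read; other sections (including the
    braced blocks under [realms]) are skipped because parsing stops at the
    next section header. Comments after '#' are ignored.
    """
    mapping = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping


def realm_for_host(mapping, hostname):
    """Apply the [domain_realm] lookup rule to a hostname.

    An exact hostname entry wins; otherwise the longest '.suffix' entry that
    matches the host's parent domains is used. Returns None if nothing matches.
    """
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def check_ad_trust_mapping(text, ad_dc_host, ad_realm, ipa_realm):
    """Classify how an AD domain controller's hostname is mapped.

    Returns (status, resolved_realm) where status is one of:
    'ok', 'mapped-to-ipa-realm', 'other-realm', 'unmapped'.
    """
    resolved = realm_for_host(parse_domain_realm(text), ad_dc_host)
    if resolved == ad_realm:
        return "ok", resolved
    if resolved == ipa_realm:
        return "mapped-to-ipa-realm", resolved
    if resolved is None:
        return "unmapped", None
    return "other-realm", resolved


if __name__ == "__main__":
    for label, conf in (("wrong", WRONG_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        status, realm = check_ad_trust_mapping(
            conf, "dccontroller.example.local", "EXAMPLE.LOCAL", "IPADEV.EXAMPLE.LOCAL")
        print(f"{label}: dccontroller.example.local -> {realm} ({status})")
```

Running it against a real /etc/krb5.conf (and the files under its includedir) is a quick way to confirm that every AD DC hostname lands in the AD realm and only hosts in the IPA DNS domain land in the IPA realm; a "mapped-to-ipa-realm" result is the configuration that produces the GSSAPI error quoted at the top of the thread.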
That was it, Sumit! Thank you!
I need to check if that needs to be corrected on all the clients after the client enrolment.
TCP/UDP port 88 not open? (Kerberos krb5)
-----Original Message----- From: iulian roman via FreeIPA-users freeipa-users@lists.fedorahosted.org Sent: Monday, April 26, 2021 09:26 To: freeipa-users@lists.fedorahosted.org Cc: iulian roman iroman_2002@yahoo.com Subject: [Freeipa-users] GSSAPI Error with AD trust
I have an IPA setup with replica which has trust configured with an Active Directory domain. The trust has been configured and it does show correctly when listed, but users cannot authenticate against Active Directory. The only error I see (on IPA server sssd logs) after I enabled debugging is:
[sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/dccontroller.example.local@IPADEV.EXAMPLE.LOCAL not found in Kerberos database)]
This error is logged for all 8 domain controllers behind Active Directory domain.
Any hint where to look for or check would be really appreciated.