On Tue, Feb 05, 2019 at 04:29:23PM +0100, Jeremy Monnet wrote:
On Tue, Feb 5, 2019 at 3:35 PM Jeremy Monnet jmonnet@gmail.com wrote:
Hello,
On Tue, Feb 5, 2019 at 10:29 AM Jakub Hrozek jhrozek@redhat.com wrote:
Now, everything is OK with the main domain, AFAIK, I can login, sudo based on groups, etc. But for the child domain, most work, I can id a user@child (that resolves the user and the groups associated), I can "su - user@child" from root, BUT I can not login with that user@child. Sanitized logs follow:
It's hard to say from the trimmed log, but I assume this happens during the TGT validation phase? If yes, then you could work around that temporarily by setting krb5_validate = false in the domain section, but please read the sssd-krb5 manual page to see what security implications this has.
I have tried that, and yes, it works. Though because of the security implications I would rather set it up without it...
kvno RestrictedKrbHost/ubuntu@EXAMPLE.COM
kvno: Server not found in Kerberos database while getting credentials for RestrictedKrbHost/UBUNTU@EXAMPLE.COM
Is the principal really lower-case and shortname? I would have expected either lower-case FQDN or an upper-case shortname..
I am not sure precisely what to look for principals...
I followed that lead, and found that no SPN were registered at all in the AD object. I edited it with ADSI, and could login with all domains...
I looked at other objects and it seems none have had the same SPN registered, and I don't know at all how the object is created (other than that it is created when I "realm" the server). I will look at it a bit!
There is an issue if realmd uses adcli to join the domain and 'hostname' only returns the short name and not the fully-qualified DNS name. In this case adcli tries to add the same SPN twice, which causes an error, and as a result no SPN is added.
HTH
bye, Sumit
Jérémy

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
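The failure mode Sumit describes (a short `hostname` makes the short name and the "FQDN" identical, so the derived SPN list contains duplicates and the join registers nothing) can be checked before anyone has to dig into ADSI. The script below is an added example for this thread, not adcli's or SSSD's own code. It assumes the usual host/ and RestrictedKrbHost/ service classes for both the short name and the FQDN, and that AD compares SPNs case-insensitively; the keytab listing it inspects is constructed text in the shape of `klist -k` output, not a real keytab.

```shell
#!/bin/sh
# Added example: derive the SPNs a domain join would register for a host,
# flag duplicates caused by a non-FQDN hostname, and check which of them are
# present in a keytab listing. Not adcli's own logic (assumption: the
# host/ and RestrictedKrbHost/ pairs below are the ones that matter here).

# Print the SPNs expected for a host: short name (upper-cased, as AD stores
# the computer name) and FQDN (as given), for both service classes.
expected_spns() {
    short=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    fqdn="$2"
    printf 'host/%s\nhost/%s\nRestrictedKrbHost/%s\nRestrictedKrbHost/%s\n' \
        "$short" "$fqdn" "$short" "$fqdn"
}

# Count SPNs that appear more than once, comparing case-insensitively
# (assumption: AD treats host/UBUNTU and host/ubuntu as the same SPN).
# A non-zero count means the join would try to add the same SPN twice.
duplicate_spn_count() {
    expected_spns "$1" "$2" | tr '[:upper:]' '[:lower:]' | sort | uniq -d | wc -l | tr -d ' '
}

# Return 0 if the name looks fully qualified (contains a dot), 1 otherwise.
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read a `klist -k` style listing on stdin and return 0 if the given SPN
# (any realm) is present, 1 otherwise. Case-insensitive, like AD.
keytab_has_spn() {
    grep -qi -- "[[:space:]]$1@"
}

# Constructed listing for demonstration; /etc/krb5.keytab is only a label.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ubuntu.example.com@EXAMPLE.COM
   2 host/UBUNTU@EXAMPLE.COM
   2 UBUNTU$@EXAMPLE.COM'

# Report on one host: warn if the "FQDN" is not qualified, show how many
# duplicate SPNs that produces, and list which expected SPNs the keytab has.
check_host() {
    short="$1"; fqdn="$2"
    if ! is_fqdn "$fqdn"; then
        echo "WARNING: '$fqdn' is not fully qualified; the join would derive duplicate SPNs"
    fi
    echo "duplicate SPNs: $(duplicate_spn_count "$short" "$fqdn")"
    for spn in $(expected_spns "$short" "$fqdn" | sort -u); do
        if printf '%s\n' "$SAMPLE_KEYTAB" | keytab_has_spn "$spn"; then
            echo "present: $spn"
        else
            echo "missing: $spn"
        fi
    done
}

# Usage: the broken case from the thread (hostname returns only "ubuntu"),
# then the healthy case where hostname returns the FQDN. On a real host you
# would pass "$(hostname -s)" "$(hostname -f)" and pipe `klist -k` instead
# of SAMPLE_KEYTAB.
check_host ubuntu ubuntu
echo "---"
check_host ubuntu ubuntu.example.com
```

On the sample listing the second run reports both RestrictedKrbHost entries as missing, which is exactly the symptom behind the `kvno: Server not found in Kerberos database` error quoted earlier; the first run shows the two duplicate SPNs that a short-name `hostname` produces.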