Hi,
After the latest updates coming from Red Hat on RHEL 8.7, we can't authenticate on AD. The logs show this:
Nov 22 14:15:53 ic-rhel8-t001.c.domain.no sshd[6275]: pam_sss(sshd:auth): received for user ec-franciaa: 4 (System error)
Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sshd[6275]: Failed password for ec-franciaa from ::1 port 51406 ssh2
Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6280]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6280]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6284]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6284]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6288]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6288]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 22 14:15:56 ic-rhel8-t001.c.domain.no sshd[6275]: Connection closed by authenticating user francis ::1 port 51406 [preauth]
I've deleted the computer account and rejoined the machine to the domain. I can check users' existence using id, so it seems the machine is well joined, but somehow authentication doesn't work.
[domain/DOMAIN.NO]
id_provider = ad
auth_provider = ad
autofs_provider = ad
chpass_provider = ad
access_provider = ad
ldap_id_mapping = false
ldap_user_principal = nosuchattribute
ad_server = dc.domain.no
ldap_id_mapping = false
# getent on users with more -- results in a lot of noise
enumerate = false
cache_credentials = true
# Setup schema, rfc2307 is for OpenLDAP, rfc2307bis is A/D-close, and ad is A/D
dns_discovery_domain = dc.domain.no
krb5_realm = AD.FP.EDUCLOUD.NO
# how long including renewals may a ticket be valid for
krb5_renewable_lifetime = 14d
# time in seconds between checking if a ticket must be renewed
krb5_renew_interval = 3600
# template used for placing kerberos tickets by default
ad_gpo_map_interactive = +gdm-vmwcred
use_fully_qualified_names = False

[kcm]
tgt_renewal = true
tgt_renewal_inherit = DOMAIN.NO
krb5_renew_interval = 60m
debug_level = 10
socket_path = /var/run/.heim_org.h5l.kcm-socket
We have a machine built two weeks ago with the same sssd.conf, and it just works.
Any hints?
Best,
Francis
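Added example, not part of the post or of SSSD itself: a small Python triage script that walks journal lines in the shape quoted above and separates pam_sss "4 (System error)" returns (the backend failed, as opposed to a rejected password) from the "tkey query failed" GSS-TSIG errors that nsupdate prints during SSSD's dynamic DNS update, flagging when the two coincide. The sample lines are constructed from the post, and the 10-second correlation window is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of the journal lines quoted in the post (one sssd line kept).
SAMPLE_LOG = """\
Nov 22 14:15:53 ic-rhel8-t001.c.domain.no sshd[6275]: pam_sss(sshd:auth): received for user ec-franciaa: 4 (System error)
Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sshd[6275]: Failed password for ec-franciaa from ::1 port 51406 ssh2
Nov 22 14:15:55 ic-rhel8-t001.c.domain.no sssd[6280]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Nov 22 14:15:56 ic-rhel8-t001.c.domain.no sshd[6275]: Connection closed by authenticating user francis ::1 port 51406 [preauth]
"""

# Syslog-style prefix: timestamp, host, program[pid]: message
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# pam_sss return code 4 (PAM_SYSTEM_ERR): the backend failed rather than rejecting the password
PAM_SYSERR_RE = re.compile(r"pam_sss\((?P<service>[^:]+):auth\): received for user (?P<user>\S+): 4 \(System error\)")
# nsupdate's GSS-TSIG failure text as logged under sssd; capture the Kerberos minor status text
GSS_MINOR_RE = re.compile(r"tkey query failed: GSSAPI error: .*Minor = (?P<minor>[^.]+)")

def parse_line(line):
    """Split one journal line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # syslog timestamps carry no year
    rec["pid"] = int(rec["pid"])
    return rec

def triage(text, window_s=10):
    """Classify failures: PAM system errors vs GSSAPI TKEY failures, and flag when they coincide."""
    pam_errors, gss_times = [], []
    minors = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (m := PAM_SYSERR_RE.search(rec["msg"])):
            pam_errors.append((m["user"], m["service"], rec["pid"], rec["ts"]))
        elif (m := GSS_MINOR_RE.search(rec["msg"])):
            minors[m["minor"]] += 1
            gss_times.append(rec["ts"])
    # A GSS failure within window_s of a PAM system error points at the backend, not the user
    correlated = any(abs((g - p[3]).total_seconds()) <= window_s for p in pam_errors for g in gss_times)
    return {"pam_system_errors": [p[:3] for p in pam_errors],
            "gssapi_minors": dict(minors),
            "correlated": correlated}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```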