Hi,

I'm having an issue with IPA/sssd (RHEL 7.1) when accessing resources through an AD
trust. The following is logged in ldap_child.log (debug_level=10):

(Tue Mar 10 12:31:12 2015) [sssd[be[unix.domain.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)]

This error seems to occur randomly. We have over 40+ DCs in our HUB site for the Active
Directory forest/domain. All of these DCs are running either Windows 2008 R2/Windows
2012/Windows 2012 R2. The domain/forest level is still Windows 2003. The trust is
established between IPA (unix.domain.com) and the forest root AD domain (domain.com). The
AD users actually exist in a child domain (ad.domain.com).

I conducted a test where I deleted the sssd server cache (in /var/lib/sss/db/), restarted
sssd, and then did a 'getent passwd user@domain.com'. There were several
instances where sssd was successfully using one of the AD DCs, and then after
clearing the cache and restarting failed on the same AD DC with the "KDC has no
support for encryption type" error. Nothing is being logged to
/var/log/sssd/krb5_child.log.

We are running the following versions:

ipa-server-4.1.0-18.el7.x86_64
ipa-server-trust-ad-4.1.0-18.el7.x86_64
sssd-1.12.2-58.el7.x86_64

Does anyone have an idea of what may be happening here?

Thanks,
Josh