On Mon, Feb 22, 2016 at 09:47:49PM -0000, Patrice Peterson wrote:
> On Mon, Feb 22, 2016 at 08:04:42PM -0000, Patrice Peterson wrote:
>
> Please note that the principal you give with the --user-principal option
> is not a SPN (service principal name) but a UPN (user principal name).
> Only UPNs can be used to get a Kerberos TGT, i.e. can be used with
> kinit.
>
> As you can see from the logs SSSD tries to use host/fqdn(a)XD.UNI-HALLE.DE
> to get a TGT. Since AD handles principals case-insensitively
> HOST/fqdn(a)XD.UNI-HALLE.DE will work as well as long as it is defined as
> UPN (I would expect that it will work the same if you use
> '--user-principal=host/fqdn@REALM').
Yes, I just tried that and you were right. My mental model of host authentication was
apparently completely wrong—I knew computers were basically "users" in AD, but I
didn't apply this knowledge to this situation…
> In general the default UPN is NetBIOSName$@REALM and SSSD will use it if
> a matching entry is in the keytab. But there are some restrictions on
> the NetBIOS name, e.g. only 15 characters are allowed and only a few
> special characters. Do you have an entry '...$@REALM' in the keytab?
> Does the name before the $ match the first part of the fully qualified
> host name of the client or is it truncated or special characters
> removed?
I do have 'Netbiosname$@REALM', but I had to make it different from the first
part of the FQDN (i.e. it is 'HPC-login001' while the first part of the FQDN is
'login001', without the 'HPC'). I didn't even know that this could be
a problem, so thanks again for putting me on the right path!
> If you have a '...$@REALM' entry in the keytab which differs somehow
> from the hostname you can try to add this principal to sssd.conf with
>
> ldap_sasl_authid = NetBIOSName$@REALM
>
> where NetBIOSName$@REALM matches the entry in the keytab to tell SSSD to
> use this principal for kinit.
That did the trick!
Great, good to know that it is working for you now.
However, I still don't understand why setting this is necessary: Shouldn't SSSD
'see' that the account ending with '$@REALM' is the only computer account
in the keytab and use it for obtaining a TGT? I know that MS requires the first part of
the FQDN to be equal to the NETBIOS name [0], but it still seems weird to me that SSSD
apparently doesn't infer the NETBIOS name automatically.
I see your point. Currently the idea is that SSSD will work if tools
like adcli or 'net ads join' are used in the default mode where the
NetBIOS name is based on the first component of the FQDN. If you want
to join with a different NetBIOS name you have to tell the tool and SSSD
explicitly about it. But I agree that for SSSD's AD provider using a
'$@REALM' principal, if there is only one, from the keytab would be a
better fallback to try than the current 'host/FQDN@REALM' fallback.
Feel free to open an RFE ticket on https://fedorahosted.org/sssd/ about
this.
In any case, thanks for your explanations! This thread has definitely improved my
understanding so far.
Glad I could help.
bye,
Sumit
>
> -Patrice
>
> [0] https://msdn.microsoft.com/en-us/library/cc246064.aspx
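The check Sumit describes above (look for a '...$@REALM' computer-account entry in the keytab, compare the part before the '$' with the first label of the client's FQDN, and set ldap_sasl_authid only when they differ) can be scripted. The following is an added example written for this page; it is not code from the thread or from the SSSD project. The keytab listing is a constructed sample in the format of `klist -k` (in practice you would pipe in `klist -k /etc/krb5.keytab`), the host and realm names are taken from the thread, and the only NetBIOS restriction checked is the 15-character limit, since the thread does not list which special characters are disallowed.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` output (not real data).
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/login001.xd.uni-halle.de@XD.UNI-HALLE.DE
   2 HPC-LOGIN001$@XD.UNI-HALLE.DE
   2 RestrictedKrbHost/login001.xd.uni-halle.de@XD.UNI-HALLE.DE'

# Print the computer-account principals (name part ending in '$') found in
# a klist -k listing, one per line, deduplicated across key versions.
computer_principals() {
    printf '%s\n' "$1" | awk '$2 ~ /\$@/ {print $2}' | sort -u
}

# True if the first DNS label of the FQDN could be used unchanged as a
# NetBIOS name as far as the 15-character limit is concerned. The other
# NetBIOS restrictions (special characters) are deliberately not checked here.
first_label_is_valid_netbios() {
    label=$(printf '%s' "$1" | cut -d. -f1)
    [ "${#label}" -le 15 ]
}

# Given the client's FQDN and a klist -k listing, print the sssd.conf line
# needed when the keytab's computer-account principal does not follow the
# default "NetBIOS name = first label of the FQDN" convention that SSSD
# assumes. Prints nothing when the default would already match, i.e. no
# ldap_sasl_authid setting is required. Comparison is case-insensitive,
# matching AD's handling of principal names.
suggest_sasl_authid() {
    fqdn=$1
    listing=$2
    short=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    computer_principals "$listing" | while IFS= read -r princ; do
        netbios=$(printf '%s' "$princ" | sed 's/\$@.*$//' | tr '[:lower:]' '[:upper:]')
        if [ "$netbios" != "$short" ]; then
            printf 'ldap_sasl_authid = %s\n' "$princ"
        fi
    done
}

# Stand-alone usage with the constructed sample: the keytab holds
# HPC-LOGIN001$@REALM while the host is login001.xd.uni-halle.de, so the
# script emits the ldap_sasl_authid line that fixed the problem in the thread.
suggest_sasl_authid login001.xd.uni-halle.de "$SAMPLE_KEYTAB_LISTING"
```

If the script prints a line, add it to the [domain/...] section of sssd.conf so that SSSD uses that principal for kinit instead of falling back to host/FQDN@REALM; if it prints nothing, the keytab already carries the principal SSSD will try by default.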