On Thu, May 06, 2021 at 09:59:45AM +0200, Paweł Szafer wrote:
Hello,
This morning I had a bad surprise. Suddenly I cannot log in anymore to my
PC.
My OS is Arch based, with SSSD 2.4.2, updated yesterday (it was working
after update, last login occurred around 7pm 05.05.2021, today 7am
06.05.2021 cannot log in anymore)
Hi,
is the cyrus-sasl-gssapi package still installed?
Maybe you have any idea what's wrong.
What I see in sssd logs:
(2021-05-06 9:49:26): [be[domain.name]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSS-SPNEGO, user: PCNAME$
(2021-05-06 9:49:26): [be[domain.name]] [ad_sasl_log] (0x0040): SASL: No worthy mechs found
(2021-05-06 9:49:26): [be[domain.name]] [sasl_bind_send] (0x0020): ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
(2021-05-06 9:49:26): [be[domain.name]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-4): no mechanism available: No worthy mechs found]
(2021-05-06 9:49:26): [be[domain.name]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed
(2021-05-06 9:49:26): [be[domain.name]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc1.domain.name' as 'not working'
I tried to rejoin domain with
krb5.conf
allow_weak_crypto = true
permitted_enctypes = aes rc4
then with commands:
KRB5_TRACE=/dev/stdout kinit -V aduser@AD.EXAMPLE.COM.
kinit Administrator
net ads join -k
klist -ke
Keytab looks like that:
10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.name@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
10 06.05.2021 09:49:09 restrictedkrbhost/PCNAME@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.name@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
10 06.05.2021 09:49:09 restrictedkrbhost/PCNAME@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.name@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
10 06.05.2021 09:49:09 restrictedkrbhost/PCNAME@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
10 06.05.2021 09:49:10 host/pcname.domain.name@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
10 06.05.2021 09:49:10 host/PCNAME@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
10 06.05.2021 09:49:10 host/pcname.domain.name@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
10 06.05.2021 09:49:10 host/PCNAME@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
10 06.05.2021 09:49:10 host/pcname.domain.name@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
10 06.05.2021 09:49:10 host/PCNAME@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
Both kinit and ldapsearch are working properly.
Did you try ldapsearch with the '-Y GSS-SPNEGO' option?
bye,
Sumit
Thanks for help!
-----
Pawel
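
Added example, not part of the original thread and not SSSD code: a small triage script that reads SSSD backend log lines of the shape quoted above and reports SASL binds that failed with "No worthy mechs found", together with the mechanism, the bind user and the server that was then marked 'not working'. The sample log is constructed from the lines in the message; the function name `triage` and the `no-client-sasl-plugin` label are assumptions made for this example.

```python
import re

# Constructed sample, modelled on the backend log lines quoted in the thread.
SAMPLE_LOG = """\
(2021-05-06 9:49:26): [be[domain.name]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSS-SPNEGO, user: PCNAME$
(2021-05-06 9:49:26): [be[domain.name]] [ad_sasl_log] (0x0040): SASL: No worthy mechs found
(2021-05-06 9:49:26): [be[domain.name]] [sasl_bind_send] (0x0020): ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
(2021-05-06 9:49:26): [be[domain.name]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc1.domain.name' as 'not working'
"""

# Line shape: (timestamp): [be[domain]] [function] (0xLEVEL): message
LINE = re.compile(r"^\((?P<ts>[^)]+)\): \[be\[(?P<dom>[^\]]+)\]\] \[(?P<fn>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
BIND = re.compile(r"Executing sasl bind mech: (?P<mech>[\w-]+), user: (?P<user>\S+)")
PORT = re.compile(r"Marking port (?P<port>\d+) of server '(?P<srv>[^']+)' as 'not working'")

def triage(log_text):
    """Return one finding per SASL bind that failed for lack of a usable mechanism."""
    findings, pending = [], {}  # pending: domain -> bind attempt still in progress
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        dom, fn, msg = m["dom"], m["fn"], m["msg"]
        if fn == "sasl_bind_send" and (b := BIND.search(msg)):
            pending[dom] = {"time": m["ts"], "domain": dom, "mech": b["mech"],
                            "user": b["user"], "cause": None, "server": None}
        elif dom in pending and "No worthy mechs found" in msg:
            # libsasl on this host offered no plugin for the requested mechanism
            pending[dom]["cause"] = "no-client-sasl-plugin"
        elif dom in pending and (p := PORT.search(msg)):
            att = pending.pop(dom)
            att["server"] = f"{p['srv']}:{p['port']}"
            if att["cause"]:  # report only binds that hit the SASL error
                findings.append(att)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The parser expects one log entry per line, as in the log file itself; the wrapped form produced by mail clients has to be rejoined first.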