Hi,
Where I work I've just spent a fair amount of time tracing down an issue we were having with Linux servers (CentOS 6) which authenticate against the company Active Directory domain.
We found that SSSD 1.12.4-46.el6 clients were failing to work correctly against a particular DC in one of our sites. Looking in the SSSD logs I discovered it was a Kerberos "TGS-REQ" issue, whereby it would do a request and get back "Principal unknown".
I captured the conversation with tcpdump, and compared it with a conversation with a working DC, and found that the "Principal unknown" response came back with the Kerberos server listed as:
and in the working case was instead the name of the DC, let's say:
Looking further at the DNS records for the affected DC, I found that the DC's IP had 4 PTR records:
Given we didn't believe the 3 extra PTRs were performing any useful function, we deleted them, and started SSSD again. SSSD now happily connected to the DC, and is functional.
So, is there any reason why these PTRs would have upset SSSD like they appear to have?
I can supply SSSD logs and/or pcap files off-list if helpful...
Cheers,