NOTE: My email was blocked due to size being >40k.  I put my logs on pastebin to get the email to go through, hope it's okay.  I didn't cancel my other submission, so it may eventually go through.

On May 30, 2013, at 10:06 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:

On Thu, May 30, 2013 at 02:36:08PM +0000, Harris, Bryan L. wrote:

> > ldap_child.log: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
> > ldap_child.log: Received error from KDC: -1765328359/Additional pre-authentication required ...

> This is interesting, do these occur after every sssd startup or was it
> just some artifact from before? The ldap_child is used to authenticate
> with GSSAPI to the LDAP server, if the authentication wouldn't succeed,
> the SSSD would go offline.

Yes, I always do a ( service sssd stop ; rm /var/lib/sss/db/* ; service sssd start ) every time I make a change to anything.

Here are the lines from that file when I do a stop / start of sssd.

http://pastebin.com/8Hne9z4P

> Also typically the host/fqdn@REALM principal is not user, but rather
> shortname$@REALM, in your case linux$@MY.GREAT.DOMAIN

I'm not exactly 100% sure I understand; I thought from the page [3] above that:

1. If my server name is "linux-server" (without quotes)
2. If my 2008 AD domain is MY.GREAT.DOMAIN
3. Then I should use the text "host/linux-server@MY.GREAT.DOMAIN" (without quote marks) when I do my ktpass.exe on Windows.

Did I do it wrong?

> > sssd_nss.log: Got reply from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not configured
> > sssd_nss.log: Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success ...
> > sssd_MY.GREAT.DOMAIN.log: Could not get fully qualified name for host name linux-server.my.great.domain error [2]: No such file or directory, resolver returned: [4]: Domain name not found

> Are you sure the new password meets the complexity requirements imposed
> by AD? Currently SSSD doesn't really report those in a meaningful way.

My test was to set the password in the Windows server itself by clicking Start > Security > Change Password as the user in question.  When I did it in Windows, it was successful.  Now that I have that in my previous 24 passwords, Windows doesn't accept that exact same password again.  So I came up with another one of a similar pattern/style and same length etc.  Maybe I'm doing something wrong here...?

> Also, is there any interesting information in the krb5_child.log? With
> debug level as high as yours, I would expect all the trace information
> present.

Oh that file is completely empty until I go to my user and run the passwd command.  Here is the resulting log when I run passwd as my user.

http://pastebin.com/EPYg4ijW

Bryan
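An added check, not part of this thread: since the discussion turns on whether the keytab carries host/fqdn@REALM or shortname$@REALM, this script reads MIT `klist -k` output and reports which of those principal forms are present. The sample keytab listing is constructed here using the thread's hostname and realm; on a real box pipe `klist -k /etc/krb5.keytab` into `check_keytab` instead.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output (not taken from the thread), using
# the hostname "linux-server" and realm MY.GREAT.DOMAIN discussed above.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/linux-server.my.great.domain@MY.GREAT.DOMAIN
   3 host/linux-server.my.great.domain@MY.GREAT.DOMAIN
   3 host/linux-server@MY.GREAT.DOMAIN'

# Print the distinct principals found in `klist -k` output read from stdin.
# Entry lines start with a numeric KVNO; the principal is the last field.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# Report which principal forms a GSSAPI bind might use are in the keytab.
# Args: short hostname, fqdn, realm.  Reads `klist -k` output from stdin.
# Prints one line per form, prefixed "present" or "MISSING".
check_keytab() {
    short=$1; fqdn=$2; realm=$3
    principals=$(keytab_principals)
    for p in "host/$fqdn@$realm" "host/$short@$realm" "${short}\$@$realm"; do
        if printf '%s\n' "$principals" | grep -qxF -- "$p"; then
            echo "present $p"
        else
            echo "MISSING $p"
        fi
    done
}

# Run against the constructed sample; expect the two host/ forms present
# and the machine-account form linux-server$@MY.GREAT.DOMAIN missing.
printf '%s\n' "$SAMPLE_KLIST" \
    | check_keytab linux-server linux-server.my.great.domain MY.GREAT.DOMAIN
```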