Hello everyone, I see a strange behaviour in the ticket listing of my users:
I always have a ticket with the REALM and one without the realm. This could fit with other problems I have, like non-working Kerberos login via ssh and access issues.
Any ideas where this could come from?
My klist output:

Ticket cache: FILE:/tmp/krb5cc_59123
Default principal: User1@DOMAIN.NET

Valid starting     Expires            Service principal
03/09/16 14:39:41  03/12/16 14:39:41  krbtgt/DOMAIN.NET@DOMAIN.NET
	renew until 04/06/16 15:39:41
03/09/16 14:39:50  03/10/16 00:39:50  host/anotherserver.domain.net@
	renew until 04/06/16 15:39:41
03/09/16 14:39:50  03/10/16 00:39:50  host/anotherserver.domain.net@DOMAIN.NET
	renew until 04/06/16 15:39:41
03/10/16 12:31:52  03/10/16 22:31:52  nfs/fileserver.domain.net@
	renew until 04/06/16 15:39:41
03/10/16 12:31:52  03/10/16 22:31:52  nfs/fileserver.domain.net@DOMAIN.NET
	renew until 04/06/16 15:39:41
My keytab:

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 10/30/15 18:47:15 host/thisserver.domain.net@DOMAIN.NET (des-cbc-crc)
   2 10/30/15 18:47:15 host/thisserver.domain.net@DOMAIN.NET (des-cbc-md5)
   2 10/30/15 18:47:15 host/thisserver.domain.net@DOMAIN.NET (aes128-cts-hmac-sha1-96)
   2 10/30/15 18:47:15 host/thisserver.domain.net@DOMAIN.NET (aes256-cts-hmac-sha1-96)
   2 10/30/15 18:47:15 host/thisserver.domain.net@DOMAIN.NET (arcfour-hmac)
   2 10/30/15 18:47:15 host/THISSERVER@DOMAIN.NET (des-cbc-crc)
   2 10/30/15 18:47:15 host/THISSERVER@DOMAIN.NET (des-cbc-md5)
   2 10/30/15 18:47:15 host/THISSERVER@DOMAIN.NET (aes128-cts-hmac-sha1-96)
   2 10/30/15 18:47:15 host/THISSERVER@DOMAIN.NET (aes256-cts-hmac-sha1-96)
   2 10/30/15 18:47:15 host/THISSERVER@DOMAIN.NET (arcfour-hmac)
   2 10/30/15 18:47:15 THISSERVER$@DOMAIN.NET (des-cbc-crc)
   2 10/30/15 18:47:15 THISSERVER$@DOMAIN.NET (des-cbc-md5)
   2 10/30/15 18:47:15 THISSERVER$@DOMAIN.NET (aes128-cts-hmac-sha1-96)
   2 10/30/15 18:47:15 THISSERVER$@DOMAIN.NET (aes256-cts-hmac-sha1-96)
   2 10/30/15 18:47:15 THISSERVER$@DOMAIN.NET (arcfour-hmac)
   2 10/30/15 18:47:15 nfs/thisserver.domain.net@DOMAIN.NET (des-cbc-crc)
   2 10/30/15 18:47:15 nfs/thisserver.domain.net@DOMAIN.NET (des-cbc-md5)
   2 10/30/15 18:47:15 nfs/thisserver.domain.net@DOMAIN.NET (aes128-cts-hmac-sha1-96)
   2 10/30/15 18:47:15 nfs/thisserver.domain.net@DOMAIN.NET (aes256-cts-hmac-sha1-96)
   2 10/30/15 18:47:15 nfs/thisserver.domain.net@DOMAIN.NET (arcfour-hmac)
   2 10/30/15 18:47:15 nfs/THISSERVER@DOMAIN.NET (des-cbc-crc)
   2 10/30/15 18:47:15 nfs/THISSERVER@DOMAIN.NET (des-cbc-md5)
   2 10/30/15 18:47:15 nfs/THISSERVER@DOMAIN.NET (aes128-cts-hmac-sha1-96)
   2 10/30/15 18:47:15 nfs/THISSERVER@DOMAIN.NET (aes256-cts-hmac-sha1-96)
   2 10/30/15 18:47:15 nfs/THISSERVER@DOMAIN.NET (arcfour-hmac)
   3 12/18/15 16:04:42 nfs/thisserver.domain.net@DOMAIN.NET (des-cbc-crc)
   3 12/18/15 16:04:42 nfs/thisserver.domain.net@DOMAIN.NET (des-cbc-md5)
   3 12/18/15 16:04:42 nfs/thisserver.domain.net@DOMAIN.NET (aes128-cts-hmac-sha1-96)
   3 12/18/15 16:04:42 nfs/thisserver.domain.net@DOMAIN.NET (aes256-cts-hmac-sha1-96)
   3 12/18/15 16:04:42 nfs/thisserver.domain.net@DOMAIN.NET (arcfour-hmac)
   3 12/18/15 16:04:42 nfs/THISSERVER@DOMAIN.NET (des-cbc-crc)
   3 12/18/15 16:04:42 nfs/THISSERVER@DOMAIN.NET (des-cbc-md5)
   3 12/18/15 16:04:42 nfs/THISSERVER@DOMAIN.NET (aes128-cts-hmac-sha1-96)
   3 12/18/15 16:04:42 nfs/THISSERVER@DOMAIN.NET (aes256-cts-hmac-sha1-96)
   3 12/18/15 16:04:42 nfs/THISSERVER@DOMAIN.NET (arcfour-hmac)
   3 12/18/15 16:04:41 host/thisserver.domain.net@DOMAIN.NET (des-cbc-crc)
   3 12/18/15 16:04:41 host/thisserver.domain.net@DOMAIN.NET (des-cbc-md5)
   3 12/18/15 16:04:41 host/thisserver.domain.net@DOMAIN.NET (aes128-cts-hmac-sha1-96)
   3 12/18/15 16:04:41 host/thisserver.domain.net@DOMAIN.NET (aes256-cts-hmac-sha1-96)
   3 12/18/15 16:04:41 host/thisserver.domain.net@DOMAIN.NET (arcfour-hmac)
   3 12/18/15 16:04:41 host/THISSERVER@DOMAIN.NET (des-cbc-crc)
   3 12/18/15 16:04:41 host/THISSERVER@DOMAIN.NET (des-cbc-md5)
   3 12/18/15 16:04:41 host/THISSERVER@DOMAIN.NET (aes128-cts-hmac-sha1-96)
   3 12/18/15 16:04:41 host/THISSERVER@DOMAIN.NET (aes256-cts-hmac-sha1-96)
   3 12/18/15 16:04:41 host/THISSERVER@DOMAIN.NET (arcfour-hmac)
   3 12/18/15 16:04:41 THISSERVER$@DOMAIN.NET (des-cbc-crc)
   3 12/18/15 16:04:41 THISSERVER$@DOMAIN.NET (des-cbc-md5)
   3 12/18/15 16:04:41 THISSERVER$@DOMAIN.NET (aes128-cts-hmac-sha1-96)
   3 12/18/15 16:04:41 THISSERVER$@DOMAIN.NET (aes256-cts-hmac-sha1-96)
   3 12/18/15 16:04:41 THISSERVER$@DOMAIN.NET (arcfour-hmac)
My krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 4d
 renew_lifetime = 28d
 forwardable = true
 rdns = false
 default_ccache_name = /tmp/krb5cc_%{uid}
 canonicalize = yes
 allow_weak_crypto = true

[realms]
 DOMAIN.NET = {
  kdc = LINDC2.DOMAIN.NET
  master_kdc = LINDC2.DOMAIN.NET
  admin_server = LINDC2.DOMAIN.NET
 }

[domain_realm]
 .DOMAIN.NET = DOMAIN.NET
 DOMAIN.NET = DOMAIN.NET
My sssd.conf:

[sssd]
config_file_version = 2
domains = DOMAIN.NET
services = nss, pam, ssh

[ssh]

[domain/DOMAIN.NET]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_server = dc2.roseninspection.net
# Uncomment if you want to use POSIX UIDs and GIDs set on the AD side
ldap_id_mapping = False
# Comment out if the users have the shell and home dir set on the AD side
default_shell = /bin/bash
fallback_homedir = /home/DOMAIN/%u
krb5_renewable_lifetime = 3d
krb5_renew_interval = 3600
krb5_lifetime = 28d
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U
canonicalize = yes
debug_level = 3
#case_sensitive = preserving
case_sensitive = false
ad_gpo_access_control = permissive
#krb5_realm = DOMAIN.NET
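A small check, added here and not part of the original post, that parses klist output and reports every service principal cached with an empty realm, together with whether a realm-qualified twin of the same name is also present; the sample input is constructed from the listing in the post, and running the same function over the real klist output of affected users shows at a glance which services are hit.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the klist listing in the post.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_59123
Default principal: User1@DOMAIN.NET

Valid starting     Expires            Service principal
03/09/16 14:39:41  03/12/16 14:39:41  krbtgt/DOMAIN.NET@DOMAIN.NET
\trenew until 04/06/16 15:39:41
03/09/16 14:39:50  03/10/16 00:39:50  host/anotherserver.domain.net@
\trenew until 04/06/16 15:39:41
03/09/16 14:39:50  03/10/16 00:39:50  host/anotherserver.domain.net@DOMAIN.NET
\trenew until 04/06/16 15:39:41
03/10/16 12:31:52  03/10/16 22:31:52  nfs/fileserver.domain.net@
\trenew until 04/06/16 15:39:41
03/10/16 12:31:52  03/10/16 22:31:52  nfs/fileserver.domain.net@DOMAIN.NET
\trenew until 04/06/16 15:39:41
"""

# One ticket line: start time, expiry, service principal. "renew until" lines
# and the header do not match and are skipped.
TICKET_RE = re.compile(
    r"^(?P<start>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<expires>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<principal>\S+)$"
)

def parse_klist(text):
    """Return (service_principal, start, expires) tuples from klist output."""
    return [(m["principal"], m["start"], m["expires"])
            for m in map(TICKET_RE.match, text.splitlines()) if m]

def split_principal(principal):
    """Split 'svc/host@REALM' into ('svc/host', 'REALM'); realm may be ''."""
    name, sep, realm = principal.rpartition("@")
    return (name, realm) if sep else (principal, None)

def find_empty_realm_tickets(text, expected_realm):
    """Map each principal name seen with an empty realm to True/False:
    whether the same name is also cached with expected_realm."""
    realms_by_name = defaultdict(set)
    for principal, _, _ in parse_klist(text):
        name, realm = split_principal(principal)
        realms_by_name[name].add(realm)
    return {name: expected_realm in realms
            for name, realms in realms_by_name.items() if "" in realms}
```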