On Thu, May 6, 2021 at 2:56 PM Paweł Szafer <pszafer(a)gmail.com> wrote:
> Hello,
> This morning I had a bad surprise: suddenly I cannot log in to my PC anymore.
> My OS is Arch based, with SSSD 2.4.2, updated yesterday (it was working after the update;
> the last login was around 7pm on 05.05.2021, and today at 7am on 06.05.2021 I cannot log in anymore).
> Maybe you have an idea what's wrong.
> What I see in the sssd logs:
> (2021-05-06 9:49:26): [be[domain.name]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSS-SPNEGO, user: PCNAME$
> (2021-05-06 9:49:26): [be[domain.name]] [ad_sasl_log] (0x0040): SASL: No worthy mechs found
> (2021-05-06 9:49:26): [be[domain.name]] [sasl_bind_send] (0x0020): ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
> (2021-05-06 9:49:26): [be[domain.name]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-4): no mechanism available: No worthy mechs found]
> (2021-05-06 9:49:26): [be[domain.name]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed
> (2021-05-06 9:49:26): [be[domain.name]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc1.domain.name' as 'not working'
> I tried to rejoin the domain with the following in krb5.conf:
> allow_weak_crypto = true
> permitted_enctypes = aes rc4
> and then with these commands:
> KRB5_TRACE=/dev/stdout kinit -V aduser@AD.EXAMPLE.COM
> kinit Administrator
> net ads join -k
> klist -ke
> The keytab looks like this:
> 10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.name@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:09 restrictedkrbhost/PCNAME@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.name@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:09 restrictedkrbhost/PCNAME@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.name@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
> 10 06.05.2021 09:49:09 restrictedkrbhost/PCNAME@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
> 10 06.05.2021 09:49:10 host/pcname.domain.name@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:10 host/PCNAME@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:10 host/pcname.domain.name@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:10 host/PCNAME@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:10 host/pcname.domain.name@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
> 10 06.05.2021 09:49:10 host/PCNAME@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
> 10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
> 10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
> Both kinit and ldapsearch are working properly.
I think `kinit` can't be used for a test as it uses a different
protocol. Does SASL bind work with ldapsearch?
I'm not sure what is used as the SASL lib, probably 'cyrus-sasl*'. Are
those packages up to date on your machine?
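For anyone triaging the same symptom, here is a small added example (not code from the thread, SSSD, or Cyrus SASL) that parses SSSD backend debug lines in the format quoted above and separates "Kerberos is fine, the LDAP SASL layer is not" from a plain connectivity failure. The line format is assumed from the quoted log; the sample input reuses those quoted lines plus one constructed junk line to show that non-matching lines are skipped. Nothing here contacts a domain controller.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed SSSD debug-log line shape, taken from the lines quoted in the thread:
#   (YYYY-MM-DD H:MM:SS): [be[domain]] [function] (0xLEVEL): message
# The component token has no spaces but may carry nested brackets ("be[domain.name]"),
# so it is matched up to the first space rather than the first "]".
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<component>[^ ]+)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# SSSD debug levels: 0x0010 fatal, 0x0020 critical, 0x0040 serious, 0x0080 minor
# failures; anything above that is informational (config data, function calls, ...).
FAILURE_LEVEL_MAX = 0x0080


@dataclass
class SssdEvent:
    ts: str
    component: str
    func: str
    level: int
    msg: str


@dataclass
class Finding:
    ts: str
    kind: str
    detail: str


def parse_line(line: str) -> Optional[SssdEvent]:
    """Return a structured event, or None for lines that are not SSSD debug output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return SssdEvent(m["ts"], m["component"], m["func"], int(m["level"], 16), m["msg"])


def analyse(lines: List[str]) -> List[Finding]:
    """Extract the connection/SASL-bind events that matter for a 'cannot log in' triage."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.func == "sasl_bind_send":
            m = re.search(r"Executing sasl bind mech: (\S+), user: (\S+)", ev.msg)
            if m:
                findings.append(Finding(ev.ts, "sasl_bind_attempt", f"{m.group(1)} as {m.group(2)}"))
            elif ev.level <= FAILURE_LEVEL_MAX:
                findings.append(Finding(ev.ts, "sasl_bind_failed", ev.msg))
        elif ev.func == "ad_sasl_log" and "No worthy mechs found" in ev.msg:
            # Cyrus SASL reports this when none of the requested mechanisms (here
            # GSS-SPNEGO/GSSAPI) has a loadable plugin; Kerberos tickets are irrelevant then.
            findings.append(Finding(ev.ts, "sasl_no_mech", ev.msg))
        elif ev.func == "sdap_cli_connect_recv" and "Unable to establish connection" in ev.msg:
            findings.append(Finding(ev.ts, "connect_failed", ev.msg))
        elif ev.func == "fo_set_port_status":
            m = re.search(r"Marking port (\d+) of server '([^']+)' as '([^']+)'", ev.msg)
            if m and m.group(3) == "not working":
                findings.append(Finding(ev.ts, "server_marked_down", f"{m.group(2)}:{m.group(1)}"))
    return findings


def diagnose(findings: List[Finding]) -> str:
    """Map the extracted events to the most likely layer at fault (most specific first)."""
    kinds = {f.kind for f in findings}
    if "sasl_no_mech" in kinds:
        return ("no usable SASL mechanism plugin: check the SASL library packages "
                "(e.g. the cyrus-sasl GSSAPI/GSS-SPNEGO plugin) rather than Kerberos itself")
    if "sasl_bind_failed" in kinds:
        return "SASL bind to the domain controller failed: check the keytab/credentials used for the bind"
    if "connect_failed" in kinds or "server_marked_down" in kinds:
        return "LDAP connection to the domain controller failed: check network/DNS and the server"
    return "no SASL/LDAP failures found"


# Sample input: the six lines quoted in the thread plus one constructed non-SSSD line.
SAMPLE_LOG = """\
(2021-05-06 9:49:26): [be[domain.name]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSS-SPNEGO, user: PCNAME$
(2021-05-06 9:49:26): [be[domain.name]] [ad_sasl_log] (0x0040): SASL: No worthy mechs found
(2021-05-06 9:49:26): [be[domain.name]] [sasl_bind_send] (0x0020): ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
(2021-05-06 9:49:26): [be[domain.name]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-4): no mechanism available: No worthy mechs found]
(2021-05-06 9:49:26): [be[domain.name]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed
(2021-05-06 9:49:26): [be[domain.name]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc1.domain.name' as 'not working'
this line is constructed noise and is not in SSSD format
"""

if __name__ == "__main__":
    found = analyse(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.ts}  {f.kind:20} {f.detail}")
    print("verdict:", diagnose(found))
```

Run it against `/var/log/sssd/sssd_<domain>.log` (with `debug_level` high enough to emit the 0x0080 lines) to get the verdict without reading the whole file; on the log quoted in this thread it reports the SASL-mechanism case, which is exactly why the `kinit` success above does not contradict the bind failure.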