Hi,

I had to add
ldap_sasl_mech=GSSAPI
to domain part of my sssd.conf
But honestly I don't understand why SPNEGO is not working, any ideas?


czw., 6 maj 2021 o 09:59 Paweł Szafer <pszafer@gmail.com> napisał(a):
Hello,

Today morning I had a bad surprise. Suddenly I cannot login anymore to my PC.
My OS is Arch based, with SSSD 2.4.2, updated yesterday (it was working after update, last login occurred around 7pm 05.05.2021, today 7am 06.05.2021 cannot login anymore)
Maybe you have any idea what's wrong.
What I see in sssd logs:
2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSS-SPNEGO, user: PCNAME$
(2021-05-06  9:49:26): [be[domain.name]] [ad_sasl_log] (0x0040): SASL: No worthy mechs found
(2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0020): ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
(2021-05-06  9:49:26): [be[domain.name]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-4): no mechanism available: No worthy mechs found]
(2021-05-06  9:49:26): [be[domain.name]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed
(2021-05-06  9:49:26): [be[domain.name]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc1.domain.name' as 'not working'
I tried to rejoin domain with

krb5.conf
 allow_weak_crypto = true
 permitted_enctypes = aes rc4
then with commands:
KRB5_TRACE=/dev/stdout kinit -V aduser@AD.EXAMPLE.COM.
kinit Administrator
net ads join -k
klist -ke
Keytab looks like that:
  10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.name@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
  10 06.05.2021 09:49:09 restrictedkrbhost/PCNAME@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
  10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.name@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
  10 06.05.2021 09:49:09 restrictedkrbhost/PCNAME@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
  10 06.05.2021 09:49:09 restrictedkrbhost/pcname.domain.name@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
  10 06.05.2021 09:49:09 restrictedkrbhost/PCNAME@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
  10 06.05.2021 09:49:10 host/pcname.domain.name@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
  10 06.05.2021 09:49:10 host/PCNAME@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
  10 06.05.2021 09:49:10 host/pcname.domain.name@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
  10 06.05.2021 09:49:10 host/PCNAME@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
  10 06.05.2021 09:49:10 host/pcname.domain.name@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
  10 06.05.2021 09:49:10 host/PCNAME@DOMAIN.NAME (DEPRECATED:arcfour-hmac)
  10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes256-cts-hmac-sha1-96)
  10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (aes128-cts-hmac-sha1-96)
  10 06.05.2021 09:49:10 PCNAME$@DOMAIN.NAME (DEPRECATED:arcfour-hmac)

Both kinit and ldapsearch are working properly.
Thanks for help!


-----
Pawel