On Mon, Feb 22, 2016 at 08:04:42PM -0000, Patrice Peterson wrote:
> Please note that the principal you give with the --user-principal option
> is not a SPN (service principal name) but a UPN (user principal name).
> Only UPNs can be used to get a Kerberos TGT, i.e. can be used with
> kinit.
> As you can see from the logs SSSD tries to use host/fqdn@XD.UNI-HALLE.DE
> to get a TGT. Since AD handles principals case-insensitively
> HOST/fqdn@XD.UNI-HALLE.DE will work as well as long as it is defined as
> UPN (I would expect that it will work the same if you use
> '--user-principal=host/fqdn@REALM').
Yes, I just tried that and you were right. My mental model of host authentication was
apparently completely wrong—I knew computers were basically "users" in AD, but I
didn't apply this knowledge to this situation…
> In general the default UPN is NetBIOSName$@REALM and SSSD will use it if
> a matching entry is in the keytab. But there are some restrictions to
> the NetBIOS name, e.g. only 15 characters are allowed and only a few
> special characters. Do you have an entry '...$@REALM' in the keytab?
> Does the name before the $ match the first part of the fully qualified
> host name of the client or is it truncated or special characters
> removed?
I do have 'Netbiosname$@REALM', but I had to make it different from the first part
of the FQDN (i.e. it is 'HPC-login001' while the first part of the FQDN is
'login001', without the 'HPC'). I didn't even know that this could be
a problem, so thanks again for putting me on the right path!
> If you have a '...$@REALM' entry in the keytab which differs somehow
> from the hostname you can try to add this principal to sssd.conf with
> ldap_sasl_authid = NetBIOSName$@REALM
> where NetBIOSName$@REALM matches the entry in the keytab to tell SSSD to
> use this principal for kinit.
That did the trick!
However, I still don't understand why setting this is necessary: Shouldn't SSSD
'see' that the account ending with '$@REALM' is the only computer account
in the keytab and use it for obtaining a TGT? I know that MS requires the first part of
the FQDN to be equal to the NETBIOS name [0], but it still seems weird to me that SSSD
apparently doesn't infer the NETBIOS name automatically.
In any case, thanks for your explanations! This thread has definitely improved my
understanding so far.
-Patrice
[0] https://msdn.microsoft.com/en-us/library/cc246064.aspx
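The check discussed in this thread, as an added example that is not part of the original exchange or of SSSD itself: the script below reads `klist -kt` output (a constructed sample is embedded, using the login001 host and XD.UNI-HALLE.DE realm from the thread), derives the NetBIOSName$@REALM principal SSSD would look for by default (first DNS label, upper-cased, cut to 15 characters, a simplification of the NetBIOS rules), compares it case-insensitively with the computer-account entries actually in the keytab, and when they differ prints the `ldap_sasl_authid` line to put in sssd.conf. The MIT `klist -kt` column layout (KVNO, date, time, principal) is an assumption; Heimdal prints a different format.

```python
"""Does the keytab hold the computer principal SSSD expects by default?

Added example, not SSSD code.  Parses `klist -kt` text, works out the
NetBIOSName$@REALM principal SSSD tries first, and if the keytab's
computer-account entry has a different NetBIOS name, emits the
ldap_sasl_authid setting that tells SSSD which principal to kinit with.
"""
import re
from typing import Dict, List

# Constructed sample of MIT `klist -kt` output (not a real capture).  The
# NetBIOS name HPC-login001 deliberately differs from the host's first DNS
# label login001, the situation described in the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/22/2016 18:01:02 host/login001.xd.uni-halle.de@XD.UNI-HALLE.DE
   2 02/22/2016 18:01:02 HOST/login001.xd.uni-halle.de@XD.UNI-HALLE.DE
   2 02/22/2016 18:01:02 HPC-login001$@XD.UNI-HALLE.DE
"""

NETBIOS_MAX_LEN = 15  # NetBIOS computer names are limited to 15 characters

# Assumed MIT layout: KVNO, date, time, principal.  Header/separator lines
# do not start with a number and are skipped.
_KLIST_ENTRY = re.compile(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")


def parse_klist(text: str) -> List[str]:
    """Return every principal listed in `klist -kt` output."""
    principals = []
    for line in text.splitlines():
        m = _KLIST_ENTRY.match(line)
        if m:
            principals.append(m.group(1))
    return principals


def expected_default_principal(fqdn: str, realm: str) -> str:
    """Principal SSSD looks for first: NetBIOS form of the host name + '$@REALM'.

    Simplification: first DNS label, upper-cased, truncated to 15 characters.
    """
    label = fqdn.split(".")[0].upper()[:NETBIOS_MAX_LEN]
    return f"{label}$@{realm}"


def computer_principals(principals: List[str], realm: str) -> List[str]:
    """Keytab entries of the form '<name>$@REALM' (AD computer accounts)."""
    suffix = f"$@{realm}".lower()
    return [p for p in principals
            if p.lower().endswith(suffix) and len(p) > len(suffix)]


def check_keytab(fqdn: str, realm: str, klist_text: str) -> Dict[str, object]:
    """Compare the expected default principal with what the keytab contains.

    status is 'ok' (default principal present), 'mismatch' (a computer
    account exists under another NetBIOS name; sssd_conf_line holds the
    fix) or 'no_computer_account' (nothing ending in '$@REALM' at all).
    """
    expected = expected_default_principal(fqdn, realm)
    computers = computer_principals(parse_klist(klist_text), realm)
    # AD treats principals case-insensitively, so compare ignoring case.
    matched = any(p.lower() == expected.lower() for p in computers)
    result: Dict[str, object] = {
        "expected": expected,
        "computer_principals": computers,
        "status": "ok" if matched else "no_computer_account",
        "sssd_conf_line": None,
    }
    if not matched and computers:
        result["status"] = "mismatch"
        result["sssd_conf_line"] = f"ldap_sasl_authid = {computers[0]}"
    return result


if __name__ == "__main__":
    report = check_keytab("login001.xd.uni-halle.de", "XD.UNI-HALLE.DE",
                          SAMPLE_KLIST)
    print("expected by default :", report["expected"])
    print("computer accounts   :", ", ".join(report["computer_principals"]))
    print("status              :", report["status"])
    if report["sssd_conf_line"]:
        print("add to [domain/...] in sssd.conf:", report["sssd_conf_line"])
```

On a real client, feed the script the output of `klist -kt` (for example via `subprocess.run(["klist", "-kt"], capture_output=True, text=True).stdout`) together with `socket.getfqdn()`; when status comes back as `mismatch` the printed `ldap_sasl_authid` line is the same setting the thread arrived at by hand.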