On Tue, Dec 11, 2018 at 01:42:39PM +0000, Chris J wrote:
> Hi Sumit,
>
> On 2018-12-11 12:32, Sumit Bose wrote:
> > >
> > > Now in /var/log/syslog, when I tail -f during sssctl user-checks, I get the error:
> > >
> > > Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found in Kerberos database
> > > Dec 11 10:59:20 hs-svn-02 [sssd[krb5_child[20446]]]: Server not found in Kerberos database
> >
> > This might be related to Kerberos ticket validation. Please try to add
> >
> > krb5_validate = False
> >
> > to the [domain/...] section of sssd.conf, restart SSSD and try again.
> >
> Yep - that did the trick.
>
> > Even if this works it would be good to see the output of
> >
> > klist -k
> >
> > as well to see what can be done to make ticket validation work.
> >
> This gives:
>
> root@hs-svn-02:/var/log/sssd# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HS-SVN-02$@DEVELOPMENT.CSESERV.COM
>    2 HS-SVN-02$@DEVELOPMENT.CSESERV.COM
>    2 HS-SVN-02$@DEVELOPMENT.CSESERV.COM
>    2 HS-SVN-02$@DEVELOPMENT.CSESERV.COM
>    2 HS-SVN-02$@DEVELOPMENT.CSESERV.COM
>    2 HS-SVN-02$@DEVELOPMENT.CSESERV.COM
>    2 host/HS-SVN-02@DEVELOPMENT.CSESERV.COM
>    2 host/HS-SVN-02@DEVELOPMENT.CSESERV.COM
>    2 host/HS-SVN-02@DEVELOPMENT.CSESERV.COM
>    2 host/HS-SVN-02@DEVELOPMENT.CSESERV.COM
>    2 host/HS-SVN-02@DEVELOPMENT.CSESERV.COM
>    2 host/HS-SVN-02@DEVELOPMENT.CSESERV.COM
>    2 host/hs-svn-02@DEVELOPMENT.CSESERV.COM
>    2 host/hs-svn-02@DEVELOPMENT.CSESERV.COM
>    2 host/hs-svn-02@DEVELOPMENT.CSESERV.COM
>    2 host/hs-svn-02@DEVELOPMENT.CSESERV.COM
>    2 host/hs-svn-02@DEVELOPMENT.CSESERV.COM
>    2 host/hs-svn-02@DEVELOPMENT.CSESERV.COM

It looks like your hostname was set to the short name during the join,
i.e. hostname just returned 'hs-svn-02'. There are some issues in adcli
if a short hostname is used and as a result the AD host object might not
have been created properly. Especially the servicePrincipalName
attribute might be empty or missing at all.
>    2 RestrictedKrbHost/HS-SVN-02@DEVELOPMENT.CSESERV.COM
>    2 RestrictedKrbHost/HS-SVN-02@DEVELOPMENT.CSESERV.COM
>    2 RestrictedKrbHost/HS-SVN-02@DEVELOPMENT.CSESERV.COM
>    2 RestrictedKrbHost/HS-SVN-02@DEVELOPMENT.CSESERV.COM
>    2 RestrictedKrbHost/HS-SVN-02@DEVELOPMENT.CSESERV.COM
>    2 RestrictedKrbHost/HS-SVN-02@DEVELOPMENT.CSESERV.COM
>    2 RestrictedKrbHost/hs-svn-02@DEVELOPMENT.CSESERV.COM
>    2 RestrictedKrbHost/hs-svn-02@DEVELOPMENT.CSESERV.COM
>    2 RestrictedKrbHost/hs-svn-02@DEVELOPMENT.CSESERV.COM
>    2 RestrictedKrbHost/hs-svn-02@DEVELOPMENT.CSESERV.COM
>    2 RestrictedKrbHost/hs-svn-02@DEVELOPMENT.CSESERV.COM
>    2 RestrictedKrbHost/hs-svn-02@DEVELOPMENT.CSESERV.COM

I would expect that for users from the parent domain
'RestrictedKrbHost/hs-svn-02@DEVELOPMENT.CSESERV.COM' is used for
validation. You can check this by inspecting krb5_child.log if
debug_level=9 is set in the [domain/...] section of sssd.conf and you
look for the string 'validate'. If you check the host entry on AD I
would expect that this entry is missing and that validation will start
to work if you add it to servicePrincipalName.
HTH
bye,
Sumit
> >
> >
> > Cheers,
> >
> > Chris
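Added example, not part of the thread and not SSSD or adcli code: a small Python script that parses `klist -k` output and compares the service principals held in the keytab with the servicePrincipalName values read from the AD computer object, so the SPN the KDC "cannot find" is listed before `krb5_validate` is switched off. The listing and the SPN list below are constructed samples shaped like the thread; on a real host the SPNs would be read from the computer object with `ldapsearch`. The KVNO check is an extra caveat from general Kerberos experience, not something the thread discusses.

```python
import re

# Constructed sample of `klist -k` output, shaped like the listing in the
# thread (a real keytab repeats each principal once per encryption type).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HS-SVN-02$@DEVELOPMENT.CSESERV.COM
   2 HS-SVN-02$@DEVELOPMENT.CSESERV.COM
   2 host/HS-SVN-02@DEVELOPMENT.CSESERV.COM
   2 host/hs-svn-02@DEVELOPMENT.CSESERV.COM
   2 RestrictedKrbHost/HS-SVN-02@DEVELOPMENT.CSESERV.COM
   2 RestrictedKrbHost/hs-svn-02@DEVELOPMENT.CSESERV.COM
"""

# Constructed servicePrincipalName values as they might come back from
# `ldapsearch ... servicePrincipalName` on the computer object; deliberately
# incomplete so the check below has something to report.
SAMPLE_SPNS = ["HOST/HS-SVN-02"]

# One keytab entry per line: KVNO, whitespace, principal.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)$")


def parse_klist(text):
    """Return {principal: kvno} for each distinct principal in `klist -k` output.
    Header and separator lines do not match ENTRY_RE and are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and "@" in m.group(2):
            entries.setdefault(m.group(2), int(m.group(1)))
    return entries


def spn_of(principal):
    """Map 'svc/host@REALM' to the 'svc/host' form AD stores in
    servicePrincipalName. The machine account principal ('HOST$@REALM')
    has no service part and is not an SPN, so it returns None."""
    name = principal.split("@", 1)[0]
    return name if "/" in name else None


def missing_spns(keytab_entries, ad_spns):
    """Service principals the keytab holds a key for but the computer object
    does not advertise. AD compares servicePrincipalName case-insensitively,
    so the match is done in lower case; the keytab spelling is kept in the
    result, one entry per distinct SPN, sorted."""
    have = {s.lower() for s in ad_spns}
    missing = {}
    for principal in keytab_entries:
        spn = spn_of(principal)
        if spn is not None and spn.lower() not in have:
            missing.setdefault(spn.lower(), spn)
    return sorted(missing.values(), key=str.lower)


def single_kvno(keytab_entries):
    """True when all keytab entries share one key version. Mixed KVNOs after
    a rejoin are another reason the KDC rejects the validation ticket."""
    return len(set(keytab_entries.values())) <= 1


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    print(f"{len(entries)} distinct principals, single KVNO: {single_kvno(entries)}")
    for spn in missing_spns(entries, SAMPLE_SPNS):
        print("not in servicePrincipalName:", spn)
```

With `krb5_validate` enabled, krb5_child uses the host key from the keytab to request a ticket for the host's own principal and checks that the KDC-issued ticket decrypts with that key; that is what protects the login against a spoofed KDC. If the SPN is not registered on the computer object the KDC answers "Server not found in Kerberos database", which is the symptom in the thread. Setting `krb5_validate = False` removes the symptom by removing the check, so registering the missing SPN, as the thread suggests, is the fix to prefer.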