Thanks a lot.
I was more suspicious about the differences in joining AD between ‘msktutil’ and ‘realm’.
With ‘realm’ there are more encryption types, and there is one more principal entry,
host/CLIENT@DOMAIN.ORG
Am I missing something in getting the point here:
If there is a key for the principal 'host/client.domain.org@DOMAIN.ORG' in the local
/etc/krb5.keytab,
why are there no credentials in the Kerberos database?
There are principals with short names as well:
CLIENT$@DOMAIN.ORG
host/CLIENT@DOMAIN.ORG
Is this because, for the NFS4 service the machine asks for, credentials are needed for the machine
principal, the one ending with “$”, and rpc.gssd
asks about CLIENT.DOMAIN.ORG$@DOMAIN.ORG
instead of CLIENT$@DOMAIN.ORG,
and that question depends on what ‘hostname’ returns?
=====
Feb 11 16:00:39 client rpc.gssd[708]: Success getting keytab entry for 'host/client.domain.org@DOMAIN.ORG'
Feb 11 16:00:39 client rpc.gssd[708]: WARNING: Client not found in Kerberos database while getting initial ticket for principal 'host/client.domain.org@DOMAIN.ORG' using keytab 'FILE:/etc/krb5.keytab'
Feb 11 16:00:39 client rpc.gssd[708]: ERROR: No credentials found for connection to server server.domain.org
host 10.80.8.54
Host 54.8.80.10.in-addr.arpa. not found: 3(NXDOMAIN)
Best
Longina
From: sssd-users-bounces@lists.fedorahosted.org On Behalf Of Ondrej Valousek
Sent: 11 February 2014 22:34
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb problem)
Strange,
I am always using short hostnames and I did not come across any problems so far.
But in general I agree that nfs-utils should handle FQDN hostnames better.
Ondrej
Sent from Samsung Mobile
-------- Original message --------
From: Simo Sorce
Date: 11. 02. 2014 20:59 (GMT+01:00)
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb problem)
On Tue, 2014-02-11 at 17:27 +0000, Ondrej Valousek wrote:
Got it.
You need to use short hostname - i.e. hostname should return only "client", not
"client.domain.org".
O.
This normally breaks other things, you should probably instead open a
bug against nfs-utils so that they try to split the hostname along '.'
before appending the $
I will ping Steve Dickson (maintainer of nfs-utils) shortly about this,
but filing a bug would help anyway.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
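
The suggestion in the thread above (split the hostname along '.' before appending the `$`), sketched as an added example. This is not nfs-utils code and was not posted by anyone in the thread; `machine_principal` and `in_keytab` are hypothetical names, the uppercasing is an assumption taken from the entries quoted above, and the keytab listing is constructed from the principals named in the messages.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not nfs-utils code): build the AD machine-account
 * principal "SHORTNAME$@REALM" from whatever `hostname` returns.
 * The host part is cut at the first '.', so "client.domain.org" and
 * "client" both yield "CLIENT$@DOMAIN.ORG" (uppercasing is an assumption).
 * Returns 0 on success, -1 on an empty label/realm or a too-small buffer. */
int machine_principal(const char *hostname, const char *realm,
                      char *out, size_t outlen)
{
    size_t n = strcspn(hostname, ".");      /* length of first DNS label */
    size_t rlen = strlen(realm);
    if (n == 0 || rlen == 0)
        return -1;
    if (n + 2 + rlen + 1 > outlen)          /* label + "$@" + realm + NUL */
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)toupper((unsigned char)hostname[i]);
    out[n] = '$';
    out[n + 1] = '@';
    memcpy(out + n + 2, realm, rlen + 1);   /* copies the NUL too */
    return 0;
}

/* Exact, case-sensitive match against a list of keytab principal names. */
int in_keytab(const char *princ, const char *const *entries, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (strcmp(princ, entries[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample data using the names from this thread. */
    const char *keytab[] = { "CLIENT$@DOMAIN.ORG", "host/CLIENT@DOMAIN.ORG",
                             "host/client.domain.org@DOMAIN.ORG" };
    const char *names[] = { "client", "client.domain.org" };
    char p[256];

    for (size_t i = 0; i < 2; i++)
        if (machine_principal(names[i], "DOMAIN.ORG", p, sizeof p) == 0)
            printf("%-18s -> %s (%s)\n", names[i], p,
                   in_keytab(p, keytab, 3) ? "in keytab" : "missing");
    return 0;
}
```

Without the split, the FQDN case would produce CLIENT.DOMAIN.ORG$@DOMAIN.ORG, which matches none of the keytab entries listed in the thread.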