On Thu, May 03, 2018 at 10:08:34AM +0200, John Hearns wrote:
To explain, I just sent a reply from my personal Googlemail.
I am now getting this logged:
May 03 10:05:02 client1 [sssd[ldap_child[2481]: Failed to initialize
credentials using keytab [MEMORY:/etc/krb5.keytab]: Client
'host/client1(a)ADTEST.PRIVATE' not
May 03 10:05:02 client1 [sssd[ldap_child[2481]: Client
'host/client1(a)ADTEST.PRIVATE' not found in Kerberos database
I know the case is important in Kerberos, but client1 is certainly in the
Computers section of the adtest.private AD domain.
Ad makes a distinction between user and server principals. The former
can be used with kinit the latter not as you already have seen below.
The AD provider will use the keytab entry with the '$' by default, but
the LDAP provider will use the host name and add 'host/' in the
beginning and the realm at the end.
Please try to set 'ldap_sasl_authid = CLIENT1$(a)ADTEST.PRIVATE' to use
'CLIENT1$(a)ADTEST.PRIVATE' when requesting a TGT from AD.
HTH
bye,
Sumit
On 3 May 2018 at 09:59, John Hearns <hearnsj(a)googlemail.com> wrote:
> Jakub, thankyou for your reply.
>
> Client OS is Ubuntu Xenial. Yes, I know... pats favourite labrador
> goodbye. Sound of drawer opening and service revolver being loaded...
>
> I did realise that the option p_auth_disable_tls_never_use_in_production
> = true
> the problem I have is that there is a CA cert on the Active Directory
> controller. But I cannot see if there is an SSL certificate.
> I may well be misunderstanding things.
>
> >Please don’t use this, not only it is very insecure, but also it doesn’t
> make any sense, this option is only useful if you use auth_provider=ldap.
> With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
>
> Aha. Thankyou for that information.
> I then have to ask the assembled choir (as I am not at the pearly gates) -
> does AD in the default configuration have SSL certificate capability?
> I have installed the Active Directory Certificate Services role
>
>
>
>
>
>
>
>
> On 3 May 2018 at 09:43, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
>
>>
>>
>> > On 2 May 2018, at 17:54, JOHE (John Hearns) <JOHE(a)novozymes.com>
wrote:
>> >
>> > I would appreciate some pointers.
>> > I have a sandbox setup running on VMs. There is an AD controller using
>> the VM image which Microsoft has available for testing.
>> > I have created a domain called ad.test
>> >
>> > On my client machine I am continually getting this error:
>> > [sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error:
>> Unspecified GSS failure. Minor code may provide more information (Server
>> not found in Kerberos database)
>> >
>>
>> I find it easier to debug this kind of an issue with:
>> KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base
>> -b “”
>>
>> Also, what version and on what OS are you running?
>>
>> >
>> > On the client klist-k | uniq returns
>> >
>> > KVNO Principal
>> > ---- ------------------------------------------------------------
>> --------------
>> > 3 CLIENT1$(a)ADTEST.PRIVATE
>> > 3 host/CLIENT1(a)ADTEST.PRIVATE
>> > 3 host/client1(a)ADTEST.PRIVATE
>> > 3 RestrictedKrbHost/CLIENT1(a)ADTEST.PRIVATE
>> > 3 RestrictedKrbHost/client1(a)ADTEST.PRIVATE
>> >
>> > The funny thing is ONLY kinit -k CLIENT1$\(a)ADTEST.PRIVATE will work.
>>
>> This is expected, only the client$@realm principal is a user/computer
>> principal, the rest are service principals.
>>
>> > I do get a tgt:
>> > Ticket cache: FILE:/tmp/krb5cc_0
>> > Default principal: CLIENT1$(a)ADTEST.PRIVATE
>> >
>> > Just in the sandbox I am also setting:
>> > ldap_auth_disable_tls_never_use_in_production = true
>>
>> Please don’t use this, not only it is very insecure, but also it doesn’t
>> make any sense, this option is only useful if you use auth_provider=ldap.
>> With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
>>
>> >
>> > Any pointers please? I have cranked debug up to 8 and this error
>> message seems to be the crucial one.
>> >
>> > By the way, why does the debug level not go up to 11?
>>
>> Because 9 is the highest?
>> _______________________________________________
>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>>
>
>
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahost...