Ethel,
Also be careful with sssd and one-way trusts.
We find that sssd discovers and reports *ALL* one-way trusts, even ones that go the wrong way. That is, in our company there's a lot of test and lab AD domains that trust the main domain -- but the main AD domain doesn't trust these "cowboy" AD domains. (and rightly so.)
As a consequence, we have to put the following line in our sssd.conf file:
ad_enabled_domains = amer.company.com, apac.company.com, emea.company.com, japn.company.com, company.com
That line is basically saying -- "I don't care what yahoo AD domains you discover -- only deal with these specific AD domains."
And then later in the domain section, we'll put in a domain_resolution_order line, in order to tell sssd in which order to search these AD domains (for users and groups).
Spike.
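A small lint, added here as an example and not part of Spike's setup or the sssd project, that reads an sssd.conf fragment and splits these list options the way sssd does (on commas only), so a forgotten comma between two domain names shows up as one bogus entry and as a domain silently missing from ad_enabled_domains. The sample config is constructed, and the cross-check between domain_resolution_order and ad_enabled_domains is a sanity check of my own, not something sssd enforces.

```python
import configparser
import re

# Constructed sssd.conf fragment for the example; it deliberately omits the
# comma before "company.com" in ad_enabled_domains.
SAMPLE_CONF = """
[sssd]
domains = company.com
services = nss, pam
domain_resolution_order = amer.company.com, company.com, apac.company.com

[domain/company.com]
id_provider = ad
ad_enabled_domains = amer.company.com, apac.company.com, emea.company.com, japn.company.com company.com
"""

# RFC 1123 style hostname label; a label containing a space is never valid.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def split_list(value):
    """Split a comma-separated sssd option value, trimming blanks around each entry."""
    return [v.strip() for v in value.split(",") if v.strip()]


def is_valid_domain(name):
    return all(_LABEL.match(label) for label in name.split("."))


def lint_sssd_conf(text):
    """Return (section, message) findings for the trust-related list options."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    enabled = set()
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        raw = cp[section].get("ad_enabled_domains")
        if raw is None:
            continue
        for entry in split_list(raw):
            if is_valid_domain(entry):
                enabled.add(entry.lower())
            else:
                findings.append((section, f"ad_enabled_domains entry {entry!r} is not a valid domain name (missing comma?)"))
    order_raw = cp["sssd"].get("domain_resolution_order") if cp.has_section("sssd") else None
    if order_raw and enabled:
        for entry in split_list(order_raw):
            if entry.lower() not in enabled:
                findings.append(("sssd", f"domain_resolution_order lists {entry!r}, which is not in ad_enabled_domains"))
    return findings
```

Run against the sample it reports the merged "japn.company.com company.com" entry and, as a consequence, that company.com is ordered for resolution but never enabled; adding the comma clears both findings.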
On Mon, Feb 17, 2025 at 1:54 PM Ethel Andino via sssd-users <sssd-users@lists.fedorahosted.org> wrote:
I ran into a problem trying to set up GSSAPI authentication. Everything went smoothly on the test bench, but when we moved it to production, I hit an “Unspecified GSS failure” error.
I spent nearly two days trying to debug it without any luck. It turned out that the client was trying to authenticate through Samba while the accounts were in a Windows domain. I went through a bunch of standard fixes like checking DNS and reconfiguring services, but nothing did the trick.
Then, out of nowhere, I found a helpful resource ( andersenlab.com/services/artificial-intelligence/consulting ), which had some great info on integrating these kinds of systems. The spinics.net forum (https://www.spinics.net/lists/samba/msg183234.html) was also a lifesaver; they had a similar case where someone suggested I check the SSSD logs. I noticed a weird pattern in the errors and, after some tweaks with the two-way trust setup, everything finally worked!
So it's my ready-made checklist for such situations:
1) Check out the SSSD logs to get more info on the error. This will help you figure out why the authorization isn't working.
2) Make sure your DNS settings are set up right to resolve the domain controller names.
3) Think about setting up a temporary two-way trust relationship to see if that helps with authorization.