On 03/30/2015 12:41 PM, YVAN MASSON wrote:
> First, thanks for this great tool!
> With a very simple setup, it allows me to use dozens of *Ubuntu 14.04
> (sssd version 1.11.5-1ubuntu3) computers in the AD environment of my
> school, where I have two 2003 servers.
> I tried to help a colleague to do the same in another school (where
> there is a mix of 2003 and 2008 servers), but I failed: the problem
> seems to come from Kerberos, because I found messages of this type in
> the sssd logs: "... has no support for encryption type". The
> enrollment of the computer in the realm was OK, but users login

The key is to understand why it fails.
Can you define which authentication fails? What is the scenario?
Does it happen that on the same client some users are OK and some are not?
Do the users that are failing also fail on other clients?
Which DC are they in, 2003 or 2008 (I assume they are different domains
in the same forest)?

> In some blog I can't find anymore, it was written that old
> types (DES) were not supported anymore on 2008 servers, so I tried to
> force some Kerberos options ("krb5_use_kdcinfo = false" in sssd.conf
> and "allow_weak_crypto = 1" in /etc/krb5.conf).
> The sssd logs suggest that /etc/krb5.conf is looked at, but the result
> is the same.
> The only thing "working" was to prevent the computer from talking with the
> 2003 server with iptables, but this is a horrible and annoying hack.
> So my questions are:
> - Has anyone already managed to use sssd in this type of environment?
> - Would you have any idea where to look for better debugging?
> Thanks very much,
sssd-users mailing list
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.