On 03/30/2015 12:41 PM, YVAN MASSON wrote:

Hi everybody,

 

First, thanks for this great tool !

With a very simple setup, it allows me to use dozens of *Ubuntu 14.04 (sssd version 1.11.5-1ubuntu3) computers in the AD environment of my school, where I have two 2003 servers.

 

I tried to help a collegue to do the same in another school (where there is a mix of 2003 and 2008 servers), but I failed : the problem seems to come from Kerberos, because I found messages of this type in the sssd logs : "... has no support for encryption type". The enrollment of the computer in the realm was OK, but users login sometimes fails.


The key is to understand why it fails.
Can you define which authentication fail? What is the scenario?
Does it happen on the same client some users are ok and some not?
Users that are failing do they fail on other clients?
Which DC they are in 2003 or 2008 (I assume they are different domains in the same forest)?



In some blog I can't find anymore, it was written that old encryption types (DES) was not supported anymore on 2008 servers, so I tried to force some Kerberos options ("krb5_use_kdcinfo = false" in sssd.conf and "allow_weak_crypto = 1" in /etc/krb5.conf).

The sssd logs let think that /etc/krb5.conf is looked, but the result is the same.

 

The only thing "working" was to prevent the computer to talk with the 2003 server with iptables, but this is a horrible and annoying hack.

 

So my question are :

 - Does anyone alredy managed to use sssd in this type of environment ?

 - Would you have any idea where to look for better debugging ?

 

Thanks very much,

Yvan Masson



_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.