Hello,
On Tue, Feb 5, 2019 at 10:29 AM Jakub Hrozek jhrozek@redhat.com wrote:
Now, everything is OK with the main domain, AFAIK, I can login, sudo based on groups, etc. But for the child domain, most work, I can id a user@child (that resolves the user and the groups associated), I can "su - user@child" from root, BUT I can not login with that user@child. Sanitized logs follow :
It's hard to say from the trimmed log, but I assume this happens during the TGT validation phase? If yes, then you could work around that temporarily by setting krb5_validate = false in the domain section, but please read the sssd-krb5 manual page to see what security implications this has.
I have tried that, and yes, it works. Though because of the security implications I would rather set it up without it...
Does it work to request this principal from the command line?
kinit user@EXAMPLE.COM
I have tried that with my AD user, and yes I receive no error and return code is 0
kvno RestrictedKrbHost/ubuntu@EXAMPLE.COM
kvno: Server not found in Kerberos database while getting credentials for RestrictedKrbHost/UBUNTU@EXAMPLE.COM
Is the principal really lower-case and shortname? I would have expected either lower-case FQDN or an upper-case shortname..
root@ubuntu:~# kvno ubuntu
ubuntu@EXAMPLE.COM: kvno = 2
I am not sure precisely what to look for in the principals...
root@ubuntu:~# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 UBUNTU$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 UBUNTU$@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 UBUNTU$@EXAMPLE.COM (des3-cbc-sha1)
   2 UBUNTU$@EXAMPLE.COM (arcfour-hmac)
   2 UBUNTU$@EXAMPLE.COM (des-cbc-md5)
   2 UBUNTU$@EXAMPLE.COM (des-cbc-crc)
   2 host/UBUNTU@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/UBUNTU@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 host/UBUNTU@EXAMPLE.COM (des3-cbc-sha1)
   2 host/UBUNTU@EXAMPLE.COM (arcfour-hmac)
   2 host/UBUNTU@EXAMPLE.COM (des-cbc-md5)
   2 host/UBUNTU@EXAMPLE.COM (des-cbc-crc)
   2 host/ubuntu@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/ubuntu@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 host/ubuntu@EXAMPLE.COM (des3-cbc-sha1)
   2 host/ubuntu@EXAMPLE.COM (arcfour-hmac)
   2 host/ubuntu@EXAMPLE.COM (des-cbc-md5)
   2 host/ubuntu@EXAMPLE.COM (des-cbc-crc)
   2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (des3-cbc-sha1)
   2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (arcfour-hmac)
   2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (des-cbc-md5)
   2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (des-cbc-crc)
   2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (des3-cbc-sha1)
   2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (arcfour-hmac)
   2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (des-cbc-md5)
   2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (des-cbc-crc)
None of these are ok with kvno except 'UBUNTU$@EXAMPLE.COM'
root@ubuntu:~# kvno ubuntu
ubuntu@EXAMPLE.COM: kvno = 2
root@ubuntu:~# kvno ubuntu@EXAMPLE.COM
ubuntu@EXAMPLE.COM: kvno = 2
root@ubuntu:~# kvno UBUNTU
UBUNTU@EXAMPLE.COM: kvno = 2
root@ubuntu:~# kvno UBUNTU@EXAMPLE.COM
UBUNTU@EXAMPLE.COM: kvno = 2
root@ubuntu:~# kvno UBUNTU@example.com
kvno: KDC reply did not match expectations while getting credentials for UBUNTU@example.com
What is in the file /var/lib/sss/pubconf/krb5.include.d/domain_realm_$domain?
[domain_realm]
.child.example.com = CHILD.EXAMPLE.COM
child.example.com = CHILD.EXAMPLE.COM
[capaths]
CHILD.EXAMPLE.COM = {
EXAMPLE.COM = EXAMPLE.COM
}
EXAMPLE.COM = {
CHILD.EXAMPLE.COM = EXAMPLE.COM
}
Thanks for your time!
Jeremy
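The kvno round that Jeremy ran by hand above, one principal at a time, is the check that tells you whether the KDC knows each name in the keytab before you decide whether krb5_validate can stay enabled. The following script is an added example, not code from the thread or from SSSD: it parses `klist -ke` output into the distinct principal names and asks the KDC for a service ticket for each one with `kvno`. It assumes the MIT Kerberos client tools (`klist`, `kvno`) are installed and that a TGT already exists (run `kinit` first); the klist output embedded in it is a constructed sample modelled on the format shown in the thread, so the parsing part runs offline.

```shell
#!/bin/sh
# Constructed sample of `klist -ke` output (not the poster's real keytab),
# embedded so the parser can be exercised without a keytab or a KDC.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 UBUNTU$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 UBUNTU$@EXAMPLE.COM (arcfour-hmac)
   2 host/UBUNTU@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/ubuntu@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Reduce klist -ke output (read from stdin) to the distinct principal names:
# keep only entry rows (first field is a numeric KVNO), take the principal
# column, drop the enctype, and de-duplicate in a locale-independent order.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | LC_ALL=C sort -u
}

# For each principal read from stdin, ask the KDC for a service ticket with
# kvno (needs a current TGT) and report whether the KDC knows that name.
# Output is one line per principal: "OK <principal>" or "MISSING <principal>".
check_principals() {
    while IFS= read -r princ; do
        if kvno "$princ" >/dev/null 2>&1; then
            printf 'OK      %s\n' "$princ"
        else
            printf 'MISSING %s\n' "$princ"
        fi
    done
}

# Count the MISSING lines in a check_principals report read from stdin.
# grep -c prints 0 but exits 1 when nothing matches, so tolerate that.
count_missing() {
    grep -c '^MISSING ' || true
}

# Against the real keytab (root is needed to read /etc/krb5.keytab):
#   klist -ke | keytab_principals | check_principals
# Offline demonstration of the parsing step on the constructed sample:
printf '%s\n' "$SAMPLE_KLIST" | keytab_principals
```

A principal that shows up as MISSING is one the KDC refuses with "Server not found in Kerberos database", exactly what the thread shows for RestrictedKrbHost/ubuntu@EXAMPLE.COM; those are the entries to compare against the service principal names registered for the computer object before relaxing validation.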