Sumit,

Thank you so much for responding.  I believe you're saying this.

You tested this by putting in:

                ldap_sasl_authid = ewfk@FWEF.ED

 

on your test server called “client.samba.test”.    It failed to find “ewfk@FWEF.ED” or “host/ewfk@FWEF.ED” in /etc/krb5.keytab file, so it tried (in order):

 

>                hostname@REALM
>                netbiosname$@REALM
>                host/hostname@REALM
                       ...

 

It found host/client.samba.test@SAMBA.TEST in /etc/krb5.keytab file and it used that.


That's why you see in the sssd logs these lines:


    [sdap_set_sasl_options] (0x0080): Configured SASL auth ID not found in keytab. Requested ewfk, found host/client.samba.test
    [sdap_set_sasl_options] (0x0080): Configured SASL realm not found in keytab. Requested FWEF.ED, found SAMBA.TEST

Have I stated that all correctly?

Spike


On Wed, Jan 31, 2024 at 8:01 AM Sumit Bose <sbose@redhat.com> wrote:
Am Mon, Jan 22, 2024 at 03:08:30PM -0600 schrieb Spike White:
> All,
>
>
> We’re auditing for successful & healthy AD join of our 32K+ servers.  Our
> check is basically this:
>
>
> AUTHID=$(grep ldap_sasl_authid /etc/sssd/sssd.conf | awk '{print $3}')
>
> [[ $AUTHID != host/* ]]  && AUTHID=host/$AUTHID
>
> kinit -k $AUTHID
>
>
>
> i.e., kinit with the same service principal that sssd uses (prepending the
> "host/" prefix if not already existing).
>
>
> We’ve identified about 200 “failing” servers, but upon closer inspection
> only about 30 of them are really failing.
>
>
> The other 170 are failing the above naïve check, but sssd is properly
> working.  Here’s an example:
>
>
> Server ddlplhdc4036.us.company.com has
>
>
> ldap_sasl_authid = ddlplhdc4034.us.company.com@AMER.COMPANY.COM
> <.us.dell.com@AMER.DELL.COM>
>
>
> but in /etc/krb5.keytab file ii has:
>
>
> host/ddlplhdc4036.us.company.com@AMER.COMPANY.COM
> <host/ddlplhdc4036.us.dell.com@AMER.DELL.COM>
>
>
> If you look at the sssd-ldap man page, it states:
>
>        ldap_sasl_authid (string)
>            Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO
> are used, this represents the Kerberos principal used for authentication to
> the directory. This option can
>            either contain the full principal (for example host/
> myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By
> default, the value is not set and the
>            following principals are used:
>
>                hostname@REALM
>                netbiosname$@REALM
>                host/hostname@REALM
>                *$@REALM
>                host/*@REALM
>                host/*
>
>            If none of them are found, the first principal in keytab is
> returned.
>
>            Default: host/hostname@REALM
>
> If we have ldap_sasl_authid defined in /etc/sssd/sssd.conf file and it
> fails, does it try those other permutations above?
>
> I'm guessing so, based on these 170 servers that are allegedly failing, but
> sssd is truly succeeding.

Hi,

yes, SSSD is trying best-effort here and ignores the principal from the
ldap_sasl_authid if it is not in the keytab. You should see messages
like:

    [sdap_set_sasl_options] (0x0080): Configured SASL auth ID not found in keytab. Requested ewfk, found host/client.samba.test
    [sdap_set_sasl_options] (0x0080): Configured SASL realm not found in keytab. Requested FWEF.ED, found SAMBA.TEST

in the SSSD backend logs if this happens.

HTH

bye,
Sumit

>
> Spike White

> --
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue