OK, that could have been DC replication at play, said error has gone away
and I can see AD users, phew.
John
On 7 May 2015 at 14:37, John Beranek <john(a)redux.org.uk> wrote:
Although perhaps I spoke too soon. sssd starts up but throws log
entries:
May 7 14:36:04 paixlab-rhel67 [sssd[ldap_child[24887]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 7 14:36:04 paixlab-rhel67 [sssd[ldap_child[24887]]]: Preauthentication failed
John
On 7 May 2015 at 14:34, John Beranek <john(a)redux.org.uk> wrote:
> Sumit, many thanks - you hit the nail on the head! My smb.conf was
> missing the line:
>
> kerberos method = secrets and keytab
>
> so had not created the keytab. Added the line, rejoined and sssd starts
> as expected.
>
> Cheers,
>
> John
>
> On 7 May 2015 at 11:45, Sumit Bose <sbose(a)redhat.com> wrote:
>
>> On Thu, May 07, 2015 at 11:35:21AM +0100, John Beranek wrote:
>> > Hi all,
>> >
>> > I've just built a RHEL 6.7 Beta VM to test the new SSSD release, and have
>> > come across a strange issue.
>> >
>> > I can successfully kinit and join our AD domain with "net ads join -k" but
>> > sssd won't start. The logs contain:
>>
>> you have to make sure that net ads join really creates a keytab. Please
>> check 'kerberos method' in the smb.conf man page. By default the keys
>> are written only to samba's internal secrets.tdb.
>>
>> As an alternative you might want to consider using the realm command to
>> join the AD domain.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>> >
>> > [ad_set_ad_id_options] (0x0100): Option krb5_realm set to EXAMPLE.COM
>> > [sdap_set_sasl_options] (0x0100): Will look for rhel67.example.com(a)EXAMPLE.COM in default keytab
>> > [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
>> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>> > [select_principal_from_keytab] (0x0080): No suitable principal found in keytab
>> > [select_principal_from_keytab] (0x0010): Failed to read keytab [default]: No such file or directory
>> > [ad_set_ad_id_options] (0x0040): Cannot set the SASL-related options
>> > [load_backend_module] (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>> > [be_process_init] (0x0010): fatal error initializing data providers
>> >
>> > Had a little feedback from Lukas, who suggested I ran "klist -kt". This
>> > gives:
>> >
>> > # klist -kt
>> > Keytab name: FILE:/etc/krb5.keytab
>> > klist: No such file or directory while starting keytab scan
>> >
>> > Any ideas?
>> >
>> > John
>> >
>> > --
>> > John Beranek To generalise is to be an idiot.
>> > http://redux.org.uk/ -- William Blake
>>
>> > _______________________________________________
>> > sssd-users mailing list
>> > sssd-users(a)lists.fedorahosted.org
>> > https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>>
--
John Beranek To generalise is to be an idiot.
http://redux.org.uk/ -- William Blake
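
Added example, not part of the thread or written by its participants: a shell pre-flight check for the failure discussed above, where "net ads join" succeeds but no keytab is written because smb.conf lacks "kerberos method = secrets and keytab". The function names, return codes and sample smb.conf contents are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and return codes are
# illustrative assumptions.

# Print the [global] "kerberos method" value of an smb.conf file, lowercased
# with whitespace normalized; print nothing if the option is not set there.
kerberos_method() {
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                           # section header
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global {
            eq = index($0, "="); if (eq == 0) next
            name = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", name)
            if (name != "kerberosmethod") next  # names ignore case and spaces
            val = tolower(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", val); gsub(/[ \t]+/, " ", val)
        }
        END { if (val != "") print val }
    ' "$1"
}

# check_join_keytab SMB_CONF KEYTAB
# 0 = method writes a keytab and the file exists, 1 = keys go to secrets.tdb
# only, 2 = keytab file missing, 3 = a value this thread does not cover.
check_join_keytab() {
    method=$(kerberos_method "$1")
    case "$method" in
        "secrets and keytab") ;;
        ""|"secrets only")
            echo "kerberos method '${method:-unset}': keys only in secrets.tdb"
            return 1 ;;
        *)  echo "kerberos method '$method': see smb.conf(5)"
            return 3 ;;
    esac
    [ -s "$2" ] || { echo "$2 missing or empty: rejoin, then run klist -kt"; return 2; }
    echo "ok: $2 present"
}

# Constructed sample input: an smb.conf without and with the option.
demo_dir=$(mktemp -d)
printf '[global]\n  security = ads\n' > "$demo_dir/before.conf"
printf '[global]\n  security = ads\n  Kerberos Method = secrets and keytab\n' \
    > "$demo_dir/after.conf"
check_join_keytab "$demo_dir/before.conf" "$demo_dir/krb5.keytab" || echo "  -> returned $?"
check_join_keytab "$demo_dir/after.conf"  "$demo_dir/krb5.keytab" || echo "  -> returned $?"
```

On a real host the call would be check_join_keytab /etc/samba/smb.conf /etc/krb5.keytab, run before starting sssd; the smb.conf path is an assumption and varies by distribution.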