On Mon, Feb 22, 2016 at 08:04:42PM -0000, Patrice Peterson wrote:
> Hi, thanks for replying!
> While you're correct in that neither of the SPNs work, I can literally not do
> username lookups unless I have a SPN that starts with HOST/.
> I just tried the following:
> 1. Using older adcli (which by default produces HOST/ SPNs) to re-join the host ->
> lookups are not working
> 2. Using newer adcli (which produces host/) to re-join the host -> lookups are not
> working, client exhibits error described in my initial e-mail
> 3. Using newer adcli to re-join, but add the "--user-principal=HOST/fqdn@REALM"
> option so that *both* SPNs are in the keytab) -> lookups are working
Please note that the principal you give with the --user-principal option
is not a SPN (service principal name) but a UPN (user principal names).
Only UPNs can be used to get a Kerberos TGT, i.e. can be used with
kinit.
As you can see from the logs SSSD tries to use host/fqdn@XD.UNI-HALLE.DE
to get a TGT. Since AD handles principals case-insensitively,
HOST/fqdn@XD.UNI-HALLE.DE will work as well, as long as it is defined as a
UPN (I would expect that it will work the same if you use
'--user-principal=host/fqdn@REALM').
In general the default UPN is NetBIOSName$@REALM and SSSD will use it if
a matching entry is in the keytab. But there are some restrictions to
the NetBIOS name, e.g. only 15 characters are allowed and only a few
special characters. Do you have an entry '...$@REALM' in the keytab?
Does the name before the $ match the first part of the fully qualified
host name of the client, or is it truncated or are special characters
removed?
If you have a '...$@REALM' entry in the keytab which differs somehow
from the hostname, you can try to add this principal to sssd.conf with
ldap_sasl_authid = NetBIOSName$@REALM
where NetBIOSName$@REALM matches the entry in the keytab, to tell SSSD to
use this principal for kinit.
HTH
bye,
Sumit
>
> Every time, I made sure to stop SSSD before making any modifications, deleted
/var/lib/sss/{db,mc}/*, and restarted SSSD afterwards. I will try to up the debug level
and see what I can find, and I'll post my logfiles in reply to another mail in this
thread.
>
> In any case, thanks for telling me about kinit -k <NETBIOSname>!
>
> -Patrice
> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
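The check Sumit describes above (compare the '...$@REALM' entry in the keytab with the name SSSD would derive from the hostname, and if they differ put that entry into ldap_sasl_authid) can be scripted. The following is an added example and not code from the thread or from the SSSD project; the klist output, the host web_front1.xd.example.de and the realm XD.EXAMPLE.DE are constructed, and the "derived" name (first DNS label, uppercased, cut to 15 characters, plus '$') is a simplification of SSSD's actual keytab principal search, which tries several candidates.

```shell
#!/bin/sh
# Added example: decide whether sssd.conf needs ldap_sasl_authid, based on
# the principals in a keytab listing. Not SSSD project code.

# Constructed sample of `klist -kt /etc/krb5.keytab` output. The machine
# account was created without the underscore, so the keytab entry is
# WEBFRONT1$ while the host's first DNS label is web_front1.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/22/2016 19:58:01 host/web_front1.xd.example.de@XD.EXAMPLE.DE
   2 02/22/2016 19:58:01 HOST/web_front1.xd.example.de@XD.EXAMPLE.DE
   2 02/22/2016 19:58:01 WEBFRONT1$@XD.EXAMPLE.DE'

# Every principal in the klist output, one per line, deduplicated.
keytab_principals() {
    printf '%s\n' "$1" | awk '$NF ~ /@/ { print $NF }' | sort -u
}

# Simplified version of the UPN SSSD derives by default: the NetBIOS-style
# name (first label, uppercased, at most 15 characters) plus '$' at REALM.
# (Assumption for this example; the real lookup tries more candidates.)
default_machine_upn() {
    fqdn=$1; realm=$2
    nb=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]' | cut -c1-15)
    printf '%s$@%s' "$nb" "$realm"
}

# The machine-account UPN actually present in the keytab (ends in '$@REALM').
keytab_machine_upn() {
    keytab_principals "$1" | grep '\$@' | head -n 1
}

# Returns the sssd.conf line to add when the keytab's machine UPN differs
# from the derived one, an empty string when they match (nothing to do),
# or a diagnostic when the keytab has no machine-account entry at all.
sasl_authid_hint() {
    fqdn=$1; realm=$2; klist_out=$3
    want=$(default_machine_upn "$fqdn" "$realm")
    have=$(keytab_machine_upn "$klist_out")
    if [ -z "$have" ]; then
        printf 'no machine-account entry (...$@REALM) in keytab'
    elif [ "$have" = "$want" ]; then
        printf ''
    else
        printf 'ldap_sasl_authid = %s' "$have"
    fi
}

# Stand-alone run against the constructed sample.
sasl_authid_hint "web_front1.xd.example.de" "XD.EXAMPLE.DE" "$SAMPLE_KLIST"
echo
```

On a real client replace the sample with `klist -kt /etc/krb5.keytab` output; once the line is in the [domain/...] section of sssd.conf, `kinit -kt /etc/krb5.keytab 'WEBFRONT1$@XD.EXAMPLE.DE'` confirms that entry can actually obtain a TGT before SSSD is restarted.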