Jakub,
thank you for your reply. I have (almost!) got things working now.
I have removed the ldap parameters from the sssd.conf.
I had a mix-up with the AD controller hostname - it is ad.adtest.private and I think this was significant.
Now I am retrieving the user information from AD.
Still having problems with PAM, so I am sure I will be back (sorry!)
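The two things that came up in this thread, a DC name for which the KDC holds no service principal (the cause of "Server not found in Kerberos database") and a leftover ldap_auth_disable_tls_never_use_in_production line, can both be checked before touching a live DC. The script below is an added example, not code from the thread or from the SSSD project; the hostnames, realm, keytab listing and sssd.conf body are constructed to mirror the thread and are hypothetical. The only function that needs network and a TGT is check_dc_live.

```shell
#!/bin/sh
# Added example (not from the thread or the SSSD project). Hostnames and the
# realm ADTEST.PRIVATE are hypothetical, modelled on the thread.

# The SPN GSSAPI requests when SSSD binds to a DC over LDAP is
# ldap/<dc-name>@<REALM>. If the host part is a name the DC's computer object
# has no SPN for, the KDC replies "Server not found in Kerberos database".
# $1 = DC name as written in ad_server / the ldap:// URI, $2 = realm.
ldap_spn() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf 'ldap/%s@%s\n' "$host" "$2"
}

# Does a `klist -k` listing ($1) contain the machine account principal
# $2$@$3? That is the only keytab entry kinit -k accepts; host/ and
# RestrictedKrbHost/ entries are service principals, as noted in the thread.
has_machine_principal() {
    printf '%s\n' "$1" | grep -q "^ *[0-9][0-9]* *$2\\\$@$3\$"
}

# Scan an sssd.conf body ($1), print one finding per line, return 1 if any.
# Flags the TLS-disabling option (meaningless with the ad provider, unsafe
# with auth_provider = ldap) and an ad_server that is not a fully qualified
# name, which is worth checking against the SPNs the DC actually has.
audit_sssd_conf() {
    rc=0
    if printf '%s\n' "$1" | grep -q '^ *ldap_auth_disable_tls_never_use_in_production *= *[Tt]'; then
        echo "ldap_auth_disable_tls_never_use_in_production is set: remove it"
        rc=1
    fi
    srv=$(printf '%s\n' "$1" | sed -n 's/^ *ad_server *= *//p' | head -n 1)
    case "$srv" in
        ''|_srv_|*.*) ;;
        *) echo "ad_server '$srv' is not fully qualified; confirm the DC has an SPN for ldap/$srv"
           rc=1 ;;
    esac
    return $rc
}

# Live check (needs network and a TGT from `kinit -k 'HOST$@REALM'`):
# request a ticket for the DC's LDAP SPN with Kerberos tracing on.
check_dc_live() {
    KRB5_TRACE=/dev/stderr kvno "$(ldap_spn "$1" "$2")"
}

# Constructed sample input: a keytab listing and a config with both problems.
SAMPLE_KEYTAB='KVNO Principal
---- ----
   3 CLIENT1$@ADTEST.PRIVATE
   3 host/CLIENT1@ADTEST.PRIVATE
   3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE'

SAMPLE_CONF='[domain/adtest.private]
id_provider = ad
auth_provider = ad
ad_server = ad
ldap_auth_disable_tls_never_use_in_production = true'

# Run with "demo" as the first argument to see the checks on the sample data.
if [ "${1:-}" = "demo" ]; then
    ldap_spn AD.ADTEST.PRIVATE ADTEST.PRIVATE
    has_machine_principal "$SAMPLE_KEYTAB" CLIENT1 ADTEST.PRIVATE && echo "machine principal present"
    audit_sssd_conf "$SAMPLE_CONF" || echo "config needs fixing"
fi
```

The SPN in ldap_spn is the one to compare against `setspn -L <DC>` on the domain side; if the name SSSD uses is not among those, the error in the original log line follows regardless of what the keytab on the client contains.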
________________________________
From: JOHE (John Hearns)
Sent: 03 May 2018 11:06:02
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] Re: Server not found in Kerberos database and debug level 11
> By the way, why does the debug level not go up to 11?
Because 9 is the highest?
http://knowyourmeme.com/memes/these-go-to-11-spinal-tap
________________________________
From: Jakub Hrozek <jhrozek(a)redhat.com>
Sent: 03 May 2018 09:43:33
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: Server not found in Kerberos database and debug level 11
On 2 May 2018, at 17:54, JOHE (John Hearns) <JOHE(a)novozymes.com> wrote:
I would appreciate some pointers.
I have a sandbox setup running on VMs. There is an AD controller using the VM image
which Microsoft has available for testing.
I have created a domain called ad.test
On my client machine I am continually getting this error:
[sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
I find it easier to debug this kind of an issue with:
KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b ""
Also, what version and on what OS are you running?
On the client klist -k | uniq returns
KVNO Principal
---- --------------------------------------------------------------------------
3 CLIENT1$@ADTEST.PRIVATE
3 host/CLIENT1@ADTEST.PRIVATE
3 host/client1@ADTEST.PRIVATE
3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE
3 RestrictedKrbHost/client1@ADTEST.PRIVATE
The funny thing is ONLY kinit -k CLIENT1$\@ADTEST.PRIVATE will work.
This is expected, only the client$@realm principal is a user/computer principal, the rest
are service principals.
I do get a tgt:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: CLIENT1$@ADTEST.PRIVATE
Just in the sandbox I am also setting:
ldap_auth_disable_tls_never_use_in_production = true
Please don't use this: not only is it very insecure, it also doesn't make any sense. This option is only useful if you use auth_provider=ldap. With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
Any pointers please? I have cranked debug up to 8 and this error message seems to be the
crucial one.
By the way, why does the debug level not go up to 11?
Because 9 is the highest?
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org