Ok got it.
SSSD is contacting root forest controllers first to obtain information about AD forest.
Unfortunately our root DCs seem to be running some older version of Windows server which
is not quite happy with AES keys.
Workaround is to disable subdomains provider & specify ad servers manually.
Sorry for the noise.
Ondrej
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: Wednesday, April 06, 2016 9:39 AM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: Allowed Kerberos encryption types for SSSD
On Wed, Apr 06, 2016 at 07:09:16AM +0000, Ondrej Valousek wrote:
> Both commands work just fine - I am getting AES256 keys then (if I
> forbid arcfour).
> Seems to me that SSSD for some reason relies on arcfour - is this by design?
No, there is no dependency on arcfour, SSSD just uses common library calls to libkrb5 and
libldap as the two commands below.
Can you try to remove the credential cache used by SSSD with
rm /var/lib/sss/db/ccache_*
and restart SSSD? Maybe there are still old but valid tickets in the ccache?
HTH
bye,
Sumit
> Thanks,
> Ondrej
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: Tuesday, April 05, 2016 5:27 PM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: Allowed Kerberos encryption types for SSSD
On Tue, Apr 05, 2016 at 02:48:51PM +0000, Ondrej Valousek wrote:
> Hi List,
>
> I am currently fighting to get Kerberized NFS working against clustered Netapp. Their support says that they support all enc types but arcfour-hmac.
> When I specify default_enctypes in krb5.conf and omit arcfour-hmac enc type, sssd stops working (goes offline, can not connect).
> Funny thing is, that kinit -k $HOSTNAME$ works just fine.
>
> Is SSSD picky about Kerberos encryption types or not?
If you use AD on the server side arcfour might be needed.
Does
kvno LDAP/some.ad.dc@AD.DOMAIN
or
ldapsearch -H ldap://some.ad.dc -b '' -s base -Y GSSAPI
work after kinit?
bye,
Sumit
>
> Thanks,
> Ondrej
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
-----
The information contained in this e-mail and in any attachments is confidential and is
designated solely for the attention of the intended recipient(s). If you are not an
intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or
any part thereof. If you have received this e-mail in error, please notify the sender by
return e-mail and delete all copies of this e-mail from your computer system(s). Please
direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and
Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office:
South County Business Park, Leopardstown, Dublin 18.
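
An added example, not part of the original thread: a shell check that reads `klist -e` output and reports every ticket whose session key or ticket encryption type is not AES, which is what the `kinit`/`kvno` tests discussed above are used to confirm. It assumes the MIT `klist -e` output format; the function names and the sample cache listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag non-AES tickets in `klist -e` output (MIT krb5 format assumed).
# Real use: klist -e <ccache file> | non_aes_tickets

# Reads klist -e output on stdin and prints one line per offending ticket:
#   <service principal> <session key enctype> <ticket enctype>
non_aes_tickets() {
    awk '
        # A ticket line starts with its "valid starting" date and ends
        # with the service principal.
        /^[0-9]/ { principal = $NF; next }
        # The enctype line belongs to the ticket line printed just before it.
        /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): */, "")
            split($0, e, /, */)
            if (e[1] !~ /^aes/ || e[2] !~ /^aes/)
                print principal, e[1], e[2]
        }
    '
}

# Constructed sample: one AES256 TGT and one service ticket issued with arcfour-hmac.
sample_klist_output() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_sample
Default principal: HOST$@AD.DOMAIN

Valid starting       Expires              Service principal
04/06/2016 09:00:00  04/06/2016 19:00:00  krbtgt/AD.DOMAIN@AD.DOMAIN
        renew until 04/13/2016 09:00:00, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
04/06/2016 09:00:05  04/06/2016 19:00:00  ldap/some.ad.dc@AD.DOMAIN
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
EOF
}

# Demonstration on the constructed sample.
sample_klist_output | non_aes_tickets
```
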