Hi,
I'm having an issue with IPA/sssd (RHEL 7.1) when accessing resources through an AD trust. The following is logged in ldap_child.log (debug_level=10):
(Tue Mar 10 12:31:12 2015) [sssd[be[unix.domain.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)]
This error seems to occur randomly. We have over 40 DCs in our HUB site for the Active Directory forest/domain. All of these DCs are running either Windows 2008 R2, Windows 2012 or Windows 2012 R2. The domain/forest level is still Windows 2003. The trust is established between IPA (unix.domain.com) and the forest root AD domain (domain.com). The AD users actually exist in a child domain (ad.domain.com).
I conducted a test where I deleted the sssd server cache (in /var/lib/sss/db/), restarted sssd, and then did a 'getent passwd user@domain.com'. There were several instances where sssd successfully used one of the AD DCs, and then, after clearing the cache and restarting, it failed on the same AD DC with the "KDC has no support for encryption type" error. Nothing is being logged to /var/log/sssd/krb5_child.log.
We are running the following versions:
ipa-server-4.1.0-18.el7.x86_64
ipa-server-trust-ad-4.1.0-18.el7.x86_64
sssd-1.12.2-58.el7.x86_64
Does anyone have an idea of what may be happening here?
Thanks,
Josh
On Tue, Mar 10, 2015 at 08:34:13PM +0000, Baird, Josh wrote:
krb5_child is not involved here. We use the same credentials to access the AD DC as we use to access the IPA server, namely the host keytab. The credential cache is in /var/lib/sss/db/ccache_IPA.DOMAIN. You can check its content and encryption types with:
klist -e /var/lib/sss/db/ccache_IPA.DOMAIN
Currently I have no idea why the same AD DC changes the behaviour. Can you reproduce this manually by calling:
kinit -k                                (to get a TGT with the host credentials)
kvno ldap/ad-dc.dns.name@AD.REALM       (to get the service ticket)
If you can reproduce it this way, it would be nice if you could send the output of both commands prefixed with 'KRB5_TRACE=/dev/stdout' to get full debug output.
bye, Sumit
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
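The two checks Sumit describes, as an added example that is not part of the thread or of sssd/IPA: one function runs kinit -k and kvno under KRB5_TRACE in a private credential cache so the reproduction does not clobber root's or sssd's ccache, and a small parser turns klist -e output into one line per ticket (service principal, session-key etype, ticket etype) so the result can be compared DC by DC. The DC name, realms and the sample klist output are placeholders and constructed data; the legacy-etype count only flags DES/RC4 tickets for closer inspection and does not by itself diagnose the failure.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: MIT krb5 client tools
# (kinit, kvno, klist, kdestroy) and the host keytab in /etc/krb5.keytab.
# Host names, realms and the sample klist output are placeholders.

# Parse `klist -e` output (stdin) into: service<TAB>session-key-etype<TAB>ticket-etype
klist_etypes() {
    awk '
        # ticket line: "<valid starting> <expires> <service principal>"
        /^[0-9]/ && NF >= 5 { svc = $NF; next }
        # the etype line MIT klist prints under each ticket with -e
        /Etype \(skey, tkt\):/ {
            sub(/^.*Etype \(skey, tkt\): */, "")
            sub(/[ \t]+$/, "")
            n = split($0, e, ", *")
            if (n >= 2) printf "%s\t%s\t%s\n", svc, e[1], e[2]
        }'
}

# Count tickets whose ticket etype is a legacy type (DES or RC4). These are the
# first ones to compare against the etypes the failing DC accepts.
legacy_etype_count() {
    klist_etypes | awk -F'\t' '$3 ~ /^(des|arcfour)/ { n++ } END { print n + 0 }'
}

# Manual reproduction against one DC with full libkrb5 tracing.
# Usage: trace_dc_ticket ad-dc.dns.name AD.REALM
trace_dc_ticket() {
    dc="$1"; realm="$2"
    # private ccache: never overwrite root's default cache or sssd's own
    # ccache in /var/lib/sss/db/
    KRB5CCNAME="FILE:/tmp/krb5cc_trace_$$"; export KRB5CCNAME
    KRB5_TRACE=/dev/stdout kinit -k || return 1                 # TGT via host keytab
    KRB5_TRACE=/dev/stdout kvno "ldap/${dc}@${realm}" || return 1  # service ticket
    klist -e | klist_etypes                                     # what we ended up with
    kdestroy
}

# Constructed sample `klist -e` output in the format MIT klist prints; the
# cross-realm TGT and the ldap/ ticket are shown with RC4 on purpose.
sample_klist_output() {
    cat <<'EOF'
Ticket cache: FILE:/var/lib/sss/db/ccache_IPA.DOMAIN
Default principal: host/ipa1.unix.domain.com@UNIX.DOMAIN.COM

Valid starting       Expires              Service principal
03/10/2015 12:30:00  03/11/2015 12:30:00  krbtgt/UNIX.DOMAIN.COM@UNIX.DOMAIN.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
03/10/2015 12:31:10  03/11/2015 12:30:00  krbtgt/DOMAIN.COM@UNIX.DOMAIN.COM
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac 
03/10/2015 12:31:12  03/11/2015 12:30:00  ldap/ad-dc.dns.name@DOMAIN.COM
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac 
EOF
}

# Stand-alone run on the constructed sample: one line per ticket.
sample_klist_output | klist_etypes
```

On the IPA server, run `trace_dc_ticket` once against a DC that failed and once against one that worked, and diff the two traces: KRB5_TRACE shows the etypes requested and the KDC's reply, which is the information Sumit asks for. The parser is for the offline comparison of ccache contents; feed it `klist -e /var/lib/sss/db/ccache_IPA.DOMAIN` to see what sssd itself is holding.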