On Tue, Mar 10, 2015 at 08:34:13PM +0000, Baird, Josh wrote:
Hi,
I'm having an issue with IPA/sssd (RHEL 7.1) when accessing resources through an AD
trust. The following is logged in ldap_child.log (debug_level=10):
(Tue Mar 10 12:31:12 2015) [sssd[be[unix.domain.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)]
This error seems to occur randomly. We have over 40+ DC's in our HUB site for active
directory forest/domain. All of these DC's are running either Windows 2008 R2/Windows
2012/Windows 2012 R2. The domain/forest level is still Windows 2003. The trust is
established between IPA (unix.domain.com) and the forest root AD domain (domain.com). The
AD users actually exist in a child domain (ad.domain.com).
I conducted a test where I deleted the sssd server cache (in /var/lib/sss/db/), restarted
sssd, and then did a 'getent passwd user@domain.com'. There were several
instances where sssd was successfully using one of the AD DC's, and then after
clearing the cache and restarting failed on the same AD DC with the "KDC has no
support for encryption type" error. Nothing is being logged to
/var/log/sssd/krb5_child.log.
krb5_child is not involved here. We use the same credentials to access
the AD DC as we use to access the IPA server, namely the host keytab.
The credential cache is in /var/lib/sss/db/ccache_IPA.DOMAIN. You can
check content and encryption types with:
klist -e /var/lib/sss/db/ccache_IPA.DOMAIN
Currently I have no idea why the same AD DC changes the behaviour. Can
you reproduce this manually by calling:
kinit -k (to get a TGT with the host credentials)
kvno ldap/ad-dc.dns.name@AD.REALM (to get the service ticket)
If you can reproduce it this way it would be nice if you can send the
output of both commands prefixed by 'KRB5_TRACE=/dev/stdout' to get full
debug output.
bye,
Sumit
We are running the following versions:
ipa-server-4.1.0-18.el7.x86_64
ipa-server-trust-ad-4.1.0-18.el7.x86_64
sssd-1.12.2-58.el7.x86_64
Does anyone have an idea of what may be happening here?
Thanks,
Josh
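A small diagnostic helper for the checks Sumit suggests, added here as an example and not taken from the thread or from sssd: it reports which encryption types each ticket in the sssd credential cache carries, pulls the timestamps of the "KDC has no support for encryption type" failures out of ldap_child.log, and wraps the kinit/kvno reproduction with KRB5_TRACE. The paths are the ones named above; SAMPLE_KLIST and SAMPLE_LOG are constructed stand-ins for real output, and REPRO_DC/REPRO_REALM are assumed placeholder variables.

```shell
#!/bin/sh
# Added example, not from the thread. Paths follow Sumit's reply; the
# sample data below is constructed to look like 'klist -e' and ldap_child.log.
CCACHE=/var/lib/sss/db/ccache_IPA.DOMAIN
LDAP_CHILD_LOG=/var/log/sssd/ldap_child.log

# Read 'klist -e' output on stdin and print, per ticket, the service
# principal followed by its session-key and ticket encryption types.
ccache_etypes() {
    awk '/^[0-9][0-9]\// { princ = $NF }
         /Etype \(skey, tkt\):/ { sub(/.*tkt\): */, ""); gsub(/,/, "")
                                  print princ ": " $0 }'
}

# Read ldap_child.log on stdin and print the timestamp of every
# "KDC has no support for encryption type" failure.
etype_failures() {
    grep 'KDC has no support for encryption type' |
        sed 's/^(\([^)]*\)).*/\1/'
}

# Manual reproduction from the thread: host TGT from the keytab, then the
# LDAP service ticket for one DC, both with full Kerberos tracing.
# Needs the host keytab and a reachable KDC, so it only runs on request.
reproduce_with_trace() {
    KRB5_TRACE=/dev/stdout kinit -k &&
        KRB5_TRACE=/dev/stdout kvno "ldap/$1@$2"
}

# Constructed sample inputs (shape matches MIT klist -e and the log above).
SAMPLE_KLIST='Ticket cache: FILE:/var/lib/sss/db/ccache_IPA.DOMAIN
Default principal: host/ipa.unix.domain.com@UNIX.DOMAIN.COM

Valid starting       Expires              Service principal
03/10/2015 12:30:00  03/11/2015 12:30:00  krbtgt/UNIX.DOMAIN.COM@UNIX.DOMAIN.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/10/2015 12:31:00  03/11/2015 12:30:00  ldap/dc1.ad.domain.com@AD.DOMAIN.COM
        Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96'
SAMPLE_LOG='(Tue Mar 10 12:31:10 2015) [sssd[be[unix.domain.com]]] [sasl_bind_send] (0x0400): Bind ok
(Tue Mar 10 12:31:12 2015) [sssd[be[unix.domain.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)]'

printf '%s\n' "$SAMPLE_KLIST" | ccache_etypes   # replace with: klist -e "$CCACHE"
printf '%s\n' "$SAMPLE_LOG" | etype_failures    # replace with: cat "$LDAP_CHILD_LOG"
if [ -n "${REPRO_DC:-}" ]; then
    reproduce_with_trace "$REPRO_DC" "${REPRO_REALM:-AD.DOMAIN.COM}"
fi
```

Running it against the real cache and log (the commands in the trailing comments) shows whether the ticket for the failing DC was issued with an encryption type the DC does not accept, and when each failure occurred.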
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users