Hi,
I know the issue means the client (or the name of the client) is wrong, but I can't figure out why. I attempted to create it using the commands, the keytab looks fine, and I have another server working, but on a previous version. So I'm stuck...

Environment is an AD with a child domain, e.g. example.com and child.example.com. Servers are 1 Ubuntu 14.04 (sssd 1.11.8-0ubunt) and 1 Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.7). I am trying to add them to child.example.com and log in with my_user@example.com. It does work on 14.04, not on 16.04.

Join to the domain is achieved with adcli join child.example.com -U my_user@EXAMPLE.COM, which creates the keytab and the object in AD, and AFAIK this is good; I can see the objects in AD child.example.com, and the keytabs are generated with a bunch of principals. For every file or setup that I know of, both servers are identical (krb5.conf, sssd.conf, resolv.conf, hosts, ntp.conf; I followed most of https://help.ubuntu.com/lts/serverguide/sssd-ad.html).

I have tried to raise the log_level to 9 in [sssd], [domain/example.com] and [domain/child.example.com], but I have no message in krb5_child.log...

On the machine that works, I can log in with my_user@example.com; on the other I get "client not found in Kerberos database", backend offline.
On the machine with the offline backend I get:

(Tue Sep 12 14:04:00 2017) [sssd[be[example.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/servernotok.child.example.com@CHILD.EXAMPLE.COM in keytab.
(Tue Sep 12 14:04:00 2017) [sssd[be[example.com]]] [match_principal] (0x1000): Principal matched to the sample (host/servernotok.child.example.com@CHILD.EXAMPLE.COM).
(Tue Sep 12 14:04:00 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): Selected primary: host/servernotok.child.example.com
(Tue Sep 12 14:04:00 2017) [sssd[be[example.com]]] [select_principal_from_keytab] (0x0200): Selected realm: CHILD.EXAMPLE.COM
(Tue Sep 12 14:04:00 2017) [sssd[be[example.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/servernotok.child.example.com
[...]
(Tue Sep 12 14:04:01 2017) [sssd[be[example.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client not found in Kerberos database], expired on [0]
(Tue Sep 12 14:04:01 2017) [sssd[be[example.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Tue Sep 12 14:04:01 2017) [sssd[be[example.com]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158219](Authentication Failed)
(Tue Sep 12 14:04:01 2017) [sssd[be[example.com]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2039
(Tue Sep 12 14:04:01 2017) [sssd[be[example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ad.example.com' as 'not working'
In AD child.example.com I do have a computer object entry with:

servicePrincipalName RestrictedKrbHost/servernotok.child.example.com
servicePrincipalName RestrictedKrbHost/SERVERNOTOK
servicePrincipalName host/servernotok.child.example.com
servicePrincipalName host/SERVERNOTOK
sssd.conf looks like:

root@servernotok:/var/log/sssd# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
debug_level = 9
domains = child.example.com,example.com
services = nss, pam

[domain/child.example.com]
enumerate = true
dns_discovery_domain = cy2._sites.child.example.com
debug_level = 9
id_provider = ad
access_provider = ad
ldap_id_mapping = false

[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
debug_level = 9
ldap_sasl_authid = host/servernotok.child.example.com@BRS666.BCRS.FR
id_provider = ad
access_provider = ad
ldap_id_mapping = false
I have tried to force the ldap_sasl_authid; without it, it didn't find any match for servernotok@EXAMPLE.COM, and I did get the same "client not found in Kerberos database" error message.
So I am stuck here, I do not even know if the right behaviour is the one
that works or not :-)
Thanks for your help,
Jeremy
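As an added illustration (not part of the post above, and not SSSD's own code), the following Python script parses a constructed `klist -k` listing modelled on the SPNs shown in the post and reports, for each sssd [domain/...] section, whether the keytab holds a host principal in that section's realm. The realm is assumed to be the SSSD domain name upper-cased, and the candidate order is a simplified assumption, not SSSD's select_principal_from_keytab() logic.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `klist -k /etc/krb5.keytab` output. The principals mirror
# the SPNs listed on the computer object in the post; this is sample data only.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/servernotok.child.example.com@CHILD.EXAMPLE.COM
   2 host/SERVERNOTOK@CHILD.EXAMPLE.COM
   2 RestrictedKrbHost/servernotok.child.example.com@CHILD.EXAMPLE.COM
   2 RestrictedKrbHost/SERVERNOTOK@CHILD.EXAMPLE.COM
   2 SERVERNOTOK$@CHILD.EXAMPLE.COM
"""

# One keytab entry per line: "<kvno> <primary>@<REALM>"; header lines do not match.
PRINCIPAL_RE = re.compile(r"^\s*\d+\s+(\S+)@(\S+)\s*$")


def parse_klist(text: str) -> List[Tuple[str, str]]:
    """Return (primary, realm) pairs from `klist -k` output."""
    entries = []
    for line in text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def select_principal(entries: List[Tuple[str, str]], hostname: str, realm: str) -> Optional[str]:
    """Pick a host/ principal in `realm` (assumed order: FQDN, short name, upper-cased short name)."""
    short = hostname.split(".")[0]
    for primary in (f"host/{hostname}", f"host/{short}", f"host/{short.upper()}"):
        if (primary, realm) in entries:
            return f"{primary}@{realm}"
    return None


def check_domain_section(entries: List[Tuple[str, str]], hostname: str, sssd_domain: str) -> Dict:
    """Report whether the keytab can authenticate a [domain/<sssd_domain>] section.

    Assumption: Kerberos realm == SSSD domain name upper-cased (true for AD domains here).
    """
    realm = sssd_domain.upper()
    return {"domain": sssd_domain, "expected_realm": realm,
            "principal": select_principal(entries, hostname, realm),
            "keytab_realms": sorted({r for _, r in entries})}


if __name__ == "__main__":
    keytab = parse_klist(SAMPLE_KLIST)
    for dom in ("child.example.com", "example.com"):
        print(check_domain_section(keytab, "servernotok.child.example.com", dom))
```

Run against real output (`klist -k` piped into the script in place of SAMPLE_KLIST), a section whose result shows `principal: None` while `keytab_realms` lists only the child realm is the situation the log above describes.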