On Wed, Jun 07, 2017 at 11:33:55AM +0000, Tallinn von Estonia wrote:
So here are the three logfiles as a gzipped tar-ball.
I did some cleanup for data protection purposes:
1. Where the certificate used was listed as a base64-encoded string I replaced it with
... and some trailing bytes of the string.
2. I replaced the real realm and domain used
with the word "realm" where the realm appeared in lowercase and
"REALM" where the realm appeared in upper case. In sssd.conf the domain and the
realm are the same and given in upper case.
The subject name of the certificate used for the tests was "CN=bernd,
UID=<number>". Obviously one can't deduce the domain or realm of the user
from the subject given in the certificate. The ldap-entry of the user does not contain the
domain or the kerberos principal name either, the principal name is found as a subject alt
name extension in the certificate only (which is included in the ldap-entry of the user).
I probably have to change something here, may it be including the kerberos principal
name in the ldap entry of the user or in the subject name of the certificate or some
totally different kind of magic.
Thank you in advance for any help here.
Tallinn

Thank you for the logs. The backend in the offline case returned
(Wed Jun 7 11:19:02 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (Systemfehler)][REALM]
Can you send me the content of the domain log around this timestamp as
well and the krb5_child.log? Feel free to send them to me directly if
you prefer to not share the content on the list.
bye,
Sumit
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org