On Mon, Mar 05, 2018 at 04:24:50PM +0100, Roger Martensson wrote:
> I've always used a fully qualified hostname. My example was a cleaned-up
> version and I was too lazy to write subdomain1.example.com.
>
> I've set ad_hostname to the correct hostname. Your question made me take a
> look into other settings and I noticed that the server's hostname had a
> different domain name. But still had the same problems as before.
>
> Increasing debug_level created an amazing amount of rows. :)
>
> This is my cleaned-up log.
>
> [[sssd[krb5_child[1926]]]] [validate_tgt] (0x2000): Keytab entry with the
> realm of the credential not found in keytab. Using the last entry.
> [[sssd[krb5_child[1926]]]] [validate_tgt] (0x0020): TGT failed verification
> using key for [RestrictedKrbHost/myclient(a)SUBDOMAIN1.EXAMPLE.COM].

ok, so you dropped subdomain1.example.com here as well?

To investigate further the debug logs with debug_level=9 in the
[domain/..] section are needed which e.g. will tell which DC sent the
'Server not found in Kerberos database' error code. Feel free to send
the log directly to me if you do not want to share it on the list.

bye,
Sumit

> [[sssd[krb5_child[1926]]]] [get_and_save_tgt] (0x0020): 1581:
> [-1765328377][Server not found in Kerberos database]
> [[sssd[krb5_child[1926]]]] [map_krb5_error] (0x0020): 1657:
> [-1765328377][Server not found in Kerberos database]
> [[sssd[krb5_child[1926]]]] [k5c_send_data] (0x0200): Received error code
> 1432158209
>
> This is when trying to log in using SSH with userid(a)subdomain2.example.com.
> With userid(a)subdomain1.example.com it works.
>
> [[sssd[krb5_child[2135]]]] [validate_tgt] (0x0400): TGT verified using key
> for [MYCLIENT$(a)DOMAIN1.EXAMPLE.COM].
2018-03-05 16:18 GMT+01:00 Roger Martensson <roger.martensson(a)gmail.com>:
> I've always used a fully qualified hostname. My example was a cleaned-up
> version and I was too lazy to write subdomain1.example.com.
>
> I've set ad_hostname to the correct hostname. Your question made me take a
> look into other settings and I noticed that the server's hostname had a
> different domain name. But still had the same problems as before.
>
> Increasing debug_level created an amazing amount of rows. :)
>
> This is my cleaned-up log.
>
>
> 2018-03-05 15:35 GMT+01:00 Sumit Bose <sbose(a)redhat.com>:
>
>> On Mon, Mar 05, 2018 at 08:40:19AM -0500, Justin Stephenson wrote:
>> > On 03/05/2018 08:25 AM, Roger Martensson wrote:
>> > > Sorry about that.. Bleeping send-button-shortcut.
>> > >
>> > > Let me continue.
>> > >
>> > > Command I use to test: ssh userid@subdomain2@localhost
>> > >
>> > > The krb5_child.log contains these error messages:
>> > > [[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0400): Attempting kinit
>> > > for realm [SUBDOMAIN1]
>> > > [[sssd[krb5_child[5720]]]] [sss_krb5_expire_callback_func] (0x2000):
>> > > exp_time: [5621224]
>> > > [[sssd[krb5_child[5720]]]] [validate_tgt] (0x2000): Keytab entry with the
>> > > realm of the credential not found in keytab. Using the last entry.
>> > > [[sssd[krb5_child[5720]]]] [validate_tgt] (0x0020): TGT failed verification
>> > > using key for [RestrictedKrbHost/myclient@SUBDOMAIN1].
>> > > [[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0020): 1581:
>> > > [-1765328377][Server not found in Kerberos database]
>> > > [[sssd[krb5_child[5720]]]] [map_krb5_error] (0x0020): 1657:
>> > > [-1765328377][Server not found in Kerberos database]
>> > >
>> > > I can get it to work using 'krb5_validate = false' but that disables a
>> > > nice security measure.
>> > >
>> > > So.. Anyone who can help me back on track? AKA What did I do wrong this
>> > > time?
>> >
>> > Can you make sure your hostname is fully-qualified?
>> >
>> > If it is not currently then you will need to leave the domain, make sure the
>> > /etc/krb5.keytab is removed, set the fully-qualified name and rejoin the
>> > domain.
>>
>> If validation still fails after joining with the fully qualified name
>> please run SSSD with debug_level=9 in the [domain/...] section. This
>> will add the full Kerberos trace output to the krb5_child.log files
>> which will help to identify which step during validation fails.
>>
>> bye,
>> Sumit
>>
>> >
>> > -Justin
>> >
>> > >
>> > > 2018-03-05 14:13 GMT+01:00 Roger Martensson <roger.martensson(a)gmail.com>:
>> > >
>> > > > Hi!
>> > > >
>> > > > It's me again with multiple domain problems. :)
>> > > >
>> > > > I have once again problems with multiple domains. This time with login.
>> > > > Maybe one of you could explain to me what I did wrong this time.
>> > > >
>> > > > OS: Ubuntu 17.10
>> > > > SSSD: 1.15.3
>> > > >
>> > > > Domain setup: two subdomains, both connected to the same parent domain.
>> > > > Both subdomains contain users. Most of them are only in one domain, but
>> > > > some are found in both.
>> > > >
>> > > > Client is connected to subdomain1. I can log in with a user on
>> > > > subdomain1. When logging in to subdomain2 (both using
>> > > > 'su-with-password-prompt' and 'ssh-to-localhost') I get a System Error 4.
>> > > >
>> > > > In the log krb5_child.log (which sssd_domain.log points to) I see
>> > > > these logs. (altered some names)
>> > > >
>> > > >
>> > >
>> > >
>> > >
>> > > _______________________________________________
>> > > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>> > > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>> > >
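As an added illustration (not SSSD code and not from anyone in this thread), the Python below parses a constructed `klist -k` listing and applies the fallback the krb5_child lines above describe: use a keytab entry in the credential's realm, otherwise the last entry, and flag when that entry's host part is the short name rather than the fully qualified hostname, which is the case Justin's and Sumit's replies point at. All hostnames, realms and keytab contents are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `klist -k /etc/krb5.keytab` output for a client joined
# to SUBDOMAIN1 with a short hostname, matching the thread's symptoms.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 MYCLIENT$@SUBDOMAIN1.EXAMPLE.COM
   2 host/myclient@SUBDOMAIN1.EXAMPLE.COM
   2 RestrictedKrbHost/myclient@SUBDOMAIN1.EXAMPLE.COM
"""
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s*$")
Entry = Tuple[int, str, str]  # (kvno, principal without realm, REALM)

def parse_klist(text: str) -> List[Entry]:
    """Keep only the KVNO/principal rows; header and separator lines are skipped."""
    out: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3)))
    return out

def host_component(principal: str) -> str:
    """'host/myclient' -> 'myclient'; AD machine account 'MYCLIENT$' -> 'myclient'."""
    name = principal.split("/", 1)[1] if "/" in principal else principal.rstrip("$")
    return name.lower()

def check_keytab(entries: List[Entry], fqdn: str, user_realm: str) -> Dict[str, object]:
    """Mirror the fallback from the krb5_child log: prefer an entry whose realm is the
    credential's realm, otherwise use the last entry, then flag a short host name."""
    if not entries:
        raise ValueError("empty keytab listing")
    in_realm = [e for e in entries if e[2].upper() == user_realm.upper()]
    chosen = in_realm[-1] if in_realm else entries[-1]
    host = host_component(chosen[1])
    return {
        "realm_match": bool(in_realm),
        "chosen": f"{chosen[1]}@{chosen[2]}",
        # A short host part is the 'dropped subdomain1.example.com' case from the thread.
        "short_hostname": "." not in host and host == fqdn.split(".", 1)[0].lower(),
    }

if __name__ == "__main__":
    report = check_keytab(parse_klist(SAMPLE_KLIST),
                          "myclient.subdomain1.example.com", "SUBDOMAIN2.EXAMPLE.COM")
    print(report)
```

Run against real output by replacing SAMPLE_KLIST with the text of `klist -k /etc/krb5.keytab` and the constructed FQDN with `hostname -f`; a report with realm_match false and short_hostname true is the combination seen in the logs above.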