I would appreciate some pointers.
I have a sandbox setup running on VMs. There is an AD controller using the VM image which Microsoft has available for testing.
I have created a domain called ad.test
On my client machine I am continually getting this error:
[sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
On the client klist-k | uniq returns
KVNO Principal ---- -------------------------------------------------------------------------- 3 CLIENT1$@ADTEST.PRIVATE 3 host/CLIENT1@ADTEST.PRIVATE 3 host/client1@ADTEST.PRIVATE 3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE 3 RestrictedKrbHost/client1@ADTEST.PRIVATE
The funny thing is ONLY kinit -k CLIENT1$@ADTEST.PRIVATE will work.
I do get a tgt:
Ticket cache: FILE:/tmp/krb5cc_0 Default principal: CLIENT1$@ADTEST.PRIVATE
Just in the sandbox I am also setting:
ldap_auth_disable_tls_never_use_in_production = true
Any pointers please? I have cranked debug up to 8 and this error message seems to be the crucial one.
By the way, why does the debug level not go up to 11?
On 2 May 2018, at 17:54, JOHE (John Hearns) JOHE@novozymes.com wrote:
I would appreciate some pointers. I have a sandbox setup running on VMs. There is an AD controller using the VM image which Microsoft has available for testing. I have created a domain called ad.test
On my client machine I am continually getting this error: [sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
I find it easier to debug this kind of an issue with: KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b “”
Also, what version and on what OS are you running?
On the client klist-k | uniq returns
KVNO Principal
3 CLIENT1$@ADTEST.PRIVATE 3 host/CLIENT1@ADTEST.PRIVATE 3 host/client1@ADTEST.PRIVATE 3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE 3 RestrictedKrbHost/client1@ADTEST.PRIVATE
The funny thing is ONLY kinit -k CLIENT1$@ADTEST.PRIVATE will work.
This is expected, only the client$@realm principal is a user/computer principal, the rest are service principals.
I do get a tgt: Ticket cache: FILE:/tmp/krb5cc_0 Default principal: CLIENT1$@ADTEST.PRIVATE
Just in the sandbox I am also setting: ldap_auth_disable_tls_never_use_in_production = true
Please don’t use this, not only it is very insecure, but also it doesn’t make any sense, this option is only useful if you use auth_provider=ldap. With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
Any pointers please? I have cranked debug up to 8 and this error message seems to be the crucial one.
By the way, why does the debug level not go up to 11?
Because 9 is the highest?
Jakub, thankyou for your reply.
Client OS is Ubuntu Xenial. Yes, I know... pats favourite labrador goodbye. Sound of drawer opening and service revolver being loaded...
I did realise that the option p_auth_disable_tls_never_use_in_production = true the problem I have is that there is a CA cert on the Active Directory controller. But I cannot see if there is an SSL certificate. I may well be misunderstanding things.
Please don’t use this, not only it is very insecure, but also it doesn’t
make any sense, this option is only useful if you use auth_provider=ldap. With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
Aha. Thankyou for that information. I then have to ask the assembled choir (as I am not at the pearly gates) - does AD in the default configuration have SSL certificate capability? I have installed the Active Directory Certificate Services role
On 3 May 2018 at 09:43, Jakub Hrozek jhrozek@redhat.com wrote:
On 2 May 2018, at 17:54, JOHE (John Hearns) JOHE@novozymes.com wrote:
I would appreciate some pointers. I have a sandbox setup running on VMs. There is an AD controller using
the VM image which Microsoft has available for testing.
I have created a domain called ad.test
On my client machine I am continually getting this error: [sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
I find it easier to debug this kind of an issue with: KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b “”
Also, what version and on what OS are you running?
On the client klist-k | uniq returns
KVNO Principal
3 CLIENT1$@ADTEST.PRIVATE 3 host/CLIENT1@ADTEST.PRIVATE 3 host/client1@ADTEST.PRIVATE 3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE 3 RestrictedKrbHost/client1@ADTEST.PRIVATE
The funny thing is ONLY kinit -k CLIENT1$@ADTEST.PRIVATE will work.
This is expected, only the client$@realm principal is a user/computer principal, the rest are service principals.
I do get a tgt: Ticket cache: FILE:/tmp/krb5cc_0 Default principal: CLIENT1$@ADTEST.PRIVATE
Just in the sandbox I am also setting: ldap_auth_disable_tls_never_use_in_production = true
Please don’t use this, not only it is very insecure, but also it doesn’t make any sense, this option is only useful if you use auth_provider=ldap. With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
Any pointers please? I have cranked debug up to 8 and this error
message seems to be the crucial one.
By the way, why does the debug level not go up to 11?
Because 9 is the highest? _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
To explain, I just sent a reply from my personal Googlemail.
I am now getting this logged: May 03 10:05:02 client1 [sssd[ldap_child[2481]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/client1@ADTEST.PRIVATE' not May 03 10:05:02 client1 [sssd[ldap_child[2481]: Client 'host/client1@ADTEST.PRIVATE' not found in Kerberos database
I know the case is important in Kerberos, but client1 is certainly in the Computers section of the adtest.private AD domain.
On 3 May 2018 at 09:59, John Hearns hearnsj@googlemail.com wrote:
Jakub, thankyou for your reply.
Client OS is Ubuntu Xenial. Yes, I know... pats favourite labrador goodbye. Sound of drawer opening and service revolver being loaded...
I did realise that the option p_auth_disable_tls_never_use_in_production = true the problem I have is that there is a CA cert on the Active Directory controller. But I cannot see if there is an SSL certificate. I may well be misunderstanding things.
Please don’t use this, not only it is very insecure, but also it doesn’t
make any sense, this option is only useful if you use auth_provider=ldap. With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
Aha. Thankyou for that information. I then have to ask the assembled choir (as I am not at the pearly gates) - does AD in the default configuration have SSL certificate capability? I have installed the Active Directory Certificate Services role
On 3 May 2018 at 09:43, Jakub Hrozek jhrozek@redhat.com wrote:
On 2 May 2018, at 17:54, JOHE (John Hearns) JOHE@novozymes.com wrote:
I would appreciate some pointers. I have a sandbox setup running on VMs. There is an AD controller using
the VM image which Microsoft has available for testing.
I have created a domain called ad.test
On my client machine I am continually getting this error: [sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
I find it easier to debug this kind of an issue with: KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b “”
Also, what version and on what OS are you running?
On the client klist-k | uniq returns
KVNO Principal
3 CLIENT1$@ADTEST.PRIVATE 3 host/CLIENT1@ADTEST.PRIVATE 3 host/client1@ADTEST.PRIVATE 3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE 3 RestrictedKrbHost/client1@ADTEST.PRIVATE
The funny thing is ONLY kinit -k CLIENT1$@ADTEST.PRIVATE will work.
This is expected, only the client$@realm principal is a user/computer principal, the rest are service principals.
I do get a tgt: Ticket cache: FILE:/tmp/krb5cc_0 Default principal: CLIENT1$@ADTEST.PRIVATE
Just in the sandbox I am also setting: ldap_auth_disable_tls_never_use_in_production = true
Please don’t use this, not only it is very insecure, but also it doesn’t make any sense, this option is only useful if you use auth_provider=ldap. With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
Any pointers please? I have cranked debug up to 8 and this error
message seems to be the crucial one.
By the way, why does the debug level not go up to 11?
Because 9 is the highest? _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On Thu, May 03, 2018 at 10:08:34AM +0200, John Hearns wrote:
To explain, I just sent a reply from my personal Googlemail.
I am now getting this logged: May 03 10:05:02 client1 [sssd[ldap_child[2481]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/client1@ADTEST.PRIVATE' not May 03 10:05:02 client1 [sssd[ldap_child[2481]: Client 'host/client1@ADTEST.PRIVATE' not found in Kerberos database
I know the case is important in Kerberos, but client1 is certainly in the Computers section of the adtest.private AD domain.
Ad makes a distinction between user and server principals. The former can be used with kinit the latter not as you already have seen below.
The AD provider will use the keytab entry with the '$' by default, but the LDAP provider will use the host name and add 'host/' in the beginning and the realm at the end.
Please try to set 'ldap_sasl_authid = CLIENT1$@ADTEST.PRIVATE' to use 'CLIENT1$@ADTEST.PRIVATE' when requesting a TGT from AD.
HTH
bye, Sumit
On 3 May 2018 at 09:59, John Hearns hearnsj@googlemail.com wrote:
Jakub, thankyou for your reply.
Client OS is Ubuntu Xenial. Yes, I know... pats favourite labrador goodbye. Sound of drawer opening and service revolver being loaded...
I did realise that the option p_auth_disable_tls_never_use_in_production = true the problem I have is that there is a CA cert on the Active Directory controller. But I cannot see if there is an SSL certificate. I may well be misunderstanding things.
Please don’t use this, not only it is very insecure, but also it doesn’t
make any sense, this option is only useful if you use auth_provider=ldap. With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
Aha. Thankyou for that information. I then have to ask the assembled choir (as I am not at the pearly gates) - does AD in the default configuration have SSL certificate capability? I have installed the Active Directory Certificate Services role
On 3 May 2018 at 09:43, Jakub Hrozek jhrozek@redhat.com wrote:
On 2 May 2018, at 17:54, JOHE (John Hearns) JOHE@novozymes.com wrote:
I would appreciate some pointers. I have a sandbox setup running on VMs. There is an AD controller using
the VM image which Microsoft has available for testing.
I have created a domain called ad.test
On my client machine I am continually getting this error: [sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
I find it easier to debug this kind of an issue with: KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b “”
Also, what version and on what OS are you running?
On the client klist-k | uniq returns
KVNO Principal
3 CLIENT1$@ADTEST.PRIVATE 3 host/CLIENT1@ADTEST.PRIVATE 3 host/client1@ADTEST.PRIVATE 3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE 3 RestrictedKrbHost/client1@ADTEST.PRIVATE
The funny thing is ONLY kinit -k CLIENT1$@ADTEST.PRIVATE will work.
This is expected, only the client$@realm principal is a user/computer principal, the rest are service principals.
I do get a tgt: Ticket cache: FILE:/tmp/krb5cc_0 Default principal: CLIENT1$@ADTEST.PRIVATE
Just in the sandbox I am also setting: ldap_auth_disable_tls_never_use_in_production = true
Please don’t use this, not only it is very insecure, but also it doesn’t make any sense, this option is only useful if you use auth_provider=ldap. With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
Any pointers please? I have cranked debug up to 8 and this error
message seems to be the crucial one.
By the way, why does the debug level not go up to 11?
Because 9 is the highest? _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted....
Jakub, thankyou for your reply.
Client OS is Ubuntu Xenial. Yes, I know... pats favourite labrador goodbye. Sound of drawer opening and service revolver being loaded...
I did realise that the option p_auth_disable_tls_never_use_in_production = true the problem I have is that there is a CA cert on the Active Directory controller. But I cannot see if there is an SSL certificate. I may well be misunderstanding things.
Please don’t use this, not only it is very insecure, but also it doesn’t make any sense, this option is only useful if you use auth_provider=ldap. With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
Aha. Thankyou for that information. I then have to ask the assembled choir (as I am not at the pearly gates) - does AD in the default configuration have SSL certificate capability? [https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif]
________________________________ From: Jakub Hrozek jhrozek@redhat.com Sent: 03 May 2018 09:43:33 To: End-user discussions about the System Security Services Daemon Subject: [SSSD-users] Re: Server not found in Kerberos database and debug level 11
On 2 May 2018, at 17:54, JOHE (John Hearns) JOHE@novozymes.com wrote:
I would appreciate some pointers. I have a sandbox setup running on VMs. There is an AD controller using the VM image which Microsoft has available for testing. I have created a domain called ad.test
On my client machine I am continually getting this error: [sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
I find it easier to debug this kind of an issue with: KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b “”
Also, what version and on what OS are you running?
On the client klist-k | uniq returns
KVNO Principal
3 CLIENT1$@ADTEST.PRIVATE 3 host/CLIENT1@ADTEST.PRIVATE 3 host/client1@ADTEST.PRIVATE 3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE 3 RestrictedKrbHost/client1@ADTEST.PRIVATE
The funny thing is ONLY kinit -k CLIENT1$@ADTEST.PRIVATE will work.
This is expected, only the client$@realm principal is a user/computer principal, the rest are service principals.
I do get a tgt: Ticket cache: FILE:/tmp/krb5cc_0 Default principal: CLIENT1$@ADTEST.PRIVATE
Just in the sandbox I am also setting: ldap_auth_disable_tls_never_use_in_production = true
Please don’t use this, not only it is very insecure, but also it doesn’t make any sense, this option is only useful if you use auth_provider=ldap. With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
Any pointers please? I have cranked debug up to 8 and this error message seems to be the crucial one.
By the way, why does the debug level not go up to 11?
Because 9 is the highest? _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
By the way, why does the debug level not go up to 11?
Because 9 is the highest?
http://knowyourmeme.com/memes/these-go-to-11-spinal-tap
[http://i0.kym-cdn.com/entries/icons/facebook/000/003/182/Spinal_Tap_05.jpg]http://knowyourmeme.com/memes/these-go-to-11-spinal-tap
These go to 11 / Spinal Tap | Know Your Memehttp://knowyourmeme.com/memes/these-go-to-11-spinal-tap knowyourmeme.com Origin Background The movie This Is Spinal Tap was made to be a humorous mockumentary of rock n’ roll culture. To this day it is considered to be one of
________________________________ From: Jakub Hrozek jhrozek@redhat.com Sent: 03 May 2018 09:43:33 To: End-user discussions about the System Security Services Daemon Subject: [SSSD-users] Re: Server not found in Kerberos database and debug level 11
On 2 May 2018, at 17:54, JOHE (John Hearns) JOHE@novozymes.com wrote:
I would appreciate some pointers. I have a sandbox setup running on VMs. There is an AD controller using the VM image which Microsoft has available for testing. I have created a domain called ad.test
On my client machine I am continually getting this error: [sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
I find it easier to debug this kind of an issue with: KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b “”
Also, what version and on what OS are you running?
On the client klist-k | uniq returns
KVNO Principal
3 CLIENT1$@ADTEST.PRIVATE 3 host/CLIENT1@ADTEST.PRIVATE 3 host/client1@ADTEST.PRIVATE 3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE 3 RestrictedKrbHost/client1@ADTEST.PRIVATE
The funny thing is ONLY kinit -k CLIENT1$@ADTEST.PRIVATE will work.
This is expected, only the client$@realm principal is a user/computer principal, the rest are service principals.
I do get a tgt: Ticket cache: FILE:/tmp/krb5cc_0 Default principal: CLIENT1$@ADTEST.PRIVATE
Just in the sandbox I am also setting: ldap_auth_disable_tls_never_use_in_production = true
Please don’t use this, not only it is very insecure, but also it doesn’t make any sense, this option is only useful if you use auth_provider=ldap. With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
Any pointers please? I have cranked debug up to 8 and this error message seems to be the crucial one.
By the way, why does the debug level not go up to 11?
Because 9 is the highest? _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Jakub,
thankyou for your reply. I have (almost!) got things working now.
I have removed the ldap parameters in the sssd.conf
I had a mixup with the AD controller hostname - it is ad.adtest.private and I think this was significant.
Now I am retrieving the user information from AD.
Still having problems with PAM, so I am sure I will be back (sorry!)
________________________________ From: JOHE (John Hearns) Sent: 03 May 2018 11:06:02 To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] Re: Server not found in Kerberos database and debug level 11
By the way, why does the debug level not go up to 11?
Because 9 is the highest?
http://knowyourmeme.com/memes/these-go-to-11-spinal-tap
[http://i0.kym-cdn.com/entries/icons/facebook/000/003/182/Spinal_Tap_05.jpg]http://knowyourmeme.com/memes/these-go-to-11-spinal-tap
These go to 11 / Spinal Tap | Know Your Memehttp://knowyourmeme.com/memes/these-go-to-11-spinal-tap knowyourmeme.com Origin Background The movie This Is Spinal Tap was made to be a humorous mockumentary of rock n’ roll culture. To this day it is considered to be one of
________________________________ From: Jakub Hrozek jhrozek@redhat.com Sent: 03 May 2018 09:43:33 To: End-user discussions about the System Security Services Daemon Subject: [SSSD-users] Re: Server not found in Kerberos database and debug level 11
On 2 May 2018, at 17:54, JOHE (John Hearns) JOHE@novozymes.com wrote:
I would appreciate some pointers. I have a sandbox setup running on VMs. There is an AD controller using the VM image which Microsoft has available for testing. I have created a domain called ad.test
On my client machine I am continually getting this error: [sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
I find it easier to debug this kind of an issue with: KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b “”
Also, what version and on what OS are you running?
On the client klist-k | uniq returns
KVNO Principal
3 CLIENT1$@ADTEST.PRIVATE 3 host/CLIENT1@ADTEST.PRIVATE 3 host/client1@ADTEST.PRIVATE 3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE 3 RestrictedKrbHost/client1@ADTEST.PRIVATE
The funny thing is ONLY kinit -k CLIENT1$@ADTEST.PRIVATE will work.
This is expected, only the client$@realm principal is a user/computer principal, the rest are service principals.
I do get a tgt: Ticket cache: FILE:/tmp/krb5cc_0 Default principal: CLIENT1$@ADTEST.PRIVATE
Just in the sandbox I am also setting: ldap_auth_disable_tls_never_use_in_production = true
Please don’t use this, not only it is very insecure, but also it doesn’t make any sense, this option is only useful if you use auth_provider=ldap. With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
Any pointers please? I have cranked debug up to 8 and this error message seems to be the crucial one.
By the way, why does the debug level not go up to 11?
Because 9 is the highest? _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
sssd-users@lists.fedorahosted.org