Hi all,
I'm new to sssd and am working on deploying it in my homelab on a test VM.
So far, I've successfully joined my host to my very basic/vanilla Active
Directory domain using *realm join*. I can log in via console and ssh
using AD credentials, and sudo works great too.
I can't for the life of me get GSSAPI to work on ssh, though. My
relevant sshd_config options are:
# GSSAPI options
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
I turned on debug logging on the ssh server and client and the only
thing I can see that would suggest any issues are:
Dec 16 23:09:55 test sshd[6068]: debug3: userauth_finish: failure
partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password"
[preauth]
I do see this in the syslog when sssd is restarted, though everything
else does still work:
Dec 16 23:10:20 test sssd[6102]: tkey query failed: GSSAPI error: Major
= Unspecified GSS failure. Minor code may provide more information,
Minor = Server not found in Kerberos database.
In my sssd_nub.lan.log file I have a few errors but from what I can tell
they're all related to dynamic dns updates:
(2021-12-16 23:10:10): [be[nub.lan]] [ad_disable_gc] (0x0040): POSIX
attributes were requested but are not present on the server side. Global
Catalog lookups will be disabled
(2021-12-16 23:10:20): [be[nub.lan]] [child_sig_handler] (0x0020): child
[6102] failed with status [2].
(2021-12-16 23:10:20): [be[nub.lan]] [nsupdate_child_handler] (0x0040):
Dynamic DNS child failed with status [512]
(2021-12-16 23:10:20): [be[nub.lan]] [be_nsupdate_done] (0x0040):
nsupdate child execution failed [1432158240]: Dynamic DNS update failed
(2021-12-16 23:10:20): [be[nub.lan]] [child_sig_handler] (0x0020): child
[6106] failed with status [2].
(2021-12-16 23:10:20): [be[nub.lan]] [nsupdate_child_handler] (0x0040):
Dynamic DNS child failed with status [512]
(2021-12-16 23:10:20): [be[nub.lan]] [be_nsupdate_done] (0x0040):
nsupdate child execution failed [1432158240]: Dynamic DNS update failed
(2021-12-16 23:10:20): [be[nub.lan]] [ad_dyndns_sdap_update_done]
(0x0040): Dynamic DNS update failed [1432158240]: Dynamic DNS update failed
(2021-12-16 23:10:20): [be[nub.lan]] [be_ptask_done] (0x0040): Task
[Dyndns update]: failed with [1432158240]: Dynamic DNS update failed
(2021-12-16 23:25:20): [be[nub.lan]] [sss_ldap_init_sys_connect_done]
(0x0020): ldap_init_fd failed: Bad parameter to an ldap routine.
[23][cldap://arbiter.nub.lan:389]
(2021-12-16 23:25:20): [be[nub.lan]] [sdap_sys_connect_done] (0x0020):
sdap_async_connect_call request failed: [5]: Input/output error.
(2021-12-16 23:25:20): [be[nub.lan]] [sss_ldap_init_sys_connect_done]
(0x0020): ldap_init_fd failed: Bad parameter to an ldap routine.
[24][cldap://ARBITER.nub.lan:389]
(2021-12-16 23:25:20): [be[nub.lan]] [sdap_sys_connect_done] (0x0020):
sdap_async_connect_call request failed: [5]: Input/output error.
(2021-12-16 23:25:20): [be[nub.lan]] [ad_cldap_ping_done] (0x0040):
Unable to get site and forest information [2]: No such file or directory
I noticed the sssd troubleshooting basics mention using *kinit* for
debugging, which I did, and *klist* shows:
Ticket cache: FILE:/tmp/krb5cc_7000_MM3M16
Default principal: aram@NUB.LAN
Valid starting       Expires              Service principal
12/16/2021 23:28:30  12/17/2021 09:28:30  krbtgt/NUB.LAN@NUB.LAN
        renew until 12/17/2021 23:28:27
I'm guessing my issue may be related to the service principal name used
for sshd, but despite my best searching efforts, I couldn't find
anything that tells me what it should be or how I might add it to AD.
I'm stuck! Any pointers or guidance would be greatly appreciated.
Thanks,
Aram
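An added diagnostic, not part of Aram's post or the sssd project: it reads a `klist -k` listing and checks whether the keytab sshd uses contains the host/<fqdn>@REALM principal that an ssh client requests for this machine. The realm NUB.LAN is from the post; the FQDN test.nub.lan and the sample keytab listing are constructed assumptions.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: does the keytab sshd reads
# (/etc/krb5.keytab by default) hold the host/<fqdn>@REALM principal an ssh
# client requests? Realm NUB.LAN is from the post; FQDN and listing are constructed.

# Principal an ssh client asks the KDC for when connecting to host $1 in realm $2.
expected_spn() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Read a `klist -k` listing on stdin and print its distinct principals
# (data rows start with a numeric KVNO; header lines do not).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Exit 0 if the listing on stdin contains exactly the principal $1.
keytab_has() {
    keytab_principals | grep -qxF "$1"
}

# Exit 0 if the listing on stdin covers host $1 in realm $2, else 1.
# With GSSAPIStrictAcceptorCheck left at its default (yes), sshd accepts
# only the entry for its own canonical name, so the FQDN form must be present.
check_host_spn() {
    spn=$(expected_spn "$1" "$2")
    if keytab_has "$spn"; then
        echo "ok: $spn is in the keytab"
    else
        echo "missing: $spn (sshd cannot accept GSSAPI for that name)"
        return 1
    fi
}

# Constructed sample of `klist -k` output for a realm-joined host named "test".
SAMPLE_KLIST=$(cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 TEST$@NUB.LAN
   2 host/test.nub.lan@NUB.LAN
   2 host/TEST@NUB.LAN
EOF
)
# Demo against the sample; pass --live to check the real keytab instead.
if [ "${1:-}" = "--live" ] && command -v klist >/dev/null 2>&1; then
    klist -k /etc/krb5.keytab | check_host_spn "$(hostname -f)" NUB.LAN
else
    printf '%s\n' "$SAMPLE_KLIST" | check_host_spn test.nub.lan NUB.LAN
fi
```

Run it with `--live` on the joined host to compare `hostname -f` against the real keytab; a missing FQDN entry is one concrete reason the server would offer gssapi-with-mic and then fail it.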