Hey,
I got this working today with these settings,
ldap_uri = ldap://foo.bar ldap_sasl_mech = gssapi ldap_krb5_keytab = /etc/krb5.keytab ldap_sasl_authid = nfs/xx.xxxx.xx
Note1, I could not get it to work with my ldaps://foo.bar, but maybe that's normal ? Maybe ssl isn't necessary when its krb ?
Note2, When i join my machine to the ad (thus creating its machine account) i use the following method,
# First make sure of a couple of things. kdestroy rm -rf /etc/krb5.keytab net ads leave -U foo%bar net ads keytab flush -U foo%bar
# Join AD. net ads join createupn="nfs/$HOSTNAME@XX.XXXX.XX" createcomputer="foo" osName="Linux Red Hat Workstation" osVer="6" -U foo%bar
# Now we are joined and have a keytab that looks like this, [root@client openldap]# klist -kte Keytab name: WRFILE:/etc/krb5.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 2 08/05/10 15:26:06 host/client.xx.xxxx.xx@XX.XXXX.XX (DES cbc mode with CRC-32) 2 08/05/10 15:26:06 host/client.xx.xxxx.xx@XX.XXXX.XX (DES cbc mode with RSA-MD5) 2 08/05/10 15:26:06 host/client.xx.xxxx.xx@XX.XXXX.XX (ArcFour with HMAC/md5) 2 08/05/10 15:26:06 host/CLIENT@XX.XXXX.XX (DES cbc mode with CRC-32) 2 08/05/10 15:26:06 host/CLIENT@XX.XXXX.XX (DES cbc mode with RSA-MD5) 2 08/05/10 15:26:06 host/CLIENT@XX.XXXX.XX (ArcFour with HMAC/md5) 2 08/05/10 14:18:53 CLIENT$@XX.XXXX.XX (DES cbc mode with CRC-32) 2 08/05/10 14:18:53 CLIENT$@XX.XXXX.XX (DES cbc mode with RSA-MD5) 2 08/05/10 14:18:54 CLIENT$@XX.XXXX.XX (ArcFour with HMAC/md5) 2 08/05/10 14:18:54 nfs/client.xx.xxxx.xx@XX.XXXX.XX (DES cbc mode with CRC-32) 2 08/05/10 14:18:54 nfs/client.xx.xxxx.xx@XX.XXXX.XX (DES cbc mode with RSA-MD5) 2 08/05/10 14:18:54 nfs/client.xx.xxxx.xx@XX.XXXX.XX (ArcFour with HMAC/md5)
Now i would like to use the default setting for 'ldap_sasl_authid' sssd, host/xx.xxxx.xx, but when doing that i get the response, Client 'host/client.xx.xxxx.xx@XX.XXXX.XX' not found in Kerberos database while getting initial credentials.
So then i tried with the nfs/xx.xxxx.xx instead, and that works. (But that's not the way to do it, is it ?)
If i do, kinit -k nfs/xx.xxxx.xx, i get klist -e Ticket cache: FILE:/tmp/krb5cc_0 Default principal: nfs/nfs/xx.xxxx.xx@XX.XXXX.XX
Valid starting Expires Service principal 08/05/10 15:22:45 08/06/10 01:22:45 krbtgt/XX.XXXX.XX@XX.XXXX.XX renew until 08/06/10 15:22:45, Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
If i do, kinit -k host/client.xx.xxxx.xx, i get kinit: Client 'host/client.xx.xxxx.xx@XX.XXXX.XX' not found in Kerberos database while getting initial credentials
So i guess that's why sssd is failing when it tries to do kinit with the host as principle.
Ehm, maybe this rather should be on a krb-mailinglist, but i figure i would share and see if anyone has any tip for me here too.
Best regards, Patrik Martinsson, Sweden,.
On 08/05/2010 02:25 PM, Stephen Gallagher wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 08/05/2010 08:21 AM, Timo Aaltonen wrote:
On Wed, 4 Aug 2010, Stephen Gallagher wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 08/04/2010 10:18 AM, Timo Aaltonen wrote:
On Mon, 2 Aug 2010, Patrik Martinsson wrote:
ldap_tls_reqcert = demand ldap_tls_cacert = /etc/openldap/cacerts/CADOUBLE.cer ldap_tls_cacertdir = /etc/openldap/cacerts
I guess this doesn't work with GSSAPI SASL binding yet? Tried to force the authid to FOO$@REALM, but it fails just the same.
it's harder to automatically generate certificates for the clients, that's why I'm interested in getting this working :)
I'm not sure what you're asking for here.
I think what you're talking about is using: ldap_sasl_mech = gssapi ldap_krb5_keytab = /path/to/ldap.keytab
I did that, but it doesn't seem to work, or somethings missing still. It said something like "marking ldap server foo as broken" (sorry no logs, reinstalling the machine).
Someone else just reported this same issue to me :(
Can you attach the /var/log/sssd/sssd_<domain>.log and /var/log/sssd/ldap_child.log for this?
I suspect you'll see the ldap_child.log report that it couldn't find a KDC for the realm.
Stephen Gallagher RHCE 804006346421761
Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkxaraUACgkQeiVVYja6o6PB6wCfYrJ+di1t/hOka/WVGuKNcgnC MhwAni9NyIvG76/G9mmTxmr82DKi+joD =iCQk -----END PGP SIGNATURE----- _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel