On Thu, 5 Aug 2010, Stephen Gallagher wrote:
> Someone else just reported this same issue to me :(
> Can you attach the /var/log/sssd/sssd_<domain>.log and /var/log/sssd/ldap_child.log for this?
> I suspect you'll see the ldap_child.log report that it couldn't find a KDC for the realm.
I can now enumerate the user, but auth fails because of this:
/var/log/sssd/krb5_child.log:
(Tue Aug 10 16:54:10 2010) [[sssd[krb5_child[13472]]]] [get_and_save_tgt] (1): 524: [-1765328230][Cannot find KDC for requested realm]
(Tue Aug 10 16:54:10 2010) [[sssd[krb5_child[13472]]]] [tgt_req_child] (1): 756: [-1765328230][Cannot find KDC for requested realm]
Also, I don't know what to use for searching the group information :) So it cannot find the name for the default group. I checked from AD that the values below should be correct.
[domain/aalto]
description = LDAP domain with AD server
min_id = 1000
id_provider = ldap
auth_provider = krb5
krb5_kdcip = 130.233.251.4
krb5_realm = ORG.AALTO.FI
ldap_sasl_mech = gssapi # meh
ldap_sasl_authid = NEXUS6$@ORG.AALTO.FI
ldap_uri = ldap://dc01.org.aalto.fi
ldap_force_upper_case_realm = True
ldap_schema = rfc2307bis
ldap_search_base = dc=org,dc=aalto,dc=fi
ldap_user_object_class = person
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_search_base = ou=Users,dc=org,dc=aalto,dc=fi
ldap_group_object_class = group
On 08/10/2010 10:29 AM, Timo Aaltonen wrote:
> On Thu, 5 Aug 2010, Stephen Gallagher wrote:
> > Someone else just reported this same issue to me :(
> > Can you attach the /var/log/sssd/sssd_<domain>.log and /var/log/sssd/ldap_child.log for this?
> > I suspect you'll see the ldap_child.log report that it couldn't find a KDC for the realm.
> I can now enumerate the user, but auth fails because of this:
> /var/log/sssd/krb5_child.log:
> (Tue Aug 10 16:54:10 2010) [[sssd[krb5_child[13472]]]] [get_and_save_tgt] (1): 524: [-1765328230][Cannot find KDC for requested realm]
> (Tue Aug 10 16:54:10 2010) [[sssd[krb5_child[13472]]]] [tgt_req_child] (1): 756: [-1765328230][Cannot find KDC for requested realm]
See: https://bugzilla.redhat.com/show_bug.cgi?id=621541
> Also, I don't know what to use for searching the group information :) So it cannot find the name for the default group. I checked from AD that the values below should be correct.
> [domain/aalto]
> description = LDAP domain with AD server
> min_id = 1000
> id_provider = ldap
> auth_provider = krb5
> krb5_kdcip = 130.233.251.4
> krb5_realm = ORG.AALTO.FI
> ldap_sasl_mech = gssapi # meh
> ldap_sasl_authid = NEXUS6$@ORG.AALTO.FI
> ldap_uri = ldap://dc01.org.aalto.fi
> ldap_force_upper_case_realm = True
> ldap_schema = rfc2307bis
> ldap_search_base = dc=org,dc=aalto,dc=fi
> ldap_user_object_class = person
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_principal = userPrincipalName
> ldap_group_search_base = ou=Users,dc=org,dc=aalto,dc=fi
> ldap_group_object_class = group
I'm almost certain your value for ldap_group_search_base is wrong. In fact, you probably don't need ldap_group_search_base at all. The ldap_search_base is enough here.
--
Stephen Gallagher
RHCE 804006346421761
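The code in the krb5_child lines above, -1765328230, is MIT Kerberos' KRB5_REALM_UNKNOWN, the "no KDC known for this realm" case rather than "KDC known but unreachable". As an added example that is not part of this thread or of sssd itself, here is a small parser for the child-log line format quoted above (the format is assumed from those two lines, not taken from sssd's source) that maps the krb5 code to its name and the check it points at:

```python
import re
from collections import Counter

# Line format of the sssd 1.x child-process logs quoted in this thread
# (assumed from the two krb5_child.log lines, not from sssd's source):
# (timestamp) [[sssd[child[pid]]]] [function] (level): srcline: [code][message]
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[\[sssd\[(?P<proc>\w+)\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>\d+)\): (?P<line>\d+): "
    r"\[(?P<code>-?\d+)\]\[(?P<msg>[^\]]*)\]$"
)

# com_err codes from MIT Kerberos' "krb5" error table (base -1765328384),
# each with the configuration check it points at on the client side.
KRB5_CODES = {
    -1765328230: ("KRB5_REALM_UNKNOWN",
                  "libkrb5 found no KDC for the realm: verify the realm name and "
                  "case (krb5_realm) and that a KDC is configured or in DNS SRV"),
    -1765328228: ("KRB5_KDC_UNREACH",
                  "a KDC is configured but not contactable: check reachability "
                  "of the KDC on port 88"),
}

def parse_line(line):
    """Return a dict of fields for one child log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("pid", "level", "line", "code"):
        rec[key] = int(rec[key])
    rec["name"], rec["hint"] = KRB5_CODES.get(rec["code"], ("UNKNOWN", "code not in table"))
    return rec

def summarize(lines):
    """Count distinct (process, pid, error name) triples across a log excerpt."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["proc"], rec["pid"], rec["name"])] += 1
    return counts

# Constructed sample: the two lines quoted in the thread plus one made-up KDC_UNREACH line.
SAMPLE_LOG = [
    "(Tue Aug 10 16:54:10 2010) [[sssd[krb5_child[13472]]]] [get_and_save_tgt] (1): 524: [-1765328230][Cannot find KDC for requested realm]",
    "(Tue Aug 10 16:54:10 2010) [[sssd[krb5_child[13472]]]] [tgt_req_child] (1): 756: [-1765328230][Cannot find KDC for requested realm]",
    "(Tue Aug 10 16:55:02 2010) [[sssd[krb5_child[13480]]]] [get_and_save_tgt] (1): 524: [-1765328228][Cannot contact any KDC for requested realm]",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        rec = parse_line(entry)
        print(f"{rec['proc']}[{rec['pid']}] {rec['func']}: {rec['name']} -> {rec['hint']}")
```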