Sorry about that.. Bleeping send-button-shortcut.

Let me continue.

Command I use to test: ssh userid@subdomain2@localhost

The krb5_child.log contains these error messages:
[[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [SUBDOMAIN1]
[[sssd[krb5_child[5720]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [5621224]
[[sssd[krb5_child[5720]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry.
[[sssd[krb5_child[5720]]]] [validate_tgt] (0x0020): TGT failed verification using key for [RestrictedKrbHost/myclient@SUBDOMAIN1].
[[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0020): 1581: [-1765328377][Server not found in Kerberos database]
[[sssd[krb5_child[5720]]]] [map_krb5_error] (0x0020): 1657: [-1765328377][Server not found in Kerberos database]

I can get it to work using 'krb5_validate = false' but that disables a nice security measure.

So.. Anyone that can help me back on track? AKA What did I do wrong this time?
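An added, defender-side check (not code from this thread, from SSSD, or from MIT Kerberos): the "Keytab entry with the realm of the credential not found in keytab. Using the last entry." line above says SSSD could not find a keytab key in the user's realm and fell back to the last entry, which is why the TGT failed verification. The script below parses `klist -k` output and reports, for a given user principal, whether the host keytab holds an entry in that realm or whether the fallback would be taken, so you can find out before turning off krb5_validate. The sample keytab listing is constructed with placeholder names modelled on the thread, and the lookup rule (first entry whose realm matches, else the last entry) is a simplified model of what the log describes, not a reimplementation of SSSD.

```python
import re
import subprocess
from typing import List, Optional, Tuple

# Constructed sample of `klist -k` output. Host names and realms are
# placeholders modelled on the thread, not a real keytab.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myclient.subdomain1.example.com@SUBDOMAIN1
   2 host/MYCLIENT@SUBDOMAIN1
   2 RestrictedKrbHost/myclient@SUBDOMAIN1
"""

# One keytab entry line: KVNO, whitespace, principal ending in @REALM.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@(\S+))\s*$")


def parse_klist(output: str) -> List[Tuple[int, str, str]]:
    """Return (kvno, principal, realm) for every entry line of `klist -k` output.

    Header lines ("Keytab name:", "KVNO Principal", the dashes) do not match
    ENTRY_RE and are skipped.
    """
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def realm_of(principal: str) -> str:
    """Realm part of a principal such as userid@SUBDOMAIN2 or host/x@REALM.

    Uppercased because AD realms are conventionally written in upper case;
    this is a simplification, Kerberos realm names are case-sensitive.
    """
    if "@" not in principal:
        raise ValueError(f"principal has no realm: {principal!r}")
    return principal.rsplit("@", 1)[1].upper()


def validation_key_for(user_principal: str, klist_output: str) -> Tuple[str, Optional[str]]:
    """Pick the keytab entry that TGT validation would use for this user.

    Returns one of:
      ("ok", principal)        an entry in the credential's realm exists
      ("fallback", principal)  none in that realm; last entry would be used,
                               matching the "Using the last entry" log line
      ("no_keytab", None)      the keytab has no entries at all
    """
    realm = realm_of(user_principal)
    entries = parse_klist(klist_output)
    if not entries:
        return ("no_keytab", None)
    same_realm = [p for _, p, r in entries if r.upper() == realm]
    if same_realm:
        return ("ok", same_realm[0])
    return ("fallback", entries[-1][1])


def check_realms(klist_output: str, user_principals: List[str]) -> List[str]:
    """Human-readable verdict per user principal, for use in a pre-flight check."""
    lines = []
    for upn in user_principals:
        status, key = validation_key_for(upn, klist_output)
        if status == "ok":
            lines.append(f"{upn}: validation key available ({key})")
        elif status == "fallback":
            lines.append(f"{upn}: NO key for realm {realm_of(upn)}; "
                         f"SSSD would fall back to {key} and validation will likely fail")
        else:
            lines.append(f"{upn}: keytab is empty")
    return lines


if __name__ == "__main__":
    # Run against the constructed sample, then (if available) the live keytab.
    for line in check_realms(SAMPLE_KLIST, ["userid@SUBDOMAIN1", "userid@SUBDOMAIN2"]):
        print(line)
    try:
        live = subprocess.run(["klist", "-k"], capture_output=True, text=True, check=True).stdout
        for line in check_realms(live, ["userid@SUBDOMAIN2"]):
            print(line)
    except (OSError, subprocess.CalledProcessError):
        print("klist -k not available here; skipping live keytab")
```

The "fallback" verdict for userid@SUBDOMAIN2 against the sample keytab reproduces the situation in the log: the only entries are in SUBDOMAIN1, so validation is attempted with RestrictedKrbHost/myclient@SUBDOMAIN1 and fails. The fix direction this points at is getting a keytab entry for the second realm onto the client, rather than disabling krb5_validate.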



2018-03-05 14:13 GMT+01:00 Roger Martensson <roger.martensson@gmail.com>:
Hi!

It's me again with multiple domain problems. :)

I have once again problems with multiple domain. This time with login.
Maybe some one of you could explain to me what I did wrong this time.

OS: Ubuntu 17.10
SSSD: 1.15.3

Domain setup: two subdomains, both connected to the same parent domain. Both subdomains contain users. Most of them exist in only one domain, but some are found in both.

Client is connected to subdomain1. I can log in with a user on subdomain1.
When logging in to subdomain2 (both using 'su-with-password-prompt' and 'ssh-to-localhost') I get a System Error 4.

In the log krb5_child.log (which sssd_domain.log points to) I see these log lines (I altered some names):