On Tue, Aug 10, 2021 at 03:49:34PM -0400, Jovan Quinones-Morales wrote:
Hello!
I am looking at some errors that I have been seeing in some logs, specific to but not limited to RHEL/CentOS 7.x, 8.x and Rocky 8.x (SSSD version sssd-2.4.0-9.el8_4.1.x86_64). All systems are attached to a Windows Active Directory domain using 'adcli'.
The configuration works as expected and seems to have no major problems, although it does cause some unnecessary noise in the logs, which prompted me to look at it a little further.
All the logs show the errors that are happening. FYI: Servers are part of a forest and it does look like rdns = false.
Here are all the logs related to the error (if I am missing anything please let me know and I will add it in there ASAP! Some logs are compressed as they repeat themselves over and over again).
****Command Used: journalctl -p 4****
Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972536]][2972536]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972537]][2972537]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972538]][2972538]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972539]][2972539]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Aug 10 10:28:33 EXAMPLE.CC.CC.NET sssd[ldap_child[2972540]][2972540]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Hi,
currently I have no idea what makes ldap_child request a ticket for 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM'. The default for the AD provider would be 'MYSERVER$@EXAMPLE.DOMAIN.COM', which you also set explicitly with the ldap_sasl_authid option.
Can you send the full domain logs as well? This might help to identify why 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' is used.
****Command Used: journalctl -u sssd****
Aug 09 14:28:32 EXAMPLE.CC.CC.NET sssd[3906155]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Aug 09 14:28:32 EXAMPLE.CC.CC.NET sssd[3906155]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Aug 09 14:28:32 EXAMPLE.CC.CC.NET sssd[3906155]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Aug 09 14:28:32 EXAMPLE.CC.CC.NET sssd[3906155]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Aug 09 14:40:52 EXAMPLE.CC.CC.NET adcli[2526663]: GSSAPI client step 1
Aug 09 14:40:52 EXAMPLE.CC.CC.NET adcli[2526663]: GSSAPI client step 1
Aug 09 14:40:52 EXAMPLE.CC.CC.NET adcli[2526663]: GSSAPI client step 1
****KEYTAB****
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 MYSERVER$@EXAMPLE.DOMAIN.COM
   2 MYSERVER$@EXAMPLE.DOMAIN.COM
   2 host/MYSERVER@EXAMPLE.DOMAIN.COM
   2 host/MYSERVER@EXAMPLE.DOMAIN.COM
   2 host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM
   2 host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM
   2 RestrictedKrbHost/MYSERVER@EXAMPLE.DOMAIN.COM
   2 RestrictedKrbHost/MYSERVER@EXAMPLE.DOMAIN.COM
   2 RestrictedKrbHost/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM
   2 RestrictedKrbHost/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM
****KRB5_CHILD.LOG****
(2021-08-10 13:59:37): [krb5_child[3051214]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(2021-08-10 13:59:37): [krb5_child[3051214]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [someuser1@EXAMPLE.DOMAIN.COM@EXAMPLE.DOMAIN.COM] might not be correct.
(2021-08-10 14:24:43): [krb5_child[3061023]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(2021-08-10 14:24:43): [krb5_child[3061023]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [someuser1@EXAMPLE.DOMAIN.COM@EXAMPLE.DOMAIN.COM] might not be correct.
Most probably the PAC responder is not running. It is not enabled by default with the AD provider because there are other means to determine group memberships as well. If you add 'pac' to the 'services' option in sssd.conf this message should go away. But you can ignore this message as well; iirc we increased the debug level for these messages in more recent versions of SSSD.
HTH
bye, Sumit
****LDAP_CHILD.LOG****
(2021-08-10 14:28:33): [ldap_child[3063821]] [ldap_child_get_tgt_sync] (0x0040): krb5_get_init_creds_keytab() failed: -1765328378
(2021-08-10 14:28:33): [ldap_child[3063821]] [ldap_child_get_tgt_sync] (0x0010): Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
(2021-08-10 14:28:33): [ldap_child[3063821]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(2021-08-10 14:28:33): [ldap_child[3063822]] [ldap_child_get_tgt_sync] (0x0040): krb5_get_init_creds_keytab() failed: -1765328378
(2021-08-10 14:28:33): [ldap_child[3063822]] [ldap_child_get_tgt_sync] (0x0010): Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
(2021-08-10 14:28:33): [ldap_child[3063822]] [main] (0x0020): ldap_child_get_tgt_sync failed.
****SSSD.CONF****
[sssd]
domains = EXAMPLE.domain.com
config_file_version = 2
services = nss, pam

[domain/EXAMPLE.domain.com]
ad_domain = EXAMPLE.domain.com
ad_enable_gc = false
krb5_realm = EXAMPLE.DOMAIN.COM
krb5_lifetime = 10h
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = true
ldap_purge_cache_timeout = 0
realmd_tags = joined-with-adcli, manages-system
cache_credentials = false
id_provider = ad
krb5_store_password_if_offline = true
default_shell = /bin/bash
ldap_id_mapping = true
ldap_sasl_authid = MYSERVER$@EXAMPLE.DOMAIN.COM
ldap_use_tokengroups = true
use_fully_qualified_names = false
fallback_homedir = /home/%d/%u
access_provider = simple
Simple_allow_groups = linux_admins
simple_allow_users = someuser1, someuser2, someuser3
Thank you so much for your help!
--
*Jovan Quinones-Morales*
Linux Operating Systems Analyst
VCU Infrastructure Services
https://www.ucc.vcu.edu/
Technology Services Department
804.828.4810
quinonesmoj@vcu.edu
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
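The two checks behind the reply above, written out as an added example (this is not code from the thread, from the poster or from the SSSD project, and the function names are my own): does `[sssd] services` include the `pac` responder, which explains the `sss_send_pac failed` lines in krb5_child.log, and does the keytab actually hold the principal named by `ldap_sasl_authid`, alongside a listing of the `host/` and `RestrictedKrbHost/` SPNs the keytab carries. The sssd.conf and `klist -k` text are constructed samples modelled on the redacted values in the thread.

```python
"""Added example: replay the two sssd.conf / keytab checks from the thread
against constructed sample input, so the logic runs without a joined host.
Not code from the sssd-users poster or from the SSSD project."""
import configparser
import io
import re

# Constructed sample sssd.conf (mirrors the redacted config in the thread).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = EXAMPLE.domain.com
config_file_version = 2
services = nss, pam

[domain/EXAMPLE.domain.com]
id_provider = ad
ad_domain = EXAMPLE.domain.com
krb5_realm = EXAMPLE.DOMAIN.COM
ldap_sasl_authid = MYSERVER$@EXAMPLE.DOMAIN.COM
"""

# Constructed `klist -k /etc/krb5.keytab` output, one line per key entry.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 MYSERVER$@EXAMPLE.DOMAIN.COM
   2 MYSERVER$@EXAMPLE.DOMAIN.COM
   2 host/MYSERVER@EXAMPLE.DOMAIN.COM
   2 host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM
   2 RestrictedKrbHost/MYSERVER@EXAMPLE.DOMAIN.COM
   2 RestrictedKrbHost/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM
"""

# A keytab entry line: KVNO, whitespace, then principal@REALM.
KEYTAB_LINE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$")


def parse_sssd_conf(text):
    """sssd.conf is INI-shaped; interpolation is off so '$' in principals survives."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def configured_services(cp):
    """Return the [sssd] services list, e.g. ['nss', 'pam']."""
    raw = cp.get("sssd", "services", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def keytab_principals(klist_text):
    """Distinct principals in klist -k output (KVNO and header lines dropped)."""
    return {m.group(1) for m in map(KEYTAB_LINE.match, klist_text.splitlines()) if m}


def sasl_authid(cp):
    """ldap_sasl_authid from the first [domain/...] section that sets it, else None
    (with the AD provider the machine account is used when it is unset)."""
    for section in cp.sections():
        if section.startswith("domain/") and cp.has_option(section, "ldap_sasl_authid"):
            return cp.get(section, "ldap_sasl_authid")
    return None


def with_pac_service(conf_text):
    """Return conf_text with 'pac' added to [sssd] services, the fix suggested above."""
    cp = parse_sssd_conf(conf_text)
    if not cp.has_section("sssd"):
        cp.add_section("sssd")
    services = configured_services(cp)
    if "pac" not in services:
        services.append("pac")
    cp.set("sssd", "services", ", ".join(services))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def diagnose(conf_text, klist_text):
    """Summarise both checks as a dict a caller (or a test) can assert on."""
    cp = parse_sssd_conf(conf_text)
    principals = keytab_principals(klist_text)
    authid = sasl_authid(cp)
    # Service principals are those with a '/' in the name part before the realm.
    spns = sorted(p for p in principals if "/" in p.split("@", 1)[0])
    return {
        "pac_enabled": "pac" in configured_services(cp),
        "sasl_authid": authid,
        "sasl_authid_in_keytab": (authid in principals) if authid else None,
        "host_spns": spns,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_SSSD_CONF, SAMPLE_KLIST)
    for key, value in report.items():
        print(f"{key}: {value}")
    if not report["pac_enabled"]:
        print("\n[sssd] section after enabling the pac responder:\n")
        print(with_pac_service(SAMPLE_SSSD_CONF))
```

On a real host the inputs are /etc/sssd/sssd.conf and the output of `klist -k /etc/krb5.keytab`. The keytab check is deliberately one-sided: it can only list which SPNs the keytab holds, while the "Client 'host/...' not found in Kerberos database" error means the KDC has no matching principal, so the listed SPNs still have to be compared with the servicePrincipalName values on the computer object in Active Directory.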