Hello!
I put the pac option in the sssd config, which seemed to help in the logs and in the long run. Although taking a look at the domain logs I have this. The main issue with "Server not found in Kerberos database" was remediated by setting dyndns_update = false, being that we are not using dyndns.
Here are the logs when dyndns is set to false.
***DOMAIN LOGS***
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [orderly_shutdown] (0x0010): SIGTERM:
killing children
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [orderly_shutdown] (0x0040): Shutting
down (status = 0)
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [server_setup] (0x0040):
Starting with debug level = 0x0070
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] (0x0040): Unable
to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] (0x0040): Unable
to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] (0x0040): Unable
to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] (0x0040): Unable
to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] (0x0040): Unable
to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [fo_resolve_service_send] (0x0020): No
available servers for service 'sd_domain.com'
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [ad_get_slave_domain_connect_done]
(0x0020): Unable to connect to LDAP [5]: Input/output error
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [ad_subdomains_refresh_done] (0x0040):
Unable to get subdomains [5]: Input/output error
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [be_ptask_done] (0x0040): Task
[Subdomains Refresh]: failed with [5]: Input/output error
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [ad_get_slave_domain_connect_done]
(0x0020): Unable to connect to LDAP [5]: Input/output error
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [ad_subdomains_refresh_done] (0x0040):
Unable to get subdomains [5]: Input/output error
Hi,
can you run SSSD with 'debug_level = 9' in the [domain/...] section for
this case as well? For dyndns SSSD should reuse the Kerberos credentials
used for the LDAP connection.
bye,
Sumit
***LDAP_CHILD LOGS***
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000): got
realm_name: [
EXAMPLE.DOMAIN.COM]
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x0100):
Principal name is: [MYSERVER$(a)EXAMPLE.DOMAIN.COM]
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x0100): Using
keytab [MEMORY:/etc/krb5.keytab]
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018940: Getting initial credentials for MYSERVER$(a)EXAMPLE.DOMAIN.COM
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018941: Unrecognized enctype name in default_tkt_enctypes:
des-cbc-crc
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018942: Unrecognized enctype name in default_tkt_enctypes:
des-cbc-md5
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018943: Looked up etypes in keytab: rc4-hmac, aes256-cts
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018945: Sending unauthenticated request
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018946: Sending request (205 bytes) to
EXAMPLE.DOMAIN.COM
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018947: Sending initial UDP request to dgram 192.172.2.5:88
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018948: Received answer (228 bytes) from dgram 192.172.2.5:88
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018949: Response was from master KDC
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018950: Received error from KDC: -1765328359/Additional
pre-authentication required
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018953: Preauthenticating using KDC method data
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018954: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD
(15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018955: Selected etype info: etype aes256-cts, salt
"EXAMPLE.DOMAIN.COMhostmyserver.example.domain.com", params ""
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018956: Retrieving MYSERVER$(a)EXAMPLE.DOMAIN.COM from
MEMORY:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Success
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018957: AS key obtained for encrypted timestamp: aes256-cts/D0B6
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018959: Encrypted timestamp (for 1628777855.139844): plain
301AA011180F32303231303831323134313733355AA1050203022244, encrypted
7E3F423BDB4DC1D927079C7D0E47E4AF671FC5255391F8812547A862034C5F3BEF53F551A9544A3BB7CE65201DF22772A9B0A3A2440ED2E2
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018960: Preauth module encrypted_timestamp (2) (real) returned:
0/Success
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018961: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018962: Sending request (285 bytes) to
EXAMPLE.DOMAIN.COM
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018963: Sending initial UDP request to dgram 192.172.2.5:88
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018964: Received answer (104 bytes) from dgram 192.172.2.5:88
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018965: Response was from master KDC
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018966: Received error from KDC: -1765328332/Response too big for
UDP, retry with TCP
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018967: Request or response is too big for UDP; retrying with TCP
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018968: Sending request (285 bytes) to
EXAMPLE.DOMAIN.COM (tcp only)
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018969: Initiating TCP connection to stream 192.172.2.5:88
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018970: Sending TCP request to stream 192.172.2.5:88
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018971: Received answer (1627 bytes) from stream 192.172.2.5:88
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018972: Terminating TCP connection to stream 192.172.2.5:88
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018973: Response was from master KDC
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018974: Processing preauth types: PA-ETYPE-INFO2 (19)
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018975: Selected etype info: etype aes256-cts, salt
"EXAMPLE.DOMAIN.COMhostmyserver.example.domain.com", params ""
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018976: Produced preauth for next request: (empty)
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018977: AS key determined by preauth: aes256-cts/D0B6
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018978: Decrypted AS reply; session key is: aes256-cts/D18C
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018979: FAST negotiation: unavailable
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000):
credentials initialized
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000): keytab
ccname: [FILE:/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9]
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018980: Initializing
FILE:/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9 with default princ
MYSERVER$(a)EXAMPLE.DOMAIN.COM
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000):
[4054178] 1628777855.018981: Storing MYSERVER$(a)EXAMPLE.DOMAIN.COM ->
krbtgt/EXAMPLE.DOMAIN.COM(a)EXAMPLE.DOMAIN.COM in
FILE:/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000):
credentials stored
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000): Got KDC
time offset
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000): Renaming
[/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9] to
[/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM]
(2021-08-12 10:17:35): [ldap_child[4054178]] [unique_filename_destructor] (0x2000):
Unlinking [/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9]
(2021-08-12 10:17:35): [ldap_child[4054178]] [unlink_dbg] (0x2000): File already removed:
[/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9]
(2021-08-12 10:17:35): [ldap_child[4054178]] [prepare_response] (0x0400): Building
response for result [0]
(2021-08-12 10:17:35): [ldap_child[4054178]] [pack_buffer] (0x2000): response size: 64
(2021-08-12 10:17:35): [ldap_child[4054178]] [pack_buffer] (0x1000): result [0] krberr
[0] msgsize [44] msg [
FILE:/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM]
(2021-08-12 10:17:35): [ldap_child[4054178]] [main] (0x0400): ldap_child completed
successfully
(2021-08-12 10:32:12): [ldap_child[4057811]] [main] (0x0020): ldap_child_get_tgt_sync
failed.
(2021-08-12 10:32:12): [ldap_child[4057812]] [ldap_child_get_tgt_sync] (0x0040):
krb5_get_init_creds_keytab() failed: -1765328378
(2021-08-12 10:32:12): [ldap_child[4057812]] [ldap_child_get_tgt_sync] (0x0010): Failed
to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client
'host/EXAMPLE.CC.CC.NET(a)EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable
to create GSSAPI-encrypted LDAP connection.
(2021-08-12 10:32:12): [ldap_child[4057812]] [main] (0x0020): ldap_child_get_tgt_sync
failed.
Thank you!
Jovan
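As an added example (not code from the thread or from SSSD), a small triage script that groups ldap_child log lines by child PID, decodes the krb5 error codes that appear in the trace above, and separates the benign mid-exchange errors (pre-authentication required, response too big for UDP) from the fatal one, naming the principal the KDC rejected. The sample lines are condensed from the log above; it assumes the archive's "(a)" stands for "@", and the error-code names are taken from the MIT krb5 error table.

```python
import re
from collections import defaultdict

# krb5 error codes seen in the thread's logs (MIT krb5 error table base is -1765328384)
KRB5_ERRORS = {
    -1765328378: "KDC_ERR_C_PRINCIPAL_UNKNOWN",  # client principal missing from the KDC database
    -1765328359: "KDC_ERR_PREAUTH_REQUIRED",     # normal: the KDC asks for pre-authentication
    -1765328332: "KRB_ERR_RESPONSE_TOO_BIG",     # normal: libkrb5 retries the request over TCP
}
BENIGN = {"KDC_ERR_PREAUTH_REQUIRED", "KRB_ERR_RESPONSE_TOO_BIG"}

LINE_RE = re.compile(r"^\([^)]+\): \[ldap_child\[(?P<pid>\d+)\]\] \[\w+\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
ERR_RE = re.compile(r"(?:Received error from KDC: |krb5_get_init_creds_keytab\(\) failed: )(-?\d+)")
PRINC_RE = re.compile(r"Principal name is: \[([^\]]+)\]")
NOTFOUND_RE = re.compile(r"Client '([^']+)' not found in Kerberos database")

# Constructed sample: six lines condensed from the ldap_child log above (one good run, one failed run)
SAMPLE = """\
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [MYSERVER$(a)EXAMPLE.DOMAIN.COM]
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018950: Received error from KDC: -1765328359/Additional pre-authentication required
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018966: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
(2021-08-12 10:17:35): [ldap_child[4054178]] [main] (0x0400): ldap_child completed successfully
(2021-08-12 10:32:12): [ldap_child[4057812]] [ldap_child_get_tgt_sync] (0x0040): krb5_get_init_creds_keytab() failed: -1765328378
(2021-08-12 10:32:12): [ldap_child[4057812]] [ldap_child_get_tgt_sync] (0x0010): Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET(a)EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
"""

def parse_ldap_child(text):
    """Group ldap_child lines by child PID; collect the principal used, krb5 errors and the outcome."""
    runs = defaultdict(lambda: {"principal": None, "errors": [], "missing_client": None, "ok": False})
    # list archives render '@' as '(a)', so normalise before matching
    for m in filter(None, (LINE_RE.match(l.replace("(a)", "@")) for l in text.splitlines())):
        run, msg = runs[m["pid"]], m["msg"]
        if p := PRINC_RE.search(msg):
            run["principal"] = p[1]
        if e := ERR_RE.search(msg):
            run["errors"].append(KRB5_ERRORS.get(int(e[1]), f"UNKNOWN({e[1]})"))
        if n := NOTFOUND_RE.search(msg):
            run["missing_client"] = n[1]
        if msg.startswith("ldap_child completed successfully"):
            run["ok"] = True
    return dict(runs)

def triage(text):
    """Per ldap_child run: 'ok', or the first non-benign krb5 error and the principal it concerns."""
    out = {}
    for pid, run in parse_ldap_child(text).items():
        fatal = [e for e in run["errors"] if e not in BENIGN]
        who = run["missing_client"] or run["principal"] or "?"
        out[pid] = "ok" if run["ok"] and not fatal else f"{fatal[0] if fatal else 'no ticket'} for {who}"
    return out
```

Run over the sample, the 10:17 child is reported "ok" despite two KDC errors, while the 10:32 child is flagged with KDC_ERR_C_PRINCIPAL_UNKNOWN for the host/ principal, which is the line worth chasing in a full debug_level = 9 log.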
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org