NOTE: My email was blocked due to its size being >40k. I put my logs on pastebin to get the email to go through, hope it's okay. I didn't cancel my other submission, so it may eventually go through.
On May 30, 2013, at 10:06 AM, Jakub Hrozek <email@example.com> wrote:
> On Thu, May 30, 2013 at 02:36:08PM +0000, Harris, Bryan L. wrote:
> > ldap_child.log: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
> > ldap_child.log: Received error from KDC: -1765328359/Additional pre-authentication required ...
> This is interesting, do these occur after every sssd startup or was it
> just some artifact from before? The ldap_child is used to authenticate
> with GSSAPI to the LDAP server, if the authentication wouldn't succeed,
> the SSSD would go offline.
Yes, I always do a ( service sssd stop ; rm /var/lib/sss/db/* ; service sssd start ) every time I make a change to anything.
Here are the lines from that file when I do a stop / start of sssd.
> Also typically the host/fqdn@REALM principal is not user, but rather
> shortname$@REALM, in your case linux$@MY.GREAT.DOMAIN
I'm not exactly 100% sure I understand, I thought from the page above that:
1. If my server name is "linux-server" (without quotes)
2. If my 2008 AD domain is MY.GREAT.DOMAIN
3. Then I should use the text "host/linux-server@MY.GREAT.DOMAIN" (without quote marks) when I do my ktpass.exe on Windows.
Did I do it wrong?
> > sssd_nss.log: Got reply from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not configured
> > sssd_nss.log: Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success ...
> > sssd_MY.GREAT.DOMAIN.log: Could not get fully qualified name for host name linux-server.my.great.domain error : No such file or directory, resolver returned: : Domain name not found
> are you sure the new password meets the complexity requirements imposed
> by AD? Currently SSSD doesn't really report those in a meaningful way.
My test was to set the password in the Windows server itself by clicking Start > Security > Change Password as the user in question. When I did it in Windows, it was successful. Now that I have that in my previous 24 passwords, Windows doesn't accept that exact same password again. So I came up with another one of a similar pattern/style and same length etc. Maybe I'm doing something wrong here...?
> Also, are there any interesting information in the krb5_child.log ? With
> debug level as high as yours, I would expect all the trace information
Oh that file is completely empty until I go to my user and run the passwd command. Here is the resulting log when I run passwd as my user.