I've always used a fully qualified hostname. My example was a cleaned-up version and I was too lazy to write subdomain1.example.com.

I've set ad_hostname to the correct hostname. Your question made me take a look at other settings and I noticed that the server's hostname had a different domain name. But I still had the same problems as before.

Increasing debug_level created an amazing amount of rows.  :)

This is my cleaned-up log.


2018-03-05 15:35 GMT+01:00 Sumit Bose <sbose@redhat.com>:
On Mon, Mar 05, 2018 at 08:40:19AM -0500, Justin Stephenson wrote:
> On 03/05/2018 08:25 AM, Roger Martensson wrote:
> > Sorry about that.. Bleeping send-button shortcut.
> >
> > Let me continue.
> >
> > Command I use to test: ssh userid@subdomain2@localhost
> >
> > The krb5_child.log contains these error messages:
> > [[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0400): Attempting kinit
> > for realm [SUBDOMAIN1]
> > [[sssd[krb5_child[5720]]]] [sss_krb5_expire_callback_func] (0x2000):
> > exp_time: [5621224]
> > [[sssd[krb5_child[5720]]]] [validate_tgt] (0x2000): Keytab entry with the
> > realm of the credential not found in keytab. Using the last entry.
> > [[sssd[krb5_child[5720]]]] [validate_tgt] (0x0020): TGT failed verification
> > using key for [RestrictedKrbHost/myclient@SUBDOMAIN1].
> > [[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0020): 1581:
> > [-1765328377][Server not found in Kerberos database]
> > [[sssd[krb5_child[5720]]]] [map_krb5_error] (0x0020): 1657:
> > [-1765328377][Server not found in Kerberos database]
> >
> > I can get it to work using 'krb5_validate = false' but that disables a
> > nice security measure.
> >
> > So.. Anyone who can help me back on track? AKA What did I do wrong this
> > time?
>
> Can you make sure your hostname is fully-qualified?
>
> If it is not currently then you will need to leave the domain, make sure the
> /etc/krb5.keytab is removed, set the fully-qualified name and rejoin the
> domain.

If validation still fails after joining with the fully qualified name
please run SSSD with debug_level=9 in the [domain/...] section. This
will add the full Kerberos trace output to the krb5_child.log files
which will help to identify which step during validation fails.

bye,
Sumit

>
> -Justin
>
> >
> >
> >
> > 2018-03-05 14:13 GMT+01:00 Roger Martensson <roger.martensson@gmail.com>:
> >
> > > Hi!
> > >
> > > It's me again with multiple domain problems. :)
> > >
> > > I once again have problems with multiple domains. This time with login.
> > > Maybe one of you could explain to me what I did wrong this time.
> > >
> > > OS: Ubuntu 17.10
> > > SSSD: 1.15.3
> > >
> > > Domain setup: two subdomains, both connected to the same parent domain. Both
> > > subdomains contain users. Most of them are only in one domain but some
> > > are found in both.
> > >
> > > Client is connected to subdomain1. I can log in with a user on subdomain1.
> > > When logging in to subdomain2 (both using 'su-with-password-prompt' and
> > > 'ssh-to-localhost') I get a System Error 4.
> > >
> > > In the log krb5_child.log (which sssd_domain.log points to) I see these lines.
> > > (altered some names)
> > >
> > >
> >
> >
> >
> > _______________________________________________
> > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
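The two things asked for in this thread are whether the client's hostname is fully qualified and whether /etc/krb5.keytab actually holds a host principal for that name in the realm the TGT is being validated against (the "Keytab entry with the realm of the credential not found in keytab" line says the realm match failed before the key check did). The script below is an added example, not code from the thread or from SSSD: it is a simplified, offline version of that lookup over the output of `klist -k`. The hostnames, realm names and keytab entries are constructed; the real SSSD validation logic has more cases than this.

```shell
#!/bin/sh
# Added example: check a keytab listing against the client FQDN and the TGT realm.
# Not from the original thread or from SSSD. All names below are constructed.

# Constructed `klist -k` output for a client that was joined with a short (non-FQDN) name.
SAMPLE_KEYTAB_SHORT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myclient@SUBDOMAIN1.EXAMPLE.COM
   2 RestrictedKrbHost/myclient@SUBDOMAIN1.EXAMPLE.COM
   2 MYCLIENT$@SUBDOMAIN1.EXAMPLE.COM'

# Constructed `klist -k` output after a rejoin with the fully qualified name.
SAMPLE_KEYTAB_FQDN='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/myclient.subdomain1.example.com@SUBDOMAIN1.EXAMPLE.COM
   3 RestrictedKrbHost/myclient.subdomain1.example.com@SUBDOMAIN1.EXAMPLE.COM
   3 MYCLIENT$@SUBDOMAIN1.EXAMPLE.COM'

# keytab_has_host_principal <klist -k output> <fqdn> <REALM>
# Returns 0 if the keytab has host/<fqdn>@<REALM> or RestrictedKrbHost/<fqdn>@<REALM>,
# i.e. a key that could be used to validate a TGT issued by <REALM> for this host.
keytab_has_host_principal() {
    printf '%s\n' "$1" | awk -v fqdn="$2" -v realm="$3" '
        # Principal lines start with a numeric KVNO; header and ruler lines do not.
        $1 ~ /^[0-9]+$/ {
            if ($2 == ("host/" fqdn "@" realm) || $2 == ("RestrictedKrbHost/" fqdn "@" realm))
                found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# keytab_realms <klist -k output>
# Prints the distinct realms present in the keytab, one per line, so a realm that
# appears in krb5_child.log but not here is immediately visible.
keytab_realms() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { sub(/.*@/, "", $2); print $2 }' | sort -u
}

# check_live <REALM>
# Read-only check against the running host: refuses a non-FQDN hostname, then
# runs the keytab check on the real /etc/krb5.keytab (needs klist, usually root).
check_live() {
    fqdn=$(hostname -f)
    case $fqdn in
        *.*) ;;
        *)  echo "hostname -f returned '$fqdn', which is not fully qualified" >&2
            return 2 ;;
    esac
    if keytab_has_host_principal "$(klist -k)" "$fqdn" "$1"; then
        echo "keytab has a host principal for $fqdn in realm $1"
    else
        echo "no host principal for $fqdn@$1 in keytab; realms present:" >&2
        keytab_realms "$(klist -k)" >&2
        return 1
    fi
}
```

Usage on a joined client would be `. ./keytab-check.sh && check_live SUBDOMAIN1.EXAMPLE.COM` (hypothetical file name, realm substituted for yours). The constructed short-name keytab fails the check for the FQDN, which is the situation Justin's leave/remove-keytab/rejoin advice addresses; it also fails for any realm other than the one the machine is joined to, which is what to look at next if the TGT being validated comes from the other subdomain.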