On (22/02/16 11:48), Sumit Bose wrote:
On Mon, Feb 22, 2016 at 09:41:47AM +0000, John Hodrien wrote:
> On Mon, 22 Feb 2016, Patrice Peterson wrote:
>
> >Hey list,
> >
> >I have joined a CentOS 7 host to an AD domain using a fairly new version of
> >adcli (one of the versions that has this [0] bug fixed). In its keytab, this
> >host has a service principal of the form 'host/fqdn@REALM' (i.e. lowercase).
> >User lookups with SSSD don't work, and the SSSD log says "Client
> >'host/fqdn@REALM' not found in Kerberos database. Unable to create
> >GSSAPI-encrypted LDAP connection."
> >
> >However, if I use the 'old' adcli to join the node and create the keytab, it
> >creates a service principal of the form 'HOST/fqdn@REALM'. With this keytab,
> >I can do username lookups just fine.
> >
> >Should this be considered a bug? Is there a way to make service principal
> >lookups w/SSSD case insensitive? I would like to keep the lower-case
> >principal names in my keytabs, because OpenSSH GSSAPI auth only works with
> >those.
> >
> >Thanks for any pointers!
>
> SSSD with a normal AD joined machine would use the SHORTHOST$@REALM entry, not
> any of the others. That one's the only one that's a userPrincipal by default
> (although you can choose *one* additional userPrincipal if you require).
>
> You can test this on the command line as it's the only one kinit -k will work
> with:
>
> # These work
> kinit -k SHORTHOST$
> kinit -k SHORTHOST$@DS.LEEDS.AC.UK
>
> # These do not work
> kinit -k host/fqdn
> kinit -k host/fqdn@DS.LEEDS.AC.UK
>
> So I'm not entirely sold on your diagnosis being correct.
I agree with John here. Can you share your sssd.conf?
And also sssd domain log file and (*_child.log)
https://fedorahosted.org/sssd/wiki/Troubleshooting
LS
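As an added illustration of John's point about which keytab entry SSSD's AD provider actually uses (this is not code from the thread, from SSSD or from adcli), the script below parses an MIT-format keytab, lists its principals, and reports whether the SHORTHOST$@REALM machine-account entry is present and how any host/ SPNs are spelled. The keytab bytes, host name and realm are constructed sample data; only principals are read, key material is skipped.

```python
import struct
from typing import Dict, List, Tuple

def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:  # uint16 length + bytes
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n
def parse_keytab(data: bytes) -> List[Dict]:
    """List the principals in an MIT keytab (format 0x0502); key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    off, entries = 2, []
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off += 4
        if size <= 0:                      # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        ncomp = struct.unpack_from(">H", data, off)[0]
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen                   # fixed header plus key material
        kvno = vno8
        if end - off >= 4:                 # optional 32-bit kvno overrides vno8 if nonzero
            kvno = struct.unpack_from(">I", data, off)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype})
        off = end
    return entries
def build_entry(comps: List[str], realm: str, kvno: int = 2, enctype: int = 18) -> bytes:
    """Serialise one entry with an all-zero placeholder key (constructed sample data only)."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    key = b"\x00" * 32
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
def diagnose(entries: List[Dict]) -> Dict:
    """SSSD's AD provider uses SHORTHOST$@REALM; also report how host/ SPNs are spelled."""
    names = [e["principal"].split("@")[0] for e in entries]
    return {"machine_account": any("/" not in n and n.endswith("$") for n in names),
            "host_spn_cases": sorted({n.split("/")[0] for n in names if n.lower().startswith("host/")})}
# Constructed sample: a lowercase host/ SPN plus the machine account, as in the thread.
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry(["host", "node1.example.com"], "EXAMPLE.COM")
                 + build_entry(["NODE1$"], "EXAMPLE.COM"))
```

Running `diagnose(parse_keytab(open("/etc/krb5.keytab", "rb").read()))` on a real joined host shows at a glance whether the machine-account entry that `kinit -k SHORTHOST$` relies on is there, independent of how the host/ SPN is cased.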