Hello!
I put the pac option in the sssd config, which seemed to help in the logs and in the long run. Although taking a look at the domain logs I have this. The main issue with "Server not found in Kerberos database" was remediated by setting dyndns_update = false, being that we are not using dyndns.
Here are the logs when dyndns is set to false.
***DOMAIN LOGS***
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [orderly_shutdown] (0x0040): Shutting down (status = 0)
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [server_setup] (0x0040): Starting with debug level = 0x0070
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [fo_resolve_service_send] (0x0020): No available servers for service 'sd_domain.com'
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [ad_get_slave_domain_connect_done] (0x0020): Unable to connect to LDAP [5]: Input/output error
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [ad_subdomains_refresh_done] (0x0040): Unable to get subdomains [5]: Input/output error
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [be_ptask_done] (0x0040): Task [Subdomains Refresh]: failed with [5]: Input/output error
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [ad_get_slave_domain_connect_done] (0x0020): Unable to connect to LDAP [5]: Input/output error
(2021-08-12 10:32:12): [be[EXAMPLE.domain.com]] [ad_subdomains_refresh_done] (0x0040): Unable to get subdomains [5]: Input/output error
***LDAP_CHILD LOGS***
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [EXAMPLE.DOMAIN.COM]
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [MYSERVER$@EXAMPLE.DOMAIN.COM]
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018940: Getting initial credentials for MYSERVER$@EXAMPLE.DOMAIN.COM
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018941: Unrecognized enctype name in default_tkt_enctypes: des-cbc-crc
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018942: Unrecognized enctype name in default_tkt_enctypes: des-cbc-md5
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018943: Looked up etypes in keytab: rc4-hmac, aes256-cts
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018945: Sending unauthenticated request
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018946: Sending request (205 bytes) to EXAMPLE.DOMAIN.COM
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018947: Sending initial UDP request to dgram 192.172.2.5:88
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018948: Received answer (228 bytes) from dgram 192.172.2.5:88
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018949: Response was from master KDC
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018950: Received error from KDC: -1765328359/Additional pre-authentication required
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018953: Preauthenticating using KDC method data
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018954: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018955: Selected etype info: etype aes256-cts, salt "EXAMPLE.DOMAIN.COMhostmyserver.example.domain.com", params ""
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018956: Retrieving MYSERVER$@EXAMPLE.DOMAIN.COM from MEMORY:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Success
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018957: AS key obtained for encrypted timestamp: aes256-cts/D0B6
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018959: Encrypted timestamp (for 1628777855.139844): plain 301AA011180F32303231303831323134313733355AA1050203022244, encrypted 7E3F423BDB4DC1D927079C7D0E47E4AF671FC5255391F8812547A862034C5F3BEF53F551A9544A3BB7CE65201DF22772A9B0A3A2440ED2E2
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018960: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018961: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018962: Sending request (285 bytes) to EXAMPLE.DOMAIN.COM
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018963: Sending initial UDP request to dgram 192.172.2.5:88
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018964: Received answer (104 bytes) from dgram 192.172.2.5:88
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018965: Response was from master KDC
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018966: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018967: Request or response is too big for UDP; retrying with TCP
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018968: Sending request (285 bytes) to EXAMPLE.DOMAIN.COM (tcp only)
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018969: Initiating TCP connection to stream 192.172.2.5:88
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018970: Sending TCP request to stream 192.172.2.5:88
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018971: Received answer (1627 bytes) from stream 192.172.2.5:88
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018972: Terminating TCP connection to stream 192.172.2.5:88
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018973: Response was from master KDC
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018974: Processing preauth types: PA-ETYPE-INFO2 (19)
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018975: Selected etype info: etype aes256-cts, salt "EXAMPLE.DOMAIN.COMhostmyserver.example.domain.com", params ""
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018976: Produced preauth for next request: (empty)
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018977: AS key determined by preauth: aes256-cts/D0B6
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018978: Decrypted AS reply; session key is: aes256-cts/D18C
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018979: FAST negotiation: unavailable
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000): credentials initialized
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9]
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018980: Initializing FILE:/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9 with default princ MYSERVER$@EXAMPLE.DOMAIN.COM
(2021-08-12 10:17:35): [ldap_child[4054178]] [sss_child_krb5_trace_cb] (0x4000): [4054178] 1628777855.018981: Storing MYSERVER$@EXAMPLE.DOMAIN.COM -> krbtgt/EXAMPLE.DOMAIN.COM@EXAMPLE.DOMAIN.COM in FILE:/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000): credentials stored
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x2000): Renaming [/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9] to [/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM]
(2021-08-12 10:17:35): [ldap_child[4054178]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9]
(2021-08-12 10:17:35): [ldap_child[4054178]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM_mgQNA9]
(2021-08-12 10:17:35): [ldap_child[4054178]] [prepare_response] (0x0400): Building response for result [0]
(2021-08-12 10:17:35): [ldap_child[4054178]] [pack_buffer] (0x2000): response size: 64
(2021-08-12 10:17:35): [ldap_child[4054178]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [44] msg [FILE:/var/lib/sss/db/ccache_EXAMPLE.DOMAIN.COM]
(2021-08-12 10:17:35): [ldap_child[4054178]] [main] (0x0400): ldap_child completed successfully
(2021-08-12 10:32:12): [ldap_child[4057811]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(2021-08-12 10:32:12): [ldap_child[4057812]] [ldap_child_get_tgt_sync] (0x0040): krb5_get_init_creds_keytab() failed: -1765328378
(2021-08-12 10:32:12): [ldap_child[4057812]] [ldap_child_get_tgt_sync] (0x0010): Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
(2021-08-12 10:32:12): [ldap_child[4057812]] [main] (0x0020): ldap_child_get_tgt_sync failed.
Thank you!
Jovan
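
Added example, not part of the original post: a small Python helper that splits run-together SSSD debug entries and reports, for each ldap_child process, which principal it used and how the attempt ended. The sample lines are abridged from the logs above; the function names and outcome labels are this example's own.

```python
import re

# SSSD debug entry header: (timestamp): [component[id]] [function] (0xLEVEL):
ENTRY = re.compile(
    r"\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\): "
    r"\[(\w+)\[([^\]]+)\]\] \[(\w+)\] \((0x[0-9a-fA-F]{4})\): ")
PRINCIPAL = re.compile(r"Principal name is: \[([^\]]+)\]")
NOT_FOUND = re.compile(r"Client '([^']+)' not found in Kerberos database")

# Sample abridged from the logs in the post; two entries share each line on purpose.
SAMPLE = """\
(2021-08-12 10:17:35): [ldap_child[4054178]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [MYSERVER$@EXAMPLE.DOMAIN.COM] (2021-08-12 10:17:35): [ldap_child[4054178]] [main] (0x0400): ldap_child completed successfully
(2021-08-12 10:32:12): [ldap_child[4057812]] [ldap_child_get_tgt_sync] (0x0010): Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/EXAMPLE.CC.CC.NET@EXAMPLE.DOMAIN.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection. (2021-08-12 10:32:12): [ldap_child[4057812]] [main] (0x0020): ldap_child_get_tgt_sync failed.
"""

def split_entries(text):
    """Yield one dict per entry, even when entries are run together on a line."""
    heads = list(ENTRY.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield {"time": m.group(1), "component": m.group(2), "id": m.group(3),
               "function": m.group(4), "level": int(m.group(5), 16),
               "message": text[m.end():end].strip()}

def ldap_child_summary(text):
    """Map each ldap_child PID to the principal it used and how the run ended."""
    runs = {}
    for e in split_entries(text):
        if e["component"] != "ldap_child":
            continue
        run = runs.setdefault(e["id"], {"time": e["time"], "principal": None,
                                        "outcome": "unknown"})
        used, missing = PRINCIPAL.search(e["message"]), NOT_FOUND.search(e["message"])
        if used:
            run["principal"] = used.group(1)
        if missing:
            # The KDC rejected this client name; record the name it was asked for.
            run["principal"], run["outcome"] = missing.group(1), "client not found in KDC"
        elif "completed successfully" in e["message"]:
            run["outcome"] = "ok"
        elif e["message"].startswith("ldap_child_get_tgt_sync failed") \
                and run["outcome"] == "unknown":
            run["outcome"] = "failed"
    return runs

if __name__ == "__main__":
    for pid, run in ldap_child_summary(SAMPLE).items():
        print(pid, run["time"], run["principal"], run["outcome"])
```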