On Mon, Aug 12, 2013 at 03:27:56PM +0200, Marcus Moeller wrote:
Am 12.08.2013 15:26, schrieb Ondrej Kos:
>On 08/12/2013 03:00 PM, Marcus Moeller wrote:
>>Hi all,
>>
>>I am trying to use the AD provider in order to connect a client to our
>>Active Directory. I have to mention, that our DNS Setup is somewhat
>>broken, so reverse lookups do not work by default.
>>
>>When I now try connect, with reverse lookups not working, I got an error:
>>
>>...
>>
>>(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [resolve_srv_send]
>>(0x0200): The status of SRV lookup is resolved
>>(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [get_server_status]
>>(0x1000): Status of server 'novo.d.ethz.ch' is 'name resolved'
>>(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]]
>>[be_resolve_server_process] (0x1000): Saving the first resolved server
>>(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]]
>>[be_resolve_server_process] (0x0200): Found address for server
>>novo.d.ethz.ch: [172.31.65.60] TTL 938
>>(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]]
>>[sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get
>>TGT...
>>(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]]
>>[create_tgt_req_send_buffer] (0x1000): buffer size: 43
>>(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [set_tgt_child_timeout]
>>(0x0400): Setting 6 seconds timeout for tgt child
>>(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [write_pipe_handler]
>>(0x0400): All data has been sent!
>>(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [main] (0x0400):
>>ldap_child started.
>>(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>(0x1000): total buffer size: 43
>>(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>(0x1000): realm_str size: 9
>>(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>(0x1000): got realm_str: D.ETHZ.CH
>>(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>(0x1000): princ_str size: 18
>>(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>(0x1000): got princ_str: ldapmap1/d.ethz.ch
>>(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>(0x1000): keytab_name size: 0
>>(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>(0x1000): lifetime: 86400
>>(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]]
>>[ldap_child_get_tgt_sync] (0x0100): Principal name is:
>>[ldapmap1/d.ethz.ch(a)D.ETHZ.CH]
>>(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]]
>>[ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
>>(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [prepare_response]
>>(0x0400): Building response for result [0]
>>(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [pack_buffer]
>>(0x1000): result [0] krberr [0] msgsize [37] msg
>>[FILE:/var/lib/sss/db/ccache_D.ETHZ.CH]
>>(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [main] (0x0400):
>>ldap_child completed successfully
>>(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [read_pipe_handler]
>>(0x0400): EOF received, client finished
>>(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_get_tgt_recv]
>>(0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_D.ETHZ.CH],
>>expired on [1376347208]
>>(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_cli_auth_step]
>>(0x0100): expire timeout is 900
>>(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_cli_auth_step]
>>(0x1000): the connection will expire at 1376312108
>>(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send]
>>(0x0100): Executing sasl bind mech: gssapi, user: ldapmap1/d.ethz.ch
>>(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send]
>>(0x0020): ldap_sasl_bind failed (-2)[Local error]
>>(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send]
>>(0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI
>>Error: Unspecified GSS failure. Minor code may provide more information
>>(Server not found in Kerberos database)]
>>
>>...
>>
>>Any idea why this might happen?
>>
>>Greets
>>Marcus
>>
>
>Hi Marcus,
>
>Could you post your sssd.conf and krb5.conf setting?
krb5.conf
...
[libdefaults]
dns_lookup_realm = true
forwardable = true
default_realm = D.ETHZ.CH

sssd.conf
...
[sssd]
config_file_version = 2
# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3
# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LOCAL,LDAP
domains = D.ETHZ.CH

[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3
# The entry_cache_timeout indicates the number of seconds to retain an
# entry in cache before it is considered stale and must block to refresh.
# The entry_cache_nowait_timeout indicates the number of seconds to
# wait before updating the cache out-of-band. (NSS requests will still
# be returned from cache until the full entry_cache_timeout). Setting this
# value to 0 turns this feature off (default).
# entry_cache_timeout = 600
# entry_cache_nowait_timeout = 300

[pam]
reconnection_retries = 3

[domain/D.ETHZ.CH]
#debug_level=5
id_provider = ad
ad_domain = d.ethz.ch
dns_discovery_domain = d.ethz.ch
krb5_realm = D.ETHZ.CH
ldap_user_principal = xyz.example
ldap_id_mapping = false
Greets
Marcus
SSSD tries to get a TGT for ldapmap1/d.ethz.ch(a)D.ETHZ.CH which looks a
bit odd and the AD KDC returns (Server not found in Kerberos database)
for this principal. Please try to add the hostname of the client in the
ad_hostname option.
HTH
bye,
Sumit
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
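An added diagnostic helper, not code from the thread or from SSSD itself: it parses debug entries of the shape quoted above, extracts the principal that ldap_child asked a TGT for, and checks whether the KDC's "Server not found in Kerberos database" error concerns a principal whose host part is not this client, which is the mismatch Sumit points at. The client FQDN and the sample log lines are constructed.

```python
import re

# One SSSD debug entry: "(timestamp) [process] [function] (0xLEVEL): message".
ENTRY_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
PRINC_RE = re.compile(r"Principal name is: \[(?P<princ>[^\]]+)\]")
KRB_ERR = "Server not found in Kerberos database"

# Constructed sample modelled on the quoted log (one entry per line in the
# real file; the mail client wrapped them).
SAMPLE_LOG = """\
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [ldapmap1/d.ethz.ch@D.ETHZ.CH]
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: ldapmap1/d.ethz.ch
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
"""


def parse_entries(text):
    """Split a debug log into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(ENTRY_RE.match, text.splitlines()) if m]


def split_principal(princ):
    """'svc/host@REALM' -> (svc, host, realm); host is None for 'user@REALM'."""
    name, _, realm = princ.partition("@")
    svc, slash, host = name.partition("/")
    return svc, (host if slash else None), realm


def diagnose(text, client_fqdn):
    """Report the TGT principal SSSD used and whether the GSSAPI bind failed on it."""
    princ, failure = None, None
    for e in parse_entries(text):
        if e["func"] == "ldap_child_get_tgt_sync":
            m = PRINC_RE.search(e["msg"])
            if m:
                princ = m.group("princ")
        elif e["func"] == "sasl_bind_send" and KRB_ERR in e["msg"]:
            failure = KRB_ERR
    if princ is None:
        return {"principal": None, "failure": failure, "hint": "no TGT attempt logged"}
    svc, host, realm = split_principal(princ)
    host_ok = host is not None and host.lower() == client_fqdn.lower()
    if failure is None:
        hint = "no Kerberos failure logged"
    elif host_ok:
        hint = "KDC rejected a principal for this host; check the keytab (klist -k)"
    else:
        hint = "principal host part is not this client; set ad_hostname and check the keytab"
    return {"principal": princ, "service": svc, "host": host, "realm": realm,
            "failure": failure, "host_matches_client": host_ok, "hint": hint}
```

Run `diagnose(open("/var/log/sssd/sssd_D.ETHZ.CH.log").read(), socket.getfqdn())` against a real log; the hypothetical client name "client01.d.ethz.ch" used in the test is only a placeholder.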