On Mon, Mar 30, 2015 at 06:41:37PM +0200, YVAN MASSON wrote:
Hi everybody,
First, thanks for this great tool !
With a very simple setup, it allows me to use dozens of *Ubuntu 14.04
(sssd version 1.11.5-1ubuntu3) computers in the AD environment of my
school, where I have two 2003 servers.
I tried to help a collegue to do the same in another school (where there
is a mix of 2003 and 2008 servers), but I failed : the problem seems to
come from Kerberos, because I found messages of this type in the sssd logs
: "... has no support for encryption type". The enrollment of the computer
in the realm was OK, but users login sometimes fails.
In some blog I can't find anymore, it was written that old encryption
types (DES) was not supported anymore on 2008 servers, so I tried to force
some Kerberos options ("krb5_use_kdcinfo = false" in sssd.conf and
Setting this should not be needed. With the default setting SSSD will
try to use the same AD DC as long as possible for Kerberos related
operations. With your settings it might use a different AD DC for every
operation.
"allow_weak_crypto = 1" in /etc/krb5.conf).
Please try 'allow_weak_crypto = true' I'm not sure if '1' evaluates
to
'true' as well.
The sssd logs let think that /etc/krb5.conf is looked, but the result
is
the same.
The only thing "working" was to prevent the computer to talk with the 2003
server with iptables, but this is a horrible and annoying hack.
So my question are :
- Does anyone alredy managed to use sssd in this type of environment ?
- Would you have any idea where to look for better debugging ?
SSSD's krb5_child.log should have all the details if you use
debug_level=10 in the domain section of sssd.conf.
HTH
bye,
Sumit
Thanks very much,
Yvan Masson
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users