Hi Dimitri,
Thanks for your fast answer.
dpal(a)redhat.com wrote on Tue, Mar 31, 2015 at 1:06:
On 03/30/2015 12:41 PM, YVAN MASSON wrote:
Hi everybody,
First, thanks for this great tool !
With a very simple setup, it allows me to use dozens of Ubuntu 14.04
(sssd version 1.11.5-1ubuntu3) computers in the AD environment of my
school, where I have two 2003 servers.
I tried to help a colleague to do the same in another school (where there
is a mix of 2003 and 2008 servers), but I failed: the problem seems to
come from Kerberos, because I found messages of this type in the sssd
logs: "... has no support for encryption type". The enrollment of the
computer in the realm was OK, but user logins sometimes fail.
The key is to understand why it fails.
Can you define which authentication fails? What is the scenario?
Does it happen on the same client that some users are ok and some are not?
Do the users that are failing also fail on other clients?
Which DC are they on, 2003 or 2008 (I assume they are different domains in
the same forest)?

There is only one domain, and no firewall between the
client and the servers.
The authentication we want is the one from lightdm, but to debug we used
the one from the TTY or just the kinit command.
We only tried one computer client, just installed and upgraded. All other
computers are Windows ones, with AD authentication working for all users.
The failing authentication seems to be random, but not completely, as it
seems that there is a "cache" (maybe the one of sssd, maybe the Kerberos
ticket):
- if someone has been able to log in, it will be possible again.
- if someone failed to log in, the next login will also fail.
But a "reset" was possible, by leaving and joining the domain again with the
realmd tool.
I will try to better investigate as soon as I can have a remote access to
a test computer, and I will let you know.
Regards,
Yvan
In some blog I can't find anymore, it was written that old encryption
types (DES) were not supported anymore on 2008 servers, so I tried to force
some Kerberos options ("krb5_use_kdcinfo = false" in sssd.conf and
"allow_weak_crypto = 1" in /etc/krb5.conf).
The sssd logs suggest that /etc/krb5.conf is read, but the result is
the same.
The only thing "working" was to prevent the computer from talking to the
2003 server with iptables, but this is a horrible and annoying hack.
So my questions are:
- Has anyone already managed to use sssd in this type of environment?
- Would you have any idea where to look for better debugging?
Thanks very much,
Yvan Masson
_______________________________________________
sssd-users mailing list
mailto:sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
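On the "where to look for better debugging" question: a small triage script for the sssd krb5_child debug log, added here as an example (it is neither part of this thread nor an sssd tool). It groups log lines by krb5_child PID (one PID per authentication attempt), picks up the principal of each attempt, flags attempts that carry the "has no support for encryption type" message quoted above, and reports per user how many attempts succeeded or hit that error. That answers Dmitri's questions mechanically: whether the error follows particular users or hits everyone on the client. The sample log lines are constructed to mimic the general shape of sssd debug output; the wording of the principal and success lines, the function names and the timestamps are assumptions and the regexes may need adjusting to a real log.

```python
import re
from collections import defaultdict

# Generic shape of an sssd debug line (assumed):
# (timestamp) [[sssd[component[PID]]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[(?P<comp>[a-z0-9_]+)\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Wording of the line naming the principal is an assumption for this example.
PRINC_RE = re.compile(r"principal \[(?P<princ>[^\]]+)\]")
# Error text as quoted in the thread.
ENCTYPE_ERR = "has no support for encryption type"
SUCCESS_MARK = "completed successfully"  # assumed success wording

# Constructed sample log (not real sssd output). -1765328370 is the MIT krb5
# numeric code of KRB5KDC_ERR_ETYPE_NOSUPP; the surrounding text is invented.
SAMPLE_LOG = """\
(Mon Mar 30 09:12:01 2015) [[sssd[krb5_child[2101]]]] [get_and_save_tgt] (0x0400): Attempting kinit for principal [alice@EXAMPLE.LOCAL]
(Mon Mar 30 09:12:01 2015) [[sssd[krb5_child[2101]]]] [get_and_save_tgt] (0x0020): 1074: [-1765328370][KDC has no support for encryption type]
(Mon Mar 30 09:12:01 2015) [[sssd[krb5_child[2101]]]] [main] (0x0020): krb5_child failed
(Mon Mar 30 09:15:44 2015) [[sssd[krb5_child[2130]]]] [get_and_save_tgt] (0x0400): Attempting kinit for principal [bob@EXAMPLE.LOCAL]
(Mon Mar 30 09:15:44 2015) [[sssd[krb5_child[2130]]]] [main] (0x0400): krb5_child completed successfully
(Mon Mar 30 10:02:10 2015) [[sssd[krb5_child[2201]]]] [get_and_save_tgt] (0x0400): Attempting kinit for principal [alice@EXAMPLE.LOCAL]
(Mon Mar 30 10:02:10 2015) [[sssd[krb5_child[2201]]]] [get_and_save_tgt] (0x0020): 1074: [-1765328370][KDC has no support for encryption type]
(Mon Mar 30 10:02:10 2015) [[sssd[krb5_child[2201]]]] [main] (0x0020): krb5_child failed
this line is not in sssd format and must be skipped
(Mon Mar 30 10:30:00 2015) [[sssd[krb5_child[2250]]]] [get_and_save_tgt] (0x0400): Attempting kinit for principal [bob@EXAMPLE.LOCAL]
(Mon Mar 30 10:30:00 2015) [[sssd[krb5_child[2250]]]] [main] (0x0400): krb5_child completed successfully
"""


def parse_line(line):
    """Split one sssd debug line into its fields, or return None for anything else."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Per principal: number of krb5_child attempts, successes and enctype errors."""
    attempts = {}  # pid -> state of that single authentication attempt
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["comp"] != "krb5_child":
            continue  # other sssd components and garbage lines are ignored
        state = attempts.setdefault(
            rec["pid"], {"princ": None, "enctype_error": False, "success": False}
        )
        pm = PRINC_RE.search(rec["msg"])
        if pm:
            state["princ"] = pm.group("princ")
        if ENCTYPE_ERR in rec["msg"]:
            state["enctype_error"] = True
        if SUCCESS_MARK in rec["msg"]:
            state["success"] = True

    per_user = defaultdict(lambda: {"attempts": 0, "success": 0, "enctype_error": 0})
    for state in attempts.values():
        user = state["princ"] or "<unknown>"
        per_user[user]["attempts"] += 1
        per_user[user]["success"] += int(state["success"])
        per_user[user]["enctype_error"] += int(state["enctype_error"])
    return dict(per_user)


def never_succeeded(summary):
    """Principals with at least one attempt and no success: the accounts to look at first."""
    return sorted(u for u, s in summary.items() if s["attempts"] and s["success"] == 0)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for user, s in sorted(report.items()):
        print(f"{user}: {s['attempts']} attempts, {s['success']} ok, "
              f"{s['enctype_error']} enctype errors")
    print("never succeeded:", never_succeeded(report))
```

Run it against /var/log/sssd/krb5_child.log with debug_level raised in the [domain/...] section of sssd.conf (sssd needs debug output on for krb5_child to log anything useful). If the enctype error clusters on some principals while others always succeed, the difference is on the account side (which keys those accounts hold); if it hits every principal, the client or the DC it happens to reach is the place to look, which is exactly the distinction the questions above are trying to draw.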