On 12.08.2013 15:58, Sumit Bose wrote:
On Mon, Aug 12, 2013 at 03:27:56PM +0200, Marcus Moeller wrote:
> On 12.08.2013 15:26, Ondrej Kos wrote:
>> On 08/12/2013 03:00 PM, Marcus Moeller wrote:
>>> Hi all,
>>>
>>> I am trying to use the AD provider in order to connect a client to our
>>> Active Directory. I have to mention, that our DNS Setup is somewhat
>>> broken, so reverse lookups do not work by default.
>>>
>>> When I now try connect, with reverse lookups not working, I got an error:
>>>
>>> ...
>>>
>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [resolve_srv_send]
>>> (0x0200): The status of SRV lookup is resolved
>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [get_server_status]
>>> (0x1000): Status of server 'novo.d.ethz.ch' is 'name resolved'
>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]]
>>> [be_resolve_server_process] (0x1000): Saving the first resolved server
>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]]
>>> [be_resolve_server_process] (0x0200): Found address for server
>>> novo.d.ethz.ch: [172.31.65.60] TTL 938
>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]]
>>> [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get
>>> TGT...
>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]]
>>> [create_tgt_req_send_buffer] (0x1000): buffer size: 43
>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [set_tgt_child_timeout]
>>> (0x0400): Setting 6 seconds timeout for tgt child
>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [write_pipe_handler]
>>> (0x0400): All data has been sent!
>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [main] (0x0400):
>>> ldap_child started.
>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>> (0x1000): total buffer size: 43
>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>> (0x1000): realm_str size: 9
>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>> (0x1000): got realm_str: D.ETHZ.CH
>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>> (0x1000): princ_str size: 18
>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>> (0x1000): got princ_str: ldapmap1/d.ethz.ch
>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>> (0x1000): keytab_name size: 0
>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>> (0x1000): lifetime: 86400
>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]]
>>> [ldap_child_get_tgt_sync] (0x0100): Principal name is:
>>> [ldapmap1/d.ethz.ch@D.ETHZ.CH]
>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]]
>>> [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [prepare_response]
>>> (0x0400): Building response for result [0]
>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [pack_buffer]
>>> (0x1000): result [0] krberr [0] msgsize [37] msg
>>> [FILE:/var/lib/sss/db/ccache_D.ETHZ.CH]
>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [main] (0x0400):
>>> ldap_child completed successfully
>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [read_pipe_handler]
>>> (0x0400): EOF received, client finished
>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_get_tgt_recv]
>>> (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_D.ETHZ.CH],
>>> expired on [1376347208]
>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_cli_auth_step]
>>> (0x0100): expire timeout is 900
>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_cli_auth_step]
>>> (0x1000): the connection will expire at 1376312108
>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send]
>>> (0x0100): Executing sasl bind mech: gssapi, user: ldapmap1/d.ethz.ch
>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send]
>>> (0x0020): ldap_sasl_bind failed (-2)[Local error]
>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send]
>>> (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI
>>> Error: Unspecified GSS failure. Minor code may provide more information
>>> (Server not found in Kerberos database)]
>>>
>>> ...
>>>
>>> Any idea why this might happen?
>>>
>>> Greets
>>> Marcus
>>>
>>
>> Hi Marcus,
>>
>> Could you post your sssd.conf and krb5.conf setting?
>
>
> krb5.conf
> ...
> [libdefaults]
> dns_lookup_realm = true
> forwardable = true
> default_realm = D.ETHZ.CH
>
>
> sssd.conf
> ...
> [sssd]
> config_file_version = 2
>
> # Number of times services should attempt to reconnect in the
> # event of a crash or restart before they give up
> reconnection_retries = 3
>
> # If a back end is particularly slow you can raise this timeout here
> sbus_timeout = 30
> services = nss, pam
>
> # SSSD will not start if you do not configure any domains.
> # Add new domain configurations as [domain/<NAME>] sections, and
> # then add the list of domains (in the order you want them to be
> # queried) to the "domains" attribute below and uncomment it.
> # domains = LOCAL,LDAP
>
> domains = D.ETHZ.CH
>
> [nss]
> # The following prevents SSSD from searching for the root user/group in
> # all domains (you can add here a comma-separated list of system accounts that
> # are always going to be /etc/passwd users, or that you want to filter out).
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
>
> # The entry_cache_timeout indicates the number of seconds to retain an
> # entry in cache before it is considered stale and must block to refresh.
> # The entry_cache_nowait_timeout indicates the number of seconds to
> # wait before updating the cache out-of-band. (NSS requests will still
> # be returned from cache until the full entry_cache_timeout). Setting this
> # value to 0 turns this feature off (default).
> # entry_cache_timeout = 600
> # entry_cache_nowait_timeout = 300
>
> [pam]
> reconnection_retries = 3
>
> [domain/D.ETHZ.CH]
> #debug_level=5
> id_provider = ad
> ad_domain = d.ethz.ch
> dns_discovery_domain = d.ethz.ch
> krb5_realm = D.ETHZ.CH
> ldap_user_principal = xyz.example
> ldap_id_mapping = false
>
>
> Greets
> Marcus
>
SSSD tries to get a TGT for ldapmap1/d.ethz.ch@D.ETHZ.CH which looks a
bit odd and the AD KDC returns (Server not found in Kerberos database)
for this principal. Please try to add the hostname of the client in the
ad_hostname option.
I am using a keytab and have not joined the machine. ldapmap1 is correct.
Greets
Marcus
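Added example, not from this thread or from the SSSD project: a small Python triage helper that parses sssd debug lines in the format quoted above and pulls out the resolved server address, the TGT principal and keytab the ldap_child used, the SASL bind identity, and the GSSAPI minor-status text, so the pieces Sumit compares by eye can be read off mechanically. The sample lines are constructed from the thread, with the mail wrapping undone.

```python
import re

# Constructed sample: the relevant sssd debug lines from the thread, with the
# mail client's line wrapping undone and the list archive's "(a)" restored to "@".
SAMPLE_LOG = """\
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [be_resolve_server_process] (0x0200): Found address for server novo.d.ethz.ch: [172.31.65.60] TTL 938
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [ldapmap1/d.ethz.ch@D.ETHZ.CH]
(Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: ldapmap1/d.ethz.ch
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
"""

# General shape of an sssd debug line: (timestamp) [component] [function] (level): message
# The component may itself contain nested brackets, hence the non-greedy match.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<comp>.*?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$"
)
SERVER_RE = re.compile(r"Found address for server (\S+): \[([^\]]+)\]")
PRINC_RE = re.compile(r"Principal name is: \[([^\]]+)\]")
KEYTAB_RE = re.compile(r"Using keytab \[([^\]]+)\]")
SASL_RE = re.compile(r"Executing sasl bind mech: (\S+), user: (\S+)")
GSS_MINOR_RE = re.compile(r"\(([^()]+)\)\]$")  # last parenthesised text before the closing ]


def parse_line(line):
    """Split one sssd debug line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def triage_gssapi_bind(log_text):
    """Collect what a GSSAPI SASL bind attempt used and how it ended."""
    out = {"servers": [], "tgt_principal": None, "keytab": None, "sasl_mech": None,
           "sasl_user": None, "bind_failed": False, "gss_minor": None}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := SERVER_RE.search(msg):
            out["servers"].append((m.group(1), m.group(2)))
        elif m := PRINC_RE.search(msg):
            out["tgt_principal"] = m.group(1)
        elif m := KEYTAB_RE.search(msg):
            out["keytab"] = m.group(1)
        elif m := SASL_RE.search(msg):
            out["sasl_mech"], out["sasl_user"] = m.group(1), m.group(2)
        elif rec["func"] == "sasl_bind_send" and "ldap_sasl_bind failed" in msg:
            out["bind_failed"] = True
        elif rec["func"] == "sasl_bind_send" and (m := GSS_MINOR_RE.search(msg)):
            out["gss_minor"] = m.group(1)
    return out
```

Feed it the full debug log rather than the excerpt and `servers` will list every address sssd resolved for the domain, which is the first thing to compare against what the KDC actually has a service principal for.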