Hi Jakub,

First I tried ldapsearch without kinit and got the following as expected:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)



Ran a kinit with host principal:

 kinit -k -t /etc/krb5.keytab host/hostname.x.y.local

After this, ldapsearch works fine. I got the results back for the specified user.

#  ldapsearch -H ldap://RODChostname.x.y.local/ -Y GSSAPI -N -b "dc=x,dc=y,dc=local" "(&(objectClass=user)(sAMAccountName=first.last))"
SASL/GSSAPI authentication started
SASL username: host/hostname.x.y.local@X.Y.LOCAL
SASL SSF: 56
SASL data security layer installed.

...
...
...
...

But still, the exact same user authentication doesn't work when tried using SSSD.

Here is the sssd.conf file.

[sssd]
domains = X.Y.LOCAL
services = nss, pam, sudo
config_file_version = 2
[nss]
[pam]
[sudo]
[domain/x.y.local]
ad_domain = X.Y.LOCAL
ad_server = hostname.x.y.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
krb5_realm = X.Y.LOCAL
krb5_store_password_if_offline = True
use_fully_qualified_names = false
dyndns_update = False
ldap_schema = ad
ldap_id_mapping = False
cache_credentials = false
timeout = 1800
enumerate = True
enum_cache_timeout = 1800
ldap_use_tokengroups = True


ldap_uri = ldap://hostname.x.y.local
ldap_sudo_search_base = ...
ldap_user_search_base = ...
ldap_user_object_class = user
ldap_group_search_base = ...
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = ...
ldap_access_filter = ...
override_homedir = /home/%d/%u
default_shell = /bin/bash


Many Thanks,

~ Abhi



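The sssd.conf above sets ldap_use_tokengroups twice with opposite values and ldap_access_filter twice, so which value SSSD ends up using depends on how its INI parser resolves duplicates. The script below is an added example, not part of either message in this thread and not SSSD's own code: it parses an sssd.conf while keeping every occurrence of a key and reports the duplicates. SSSD_CONF is a constructed excerpt modelled on the posted file; the group DNs in the ldap_access_filter lines are made up for the illustration (the original post elides them).

```python
"""Report keys that appear more than once in an sssd.conf section.

Added example: SSSD_CONF is a constructed excerpt shaped like the config in
the thread, with invented ldap_access_filter values. Whatever an INI parser
does with duplicates, two settings of the same key with different values is
a configuration bug worth catching before debugging the provider itself.
"""
from collections import defaultdict

SSSD_CONF = """\
[sssd]
domains = X.Y.LOCAL
services = nss, pam, sudo
config_file_version = 2

[domain/x.y.local]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_use_tokengroups = False
ldap_id_mapping = False
ldap_use_tokengroups = True
ldap_access_order = filter, expire
ldap_access_filter = (memberOf=cn=example-group-a,ou=groups,dc=x,dc=y,dc=local)
ldap_access_filter = (memberOf=cn=example-group-b,ou=groups,dc=x,dc=y,dc=local)
"""


def parse_ini_multi(text):
    """Parse INI text keeping every occurrence of a key, in file order.

    Returns {section: {key: [value, value, ...]}}.  Blank lines and
    '#'/';' comments are skipped; anything else must be 'key = value'."""
    sections = defaultdict(lambda: defaultdict(list))
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section is None:
            raise ValueError(f"line {lineno}: key outside any section: {raw!r}")
        if "=" not in line:
            raise ValueError(f"line {lineno}: not a 'key = value' line: {raw!r}")
        key, _, value = line.partition("=")
        sections[section][key.strip()].append(value.strip())
    return sections


def find_duplicate_keys(text):
    """Return [(section, key, [values...])] for every key set more than once."""
    dups = []
    for section, keys in parse_ini_multi(text).items():
        for key, values in keys.items():
            if len(values) > 1:
                dups.append((section, key, values))
    return dups


def last_wins_view(text):
    """The config as a parser that keeps the last occurrence of a key sees it."""
    return {section: {key: values[-1] for key, values in keys.items()}
            for section, keys in parse_ini_multi(text).items()}


if __name__ == "__main__":
    for section, key, values in find_duplicate_keys(SSSD_CONF):
        flag = "CONFLICT" if len(set(values)) > 1 else "repeated"
        print(f"[{section}] {key}: {flag}, values {values}")
```

Run it against the real /etc/sssd/sssd.conf by reading the file into SSSD_CONF; on the posted config it flags ldap_use_tokengroups as a conflict (False, then True) and ldap_access_filter as repeated, which is easier to spot here than in a debug log.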
On Wed, Feb 15, 2017 at 4:46 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:
On Tue, Feb 14, 2017 at 04:32:44PM -0500, Abhijit Tikekar wrote:
> We created the keytab file and imported that into the existing krb5.keytab
> file using ktutil. I can see that now, klist -k shows a "host" principal
> entry for this computer which was missing earlier.
>
> Also initialized the new keytab file using "kinit -k -t /etc/krb5.keytab
> host/hostname.X.Y.local". I can see the service principal update after this
> step in klist.
>
> But authentication using my AD account still fails with the following in
> logs:
>
>
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sbus_dispatch] (0x4000):
> dbus conn: 0x1666a60
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sbus_dispatch] (0x4000):
> Dispatching.
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sbus_message_handler]
> (0x2000): Received SBUS method
> org.freedesktop.sssd.dataprovider.getAccountInfo on path
> /org/freedesktop/sssd/dataprovider
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sbus_get_sender_id_send]
> (0x2000): Not a sysbus message, quit
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [be_get_account_info]
> (0x0200): Got request for [0x1001][FAST
> BE_REQ_USER][1][name=firstname.lastname]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [be_req_set_domain]
> (0x0400): Changing request domain from [X.Y.local] to [X.Y.local]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_id_op_connect_step]
> (0x4000): reusing cached connection
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_search_user_next_base] (0x0400): Searching for users with base
> [dc=X,dc=Y,dc=local]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_print_server]
> (0x2000): Searching xxx.xxx.xxx.xxx
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(sAMAccountName=firstname.lastname)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=X,dc=Y,dc=local].
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 17
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_op_add] (0x2000):
> New operation 17 timeout 6
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_result]
> (0x2000): Trace: sh[0x166d2a0], connected[1], ops[0x1667a50],
> ldap[0x1637f20]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_message]
> (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_result]
> (0x2000): Trace: sh[0x166d2a0], connected[1], ops[0x1667a50],
> ldap[0x1637f20]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_message]
> (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_op_destructor]
> (0x2000): Operation 17 finished
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [generic_ext_search_handler] (0x4000): Request included referrals which
> were ignored.
> *(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
> [sdap_search_user_process] (0x0400): Search for users, returned 0 results.*
> *(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_users_done]
> (0x0040): Failed to retrieve users*
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_id_op_done]
> (0x4000): releasing operation connection
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Added
> timed event "ltdb_callback": 0x1692df0
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Added
> timed event "ltdb_timeout": 0x1692120
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Running
> timer event 0x1692df0 "ltdb_callback"
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Destroying
> timer event 0x1692120 "ltdb_timeout"
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Ending
> timer event 0x1692df0 "ltdb_callback"
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sysdb_search_by_name]
> (0x0400): No such entry
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sysdb_search_groups]
> (0x2000): Search groups with filter:
> (&(objectclass=group)(ghost=firstname.lastname))
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Added
> timed event "ltdb_callback": 0x1691210
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Added
> timed event "ltdb_timeout": 0x167da00
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Running
> timer event 0x1691210 "ltdb_callback"
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Destroying
> timer event 0x167da00 "ltdb_timeout"
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Ending
> timer event 0x1691210 "ltdb_callback"
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sysdb_search_groups]
> (0x2000): No such entry
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sysdb_delete_user]
> (0x0400): Error: 2 (No such file or directory)
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [acctinfo_callback]
> (0x0100): Request processed. Returned 0,0,Success
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_result]
> (0x2000): Trace: sh[0x166d2a0], connected[1], ops[(nil)], ldap[0x1637f20]
> (Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_result]
> (0x2000): Trace: ldap_result found nothing!
>
>
> How to check further where it is failing?

The log snippet just shows that this search:

[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(sAMAccountName=firstname.lastname)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=X,dc=Y,dc=local].
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]

didn't match any object on the AD side. I would test that if you kinit
with the host principal and then ldapsearch the DC manually using the -Y
GSSAPI switch, does the search yield any result?
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org