Hi Sumit,

It turns out I was able to figure out how to get it to work.  I can't explain and don't understand why, but here are the symptoms and what I did to get things working again.

Some background: we are working for a company with Smart Cards.  And recently, the AD server commands to generate the keytabs started to prompt me for my Smart Card PIN number (I haven't spoken to the Windows guys about it, but I suspect something has changed because I did this months ago and don't remember any PIN number dialog).  I suppose the Smart Card software must have a 5-minute cache because it only asked me for my PIN number on the very first run of ktpass.exe (I'm running the setspn/ktpass commands over and over for many servers by copy/pasting from a notepad window).

Okay, so I just happened to notice that the very first server was the only one not working.  Also, the very first server is of course where the AD server dialog pops up asking me for my Smart Card PIN number.  I think all the other servers' keytabs are generated using a connection to my Smart Card within the 5-minute window, since they don't ask me for a PIN.  So I decided to just run the commands again a second time for the very first server.  Amazingly, it starts working when I use a keytab where it "remembers" my PIN credentials, but does not work using a keytab created when the PIN dialog pops up.

Does any of this make sense?  I can't grasp why this helped me out, or why it works this way but not the other way...  My only guess is that the Smart Card software or Windows itself has some sort of issue, because I didn't do anything on the Linux machine configurations at all (other than install the working keytab I mean).
Bryan

On Jul 30, 2013, at 07:32 AM, Sumit Bose <sbose@redhat.com> wrote:

On Tue, Jul 30, 2013 at 11:41:41AM +0000, Bryan Harris wrote:
Hi all,
I've followed the sssd page for connecting RHEL 6 to Windows 2008 for authentication.  It works on all our servers except one, and I'm getting confused.  I've even gone as far as to clone a working VM and rename it, give it a new IP address, etc., and even after that it still doesn't work (but just on that one machine).
When I run kinit -k host/server.ad.domain.com@AD.DOMAIN.COM I get the following message:
kinit: Cannot find KDC for requested realm while getting initial credentials

can you run kinit with 'strace -s 128' and send the output?

bye,
Sumit

Whereas on other servers running that same command just works.
Has anyone experienced this before?  All servers are configured the same, but one server doesn't work.  Here is my krb5.conf file, and the commands I used to generate the keytab.  I can post logs; I'll just have to sanitize them first.
[logging]
 default = FILE:/var/log/krb5libs.log
[libdefaults]
 default_realm = AD.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 forwardable = yes
[realms]
[domain_realm]
setspn -A host/server.ad.domain.com@AD.DOMAIN.COM server
setspn -L server
ktpass /princ host/server.ad.domain.com@AD.DOMAIN.COM /out server-host.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser CNOC\server$ /pass *
Any help would be greatly appreciated.
Bryan

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
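Added example (editor's addition, not code from the thread or from the sssd project): with an empty [realms] section and dns_lookup_kdc = true, as in the krb5.conf above, libkrb5 has to find the KDC for the realm named in the principal through DNS SRV records, and "Cannot find KDC for requested realm" is what kinit reports when that lookup returns nothing. The script below reads a krb5.conf, works out the realm of the requested principal, reports whether the KDC will come from a static kdc= entry, from DNS, or from nowhere, and lists the SRV names it expects MIT krb5 to query. Assumptions: the SRV names follow MIT's `_kerberos._udp.<realm>` / `_kerberos._tcp.<realm>` convention (shown lowercased; DNS is case-insensitive); the two embedded configs are constructed samples, one mirroring the posted krb5.conf and one with a hypothetical static KDC `dc1.ad.domain.com`; `dig` is only called when the script is run with arguments and dig is installed.

```shell
#!/bin/sh
# kdc_lookup_check.sh  (added example; not from the thread)
# usage: sh kdc_lookup_check.sh 'host/server.ad.domain.com@AD.DOMAIN.COM' /etc/krb5.conf

# Realm of a principal; without an @ part, fall back to default_realm in krb5.conf.
principal_realm() {   # $1 principal  $2 krb5.conf
    case "$1" in
        *@*) printf '%s\n' "${1##*@}" ;;
        *)   awk '$1 == "default_realm" { print $3; exit }' "$2" ;;
    esac
}

# SRV names MIT krb5 queries for a realm when dns_lookup_kdc is enabled (assumption:
# standard _kerberos._udp / _kerberos._tcp names; lowercased only for readability).
srv_names() {   # $1 REALM
    r=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '_kerberos._udp.%s\n_kerberos._tcp.%s\n' "$r" "$r"
}

# Prints "static" if [realms] has a kdc= line for the realm, "dns" if DNS lookup is
# on, "none" if neither (kinit then fails before any network traffic).
kdc_source() {   # $1 krb5.conf  $2 REALM
    awk -v realm="$2" '
        /^[ \t]*\[/ { sect = $0; gsub(/[][ \t]/, "", sect); inrealm = 0; next }
        sect == "libdefaults" && $1 == "dns_lookup_kdc" { dns = tolower($3) }
        sect == "realms" && $1 == realm && $2 == "=" { inrealm = 1; next }
        sect == "realms" && inrealm && $1 == "}" { inrealm = 0 }
        sect == "realms" && inrealm && $1 == "kdc" { static = 1 }
        END {
            if (static) print "static"
            else if (dns == "true" || dns == "yes" || dns == "1") print "dns"
            else print "none"
        }' "$1"
}

# Constructed sample: the shape of the krb5.conf posted in the thread (empty [realms]).
sample_conf() {
    cat <<'EOF'
[libdefaults]
 default_realm = AD.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
[realms]
[domain_realm]
EOF
}

# Constructed sample with a hypothetical static KDC, for comparison.
sample_conf_static() {
    cat <<'EOF'
[libdefaults]
 default_realm = AD.DOMAIN.COM
 dns_lookup_kdc = false
[realms]
 AD.DOMAIN.COM = {
  kdc = dc1.ad.domain.com
  admin_server = dc1.ad.domain.com
 }
EOF
}

# Diagnose one principal against one krb5.conf; queries DNS only if dig is present.
diagnose() {   # $1 principal  $2 krb5.conf
    realm=$(principal_realm "$1" "$2")
    src=$(kdc_source "$2" "$realm")
    echo "realm $realm: KDC located via $src"
    case "$src" in
        dns)
            for n in $(srv_names "$realm"); do
                if command -v dig >/dev/null 2>&1; then
                    ans=$(dig +short SRV "$n")
                    echo "  $n: ${ans:-no answer, which is the Cannot find KDC case}"
                else
                    echo "  would query SRV $n"
                fi
            done ;;
        none) echo "  no kdc= in [realms] and dns_lookup_kdc is off: kinit cannot locate a KDC" ;;
    esac
}

if [ $# -ge 2 ]; then
    diagnose "$1" "$2"
fi
```

Run it on the failing host and on a working one with the same principal and krb5.conf: if both report "dns" but only the failing host gets no SRV answer, the difference is that host's resolver (nameserver, search domain, or a blocked UDP/TCP 53), not the keytab; `strace -s 128 kinit -k ...` as suggested above will show the same resolver traffic.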