Although perhaps I spoke too soon. sssd starts up but throws log entries:
May 7 14:36:04 paixlab-rhel67 [sssd[ldap_child[24887]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 7 14:36:04 paixlab-rhel67 [sssd[ldap_child[24887]]]: Preauthentication failed
John
On 7 May 2015 at 14:34, John Beranek <john(a)redux.org.uk> wrote:
Sumit, many thanks - you hit the nail on the head! My smb.conf was missing the line:
kerberos method = secrets and keytab
so had not created the keytab. Added the line, rejoined and sssd starts as expected.
Cheers,
John
On 7 May 2015 at 11:45, Sumit Bose <sbose(a)redhat.com> wrote:
> On Thu, May 07, 2015 at 11:35:21AM +0100, John Beranek wrote:
> > Hi all,
> >
> > I've just built a RHEL 6.7 Beta VM to test the new SSSD release, and have
> > come across a strange issue.
> >
> > I can successfully kinit and join our AD domain with "net ads join -k" but
> > sssd won't start. The logs contain:
>
> you have to make sure that net ads join really creates a keytab. Please
> check 'kerberos method' in the smb.conf man page. By default the keys
> are written only to samba's internal secrets.tdb.
>
> As an alternative you might want to consider using the realm command to
> join the AD domain.
>
> HTH
>
> bye,
> Sumit
>
> >
> > [ad_set_ad_id_options] (0x0100): Option krb5_realm set to EXAMPLE.COM
> > [sdap_set_sasl_options] (0x0100): Will look for rhel67.example.com@EXAMPLE.COM in default keytab
> > [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
> > [select_principal_from_keytab] (0x0080): No suitable principal found in keytab
> > [select_principal_from_keytab] (0x0010): Failed to read keytab [default]: No such file or directory
> > [ad_set_ad_id_options] (0x0040): Cannot set the SASL-related options
> > [load_backend_module] (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
> > [be_process_init] (0x0010): fatal error initializing data providers
> >
> > Had a little feedback from Lukas, who suggested I ran "klist -kt". This
> > gives:
> >
> > # klist -kt
> > Keytab name: FILE:/etc/krb5.keytab
> > klist: No such file or directory while starting keytab scan
> >
> > Any ideas?
> >
> > John
> >
> > --
> > John Beranek          To generalise is to be an idiot.
> > http://redux.org.uk/                  -- William Blake
--
John Beranek To generalise is to be an idiot.
http://redux.org.uk/ -- William Blake
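
The check Sumit describes, as an added example that is not part of the thread: it reads the effective 'kerberos method' from the [global] section of an smb.conf and reports whether the keytab sssd looks for is there. The function names and exit codes are made up for this sketch, and the paths in the usage comment are the usual defaults, assumed here.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and exit codes are hypothetical.
# Usage (assumed default paths):
#   keytab_preflight /etc/samba/smb.conf /etc/krb5.keytab; echo $?

# Print the effective "kerberos method" from [global] of the given smb.conf.
# Section and parameter names are case-insensitive and whitespace in them is ignored.
kerberos_method() {
    awk '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/ {                               # section header
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && (eq = index($0, "=")) {
            name = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", name)
            if (name == "kerberosmethod") {
                val = tolower(substr($0, eq + 1))
                gsub(/^[ \t]+|[ \t]+$/, "", val); gsub(/[ \t]+/, " ", val)
                found = val                         # last occurrence wins
            }
        }
        END { if (found == "") found = "secrets only"; print found }
    ' "$1"
}

# Exit codes:
#   0  "secrets and keytab" is set and the keytab file exists and is non-empty
#   1  "secrets only" (the default): keys go only to secrets.tdb, no keytab is written
#   2  "secrets and keytab" is set but the keytab is missing or empty (rejoin needed)
#   3  some other value; see 'kerberos method' in smb.conf(5)
# Only presence is checked. The follow-up in the thread shows a keytab that
# exists can still fail with "Preauthentication failed".
keytab_preflight() {
    conf=$1 keytab=$2
    case "$(kerberos_method "$conf")" in
        "secrets only")       return 1 ;;
        "secrets and keytab") [ -s "$keytab" ] && return 0; return 2 ;;
        *)                    return 3 ;;
    esac
}
```

Exit code 0 only says the setting and the file are in place; listing the entries with klist -kt, as suggested in the thread, is the next step.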