Sumit, many thanks - you hit the nail on the head! My smb.conf was missing the line:

        kerberos method = secrets and keytab

so had not created the keytab. Added the line, rejoined and sssd starts as expected.

Cheers,

John

On 7 May 2015 at 11:45, Sumit Bose <sbose@redhat.com> wrote:
On Thu, May 07, 2015 at 11:35:21AM +0100, John Beranek wrote:
> Hi all,
>
> I've just built a RHEL 6.7 Beta VM to test the new SSSD release, and have
> come across a strange issue.
>
> I can successfully kinit and join our AD domain with "net ads join -k" but
> sssd won't start. The logs contain:

You have to make sure that net ads join really creates a keytab. Please
check 'kerberos method' in the smb.conf man page. By default the keys
are written only to Samba's internal secrets.tdb.

As an alternative you might want to consider using the realm command to
join the AD domain.

HTH

bye,
Sumit

>
> [ad_set_ad_id_options] (0x0100): Option krb5_realm set to EXAMPLE.COM
> [sdap_set_sasl_options] (0x0100): Will look for
> rhel67.example.com@EXAMPLE.COM in default keytab
> [select_principal_from_keytab] (0x0200): trying to select the most
> appropriate principal from keytab
> [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
> [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
> [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
> [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
> [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
> [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
> [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
> [select_principal_from_keytab] (0x0080): No suitable principal found in
> keytab
> [select_principal_from_keytab] (0x0010): Failed to read keytab [default]:
> No such file or directory
> [ad_set_ad_id_options] (0x0040): Cannot set the SASL-related options
> [load_backend_module] (0x0010): Error (2) in module (ad) initialization
> (sssm_ad_id_init)!
> [be_process_init] (0x0010): fatal error initializing data providers
>
> Had a little feedback from Lukas, who suggested I ran "klist -kt". This
> gives:
>
> # klist -kt
> Keytab name: FILE:/etc/krb5.keytab
> klist: No such file or directory while starting keytab scan
>
> Any ideas?
>
> John
>
> --
> John Beranek                         To generalise is to be an idiot.
> http://redux.org.uk/                                 -- William Blake

> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users

--
John Beranek                         To generalise is to be an idiot.
http://redux.org.uk/                                 -- William Blake
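
A pre-flight check for the failure discussed in this thread, as an added example that is not part of the original messages: it reads `kerberos method` from the `[global]` section of smb.conf and confirms the keytab exists before sssd is started. The function names and return codes are hypothetical, and the default smb.conf path is an assumption; the keytab path is the one shown in the klist output.

```shell
#!/bin/sh
# Added example: check that "net ads join" was configured to write a keytab
# and that the keytab is present, before starting sssd.

# Print the effective [global] "kerberos method" from an smb.conf file.
# Falls back to "secrets only", the default described in the reply above.
kerberos_method() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { s = tolower($0); gsub(/[ \t]/, "", s)
                        in_global = (s == "[global]"); next }
        in_global && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)                  # smb.conf ignores spaces in names
            if (key == "kerberosmethod") {
                val = tolower(substr($0, index($0, "=") + 1))
                gsub(/^[ \t]+|[ \t\r]+$/, "", val)  # trim the value
                gsub(/[ \t]+/, " ", val)            # collapse inner whitespace
            }
        }
        END { print (val == "" ? "secrets only" : val) }
    ' "$1"
}

# Return 0 if sssd should find a keytab, 1 if the join keeps keys in
# secrets.tdb only, 2 if the method is set but the keytab is missing or empty.
check_join_keytab() {
    conf=${1:-/etc/samba/smb.conf}     # assumed default location
    keytab=${2:-/etc/krb5.keytab}      # default keytab from the klist output
    method=$(kerberos_method "$conf")
    if [ "$method" = "secrets only" ]; then
        echo "kerberos method is '$method': keys go to secrets.tdb only" >&2
        return 1
    fi
    if [ ! -s "$keytab" ]; then
        echo "kerberos method is '$method' but $keytab is missing; rejoin the domain" >&2
        return 2
    fi
    echo "kerberos method is '$method' and $keytab exists"
}
```

Run `check_join_keytab` with no arguments on the joined host; a return code of 1 corresponds to the smb.conf omission described in this thread, and 2 to a setting that was added without rejoining.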