On Tue, Feb 05, 2019 at 10:13:41PM -0000, Ian Puleston wrote:
Thanks for the suggestion Sumit. Your kinit command gave this output:
kinit: Pre-authentication failed: Permission denied while getting initial credentials
I wasn't sure if I should run that direct from my domain user account or with su privilege, so tried the same with sudo and that gave:
kinit: Keytab contains no suitable keys for IAN-LAPTOP@SV.US.SONICWALL.COM while getting initial credentials
Are you sure you quoted the trailing '$' in the principal name? E.g. you should call this:
    kinit -k 'IAN-LAPTOP$@SV.US.SONICWALL.COM'
ldap_child.log contains just this (repeatedly):
(Tue Feb 5 14:00:15 2019) [[sssd[ldap_child[13905]]]] [main] (0x0400): ldap_child started.
(Tue Feb 5 14:00:15 2019) [[sssd[ldap_child[13905]]]] [unpack_buffer] (0x0200): Will run as [0][0].
(Tue Feb 5 14:00:15 2019) [[sssd[ldap_child[13905]]]] [become_user] (0x0200): Trying to become user [0][0].
(Tue Feb 5 14:00:15 2019) [[sssd[ldap_child[13905]]]] [become_user] (0x0200): Already user [0].
(Tue Feb 5 14:00:15 2019) [[sssd[ldap_child[13905]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [IAN-LAPTOP$@SV.US.SONICWALL.COM]
(Tue Feb 5 14:00:15 2019) [[sssd[ldap_child[13905]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Tue Feb 5 14:00:15 2019) [[sssd[ldap_child[13904]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
(Tue Feb 5 14:00:15 2019) [[sssd[ldap_child[13904]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Tue Feb 5 14:00:15 2019) [[sssd[ldap_child[13904]]]] [prepare_response] (0x0400): Building response for result [-1765328360]
(Tue Feb 5 14:00:15 2019) [[sssd[ldap_child[13904]]]] [main] (0x0400): ldap_child completed successfully
(Tue Feb 5 14:00:15 2019) [[sssd[ldap_child[13905]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
This means the machine credentials in the keytab cannot be used to authenticate to the server; most probably the client has to be re-joined or the keytab otherwise regenerated.
(Tue Feb 5 14:00:15 2019) [[sssd[ldap_child[13905]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Tue Feb 5 14:00:15 2019) [[sssd[ldap_child[13905]]]] [prepare_response] (0x0400): Building response for result [-1765328360]
(Tue Feb 5 14:00:15 2019) [[sssd[ldap_child[13905]]]] [main] (0x0400): ldap_child completed successfully
Ian
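Added example, not part of the original thread and not SSSD code: a small Python triage script for ldap_child.log output like the excerpt above. It separates entries even when they are run together, groups them by ldap_child PID, and decodes the logged result code; -1765328360 is the MIT krb5 error-table base (-1765328384) plus 24, i.e. KDC_ERR_PREAUTH_FAILED. The function names and the small error subset are choices made for this example.

```python
import re
from collections import defaultdict

# MIT krb5 error-table base; (code - base) is the RFC 4120 KDC error number.
KRB5_BASE = -1765328384
KDC_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 18: "KDC_ERR_CLIENT_REVOKED",
              23: "KDC_ERR_KEY_EXPIRED", 24: "KDC_ERR_PREAUTH_FAILED"}

TS = r"\([A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ [\d:]{8} \d{4}\)"
# The lookahead ends a message at the next entry, so entries that an archive
# has run together on one line are still separated.
ENTRY = re.compile(
    r"(?P<ts>" + TS + r") \[\[sssd\[ldap_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]{4})\): "
    r"(?P<msg>.*?)(?=\s*" + TS + r" \[\[sssd|\s*\Z)", re.S)

def decode(code):
    """Name a krb5 result code as logged by prepare_response."""
    if code == 0:
        return "success"
    n = code - KRB5_BASE
    return KDC_ERRORS.get(n, f"krb5 table offset {n}")

def triage(log_text):
    """Return {pid: facts} for each ldap_child run found in log_text."""
    runs = defaultdict(dict)
    for m in ENTRY.finditer(log_text):
        run, msg = runs[m["pid"]], m["msg"]
        if p := re.search(r"Principal name is: \[(.+?)\]", msg):
            run["principal"] = p[1]
            # Machine-account principals carry a trailing '$' (the reply's point).
            run["machine_account"] = p[1].split("@")[0].endswith("$")
        elif k := re.search(r"Using keytab \[(.+?)\]", msg):
            run["keytab"] = k[1]
        elif r := re.search(r"Building response for result \[(-?\d+)\]", msg):
            run["result"] = int(r[1])
            run["error"] = decode(run["result"])
    return dict(runs)

# Sample input: entries copied from the log excerpt above, joined onto one line.
PFX = "(Tue Feb 5 14:00:15 2019) [[sssd[ldap_child[{}]]]] "
SAMPLE = " ".join([
    PFX.format(13905) + "[ldap_child_get_tgt_sync] (0x0100): Principal name is: [IAN-LAPTOP$@SV.US.SONICWALL.COM]",
    PFX.format(13905) + "[ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]",
    PFX.format(13904) + "[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed",
    PFX.format(13904) + "[prepare_response] (0x0400): Building response for result [-1765328360]",
    PFX.format(13905) + "[prepare_response] (0x0400): Building response for result [-1765328360]",
])

if __name__ == "__main__":
    for pid, facts in triage(SAMPLE).items():
        print(pid, facts)
```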