We created the keytab file and imported that into the existing krb5.keytab
file using ktutil. I can see that now klist -k shows a "host" principal
entry for this computer, which was missing earlier.
Also initialized the new keytab file using "kinit -k -t /etc/krb5.keytab
host/hostname.X.Y.local". I can see the service principal update after this
step in klist.
But authentication using my AD account still fails with the following in
the logs:
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x1666a60
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=firstname.lastname]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [be_req_set_domain] (0x0400): Changing request domain from [X.Y.local] to [X.Y.local]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=X,dc=Y,dc=local]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_print_server] (0x2000): Searching xxx.xxx.xxx.xxx
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=firstname.lastname)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=X,dc=Y,dc=local].
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 17
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_op_add] (0x2000): New operation 17 timeout 6
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_result] (0x2000): Trace: sh[0x166d2a0], connected[1], ops[0x1667a50], ldap[0x1637f20]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_result] (0x2000): Trace: sh[0x166d2a0], connected[1], ops[0x1667a50], ldap[0x1637f20]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_op_destructor] (0x2000): Operation 17 finished
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
*(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.*
*(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_users_done] (0x0040): Failed to retrieve users*
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1692df0
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1692120
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Running timer event 0x1692df0 "ltdb_callback"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Destroying timer event 0x1692120 "ltdb_timeout"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Ending timer event 0x1692df0 "ltdb_callback"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=firstname.lastname))
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1691210
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x167da00
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Running timer event 0x1691210 "ltdb_callback"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Destroying timer event 0x167da00 "ltdb_timeout"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Ending timer event 0x1691210 "ltdb_callback"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sysdb_search_groups] (0x2000): No such entry
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_result] (0x2000): Trace: sh[0x166d2a0], connected[1], ops[(nil)], ldap[0x1637f20]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
How to check further where it is failing?
Thanks,
~ Abhi
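As an added example that is not part of the original thread: the debug log above already answers "where is it failing?" if it is read record by record, but the mail wrapping makes that tedious. The script below re-joins the wrapped records, extracts the LDAP filter, base DN, result code and result count, and turns them into the next checks to run. The sample log is a constructed, shortened copy of the records quoted above; the log-line format is the standard SSSD one, and the checks it suggests (the `(&(uidNumber=*)(!(uidNumber=0)))` clause comes from `ldap_id_mapping = False`) are this example's own reading of the log, not anything Jakub or Abhi wrote.

```python
"""Triage an SSSD AD-provider debug log for a failed user lookup.

Added example (not from the original thread): join mail-wrapped log lines
back into records, pull out the LDAP filter, search base, result count and
error markers, and say what to check next.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened copy of the log quoted in the post, kept in
# the mail-wrapped form it arrived in so the joining logic is exercised.
SAMPLE_LOG = """\
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [be_get_account_info]
(0x0200): Got request for [0x1001][FAST
BE_REQ_USER][1][name=firstname.lastname]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
[sdap_search_user_next_base] (0x0400): Searching for users with base
[dc=X,dc=Y,dc=local]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(sAMAccountName=firstname.lastname)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=X,dc=Y,dc=local].
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
[generic_ext_search_handler] (0x4000): Request included referrals which
were ignored.
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]]
[sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_users_done]
(0x0040): Failed to retrieve users
"""

# A new record starts with SSSD's "(Day Mon DD HH:MM:SS YYYY)" timestamp.
TS_RE = re.compile(r"^\((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} +\d{1,2} "
                   r"\d\d:\d\d:\d\d \d{4}\) ")
# (timestamp) [sssd[be[domain]]] [function] (0xlevel): message
RECORD_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<proc>[^\]]+(?:\[[^\]]*\])?)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]\.?$")
PRESENCE_RE = re.compile(r"\((\w+)=\*\)")              # (attr=*): attr must be present
NOT_EQUAL_RE = re.compile(r"\(!\((\w+)=([^)*]+)\)\)")  # (!(attr=value)): attr must not equal value
COUNT_RE = re.compile(r"returned (\d+) results")
RESULT_RE = re.compile(r"Search result: (\w+)\((\d+)\)")


@dataclass
class Summary:
    filter: str = ""
    base: str = ""
    presence_required: set = field(default_factory=set)
    excluded_values: dict = field(default_factory=dict)
    ldap_result: tuple = ("", -1)
    result_count: int = -1
    referrals_ignored: bool = False
    failed: bool = False


def join_wrapped(text):
    """Re-join mail-wrapped lines: a line without a timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_records(text):
    """Return (func, level, msg) tuples; lines that do not parse are dropped."""
    out = []
    for rec in join_wrapped(text):
        m = RECORD_RE.match(rec)
        if m:
            out.append((m["func"], int(m["level"], 16), m["msg"]))
    return out


def summarize(text):
    s = Summary()
    for func, _level, msg in parse_records(text):
        if func == "sdap_get_generic_ext_step" and (m := SEARCH_RE.search(msg)):
            s.filter, s.base = m["filter"], m["base"]
            s.presence_required = set(PRESENCE_RE.findall(s.filter))
            s.excluded_values = dict(NOT_EQUAL_RE.findall(s.filter))
        elif func == "sdap_get_generic_op_finished" and (m := RESULT_RE.search(msg)):
            s.ldap_result = (m.group(1), int(m.group(2)))
        elif func == "generic_ext_search_handler" and "referrals" in msg:
            s.referrals_ignored = True
        elif func == "sdap_search_user_process" and (m := COUNT_RE.search(msg)):
            s.result_count = int(m.group(1))
        elif func == "sdap_get_users_done" and "Failed" in msg:
            s.failed = True
    return s


def diagnose(s):
    """Turn the summary into the checks a practitioner would run next."""
    hints = []
    if s.ldap_result[1] == 0 and s.result_count == 0:
        hints.append("LDAP bind, base DN and search all succeeded; the DC returned no entry "
                     "matching the filter, so the problem is the filter, not Kerberos.")
    if "uidNumber" in s.presence_required:
        hints.append("The filter demands uidNumber (present and != %s); SSSD adds that clause "
                     "when ldap_id_mapping = False. Verify with ldapsearch that the user object "
                     "has uidNumber/gidNumber and that the RODC replicates them, or switch to "
                     "ldap_id_mapping = True." % s.excluded_values.get("uidNumber", "0"))
    if s.referrals_ignored:
        hints.append("Referrals from the domain root are expected in an AD forest and SSSD "
                     "ignores them; they do not explain the empty result.")
    return hints


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("filter:", summary.filter)
    print("base:  ", summary.base)
    for hint in diagnose(summary):
        print("-", hint)
```

Feed it the real `/var/log/sssd/sssd_X.Y.local.log` instead of `SAMPLE_LOG` and compare the filter it prints with a manual `ldapsearch -Y GSSAPI` using that exact filter and base: if the manual query also returns nothing, the account lacks the POSIX attributes the filter requires on the DC being queried.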
On Tue, Feb 14, 2017 at 12:42 PM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
On Tue, Feb 14, 2017 at 11:36:32AM -0500, Abhijit Tikekar wrote:
> Hi,
>
> Has anyone had any success while setting up SSSD with RODC AD Server? We
> are setting this up on CentOS 6.8 machines but doesn't seem to work.
>
> Computer object is created and replicated to RODC. Verified that all
> configuration file parameters are identical to the ones mentioned in the
> link below.
>
> https://access.redhat.com/discussions/2838371
>
> I assume we still have to join the server to RODC? Is the joining process
> still the same as we do for a Writable DC.
No, you need to create the computer object first and then copy the
keytab.
>
> When using "net ads join" I get the following error:
>
> Failed to join domain: Failed to set account flags for machine account
> (NT_STATUS_NOT_SUPPORTED)
>
>
> in the logs, we also get the following( Debug level set to 7)
>
> (Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Will look for testdmzlin@X.Y.LOCAL in default keytab
> (Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
> (Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching testdmzlin@X.Y.LOCAL found in keytab.
> (Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching TESTDMZLIN$@X.Y.LOCAL found in keytab.
> (Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching host/testdmzlin@X.Y.LOCAL found in keytab.
> (Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching *$@X.Y.LOCAL found in keytab.
> (Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching host/*@X.Y.LOCAL found in keytab.
> (Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching host/*@(null) found in keytab.
>
>
> But if i try to query this RODC using "ldapsearch" it works.
>
> ldapsearch -H ldap://RODC_ServerName.x.y.local/ -Y GSSAPI -N -b "dc=x,dc=y,dc=local" "(&(objectClass=user)(sAMAccountName=firstname.lastname))"
What principal did you authenticate as?
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org