Dear Sumit,
>>>>>>> I am trying to use the AD provider in order to connect a client to our
>>>>>>> Active Directory. I have to mention that our DNS setup is somewhat
>>>>>>> broken, so reverse lookups do not work by default.
>>>>>>>
>>>>>>> When I now try to connect, with reverse lookups not working, I got an error:
>>>>>>>
>>>>>>> ...
>>>>>>>
>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [get_server_status] (0x1000): Status of server 'novo.d.ethz.ch' is 'name resolved'
>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [be_resolve_server_process] (0x0200): Found address for server novo.d.ethz.ch: [172.31.65.60] TTL 938
>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [create_tgt_req_send_buffer] (0x1000): buffer size: 43
>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [write_pipe_handler] (0x0400): All data has been sent!
>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [main] (0x0400): ldap_child started.
>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer] (0x1000): total buffer size: 43
>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer] (0x1000): realm_str size: 9
>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer] (0x1000): got realm_str: D.ETHZ.CH
>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer] (0x1000): princ_str size: 18
>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer] (0x1000): got princ_str: ldapmap1/d.ethz.ch
>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer] (0x1000): keytab_name size: 0
>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer] (0x1000): lifetime: 86400
>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [ldapmap1/d.ethz.ch(a)D.ETHZ.CH]
>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [prepare_response] (0x0400): Building response for result [0]
>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [37] msg [FILE:/var/lib/sss/db/ccache_D.ETHZ.CH]
>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [main] (0x0400): ldap_child completed successfully
>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [read_pipe_handler] (0x0400): EOF received, client finished
>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_D.ETHZ.CH], expired on [1376347208]
>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1376312108
>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: ldapmap1/d.ethz.ch
>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
>>>>>>>
>>>>>>> ...
>>>>>>>
>>>>>>> Any idea why this might happen?
>>>>>>>
>>>>>>> Greets
>>>>>>> Marcus
>>>>>>>
>>>>>>
>>>>>> Hi Marcus,
>>>>>>
>>>>>> Could you post your sssd.conf and krb5.conf setting?
>>>>>
>>>>>
>>>>> krb5.conf
>>>>> ...
>>>>> [libdefaults]
>>>>> dns_lookup_realm = true
>>>>> forwardable = true
>>>>> default_realm = D.ETHZ.CH
>>>>>
>>>>>
>>>>> sssd.conf
>>>>> ...
>>>>> [sssd]
>>>>> config_file_version = 2
>>>>>
>>>>> # Number of times services should attempt to reconnect in the
>>>>> # event of a crash or restart before they give up
>>>>> reconnection_retries = 3
>>>>>
>>>>> # If a back end is particularly slow you can raise this timeout here
>>>>> sbus_timeout = 30
>>>>> services = nss, pam
>>>>>
>>>>> # SSSD will not start if you do not configure any domains.
>>>>> # Add new domain configurations as [domain/<NAME>] sections, and
>>>>> # then add the list of domains (in the order you want them to be
>>>>> # queried) to the "domains" attribute below and uncomment it.
>>>>> # domains = LOCAL,LDAP
>>>>>
>>>>> domains = D.ETHZ.CH
>>>>>
>>>>> [nss]
>>>>> # The following prevents SSSD from searching for the root user/group in
>>>>> # all domains (you can add here a comma-separated list of system accounts that
>>>>> # are always going to be /etc/passwd users, or that you want to filter out).
>>>>> filter_groups = root
>>>>> filter_users = root
>>>>> reconnection_retries = 3
>>>>>
>>>>> # The entry_cache_timeout indicates the number of seconds to retain an
>>>>> # entry in cache before it is considered stale and must block to refresh.
>>>>> # The entry_cache_nowait_timeout indicates the number of seconds to
>>>>> # wait before updating the cache out-of-band. (NSS requests will still
>>>>> # be returned from cache until the full entry_cache_timeout). Setting this
>>>>> # value to 0 turns this feature off (default).
>>>>> # entry_cache_timeout = 600
>>>>> # entry_cache_nowait_timeout = 300
>>>>>
>>>>> [pam]
>>>>> reconnection_retries = 3
>>>>>
>>>>> [domain/D.ETHZ.CH]
>>>>> #debug_level=5
>>>>> id_provider = ad
>>>>> ad_domain = d.ethz.ch
>>>>> dns_discovery_domain = d.ethz.ch
>>>>> krb5_realm = D.ETHZ.CH
>>>>> ldap_user_principal = xyz.example
>>>>> ldap_id_mapping = false
>>>>>
>>>>>
>>>>> Greets
>>>>> Marcus
>>>>>
>>>>
>>>> SSSD tries to get a TGT for ldapmap1/d.ethz.ch(a)D.ETHZ.CH which looks a
>>>> bit odd and the AD KDC returns (Server not found in Kerberos database)
>>>> for this principal. Please try to add the hostname of the client in the
>>>> ad_hostname option.
>>>
>>> I am using a keytab and have not joined the machine. ldapmap1 is correct.
>>
>> Does
>>
>> kinit -k 'ldapmap1/d.ethz.ch(a)D.ETHZ.CH'
>>
>> work on the command line?
>>
>> How did you create the keytab? If ldapmap1 is just an SPN it might not
>> be possible to get a TGT for this principal.
>
> Yes, it all works and it also works when reverse lookup is set up
> correctly, so it must be somewhat related to that.
By "when reverse lookup is set up correctly" you mean correctly set up
on the DNS server?
Have you set the rdns option in your krb5.conf? Setting it to false
should skip all attempts to do reverse lookups in libkrb5.

That was the option that was missing. Thanks for pointing it out.
Greets
Marcus
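An added illustration of what Sumit's rdns hint changes; this is not code from the thread, from SSSD or from MIT krb5. With rdns left at libkrb5's default of true, the PTR record for the server's address decides which service principal the client asks the KDC for, so a stale or wrong reverse zone yields a name the KDC has never heard of (the "Server not found in Kerberos database" seen above); with rdns = false the forward name is kept, and a reverse record the client does not control no longer picks the principal. The DNS data (only the forward record matches Marcus's log), the stale PTR name and the small krb5.conf parser are assumptions.

```python
import re

# Constructed DNS data. The forward record matches Marcus's log
# (novo.d.ethz.ch -> 172.31.65.60); the PTR name is an assumed stale
# entry standing in for a "somewhat broken" reverse zone.
FORWARD = {"novo.d.ethz.ch": "172.31.65.60"}
REVERSE = {"172.31.65.60": "dhcp-65-60.d.ethz.ch"}


def canonicalize(host, rdns, forward=FORWARD, reverse=REVERSE):
    """Mimic libkrb5 hostname canonicalization for service principals.

    The forward lookup supplies the canonical name; with rdns enabled the
    PTR name of the resolved address replaces it (MIT keeps the forward
    name only when the reverse lookup fails outright)."""
    name = host.rstrip(".").lower()
    addr = forward.get(name)
    if addr is None:
        return None                      # forward resolution failed
    if rdns and addr in reverse:
        return reverse[addr].lower()     # PTR record now names the service
    return name


def service_principal(service, host, realm, rdns):
    """Principal the client will request, e.g. ldap/<host>@REALM."""
    canon = canonicalize(host, rdns)
    return None if canon is None else f"{service}/{canon}@{realm}"


def rdns_setting(krb5_conf):
    """Effective rdns value from [libdefaults]; MIT libkrb5 defaults to true."""
    section, value = None, True
    for line in krb5_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, val = (s.strip() for s in line.partition("="))
            if key == "rdns":
                value = val.lower() in ("true", "yes", "1")
    return value


# Marcus's [libdefaults] as posted, and the same block with rdns disabled.
POSTED = "[libdefaults]\n dns_lookup_realm = true\n forwardable = true\n default_realm = D.ETHZ.CH\n"
FIXED = POSTED + " rdns = false\n"
```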