On Tue, Feb 5, 2019 at 3:35 PM Jeremy Monnet <jmonnet(a)gmail.com> wrote:
Hello,
On Tue, Feb 5, 2019 at 10:29 AM Jakub Hrozek <jhrozek(a)redhat.com> wrote:
>
> > Now, everything is OK with the main domain, AFAIK, I can login, sudo
> > based on groups, etc. But for the child domain, most work, I can id a
> > user@child (that resolves the user and the groups associated), I can
> > "su - user@child" from root, BUT I can not login with that
> > user@child.
> > Sanitized logs follow :
> >
>
> It's hard to say from the trimmed log, but I assume this happens during
> the TGT validation phase? If yes, then you could work around that
> temporarily by setting:
> krb5_validate = false
> in the domain section, but please read the sssd-krb5 manual page to see
> what security implications this has
I have tried that, and yes, it works. Though because of the security
implications I would rather set it up without it...
> kvno RestrictedKrbHost/ubuntu(a)EXAMPLE.COM
kvno: Server not found in Kerberos database while getting credentials
for RestrictedKrbHost/UBUNTU(a)EXAMPLE.COM
>
> Is the principal really lower-case and shortname? I would have expected
> either lower-case FQDN or an upper-case shortname..
I am not sure precisely what to look for in principals...
I followed that lead, and found that no SPN were registered at all in
the AD object. I edited it with ADSI, and could login with all
domains...
I looked at other objects and it seems none have had the same SPN
registered, and I don't know at all how the object is created (other
than that it is created when I "realm" the server). I will look at it a
bit!
Jérémy
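Added example for this thread (not code from Jeremy, Jakub or the SSSD project): a small audit script that flags `[domain/...]` sections in an sssd.conf where `krb5_validate = false` has been left in place, since that setting skips TGT validation and is only meant as the temporary workaround mentioned above. It also applies Jakub's rule of thumb that the host part of a service principal is normally either a lower-case FQDN or an upper-case shortname. The sample sssd.conf, the domain names and the principal strings are constructed for illustration.

```python
"""Audit an sssd.conf for disabled TGT validation and odd host principals.

Added example for the mailing-list thread above; not part of the original
mails and not SSSD's own code. The configuration text and all names in it
are constructed placeholders.
"""
import configparser
import re

# Constructed sample sssd.conf: one domain keeps validation on, the other
# still carries the "krb5_validate = false" workaround from the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = ad
krb5_validate = true

[domain/child.example.com]
id_provider = ad
krb5_validate = false
"""


def disabled_validation(conf_text: str) -> list:
    """Return the names of [domain/...] sections that set krb5_validate = false.

    Sections with no explicit krb5_validate are not reported: the script only
    looks for the workaround that was written into the file, not for the
    provider default (which the thread does not discuss).
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    flagged = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        value = parser.get(section, "krb5_validate", fallback=None)
        if value is not None and value.strip().lower() == "false":
            flagged.append(section)
    return flagged


def principal_form(principal: str) -> str:
    """Classify the host part of a service/host@REALM principal.

    Per the rule of thumb in the thread, the expected forms are a
    lower-case FQDN ("host/ubuntu.example.com@EXAMPLE.COM") or an
    upper-case shortname ("host/UBUNTU@EXAMPLE.COM"); anything else is
    reported as unexpected so it can be checked against the AD object's SPNs.
    """
    match = re.fullmatch(r"[^/@]+/([^@]+)@[^@]+", principal)
    if not match:
        return "unexpected (not a service/host@REALM principal)"
    host = match.group(1)
    is_fqdn = "." in host
    if is_fqdn and host == host.lower():
        return "lower-case FQDN"
    if not is_fqdn and host == host.upper():
        return "upper-case shortname"
    if host == host.lower():
        case = "lower-case"
    elif host == host.upper():
        case = "upper-case"
    else:
        case = "mixed-case"
    return f"unexpected ({case} {'FQDN' if is_fqdn else 'shortname'})"


if __name__ == "__main__":
    for domain in disabled_validation(SAMPLE_SSSD_CONF):
        print(f"{domain}: krb5_validate is false, TGT validation disabled")
    # The principal Jeremy tested, in the form kvno reported back.
    for principal in ("RestrictedKrbHost/UBUNTU@EXAMPLE.COM",
                      "RestrictedKrbHost/ubuntu@EXAMPLE.COM"):
        print(f"{principal}: {principal_form(principal)}")
```

Run it against a copy of /etc/sssd/sssd.conf after the SPN fix to confirm the workaround line has been removed again; the domain-section check is deliberately strict (only a literal `false` is reported) so that it does not guess at version-specific defaults.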