On Tue, Sep 29, 2015 at 04:16:37PM +0000, Ondrej Valousek wrote:
Ok found the problem.
I do not know why, but SSSD seems to be a bit picky about /etc/krb5.conf:
Non working one:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = <MYREALM>
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
<MYREALM> = {
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
<myrealm> = <MYREALM>
.<myrealm> = <MYREALM>
Working one:
[libdefaults]
default_realm = <MYREALM>
# The following krb5.conf variables are only for MIT Kerberos.
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
[realms]
[domain_realm]
I guess it is picky about the default_ccache_name parameter as that is the only
difference I could see.
O.

iirc you are using Ubuntu. I do not know if Ubuntu supports KEYRING
credential caches, which need support in the kernel, or not. If not, then
the 'default_ccache_name = KEYRING:persistent:%{uid}' line might have
caused the issues.
bye,
Sumit
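A quick way to check for the mismatch Sumit describes, written as an added example for this thread (not code from either poster or from SSSD): it reads the credential-cache type that a krb5.conf selects in [libdefaults] and compares it with what the kernel can provide. It assumes that a readable /proc/keys is a sufficient sign that the kernel keyring facility (CONFIG_KEYS) is present; the sample config below is constructed to mirror the non-working file above.

```sh
#!/bin/sh
# Added example: report the ccache type a krb5.conf asks for and whether
# this host can honour a KEYRING cache.

# Print the cache type (text before ':') from default_ccache_name in the
# [libdefaults] section, or "FILE" when the option is absent, since MIT
# krb5 falls back to a FILE cache by default. Commented lines are ignored.
krb5_ccache_type() {
    conf="$1"
    type=$(awk '
        /^[[:space:]]*\[/ {
            sect=$0; gsub(/[ \t]/, "", sect)
            gsub(/\[/, "", sect); gsub(/\]/, "", sect); next }
        sect=="libdefaults" && /^[[:space:]]*default_ccache_name[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/:.*/, ""); print; exit }
    ' "$conf")
    printf '%s\n' "${type:-FILE}"
}

# Assumption: /proc/keys exists only when the kernel was built with
# CONFIG_KEYS, which KEYRING credential caches require.
kernel_has_keyring() {
    [ -r /proc/keys ]
}

# Return 1 when the config selects KEYRING but the kernel cannot provide it,
# 0 for any other combination.
ccache_config_usable() {
    t=$(krb5_ccache_type "$1")
    if [ "$t" = "KEYRING" ] && ! kernel_has_keyring; then
        echo "krb5.conf selects a KEYRING ccache but the kernel lacks keyring support" >&2
        return 1
    fi
    echo "ccache type $t is usable on this host"
}

# Constructed sample mirroring the non-working krb5.conf from the thread.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
[libdefaults]
dns_lookup_realm = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = EXAMPLE.COM
[realms]
EOF
rc=0
ccache_config_usable "$SAMPLE" || rc=$?
rm -f "$SAMPLE"
```

Running it on the "working" file above reports FILE, because no default_ccache_name is set there.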
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users