Following
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate...
on Oracle Linux (RHEL clone) 6.3, 64-bit, sssd version 1.8.0 gets us all the way to the
point where we can kinit with /etc/krb5.keytab and successfully run the test ldapsearch
command. When we start sssd and try getent on a user in AD we get this to
/var/log/messages:
"Jul 18 14:58:44 wardentest3 sssd_be: encoded packet size too big (813957120 > 16777215)"
Setting debug_level to 0x7850 (the highest, I believe) doesn't yield any additional
helpful info.
I did deviate a bit from the SSSD/AD document in that I did not bind the host but instead
created a keytab for a generic user we use to give our linux hosts access to LDAP on AD. I
didn't think this would be a problem since the kinit/ldapsearch test worked fine.
Here's the safe bits of our keytab (we're using mailuser@W2K.GENESEO.EDU as our
principal):
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
25 HOST/mail.geneseo.edu@W2K.GENESEO.EDU (arcfour-hmac)
25 HOST/mailtest.geneseo.edu@W2K.GENESEO.EDU (arcfour-hmac)
25 IMAP/mail.geneseo.edu@W2K.GENESEO.EDU (arcfour-hmac)
25 IMAP/mailtest.geneseo.edu@W2K.GENESEO.EDU (arcfour-hmac)
25 SMTP/mail.geneseo.edu@W2K.GENESEO.EDU (arcfour-hmac)
25 SMTP/mailtest.geneseo.edu@W2K.GENESEO.EDU (arcfour-hmac)
25 HTTP/mail.geneseo.edu@W2K.GENESEO.EDU (arcfour-hmac)
25 HTTP/mailtest.geneseo.edu@W2K.GENESEO.EDU (arcfour-hmac)
25 mailuser@W2K.GENESEO.EDU (arcfour-hmac)
Google searches seemed to indicate that this may be some kind of sasl issue and possibly
out of SSSD's control. Has anyone experienced a similar problem or have advice on what
to try?
--
David Warden
Mail Administrator
State University of New York at Geneseo
"There's only one rule that I know of, babies—God damn it, you've got to be
kind."
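
An added example, not part of the original post: the size in the log line can be re-read as the four octets that were parsed as a SASL length prefix (RFC 4422 framing) and compared with the BER header that begins an LDAP message sent without SASL wrapping. The function name and the second and third sample values are constructed for illustration.

```python
import struct

SASL_MAX_BUF = 0xFFFFFF  # 16777215, the limit printed in the log line


def explain_sasl_length(reported: int) -> dict:
    """Re-read a rejected SASL buffer length as the four octets it was parsed from.

    A negotiated SASL security layer prefixes every buffer with a 4-octet,
    network-byte-order length (RFC 4422, section 3.7). If the peer sends an
    unwrapped LDAPMessage instead, its first four octets get read as that length.
    """
    raw = struct.pack(">I", reported)
    tag, len_octet = raw[0], raw[1]
    result = {
        "wire_bytes": " ".join(f"{b:02x}" for b in raw),
        "over_limit": reported > SASL_MAX_BUF,
        "ber_sequence": False,
        "ber_len_octets": None,
    }
    # 0x30 is the BER tag for a constructed SEQUENCE, the outer type of every LDAPMessage.
    if tag == 0x30:
        if len_octet < 0x80:
            # Short form: the octet itself is the content length.
            result.update(ber_sequence=True, ber_len_octets=0)
        elif 1 <= (len_octet & 0x7F) <= 4:
            # Long form: low 7 bits give the number of length octets that follow.
            result.update(ber_sequence=True, ber_len_octets=len_octet & 0x7F)
    return result


if __name__ == "__main__":
    samples = [
        813957120,   # value from the log line in the post
        0x300C0201,  # constructed: short-form BER header followed by an INTEGER tag
        1024,        # constructed: a plausible real SASL buffer length
    ]
    for value in samples:
        print(value, explain_sasl_length(value))
```

For the value in the log line the octets are 30 84 00 00, a SEQUENCE tag with a four-octet long-form length, which is consistent with one side sending LDAP data without the SASL wrapping the other side expects.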