On 09/07/2012 05:08 PM, John Thomas wrote:
Hello,
I am having problems trying to get SSSD to work with RHEL 5 to authenticate against a
Microsoft AD 2008. I did a manual compile/install of Kerberos 1.9.4 to use with SSSD
1.8.2, because I understand that the kerberos must be greater than 1.7. A "getent
passwd username" is unsuccessful. This is the output in
/var/log/sssd/ldap_child.log.
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [main] (0x0400): ldap_child started.
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): total buffer size: 67
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): realm_str size: 12
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): got realm_str: REALM.COM
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): princ_str size: 23
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): got princ_str: HOSTNAME$(a)REALM.COM
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): keytab_name size: 16
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): got keytab_name: /etc/krb5.keytab
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [HOSTNAME$(a)REALM.COM]
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [sss_krb5_get_init_creds_opt_set_canonicalize] (0x0040): Kerberos principal canonicalization is not available!
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Key table entry not found
(Fri Sep 7 16:49:39 2012) [[sssd[ldap_child[9473]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
Haven't been able to figure out what is wrong so far. Can someone help?
Please provide sssd.conf and krb5.conf files.
Based on the information above the name of the host principal did not
match the name of the principal in the keytab.
Did you provision host keytab from the KDC manually? Please see what
host principals you have in the keytab and verify that it matches the
host name of the system.
Also the host principal is usually "host/<host FQDN>@<REALM IN CAPS>"
http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-K...
It seems that the principal that has been looked up is different but it
is sanitized to be sure what the issue is.
John
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
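A script for the check Dmitri suggests (list the principals in the keytab and verify that the one SSSD will use is actually there), added here as an example and not part of the thread. It parses the output of `klist -kt`; the klist sample embedded below is constructed, and the principal to look for is assumed to be whatever ldap_child logs as "Principal name is", or host/<FQDN>@REALM if sssd.conf does not override it.

```shell
#!/bin/sh
# Added example, not from the thread: parse `klist -k` / `klist -kt` output
# and check that the keytab holds the principal SSSD's ldap_child will use.
# "Key table entry not found" is what you get when it does not.

# Print one principal per line from klist output on stdin.
# Entry lines begin with a numeric KVNO; the principal is the last field.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# Exit 0 if the klist output on stdin contains principal $1 exactly.
# Match is literal and case-sensitive: the realm must be in capitals,
# and HOSTNAME$@REALM.COM is not the same entry as host/fqdn@REALM.COM.
keytab_has_principal() {
    keytab_principals | grep -q -x -F -- "$1"
}

# Constructed sample: a keytab provisioned only with the host/ form,
# i.e. the mismatch described in the thread if SSSD asks for HOSTNAME$.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------------------
   2 09/07/12 16:49:39 host/myhost.realm.com@REALM.COM
   2 09/07/12 16:49:39 host/myhost.realm.com@REALM.COM
   2 09/07/12 16:49:39 host/myhost.realm.com@REALM.COM'

# Runs the check against the constructed sample instead of a real keytab.
# On a real host, use:  klist -kt /etc/krb5.keytab | keytab_has_principal "$want"
check_sample() {
    printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal "$1"
}

# Stand-alone demonstration: one principal is present, the other is not.
if check_sample 'host/myhost.realm.com@REALM.COM'; then
    echo "host/ principal found in keytab"
fi
if ! check_sample 'MYHOST$@REALM.COM'; then
    echo "MYHOST\$ principal missing from keytab: expect 'Key table entry not found'"
fi
```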