On Wed, Jan 15, 2014 at 04:53:10PM +0000, Ondrej Valousek wrote:
> Hi list,
> I am experiencing a strange issue w/ sssd (F19, AD).
> SSSD is working fine until I do:
> 1. net ads leave
> 2. change machine hostname
> 3. net ads join
> After this, name services are working OK, but I am unable to authenticate myself using
> pam_sss.so.
> The workaround is:
> 1. net ads leave
> 2. rm /etc/krb5.keytab
> 3. net ads join
> Looks like after the machine rename the old principal is still held in krb5.keytab and is making
> pam_sss worthless.
> Is this a known issue? Note that pam_krb5 is working fine.
> Thanks,

I guess it is kind of known. I think it is related to validation. As can
be seen in the sssd-krb5 man page, the first principal in the keytab
with a matching realm will be used for validation. In your case, where
the new keys are added to the end of the keytab and the old ones are
still at the beginning, sssd will pick the old key and validation fails.
The solution is either to remove the keytab as you did before the new
join or to delete the old keys with ktutil.
HTH
bye,
Sumit
> Ondrej
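
An added example, not part of the thread and not sssd code: a small parser for the version 0x0502 keytab file format that lists entries in file order, applies the "first principal with a matching realm" rule described in the reply, and flags host entries left over from the old hostname. The function names, hostnames, realm and the all-zero key are constructed for illustration.

```python
import struct

def _counted(data, p):
    """Read a uint16-length-prefixed string at offset p; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return [(principal, realm, kvno)] in file order for a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                     # negative length marks a deleted slot
            pos -= size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        kvno = data[p + 8]                # skip name type (4) + timestamp (4)
        entries.append(("/".join(comps), realm.decode(), kvno))
        pos += size
    return entries

def validation_principal(entries, realm):
    """First entry with a matching realm: the selection rule described in the reply."""
    return next((e for e in entries if e[1] == realm), None)

def stale_host_entries(entries, fqdn):
    """host/ principals that do not belong to the current hostname."""
    return [e for e in entries if e[0].startswith("host/") and e[0] != "host/" + fqdn]

def sample_entry(principal, realm, kvno):
    """Encode one entry with an all-zero AES128 key (constructed sample, not a real key)."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    comps = principal.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + cs(realm.encode()) + b"".join(map(cs, comps))
    body += struct.pack(">IIB", 1, 0, kvno) + struct.pack(">H", 17) + cs(bytes(16))
    return struct.pack(">i", len(body)) + body

# Constructed keytab: key for the old hostname first, key from the re-join appended after it.
SAMPLE = (b"\x05\x02" + sample_entry("host/oldname.example.com", "EXAMPLE.COM", 2)
          + sample_entry("host/newname.example.com", "EXAMPLE.COM", 3))

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE)
    print("validation would use:", validation_principal(ents, "EXAMPLE.COM"))
    print("stale:", stale_host_entries(ents, "newname.example.com"))
```

On a real host, reading `/etc/krb5.keytab` requires root, and the parsed tuples deliberately omit the key bytes.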