Hi all,
I've followed the sssd page for connecting RHEL 6 to a Windows 2008 for authentication. It works on all our servers except one, and I'm getting confused. I've even gone as far as to clone a working VM and rename it, give it a new IP address, etc., and even after that it still doesn't work (but just on that one machine).
When I run kinit -k host/server.ad.domain.com@AD.DOMAIN.COM I get the following message:
kinit: Cannot find KDC for requested realm while getting initial credentials
Whereas on other servers running that same command just works.
Has anyone experienced this before? All servers are configured the same, but one server doesn't work. Here is my krb5.conf file, and the commands I used to generate the keytab. I can post logs; I'll just have to sanitize them first.
[logging]
 default = FILE:/var/log/krb5libs.log
[libdefaults]
 default_realm = AD.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 forwardable = yes
[realms]
[domain_realm]
setspn -A host/server.ad.domain.com@AD.DOMAIN.COM server
setspn -L server
ktpass /princ host/server.ad.domain.com@AD.DOMAIN.COM /out server-host.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser CNOC\server$ /pass *
Any help would be greatly appreciated.
Bryan
On Tue, Jul 30, 2013 at 11:41:41AM +0000, Bryan Harris wrote:
Hi all,
I've followed the sssd page for connecting RHEL 6 to a Windows 2008 for authentication. It works on all our servers except one, and I'm getting confused. I've even gone as far as to clone a working VM and rename it, give it a new IP address, etc., and even after that it still doesn't work (but just on that one machine).
When I run kinit -k host/server.ad.domain.com@AD.DOMAIN.COM I get the following message:
kinit: Cannot find KDC for requested realm while getting initial credentials
Whereas on other servers running that same command just works.
Has anyone experienced this before? All servers are configured the same, but one server doesn't work. Here is my krb5.conf file, and the commands I used to generate the keytab. I can post logs; I'll just have to sanitize them first.
[logging]
 default = FILE:/var/log/krb5libs.log
[libdefaults]
 default_realm = AD.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 forwardable = yes
[realms]
[domain_realm]
setspn -A host/server.ad.domain.com@AD.DOMAIN.COM server
setspn -L server
ktpass /princ host/server.ad.domain.com@AD.DOMAIN.COM /out server-host.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser CNOC\server$ /pass *
Any help would be greatly appreciated.
Bryan
There is no KDC explicitly defined so you rely on DNS lookups for locating the KDC. Can you check if the other servers that work use the same DNS servers in resolv.conf?
Hi Jakub,
On Jul 30, 2013, at 07:28 AM, Jakub Hrozek jhrozek@redhat.com wrote:
On Tue, Jul 30, 2013 at 11:41:41AM +0000, Bryan Harris wrote:
When I run kinit -k host/server.ad.domain.com@AD.DOMAIN.COM I get the following message:
kinit: Cannot find KDC for requested realm while getting initial credentials
There is no KDC explicitly defined so you rely on DNS lookups for locating the KDC. Can you check if the other servers that work use the same DNS servers in resolv.conf?
I'm sorry, but I saw Sumit's email first. Also, in my other email I tried to explain the weird Smart Card PIN behavior.
Our resolv.conf is pointing to our BIND servers, which have the following in the zone the Linux servers will search, using the domain sub.domain.com in /etc/resolv.conf. It seems to work okay, but please feel free to let me know if it's not right. I honestly don't remember if I found this information on the sssd fedorahosted.org pages, but it seemed to work thus far. We do realize that if we ever make changes to our environment's addressing we will need to change the zone in the BIND servers as well.
_ldap._tcp 1D IN SRV 0 100 389 dc01
_ldap._tcp 1D IN SRV 0 100 389 dc02
_kerberos._tcp 1D IN SRV 0 100 88 dc01
_kerberos._tcp 1D IN SRV 0 100 88 dc02
_kpasswd._tcp 1D IN SRV 0 100 464 dc01
_kpasswd._tcp 1D IN SRV 0 100 464 dc02
_kerberos._udp 1D IN SRV 0 100 88 dc01
_kerberos._udp 1D IN SRV 0 100 88 dc02
_kpasswd._udp 1D IN SRV 0 100 464 dc01
_kpasswd._udp 1D IN SRV 0 100 464 dc02
Bryan
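An added example, not part of the thread, that ties Jakub's point (no KDC is defined explicitly, so kinit depends on SRV lookups) to the zone records posted above: it parses the SRV lines, checks that the four names a MIT Kerberos client queries when dns_lookup_kdc = true are present with the expected ports, and emits an explicit [realms] stanza as a fallback for a host whose SRV resolution fails. The zone origin sub.domain.com and the realm name are taken from the thread; everything else is assumed.

```python
# Added example (not from the thread): validate the posted SRV records for
# KDC discovery and build an explicit krb5.conf [realms] fallback from them.
import re
from collections import defaultdict

# Kerberos records copied from the thread; zone origin sub.domain.com is assumed.
ZONE = """
_kerberos._tcp 1D IN SRV 0 100 88  dc01
_kerberos._tcp 1D IN SRV 0 100 88  dc02
_kpasswd._tcp  1D IN SRV 0 100 464 dc01
_kpasswd._tcp  1D IN SRV 0 100 464 dc02
_kerberos._udp 1D IN SRV 0 100 88  dc01
_kerberos._udp 1D IN SRV 0 100 88  dc02
_kpasswd._udp  1D IN SRV 0 100 464 dc01
_kpasswd._udp  1D IN SRV 0 100 464 dc02
"""

# Owner name -> port kinit expects; the client looks these names up under the
# realm name (e.g. _kerberos._udp.ad.domain.com), so they must be in that zone.
EXPECTED_PORTS = {"_kerberos._tcp": 88, "_kerberos._udp": 88,
                  "_kpasswd._tcp": 464, "_kpasswd._udp": 464}

SRV_RE = re.compile(r"^(\S+)\s+\S+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def parse_srv(zone_text):
    """Return {owner: [(priority, weight, port, target), ...]} from zone lines."""
    records = defaultdict(list)
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            owner, prio, weight, port, target = m.groups()
            records[owner].append((int(prio), int(weight), int(port), target))
    return dict(records)

def check_kdc_records(records):
    """Return a list of problems; an empty list means the KDC is discoverable."""
    problems = []
    for owner, want in EXPECTED_PORTS.items():
        if owner not in records:
            problems.append(f"missing {owner} SRV record")
            continue
        for _prio, _weight, got, target in records[owner]:
            if got != want:
                problems.append(f"{owner} -> {target} uses port {got}, expected {want}")
    return problems

def realms_stanza(realm, records, origin):
    """Explicit kdc/kpasswd_server entries so kinit need not rely on SRV lookups."""
    kdcs = sorted({r[3] for r in records.get("_kerberos._tcp", [])})
    kpasswd = sorted({r[3] for r in records.get("_kpasswd._tcp", [])})
    body = [f"    kdc = {h}.{origin}" for h in kdcs]
    body += [f"    kpasswd_server = {h}.{origin}" for h in kpasswd]
    return "\n".join(["[realms]", f"  {realm} = {{"] + body + ["  }"])
```

Running check_kdc_records on a host's actual answers (for example from dig SRV) isolates a DNS problem from a keytab problem, since kinit reports both as a failure to get initial credentials.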
On Tue, Jul 30, 2013 at 11:41:41AM +0000, Bryan Harris wrote:
Hi all,
I've followed the sssd page for connecting RHEL 6 to a Windows 2008 for authentication. It works on all our servers except one, and I'm getting confused. I've even gone as far as to clone a working VM and rename it, give it a new IP address, etc., and even after that it still doesn't work (but just on that one machine).
When I run kinit -k host/server.ad.domain.com@AD.DOMAIN.COM I get the following message:
kinit: Cannot find KDC for requested realm while getting initial credentials
Can you run kinit with 'strace -s 128' and send the output?
bye, Sumit
Whereas on other servers running that same command just works.
Has anyone experienced this before? All servers are configured the same, but one server doesn't work. Here is my krb5.conf file, and the commands I used to generate the keytab. I can post logs; I'll just have to sanitize them first.
[logging]
 default = FILE:/var/log/krb5libs.log
[libdefaults]
 default_realm = AD.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 forwardable = yes
[realms]
[domain_realm]
setspn -A host/server.ad.domain.com@AD.DOMAIN.COM server
setspn -L server
ktpass /princ host/server.ad.domain.com@AD.DOMAIN.COM /out server-host.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser CNOC\server$ /pass *
Any help would be greatly appreciated.
Bryan
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Hi Sumit,
It turns out I was able to figure out how to get it to work. I can't explain and don't understand why, but here are the symptoms and what I did to get things back to working.
Some background: we are working for a company with Smart Cards. And recently, the AD server commands to generate the keytabs started to prompt me for my Smart Card PIN number (I haven't spoken to the Windows guys about it, but I suspect something has changed because I did this months ago and don't remember any PIN number dialog). I suppose the Smart Card software must have a 5-minute cache because it only asked me for my PIN number on the very first run of ktpass.exe (I'm running the setspn/ktpass commands over and over for many servers by copy/pasting from a notepad window).
Okay, so I just happened to notice that the very first server was the only one not working. Also, the very first server is of course where the AD server dialog pops up asking me for my Smart Card PIN number. I think all the other servers' keytabs are generated using a connection to my Smart Card within the 5-minute window, since they don't ask me for a PIN. So I decided to just run the commands again a second time for the very first server. Amazingly, it starts working when I use a keytab where it "remembers" my PIN credentials, but does not work using a keytab created when the PIN dialog pops up.
Does any of this make sense? I can't grasp why this helped me out, or why it works this way but not the other way... My only guess is that the Smart Card software or Windows itself has some sort of issue, because I didn't do anything on the Linux machine configurations at all (other than install the working keytab, I mean).
Bryan
On Jul 30, 2013, at 07:32 AM, Sumit Bose sbose@redhat.com wrote:
On Tue, Jul 30, 2013 at 11:41:41AM +0000, Bryan Harris wrote:
Hi all,
I've followed the sssd page for connecting RHEL 6 to a Windows 2008 for authentication. It works on all our servers except one, and I'm getting confused. I've even gone as far as to clone a working VM and rename it, give it a new IP address, etc., and even after that it still doesn't work (but just on that one machine).
When I run kinit -k host/server.ad.domain.com@AD.DOMAIN.COM I get the following message:
kinit: Cannot find KDC for requested realm while getting initial credentials
Can you run kinit with 'strace -s 128' and send the output?
bye, Sumit
Whereas on other servers running that same command just works.
Has anyone experienced this before? All servers are configured the same, but one server doesn't work. Here is my krb5.conf file, and the commands I used to generate the keytab. I can post logs; I'll just have to sanitize them first.
[logging]
 default = FILE:/var/log/krb5libs.log
[libdefaults]
 default_realm = AD.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 forwardable = yes
[realms]
[domain_realm]
setspn -A host/server.ad.domain.com@AD.DOMAIN.COM server
setspn -L server
ktpass /princ host/server.ad.domain.com@AD.DOMAIN.COM /out server-host.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser CNOC\server$ /pass *
Any help would be greatly appreciated.
Bryan