It turns out I was able to figure out how to get it to work. I can't explain and
don't understand why, but here are the symptoms and what I did to get things back to
Some background: we are working for a company with Smart Cards. And recently, the AD
server commands to generate the keytabs started to prompt me for my Smart Card PIN number
(I haven't spoken to the Windows guys about it, but I suspect something has changed
because I did this months ago and don't remember any PIN number dialog). I suppose
the Smart Card software must have a 5-minute cache because it only asked me for my PIN
number on the very first run of ktpass.exe (I'm running the setspn/ktpass commands
over and over for many servers by copy/pasting from a notepad window).
Okay so I just happened to notice that the very first server was the only one not working.
Also the very first server is of course where the AD server dialog pops up asking me for
my Smart Card PIN number. I think all the other servers' keytabs are generated using
a connection to my Smart Card within the 5-minute window, since they don't ask me for
a PIN. So I decided to just run the commands again a second time for the very first
server. Amazingly, it starts working when I use a keytab where it "remembers"
my PIN credentials, but does not work using a keytab created when the PIN dialog pops up.
Does any of this make sense? I can't grasp why this helped me out, or why it works
this way but not the other way... My only guess is that the Smart Card software or
Windows itself has some sort of issue, because I didn't do anything on the Linux
machine configurations at all (other than install the working keytab I mean).
On Jul 30, 2013, at 07:32 AM, Sumit Bose <sbose(a)redhat.com> wrote:
On Tue, Jul 30, 2013 at 11:41:41AM +0000, Bryan Harris wrote:
I've followed the sssd page for connecting RHEL 6 to a Windows 2008 for
authentication. It works on all our servers except one, and I'm getting confused.
I've even gone as far as to clone a working VM and rename, give it a new ip address,
etc. and even after that it still doesn't work (but just on that one machine).
When I run kinit -k host/server.ad.domain.com@AD.DOMAIN.COM I get the following message:
kinit: Cannot find KDC for requested realm while getting initial credentials
Can you run kinit with 'strace -s 128' and send the output?
Whereas on other servers running that same command just works.
Has anyone experienced this before? All servers are configured the same but one server
doesn't work. Here is my krb5.conf file, and the commands I used to generate the
keytab. I can post logs; I'll just have to sanitize them first.
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = AD.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 forwardable = yes
setspn -A host/server.ad.domain.com@AD.DOMAIN.COM server
setspn -L server
ktpass /princ host/server.ad.domain.com@AD.DOMAIN.COM /out server-host.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser CNOC\server$ /pass *
Any help would be greatly appreciated.
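When one keytab works and another generated with the same command does not, the first thing to compare is what is actually stored in each file: the principal and realm (kinit -k takes the realm it will look a KDC up for from the keytab principal, which is what the "Cannot find KDC for requested realm" message refers to), the kvno, and the enctypes. The following is an added example, not code from this thread or from SSSD: a small parser for the MIT keytab file format (version 0x0502) plus a check that every principal's realm matches default_realm in krb5.conf. The two keytabs and the krb5.conf excerpt are constructed sample data (the realm OTHER.EXAMPLE is a placeholder); the realm check is one hypothesis to test against a real pair of keytabs, not the confirmed cause of the problem described above. On a RHEL box the same information comes from klist -kte; this script only helps when comparing files side by side without the Kerberos tools at hand.

```python
"""Inspect MIT keytabs and compare their principals' realm with krb5.conf (added example)."""
import struct
from dataclasses import dataclass

# Standard Kerberos enctype numbers, for readable output.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # components/joined@REALM exactly as stored in the keytab
    name_type: int   # 1 = KRB5_NT_PRINCIPAL, matching the /ptype used with ktpass
    timestamp: int
    kvno: int
    enctype: int


def _counted(buf: bytes, off: int):
    """Read a uint16 length-prefixed octet string (the keytab counted_octet_string)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list:
    """Parse an MIT v0x0502 keytab. Key material is read past but never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % (data[:2],))
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)   # signed: negative = deleted slot
        off += 4
        if size < 0:
            off += -size
            continue
        if size == 0:
            break
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        _key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno trailer overrides the 8-bit field
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype))
    return entries


def build_keytab(specs) -> bytes:
    """Build a keytab from (principal, enctype, kvno, key) tuples. Used here only to construct sample files."""
    out = b"\x05\x02"
    for princ, enctype, kvno, key in specs:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 1375000000, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)                            # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return out


def parse_krb5_conf(text: str) -> dict:
    """Minimal krb5.conf reader: top-level key = value pairs per section; brace blocks are skipped."""
    sections, cur, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections[cur] = {}
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and cur and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            sections[cur][k] = v
    return sections


def check_keytab(keytab: bytes, krb5_conf: str):
    """Return (entries, default_realm, principals whose realm differs from default_realm)."""
    default_realm = parse_krb5_conf(krb5_conf)["libdefaults"]["default_realm"]
    entries = parse_keytab(keytab)
    mismatched = [e.principal for e in entries
                  if e.principal.rsplit("@", 1)[1] != default_realm]
    return entries, default_realm, mismatched


# Constructed krb5.conf excerpt mirroring the settings posted in the thread.
KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log
[libdefaults]
 default_realm = AD.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
"""

# Constructed sample keytabs: one whose realm matches krb5.conf, one that stores a placeholder realm.
GOOD_KEYTAB = build_keytab([("host/server.ad.domain.com@AD.DOMAIN.COM", 23, 3, b"\x11" * 16),
                            ("host/server.ad.domain.com@AD.DOMAIN.COM", 18, 3, b"\x22" * 32)])
BAD_KEYTAB = build_keytab([("host/server.ad.domain.com@OTHER.EXAMPLE", 23, 2, b"\x33" * 16)])

if __name__ == "__main__":
    for label, kt in (("good", GOOD_KEYTAB), ("bad", BAD_KEYTAB)):
        entries, realm, bad = check_keytab(kt, KRB5_CONF)
        print("%s keytab (default_realm %s):" % (label, realm))
        for e in entries:
            print("  %s kvno=%d %s" % (e.principal, e.kvno, ENCTYPES.get(e.enctype, str(e.enctype))))
        for p in bad:
            print("  realm mismatch: %s" % p)
```

To use it on real files, read the two keytabs as bytes and pass each to check_keytab with the contents of /etc/krb5.conf; differing kvno values between the two files, or an enctype list that does not match what the account supports, are the other things worth comparing before touching the Linux side.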
sssd-users mailing list