Hi all,
I'm new to sssd and am working on deploying it in my homelab on a test VM.
So far, I've successfully joined my host to my very basic/vanilla Active Directory domain using *realm join*. I can log in via console and ssh using AD credentials, and sudo works great too.
I can't for the life of me get GSSAPI to work on ssh, though. My relevant sshd_config options are:
    # GSSAPI options
    GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    GSSAPIKeyExchange yes
I turned on debug logging on the ssh server and client and the only thing I can see that would suggest any issues are:
Dec 16 23:09:55 test sshd[6068]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
I do see this in the syslog when sssd is restarted, though everything else does still work:
Dec 16 23:10:20 test sssd[6102]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
In my sssd_nub.lan.log file I have a few errors but from what I can tell they're all related to dynamic dns updates:
(2021-12-16 23:10:10): [be[nub.lan]] [ad_disable_gc] (0x0040): POSIX attributes were requested but are not present on the server side. Global Catalog lookups will be disabled
(2021-12-16 23:10:20): [be[nub.lan]] [child_sig_handler] (0x0020): child [6102] failed with status [2].
(2021-12-16 23:10:20): [be[nub.lan]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(2021-12-16 23:10:20): [be[nub.lan]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158240]: Dynamic DNS update failed
(2021-12-16 23:10:20): [be[nub.lan]] [child_sig_handler] (0x0020): child [6106] failed with status [2].
(2021-12-16 23:10:20): [be[nub.lan]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(2021-12-16 23:10:20): [be[nub.lan]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158240]: Dynamic DNS update failed
(2021-12-16 23:10:20): [be[nub.lan]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158240]: Dynamic DNS update failed
(2021-12-16 23:10:20): [be[nub.lan]] [be_ptask_done] (0x0040): Task [Dyndns update]: failed with [1432158240]: Dynamic DNS update failed
(2021-12-16 23:25:20): [be[nub.lan]] [sss_ldap_init_sys_connect_done] (0x0020): ldap_init_fd failed: Bad parameter to an ldap routine. [23][cldap://arbiter.nub.lan:389]
(2021-12-16 23:25:20): [be[nub.lan]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [5]: Input/output error.
(2021-12-16 23:25:20): [be[nub.lan]] [sss_ldap_init_sys_connect_done] (0x0020): ldap_init_fd failed: Bad parameter to an ldap routine. [24][cldap://ARBITER.nub.lan:389]
(2021-12-16 23:25:20): [be[nub.lan]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [5]: Input/output error.
(2021-12-16 23:25:20): [be[nub.lan]] [ad_cldap_ping_done] (0x0040): Unable to get site and forest information [2]: No such file or directory
I noticed the sssd troubleshooting basics mention to use *kinit* for debug, which I did, and *klist* shows:
    Ticket cache: FILE:/tmp/krb5cc_7000_MM3M16
    Default principal: aram@NUB.LAN

    Valid starting       Expires              Service principal
    12/16/2021 23:28:30  12/17/2021 09:28:30  krbtgt/NUB.LAN@NUB.LAN
            renew until 12/17/2021 23:28:27
I'm guessing my issue may be related to the service principal name used for sshd, but despite my best searching efforts, I couldn't find anything that tells me what it should be or how I might add it to AD.
I'm stuck! Any pointers or guidance would be greatly appreciated.
Thanks,
Aram
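The service principal question in the post above can be checked directly: sshd's GSSAPI acceptor uses host/<fqdn>@REALM from /etc/krb5.keytab, so the keytab must hold that entry and the KDC must know the SPN. The script below is an added example, not code from the thread or from SSSD; the klist -k listing, the host name test.nub.lan and the realm NUB.LAN are constructed placeholders modelled on the post.

```shell
#!/bin/sh
# Added example, not from the thread: check that the host keytab holds the
# principal sshd's GSSAPI acceptor needs. sshd accepts tickets for
# host/<fqdn>@REALM read from /etc/krb5.keytab, so a missing or stale
# entry, or an SPN the KDC does not know, makes the client fall back to
# the next auth method (publickey/password) with no error shown to the user.

# has_host_spn LISTING FQDN REALM
# LISTING is the text of `klist -k` (entries are "<kvno> <principal>").
# Returns 0 when host/FQDN@REALM is present, 1 otherwise.
has_host_spn() {
    printf '%s\n' "$1" | awk -v want="host/$2@$3" '
        $2 == want { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# keytab_kvnos LISTING FQDN REALM
# Prints the distinct kvnos stored for host/FQDN@REALM, space separated.
# Compare with the kvno the KDC issues (`kvno host/FQDN`): a mismatch
# after a machine-password rotation also breaks GSSAPI logins.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v want="host/$2@$3" '
        $2 == want { print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample of `klist -k` output on an AD-joined host (placeholder
# host name and realm modelled on the post).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 TEST$@NUB.LAN
   2 host/test.nub.lan@NUB.LAN
   2 host/TEST@NUB.LAN
   2 RestrictedKrbHost/test.nub.lan@NUB.LAN'

# check_live REALM: run the same checks against the real keytab.
# Needs root (to read /etc/krb5.keytab), the krb5 client tools and a TGT.
check_live() {
    realm=$1
    fqdn=$(hostname -f)
    listing=$(klist -k /etc/krb5.keytab)
    if has_host_spn "$listing" "$fqdn" "$realm"; then
        echo "keytab has host/$fqdn@$realm, kvno $(keytab_kvnos "$listing" "$fqdn" "$realm")"
    else
        echo "keytab lacks host/$fqdn@$realm: sshd cannot accept GSSAPI tickets" >&2
        return 1
    fi
    # Request a service ticket with the existing TGT: the KDC answers
    # "Server not found in Kerberos database" if AD has no such SPN.
    kvno "host/$fqdn@$realm"
}
```

Run `check_live NUB.LAN` (after kinit, as in the post) to test the real host; the functions above are what the live check and the constructed sample share.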
Hello,
(sorry if my comments are not relevant)
On Fri, Dec 17, 2021 at 8:35 AM Aram Akhavan aram@nubmail.ca wrote:
Hi all,
I'm new to sssd and am working on deploying it in my homelab on a test VM.
So far, I've successfully joined my host to my very basic/vanilla Active Directory domain using *realm join*. I can log in via console and ssh using AD credentials, and sudo works great too.
I can't for the life of me get GSSAPI to work on ssh, though.
Please check if this might be similar to https://github.com/SSSD/sssd/issues/5893
My relevant sshd_config options are:
    # GSSAPI options
    GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    GSSAPIKeyExchange yes
I turned on debug logging on the ssh server and client and the only thing I can see that would suggest any issues are:
Dec 16 23:09:55 test sshd[6068]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password" [preauth]
I do see this in the syslog when sssd is restarted, though everything else does still work:
Dec 16 23:10:20 test sssd[6102]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
This email thread - https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... - mentions a similar error message.
Thanks Alexey! That github issue solved my problem. Do you know if this will get backported to Debian bullseye?
Aram
On 12/23/2021 2:07 PM, Alexey Tikhonov wrote:
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Hi,
On Fri, Dec 24, 2021 at 6:17 AM Aram Akhavan aram@nubmail.ca wrote:
Thanks Alexey! That github issue solved my problem. Do you know if this will get backported to Debian bullseye?
You should check with Debian maintainers of the SSSD package.
https://salsa.debian.org/sssd-team/sssd/-/commits/master