SSSD Kerberos AD authentication troubleshooting?
Hi all,
I'm trying to set up a kickstart that includes registering in the local AD.
I have managed to get it working in my trial runs using CentOS 7.
This included using a dedicated keytab to register the machine.
/sbin/realm join --verbose --computer-ou="...." example.com
But when I started with a RHEL7 server intended for live use, the keytab does not work for joining the realm, and when I join it manually (with -U) I can't log in to the new server using my AD user.
/sbin/realm join -U sysUser@EXAMPLE.COM --verbose --computer-ou="...." example.com
I have verified that the sssd.conf and krb5.conf have the same settings.
Actually, every setting I can think of is the same between the two machines.
I tried setting SELinux to permissive mode but it did not help either.
I can use kinit to authenticate from the CLI:
]$ kinit -V myUser@EXAMPLE.COM
Using default cache: /tmp/krb5cc_1000
Using principal: myUser@EXAMPLE.COM
Password for myUser@EXAMPLE.COM:
Authenticated to Kerberos v5
]$
but the sssd service says:
]$ sudo systemctl status sssd -l
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/sssd.service.d
└─journal.conf
Active: active (running) since Mon 2018-03-05 18:22:42 CET; 1min 33s ago
Main PID: 682 (sssd)
CGroup: /system.slice/sssd.service
├─682 /usr/sbin/sssd -i -f
├─771 /usr/libexec/sssd/sssd_be --domain example.com --uid 0 --gid 0 --debug-to-files
├─924 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
└─925 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
Mar 05 18:23:57 my-host@example.com sssd[be[example.com ]][771]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
Mar 05 18:23:57 my-host@example.com sssd_be[771]: GSSAPI client step 1
Mar 05 18:23:57 my-host@example.com sssd_be[771]: GSSAPI client step 1
/var/log/sssd/sssd_example.com.log is huge even on log-level 3 but this part stands out:
(Mon Mar 5 18:22:44 2018) [sssd[be[example.com]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Mon Mar 5 18:22:44 2018) [sssd[be[example.com]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Mon Mar 5 18:22:44 2018) [sssd[be[example.com]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Mon Mar 5 18:22:44 2018) [sssd[be[example.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
(Mon Mar 5 18:22:44 2018) [sssd[be[example.com]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158226]: Authentication Failed
Can anyone give me some idea of where I should continue searching?
Thanks.
Regards,
//Samuel
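The "Server not found in Kerberos database" failure in the sssd_be log above means the KDC had no principal matching the service name the client asked for during the LDAP GSSAPI bind. The following helper is an added example, not part of the original post: it checks whether the name SSSD uses for a domain controller survives the forward/reverse DNS canonicalization libkrb5 applies before requesting ldap/<name>. The DC names and domain in the demo are constructed; the live mode assumes getent is available.

```shell
#!/bin/sh
# Added diagnostic for "Server not found in Kerberos database" on the SSSD
# LDAP bind (example code, not from the original post). The client requests
# a ticket for ldap/<DC name>; libkrb5 canonicalizes that name via forward
# and, unless rdns = false, reverse DNS. AD must hold an ldap/ SPN for
# exactly the resulting name, so the name must resolve to itself both ways.

# Pure check, runs offline. $1 = DC name SSSD uses (ad_server or SRV result),
# $2 = PTR name of its IP, $3 = AD domain. Prints a verdict; 0 when consistent.
check_dc_name() {
  dc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  ptr=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  domain=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  case "$dc" in
    *."$domain") ;;
    *) echo "FAIL: $dc is outside $domain; krb5 may look for ldap/$dc in another realm"
       return 1 ;;
  esac
  if [ -z "$ptr" ]; then
    echo "WARN: no PTR record; krb5 keeps $dc, but confirm AD has ldap/$dc"
    return 2
  fi
  if [ "$dc" != "$ptr" ]; then
    echo "FAIL: PTR gives $ptr, so the client requests ldap/$ptr, not ldap/$dc;"
    echo "      fix the PTR record or set rdns = false in [libdefaults] of krb5.conf"
    return 1
  fi
  echo "OK: ldap/$dc is the principal the client will request; confirm AD has that SPN"
  return 0
}

# Live mode resolves a real DC with getent (needs network; not used offline).
# Usage: sh check_dc.sh live dc1.example.com example.com
live_check() {
  ip=$(getent ahosts "$1" | awk 'NR==1{print $1}')
  ptr=$(getent hosts "$ip" | awk 'NR==1{print $2}')
  check_dc_name "$1" "$ptr" "$2"
}

if [ "${1:-}" = live ]; then
  live_check "$2" "$3"
else
  # Constructed demo inputs mirroring the example.com realm in the post.
  check_dc_name dc1.example.com dc1.example.com example.com
  check_dc_name dc1.example.com dc1.corp.example.net example.com || true
fi
```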