SSSD Kerberos AD authentication troubleshooting?


Hi all,

I'm trying to set up a kickstart that includes registering in the local AD.
I have managed to get it working with my trial runs using CentOS 7,
including using a dedicated keytab to register the machine.

  /sbin/realm join --verbose --computer-ou="...." example.com

But when I started with a RHEL 7 server intended for live use, the keytab does not work for joining the realm, and when I join it manually (with -U) I can't log in to the new server using my AD user.

    /sbin/realm join -U sysUser@EXAMPLE.COM --verbose --computer-ou="...." example.com

I have verified that sssd.conf and krb5.conf have the same settings.
Actually, every setting I can think of is the same between the two machines.
I tried setting SELinux to permissive mode, but it did not help either.

I can use kinit to authenticate from the cli:

]$ kinit -V  myUser@EXAMPLE.COM
Using default cache: /tmp/krb5cc_1000
Using principal: myUser@EXAMPLE.COM
Password for myUser@EXAMPLE.COM:
Authenticated to Kerberos v5
]$

but the sssd service says:

]$ sudo systemctl status sssd -l
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (running) since Mon 2018-03-05 18:22:42 CET; 1min 33s ago
 Main PID: 682 (sssd)
   CGroup: /system.slice/sssd.service
           ├─682 /usr/sbin/sssd -i -f
           ├─771 /usr/libexec/sssd/sssd_be --domain example.com --uid 0 --gid 0 --debug-to-files
           ├─924 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           └─925 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files

Mar 05 18:23:57 my-host@example.com sssd[be[example.com]][771]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
Mar 05 18:23:57 my-host@example.com sssd_be[771]: GSSAPI client step 1
Mar 05 18:23:57 my-host@example.com sssd_be[771]: GSSAPI client step 1

/var/log/sssd/sssd_example.com.log is huge even at log level 3, but this part stands out:

(Mon Mar  5 18:22:44 2018) [sssd[be[example.com]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Mon Mar  5 18:22:44 2018) [sssd[be[example.com]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
(Mon Mar  5 18:22:44 2018) [sssd[be[example.com]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Mon Mar  5 18:22:44 2018) [sssd[be[example.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)]
(Mon Mar  5 18:22:44 2018) [sssd[be[example.com]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158226]: Authentication Failed

Can anyone give me some idea of where I should continue searching?

Thanks.

Regards,
//Samuel

Responses

Hi,

To start with:

a) Check DNS, especially reverse resource records for all systems, including Domain Controllers.

b) Is IPv6 enabled?

Regards,

Dusan Baljevic (amateur radio VK2COT)

Samuel,

Kerberos is time sensitive. Make sure you have NTP configured and that the time matches the server's.

DNS - DNS - DNS

Thanks everyone :-)

Adding:

 rdns=false

to section

[libdefaults]

in /etc/krb5.conf solved the problem.

The machine I'm installing does not have a DNS entry in the AD-controlled DNS before it has connected to the AD...

//Samuel
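As an added example (not code from the thread), here is a small Python simulation of what `rdns` changes. The Kerberos client forward-resolves the DC name it was given; with `rdns = true` (the MIT krb5 default) it then uses the PTR name of the resulting address to build the `ldap/<host>@REALM` principal it asks the KDC for. If that PTR name is not a name AD registered an SPN for, the KDC answers with exactly the "Server ... not found in Kerberos database" text seen in the sssd log above, while `rdns = false` keeps the discovered name. The DC names, DNS records and the KDC's principal list below are constructed for the demo; `rdns_mismatches` is the forward/reverse consistency check Dusan recommended, run over the same constructed data.

```python
"""Simulation of MIT Kerberos service-name canonicalization with rdns on/off.
Added example for this thread; all hosts, addresses and principals are constructed."""

REALM = "EXAMPLE.COM"

# Constructed forward zone: the DC names realmd/SSSD would discover.
FORWARD = {
    "dc01.example.com": "192.168.12.10",
    "dc02.example.com": "192.168.12.11",
    "dc03.example.com": "192.168.12.12",
}

# Constructed reverse zone: dc01 is consistent, dc02's PTR names a different
# host, and dc03 has no PTR record at all.
REVERSE = {
    "192.168.12.10": "dc01.example.com",
    "192.168.12.11": "oldname.corp.example.net",
}

# Constructed KDC database: the ldap/ SPNs AD registered for the DCs.
KDC_DB = {
    f"ldap/dc01.example.com@{REALM}",
    f"ldap/dc02.example.com@{REALM}",
    f"ldap/dc03.example.com@{REALM}",
}


def canonical_hostname(host: str, rdns: bool) -> str:
    """Forward-resolve the host; with rdns, replace the name by the PTR name of
    the resulting address. If no PTR exists the forward name is kept (this
    simulation's assumption about the fallback)."""
    addr = FORWARD.get(host.lower())
    if addr is None:
        raise LookupError(f"cannot resolve {host}")
    if rdns and addr in REVERSE:
        return REVERSE[addr].lower()
    return host.lower()


def service_principal(service: str, host: str, rdns: bool) -> str:
    """Principal the client requests a ticket for, e.g. ldap/dc01.example.com@EXAMPLE.COM."""
    return f"{service}/{canonical_hostname(host, rdns)}@{REALM}"


def kdc_lookup(principal: str) -> str:
    """Constructed KDC: 'OK', or the wording the GSSAPI layer surfaces in the thread."""
    if principal in KDC_DB:
        return "OK"
    return f"Server {principal} not found in Kerberos database"


def sasl_bind(host: str, rdns: bool) -> str:
    """What SSSD's ldap_sasl_bind against one DC gets back in this simulation."""
    return kdc_lookup(service_principal("ldap", host, rdns))


def rdns_mismatches(hosts) -> dict:
    """Forward/reverse consistency check: for each host, compare its name with
    the PTR of its address. Returns {host: ptr_or_None} for inconsistent ones."""
    bad = {}
    for host in hosts:
        addr = FORWARD[host.lower()]
        ptr = REVERSE.get(addr)
        if ptr is None or ptr.lower() != host.lower():
            bad[host] = ptr
    return bad


if __name__ == "__main__":
    for dc in FORWARD:
        for rdns in (True, False):
            print(f"{dc:20} rdns={str(rdns):5} -> {sasl_bind(dc, rdns)}")
    print("inconsistent reverse records:", rdns_mismatches(FORWARD))
```

Only dc02 fails, and only with `rdns` on: the PTR points at a name AD never registered, so the client asks for a principal the KDC has never heard of. The error message names the principal the client built, not the DC it discovered, which is why it reads as cryptic until the reverse zone is checked.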

Awesome catch!! dyndns is false, so the DNS record wasn't being created. Would not have guessed this from the cryptic error message...thanks!

Hi Samuel,

Good to see your problem resolved. As I said before, DNS is a very common source of many problems.

Regards,

Dusan Baljevic (amateur radio VK2COT)

I have a RHEL 6 client and it is producing the same type of error messages, though I have rdns = false set correctly and I know it is a DNS problem. I have a case open with Red Hat too, but somehow even RH support is not able to help. Has anyone seen the same error before?

[root@idm-auth-client-lkf-rhel6-noc01 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.10 (Santiago)

Sep 19 23:48:21 idm-auth-client-lkf-rhel6-noc01 ipa-submit: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/CPC.LOCAL.12.168.192.IN-ADDR.ARPA@CPC.LOCAL not found in Kerberos database)

And the message below is being repeated in the messages file:

Cannot resolve servers for KDC in realm "ABCD.COM"

Thanks in advance.

I want to post an update and a solution for this, suggested by RH Support and improvised a little by us as per the needs of the environment. On the server side, the following parameters were added to sssd.conf, and the sssd and ipactl services were restarted:

    subdomain_inherit = ldap_user_principal
    ldap_user_principal = nosuchattr

Thanks, -Raj