SSSD Kerberos AD authentication troubleshooting?


Hi all,

I'm trying to set up a kickstart that includes registering in the local AD.
I have managed to get it working with my trial runs using CentOS 7,
including using a dedicated keytab to register the machine:

    /sbin/realm join --verbose --computer-ou="...." example.com

But when I started with a RHEL 7 server intended for live use, the keytab does not work for joining the realm, and when I join it manually (with -U) I can't log in to the new server using my AD user.

    /sbin/realm join -U sysUser@EXAMPLE.COM --verbose --computer-ou="...." example.com

I have verified that the sssd.conf and krb5.conf have the same settings.
Actually every setting I can think of is the same between the two Machines.
I tried setting SELinux to permissive mode but it did not help either.

I can use kinit to authenticate from the cli:

]$ kinit -V  myUser@EXAMPLE.COM
Using default cache: /tmp/krb5cc_1000
Using principal: myUser@EXAMPLE.COM
Password for myUser@EXAMPLE.COM:
Authenticated to Kerberos v5
]$

but the sssd service says:

]$ sudo systemctl status sssd -l
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (running) since Mon 2018-03-05 18:22:42 CET; 1min 33s ago
 Main PID: 682 (sssd)
   CGroup: /system.slice/sssd.service
           ├─682 /usr/sbin/sssd -i -f
           ├─771 /usr/libexec/sssd/sssd_be --domain example.com --uid 0 --gid 0 --debug-to-files
           ├─924 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           └─925 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files

Mar 05 18:23:57 my-host@example.com sssd[be[example.com ]][771]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
Mar 05 18:23:57 my-host@example.com sssd_be[771]: GSSAPI client step 1
Mar 05 18:23:57 my-host@example.com sssd_be[771]: GSSAPI client step 1

/var/log/sssd/sssd_example.com.log is huge even on log-level 3 but this part stands out:

(Mon Mar  5 18:22:44 2018) [sssd[be[example.com]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Mon Mar  5 18:22:44 2018) [sssd[be[example.com]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
(Mon Mar  5 18:22:44 2018) [sssd[be[example.com]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Mon Mar  5 18:22:44 2018) [sssd[be[example.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)]
(Mon Mar  5 18:22:44 2018) [sssd[be[example.com]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158226]: Authentication Failed

Can anyone give me some idea of where I should continue searching?

Thanks.

Regards,
//Samuel

Responses

Hi,

To start with:

a) Check DNS, especially reverse resource records for all systems, including Domain Controllers.

b) Is IPV6 enabled?

Regards,

Dusan Baljevic (amateur radio VK2COT)

Samuel,

Kerberos is time sensitive. Make sure you have NTP configured and that the time matches the server.

DNS - DNS - DNS

Thanks everyone :-)

Adding:

 rdns=false

to section

[libdefaults]

in /etc/krb5.conf solved the problem.

The machine I'm installing does not have a DNS entry in the AD-controlled DNS before it has connected to the AD...

//Samuel
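Samuel's fix and the reverse-DNS advice above point at the same mechanism: with `rdns` enabled (the MIT krb5 default unless the distribution's krb5.conf overrides it), libkrb5 canonicalises a server name by reverse-resolving its address, so a missing or mismatched PTR record yields a service principal the KDC has never issued a key for, which is what "Server not found in Kerberos database" reports. The script below is an added example written for this thread, not code from the thread, from SSSD or from MIT krb5; the sample krb5.conf, the `parse_section`, `rdns_enabled`, `service_principal` and `dns_roundtrip` names and the `ldap/` service form used for the AD LDAP bind are my own assumptions.

```python
"""Inspect krb5.conf for the rdns setting and check the forward/reverse DNS
round trip of a domain controller. Added example for this thread; it is not
code from the thread, from SSSD or from MIT krb5."""
import re
import socket
import sys

# Constructed sample, not any poster's real file. Note the space-free 'rdns=false'.
SAMPLE_KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns=false

[realms]
 EXAMPLE.COM = {
  kdc = dc1.example.com
  admin_server = dc1.example.com
 }
"""

SECTION_RE = re.compile(r"^\[([A-Za-z_]+)\]$")


def parse_section(conf_text, section):
    """Return the top-level key/value pairs of one krb5.conf section.
    Accepts 'key = value' and 'key=value'; nested '{ ... }' blocks (realm
    definitions) are skipped because they are not top-level settings."""
    result, current, depth = {}, None, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("include"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current, depth = m.group(1), 0
            continue
        if current != section:
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip().lower()] = value.strip()
    return result


def rdns_enabled(conf_text):
    """rdns counts as enabled when the key is absent from [libdefaults]."""
    value = parse_section(conf_text, "libdefaults").get("rdns", "true")
    return value.lower() in ("true", "yes", "on", "1")


def service_principal(dc_fqdn, realm, ptr_name=None, rdns=True):
    """Principal the client asks the KDC for on an LDAP/GSSAPI bind.
    With rdns on and a PTR answer available, the reverse name replaces the
    configured name, so a stale or wrong PTR produces an unknown principal."""
    name = ptr_name if (rdns and ptr_name) else dc_fqdn
    return f"ldap/{name.lower()}@{realm.upper()}"


def dns_roundtrip(fqdn):
    """Forward-resolve fqdn, then reverse-resolve every address and report
    whether each PTR name matches. Needs network access; not part of the
    offline test."""
    try:
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None)})
    except socket.gaierror as exc:
        return [f"{fqdn}: forward lookup failed ({exc})"]
    report = []
    for addr in addrs:
        try:
            ptr = socket.gethostbyaddr(addr)[0]
        except (socket.herror, socket.gaierror) as exc:
            report.append(f"{addr}: no PTR record ({exc})")
            continue
        status = "ok" if ptr.lower() == fqdn.lower() else "MISMATCH"
        report.append(f"{addr}: PTR -> {ptr} [{status}]")
    return report


if __name__ == "__main__":
    # usage: krb5_rdns_check.py [/etc/krb5.conf] [dc1.example.com ...]
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KRB5_CONF
    print("rdns enabled:", rdns_enabled(conf))
    for dc in sys.argv[2:]:
        print("\n".join(dns_roundtrip(dc)))
```

Run it against the real `/etc/krb5.conf` and the DC names from `[realms]` before joining: a `MISMATCH` or `no PTR record` line with `rdns enabled: True` is the combination that produces the error quoted in the question.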

Hi, it solved my problem as well. Thank you.

Awesome catch!! dyndns is false, so the DNS record wasn't being created. Would not have guessed this from the cryptic error message...thanks!

Hi Samuel,

Good to see your problem resolved. As I said before, DNS is a very common source of many problems.

Regards,

Dusan Baljevic (amateur radio VK2COT)

I have a RHEL 6 client and it is producing the same type of error messages, though I have rdns = false set correctly and I know it is a DNS problem. I have a case open with Red Hat too, but somehow even RH support is not able to help. Has anyone seen the same error before?

    [root@idm-auth-client-lkf-rhel6-noc01 ~]# cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 6.10 (Santiago)

    Sep 19 23:48:21 idm-auth-client-lkf-rhel6-noc01 ipa-submit: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/CPC.LOCAL.12.168.192.IN-ADDR.ARPA@CPC.LOCAL not found in Kerberos database)

And the below message is being repeated in the messages file:

    Cannot resolve servers for KDC in realm "ABCD.COM"

Thanks in advance.

I want to post an update and the solution suggested by RH Support, improvised a little by us as per the needs of our environment. On the server-side sssd.conf we added the following parameters and restarted the sssd and ipactl services:

    subdomain_inherit = ldap_user_principal
    ldap_user_principal = nosuchattr

Thanks, -Raj

I am getting this error while running kinit -V abc@xyz.com:

    Using default cache: /tmp/krb5cc_0
    Using principal: abc@xyz.com
    kinit: Cannot find KDC for realm "xyz.com" while getting initial credentials

So if you get an error with kinit about not allowed, make sure the account you are using is unenforced.

Actually Samuel's solution isn't quite right - because I typed it exactly as he stated. In the krb5.conf file, the statement is space-separated. Should be rdns = false, not rdns=false.

Hi All,

Can I use domain controller hostnames which have a different FQDN than my AD domain? For example:

    my domain: ad.example.net
    domain controller hostnames that I want to use: dc1.example.net, dc2.example.net

It fails with this error:

    SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
    ldap_sasl_bind failed (-2)[Local error]

Hi All, using realm list I could see RHEL has joined the Windows domain.

When I tried to verify the AD users I am seeing a "no such user" error message:

    [root@adint ssh]# id pradeep@vz.camp
    id: pradeep@vz.camp: no such user

Also in the systemctl sssd status I am seeing a GSS failure:

    [root@adint ssh]# systemctl status sssd -l
    Sep 13 07:07:02 adint.sdip-poc.verizon.com sssd[be[vz.camp]][13072]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

Can someone let me know how to fix these errors ?

When I got the GSSAPI Error: Unspecified GSS failure on my RHEL 8 machine it was due to DNS not being configured on my Domain Controller. I had to create the A record and reverse zone. I also forgot to specify the FQDN in the ad_server field inside of /etc/sssd/sssd.conf.

I was using "example.local" instead of "dc1.example.local".

Issue resolved just by adding the FQDN in the ad_server field inside of /etc/sssd/sssd.conf as mentioned above.
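The two posts above describe a configuration slip that is easy to lint for: `ad_server` in the `[domain/...]` section of sssd.conf must list domain controllers by FQDN (or be left to `_srv_` for SRV-record discovery), and the bare domain name is not a DC hostname, so the LDAP bind requests a principal no DC holds. The checker below is an added example written for this thread, not code from the thread or from SSSD; the sample configurations, the `load_sssd_conf` and `check_ad_server` names and the exact finding texts are my own assumptions.

```python
"""Lint the AD provider settings in sssd.conf: ad_server must name domain
controllers by FQDN (or be _srv_ for SRV discovery), never the bare domain.
Added example for this thread; not code from the thread or from SSSD."""
import configparser

# Constructed samples, not any poster's real files.
BROKEN_SSSD_CONF = """\
[sssd]
domains = example.local
config_file_version = 2
services = nss, pam

[domain/example.local]
ad_domain = example.local
ad_server = example.local
krb5_realm = EXAMPLE.LOCAL
id_provider = ad
access_provider = ad
"""

FIXED_SSSD_CONF = BROKEN_SSSD_CONF.replace(
    "ad_server = example.local",
    "ad_server = dc1.example.local, dc2.example.local")


def load_sssd_conf(text):
    """sssd.conf is plain INI, so configparser is enough. Interpolation is
    off because SSSD values may legitimately contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_ad_server(cp):
    """Return one finding per ad_server entry that cannot be a DC hostname."""
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ad":
            continue
        # ad_domain defaults to the name after 'domain/' when it is not set
        domain = cp.get(section, "ad_domain",
                        fallback=section.split("/", 1)[1]).lower()
        raw = cp.get(section, "ad_server", fallback="_srv_")
        for entry in (e.strip().lower() for e in raw.split(",") if e.strip()):
            if entry == "_srv_":
                continue  # SRV discovery keyword, fine as-is
            if entry == domain:
                findings.append(
                    f"{section}: ad_server '{entry}' is the domain name, "
                    "not a DC hostname")
            elif "." not in entry:
                findings.append(
                    f"{section}: ad_server '{entry}' is a short name; "
                    "use the FQDN")
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    cp = load_sssd_conf(open(path).read()) if path else load_sssd_conf(BROKEN_SSSD_CONF)
    for finding in check_ad_server(cp) or ["ad_server looks fine"]:
        print(finding)
```

Each FQDN that passes this check still needs a matching A record and PTR record on the DC's DNS, which is the other half of the fix described above.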

I have tried everything mentioned above but am still facing the same issue:

    DNS update failed: NT_STATUS_UNSUCCESSFUL

    Using short domain name -- TFS
    Joined 'AWVA-PCLXXXX' to dns domain 'TFS.Toyota.com'
    DNS Update for awva-pclXXX.tfs.toyota.com failed: ERROR_DNS_GSS_ERROR
     * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.VGQUA2 -U username@tfs.toyota.com ads keytab create