SSSD Unable to create GSSAPI-encrypted LDAP connection.


Hi All,

I am trying to configure SSSD for the first time on CentOS 7; we have one forest but multiple domains:

xx.company.com
eu.company.com
na.company.com
ap.company.com

There is already a trust relationship between the domains. I am getting the error below:

Sep 16 12:56:46 XXA-ANSTLNX14 [sssd[ldap_child[4201]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/XXa-anstlnx14.eu.COMPANY.COM@EU.COMPANY.COM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.

Below is the Kerberos configuration file:

cat /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EU.COMPANY.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
XX.COMPANY.COM = {
kdc = XXa-XXdc01.XX.COMPANY.COM
kdc = XXc-XXdc01.XX.COMPANY.COM
kdc = XXs-XXdc01.XX.COMPANY.COM
admin_server = XXa-XXdc01.XX.COMPANY.COM
default_domain = XX.COMPANY.COM
}
EU.COMPANY.COM = {
kdc = XXa-eudc01.eu.COMPANY.COM
kdc = XXc-eudc01.eu.COMPANY.COM
kdc = XXs-eudc01.eu.COMPANY.COM
admin_server = XXa-eudc01.eu.COMPANY.COM
default_domain = eu.COMPANY.COM
}
NA.COMPANY.COM = {
kdc = XXa-nadc01.na.COMPANY.COM
kdc = XXc-nadc01.na.COMPANY.COM
kdc = XXs-nadc01.na.COMPANY.COM
admin_server = XXa-nadc01.na.COMPANY.COM
default_domain = na.COMPANY.COM
}
AP.COMPANY.COM = {
kdc = XXa-apdc01.ap.COMPANY.COM
kdc = XXc-apdc01.ap.COMPANY.COM
kdc = XXs-apdc01.ap.COMPANY.COM
admin_server = XXa-apdc01.ap.COMPANY.COM
default_domain = ap.COMPANY.COM
}
DMZ.COMPANY.COM = {
kdc = XXa-dmzdc01.dmz.COMPANY.COM
kdc = XXc-dmzdc01.dmz.COMPANY.COM
kdc = XXs-dmzdc01.dmz.COMPANY.COM
admin_server = XXa-dmzdc01.dmz.COMPANY.COM
default_domain = dmz.COMPANY.COM
}
COMPANY.COM = {
kdc = XXa-autdc01.COMPANY.COM
kdc = XXc-autdc01.COMPANY.COM
kdc = XXs-autdc01.COMPANY.COM
admin_server = XXa-autdc01.COMPANY.COM
default_domain = COMPANY.COM
}

[domain_realm]
.XX.COMPANY.COM = XX.COMPANY.COM
XX.COMPANY.COM = XX.COMPANY.COM
.eu.COMPANY.COM = EU.COMPANY.COM
eu.COMPANY.COM = EU.COMPANY.COM
.na.COMPANY.COM = NA.COMPANY.COM
na.COMPANY.COM = NA.COMPANY.COM
.ap.COMPANY.COM = AP.COMPANY.COM
ap.COMPANY.COM = AP.COMPANY.COM
.dmz.COMPANY.COM = DMZ.COMPANY.COM
dmz.COMPANY.COM = DMZ.COMPANY.COM
.COMPANY.COM = COMPANY.COM
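To make the realm mapping in the post above concrete, here is an added example (mine, not from the thread or from SSSD): it parses a cut-down krb5.conf and `klist -kt` output, both constructed for the example, and reports keytab principals whose realm disagrees with the [domain_realm] mapping or has no KDC in [realms], and whether the host/<fqdn>@<realm> entry that ldap_child tries to use is present at all. The FQDN passed to check_keytab and the sample file contents are assumptions.

```python
# Constructed sample inputs modelled on the post (not copied from a real host).
KRB5_CONF = """[libdefaults]
default_realm = EU.COMPANY.COM
[realms]
EU.COMPANY.COM = {
  kdc = xxa-eudc01.eu.company.com
}
[domain_realm]
.eu.company.com = EU.COMPANY.COM
.na.company.com = NA.COMPANY.COM
.company.com = COMPANY.COM"""
KLIST_KT = """   2 01/01/2019 00:00:00 host/XXA-ANSTLNX14@EU.COMPANY.COM
   2 01/01/2019 00:00:00 host/xxa-anstlnx14.eu.company.com@COMPANY.COM
   2 01/01/2019 00:00:00 host/box2.na.company.com@NA.COMPANY.COM"""
def parse_krb5_conf(text):
    # Keep only what the checks need: default_realm, realms that name a kdc, domain_realm map.
    conf, section, realm = {"default_realm": None, "realms": set(), "domain_realm": {}}, None, None
    for line in (l.split("#")[0].strip() for l in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=")[0].strip().upper()
        elif section == "realms" and line.startswith("kdc") and realm:
            conf["realms"].add(realm)
        elif section == "libdefaults" and line.startswith("default_realm"):
            conf["default_realm"] = line.split("=", 1)[1].strip().upper()
        elif section == "domain_realm" and "=" in line:
            dom, rlm = (p.strip() for p in line.split("=", 1))
            conf["domain_realm"][dom.lower()] = rlm.upper()
    return conf
def realm_for_host(fqdn, conf):
    # libkrb5 order: exact host entry, then the longest ".parent.domain" entry, else default_realm.
    parts = fqdn.lower().split(".")
    for cand in [fqdn.lower()] + ["." + ".".join(parts[i:]) for i in range(1, len(parts))]:
        if cand in conf["domain_realm"]:
            return conf["domain_realm"][cand]
    return conf["default_realm"]
def check_keytab(conf, klist_text, fqdn):
    # Findings worth checking when the KDC reports host/<fqdn> as "not found in Kerberos database".
    principals = [l.split()[-1] for l in klist_text.splitlines() if l.strip()[:1].isdigit()]
    expected, findings = f"host/{fqdn.lower()}@{realm_for_host(fqdn, conf)}", []
    if expected not in {p.split("@")[0].lower() + "@" + p.split("@")[1].upper() for p in principals}:
        findings.append(f"missing: keytab has no entry for {expected}")
    for name, realm in (p.split("@", 1) for p in principals):
        if realm.upper() not in conf["realms"]:
            findings.append(f"no [realms] kdc for {realm}: {name}@{realm}")
        if name.startswith("host/") and "." in name and realm_for_host(name[5:], conf) != realm.upper():
            findings.append(f"realm mismatch: {name}@{realm} but [domain_realm] maps it to {realm_for_host(name[5:], conf)}")
    return findings
```

On a real host, replace the two constants with the contents of /etc/krb5.conf and the output of `klist -kt /etc/krb5.keytab`; with dns_lookup_kdc = false as in the post, a realm that has no [realms] entry has no KDC that libkrb5 can reach.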

Responses

Yep, facing the very same issues... it's just filling up the logs... very frustrating.

Why not use "COMPANY.COM" as the default realm and simplify things? Also, I assume you've looked at the relevant documentation.

You can use the global catalog to simplify the configuration, but as far as I know SSSD doesn't work very well with sub-domains in this case.

There is of course a trust relationship between all domains.

Anybody know how we can get help on this, please?

Or if someone knows how to disable those logs, in case they do no harm.

Please look at this article: https://access.redhat.com/solutions/2210951. Maybe "krb5_validate=false" in sssd.conf for all trusted domains will help.