sssd kinit attempts fail even when correct 'ldap_sasl_authid' entry is defined
Issue
Attempts by sssd to authenticate using Kerberos after a successful join fail, even when the ldap_sasl_authid entry in /etc/sssd/sssd.conf includes the correct principal name.
Errors such as the following are seen within /var/log/sssd/sssd_<realm>.log:
[sdap_kinit_send] (0x0400): Attempting kinit (default, host/<hostname>, <realm>, <ID>)
[fo_resolve_service_send] (0x0100): Trying to resolve service '<realm>'
[resolve_srv_send] (0x0200): The status of SRV lookup is resolved
[be_resolve_server_process] (0x0200): Found address for server <incorrect_principal>.<realm>: [<IP_address>] TTL 1200
[create_tgt_req_send_buffer] (0x0400): buffer size: 64
[set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
[write_pipe_handler] (0x0400): All data has been sent!
[read_pipe_handler] (0x0400): EOF received, client finished
[sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client not found in Kerberos database], expired on [0]
[sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
[sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [<ID>](Authentication Failed)
Environment
- Red Hat Enterprise Linux (RHEL) 6.
- sssd package versions earlier than 1.11.6-30.el6.x86_64.
