sssd kinit attempts fail even when correct 'ldap_sasl_authid' entry is defined
Issue
sssd attempts to authenticate using Kerberos after a successful join fail, even when the ldap_sasl_authid entry in /etc/sssd/sssd.conf includes the correct principal name.
Errors such as the following are seen within /var/log/sssd/sssd_<realm>.log:
[sdap_kinit_send] (0x0400): Attempting kinit (default, host/<hostname>, <realm>, <ID>)
[fo_resolve_service_send] (0x0100): Trying to resolve service '<realm>'
[resolve_srv_send] (0x0200): The status of SRV lookup is resolved
[be_resolve_server_process] (0x0200): Found address for server <incorrect_principal>.<realm>: [<IP_address>] TTL 1200
[create_tgt_req_send_buffer] (0x0400): buffer size: 64
[set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
[write_pipe_handler] (0x0400): All data has been sent!
[read_pipe_handler] (0x0400): EOF received, client finished
[sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client not found in Kerberos database], expired on [0]
[sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
[sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [<ID>](Authentication Failed)
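To check which principal sssd actually requested against the configured ldap_sasl_authid, the log excerpt above can be parsed as in this added example (not Red Hat's or the sssd project's code). The sample log values, the function names, and the reading of the kinit fields as keytab, principal and realm are assumptions.

```python
import re

# Reading the first three fields as keytab, principal and realm is an assumption.
KINIT_RE = re.compile(
    r"\[sdap_kinit_send\].*?Attempting kinit \(([^,]+), ([^,]+), ([^,]+), [^)]*\)")
RESP_RE = re.compile(r"\[sdap_get_tgt_recv\].*?Child responded: (\d+) \[([^\]]*)\]")


def normalize(principal):
    """Drop an optional @REALM suffix so both spellings compare equal."""
    return principal.split("@", 1)[0].strip()


def kinit_attempts(lines, configured_authid):
    """Pair each kinit attempt with the child's response; flag config mismatches."""
    results, current = [], None
    for line in lines:
        m = KINIT_RE.search(line)
        if m:
            keytab, principal, realm = (g.strip() for g in m.groups())
            current = {
                "keytab": keytab, "principal": principal, "realm": realm,
                "code": None, "message": None,
                "matches_config": normalize(principal) == normalize(configured_authid),
            }
            results.append(current)
            continue
        m = RESP_RE.search(line)
        if m and current is not None:
            # The child's reply belongs to the most recent unanswered attempt.
            current["code"], current["message"] = int(m.group(1)), m.group(2)
            current = None
    return results


# Constructed sample: the page's log layout with made-up host, realm and timestamps.
SAMPLE_LOG = """\
(Mon Jan  5 10:00:01 2015) [sssd[be[example.com]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/client1.example.com, EXAMPLE.COM, 86400)
(Mon Jan  5 10:00:01 2015) [sssd[be[example.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Mon Jan  5 10:00:01 2015) [sssd[be[example.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client not found in Kerberos database], expired on [0]
(Mon Jan  5 10:00:01 2015) [sssd[be[example.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
""".splitlines()

if __name__ == "__main__":
    # "CLIENT1$@EXAMPLE.COM" stands in for the ldap_sasl_authid value from sssd.conf.
    for attempt in kinit_attempts(SAMPLE_LOG, "CLIENT1$@EXAMPLE.COM"):
        print(attempt)
```

A result with `matches_config` set to False and a non-zero `code` shows that the failing request used a principal other than the one configured.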
Environment
- Red Hat Enterprise Linux (RHEL) 6.
- sssd package versions earlier than 1.11.6-30.el6.x86_64.