SSSD tries to resolve the users from wrong realm



My Kerberos realm is EXAMPLE.COM, and when I try to log in using Kerberos (GSSAPI) it works fine.

However, if I want to use a password (i.e., I log in from a machine that is not part of the same Kerberos realm) with my AD user, SSSD seems to search for the user in the realm FOO.BAR instead of EXAMPLE.COM.

Here are the relevant logs from SSSD:

    [sssd[be[default]]] [write_pipe_handler] (0x0400): All data has been sent!
    [[sssd[krb5_child[25136]]]] [main] (0x0400): krb5_child started.
    [[sssd[krb5_child[25136]]]] [unpack_buffer] (0x1000): total buffer size: [127]
    [[sssd[krb5_child[25136]]]] [unpack_buffer] (0x0100): cmd [241] uid [1157] gid [1000] validate [false] offline [false] UPN [najmuddin@FOO.BAR]
    [[sssd[krb5_child[25136]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1157_XXXXXX] keytab: [/etc/krb5.keytab]
    [[sssd[krb5_child[25136]]]] [krb5_child_setup] (0x0400): Will perform online auth
    [[sssd[krb5_child[25136]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
    [[sssd[krb5_child[25136]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
    [[sssd[krb5_child[25136]]]] [krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
    [[sssd[krb5_child[25136]]]] [krb5_child_setup] (0x0100): Not using FAST.
    [[sssd[krb5_child[25136]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
    [[sssd[krb5_child[25136]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [FOO.BAR]
    [[sssd[krb5_child[25136]]]] [sss_child_krb5_trace_cb] (0x4000): [25136] 1361539794.737092: Getting initial credentials for najmuddin@FOO.BAR
    [[sssd[krb5_child[25136]]]] [sss_child_krb5_trace_cb] (0x4000): [25136] 1361539794.737274: Sending request (188 bytes) to FOO.BAR
    [[sssd[krb5_child[25136]]]] [get_and_save_tgt] (0x0020): 977: [-1765328164][Cannot resolve servers for KDC in realm "FOO.BAR"]
    [[sssd[krb5_child[25136]]]] [kerr_handle_error] (0x0020): 1030: [-1765328164][Cannot resolve servers for KDC in realm "FOO.BAR"]
    [[sssd[krb5_child[25136]]]] [prepare_response_message] (0x0400): Building response for result [-1765328164]
    [[sssd[krb5_child[25136]]]] [pack_response_packet] (0x2000): response packet size: [70]
    [[sssd[krb5_child[25136]]]] [sendresponse] (0x4000): Response sent.
    [[sssd[krb5_child[25136]]]] [main] (0x0400): krb5_child completed successfully
    [sssd[be[default]]] [read_pipe_handler] (0x0400): EOF received, client finished
    [sssd[be[default]]] [parse_krb5_child_response] (0x1000): child response [4][1][58].
    [sssd[be[default]]] [check_wait_queue] (0x1000): Wait queue for user [najmuddin] is empty.
    [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
    [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sending result [4][default]
    [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sent result [4][default]
    [sssd[be[default]]] [child_sig_handler] (0x1000): Waiting for child [25136].
    [sssd[be[default]]] [child_sig_handler] (0x0100): child [25136] finished successfully.
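
A triage check for the symptom in the excerpt above, as an added example (not part of the original article or of SSSD): it groups `krb5_child` debug lines by PID and reports attempts whose UPN or kinit realm differs from the expected one. The function name, the expected-realm parameter and the last two sample lines are assumptions made for illustration.

```python
import re

# First three lines are taken from the excerpt above; the last two
# (pid 25140, user alice) are constructed to show a non-matching case.
SAMPLE_LOG = """\
[[sssd[krb5_child[25136]]]] [unpack_buffer] (0x0100): cmd [241] uid [1157] gid [1000] validate [false] offline [false] UPN [najmuddin@FOO.BAR]
[[sssd[krb5_child[25136]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [FOO.BAR]
[[sssd[krb5_child[25136]]]] [get_and_save_tgt] (0x0020): 977: [-1765328164][Cannot resolve servers for KDC in realm "FOO.BAR"]
[[sssd[krb5_child[25140]]]] [unpack_buffer] (0x0100): cmd [241] uid [1158] gid [1000] validate [false] offline [false] UPN [alice@EXAMPLE.COM]
[[sssd[krb5_child[25140]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [EXAMPLE.COM]
"""

PID = re.compile(r"krb5_child\[(\d+)\]")
UPN = re.compile(r"\[unpack_buffer\].*UPN \[([^@\]]+)@([^\]]+)\]")
KINIT = re.compile(r"\[get_and_save_tgt\].*Attempting kinit for realm \[([^\]]+)\]")
ERROR = re.compile(r"\[get_and_save_tgt\] \(0x0020\): \d+: \[(-?\d+)\]\[(.*)\]\s*$")

def realm_mismatches(log_text, expected_realm):
    """Group krb5_child lines by PID; return attempts whose realm is not expected_realm."""
    attempts = {}
    for line in log_text.splitlines():
        pid = PID.search(line)
        if not pid:
            continue  # backend (be[...]) lines carry no per-attempt realm
        rec = attempts.setdefault(pid.group(1), {
            "pid": int(pid.group(1)), "user": None, "upn_realm": None,
            "kinit_realm": None, "error": None})
        if m := UPN.search(line):
            rec["user"], rec["upn_realm"] = m.group(1), m.group(2)
        elif m := KINIT.search(line):
            rec["kinit_realm"] = m.group(1)
        elif m := ERROR.search(line):
            rec["error"] = (int(m.group(1)), m.group(2))
    expected = expected_realm.upper()
    return [r for r in attempts.values()
            if any(realm and realm.upper() != expected
                   for realm in (r["upn_realm"], r["kinit_realm"]))]

if __name__ == "__main__":
    for r in realm_mismatches(SAMPLE_LOG, "EXAMPLE.COM"):
        print(f"pid {r['pid']}: {r['user']} sent to realm {r['kinit_realm'] or r['upn_realm']} "
              f"(expected EXAMPLE.COM), error={r['error']}")
```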


Red Hat Enterprise Linux 6.4
