
List:       sssd-users
Subject:    Re: [SSSD-users] ldap bind fails
From:       Marcus Moeller <marcus.moeller () gmx ! ch>
Date:       2013-08-13 9:02:58
Message-ID: 5209F642.4040402 () gmx ! ch



Dear Sumit,

>>>>>>>> I am trying to use the AD provider in order to connect a client to our
>>>>>>>> Active Directory. I have to mention that our DNS setup is somewhat
>>>>>>>> broken, so reverse lookups do not work by default.
>>>>>>>>
>>>>>>>> When I now try to connect, with reverse lookups not working, I get an error:
>>>>>>>>
>>>>>>>> ...
>>>>>>>>
>>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [resolve_srv_send]
>>>>>>>> (0x0200): The status of SRV lookup is resolved
>>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [get_server_status]
>>>>>>>> (0x1000): Status of server 'novo.d.ethz.ch' is 'name resolved'
>>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]]
>>>>>>>> [be_resolve_server_process] (0x1000): Saving the first resolved server
>>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]]
>>>>>>>> [be_resolve_server_process] (0x0200): Found address for server
>>>>>>>> novo.d.ethz.ch: [172.31.65.60] TTL 938
>>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]]
>>>>>>>> [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get
>>>>>>>> TGT...
>>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]]
>>>>>>>> [create_tgt_req_send_buffer] (0x1000): buffer size: 43
>>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [set_tgt_child_timeout]
>>>>>>>> (0x0400): Setting 6 seconds timeout for tgt child
>>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [write_pipe_handler]
>>>>>>>> (0x0400): All data has been sent!
>>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [main] (0x0400):
>>>>>>>> ldap_child started.
>>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>>>>>>> (0x1000): total buffer size: 43
>>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>>>>>>> (0x1000): realm_str size: 9
>>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>>>>>>> (0x1000): got realm_str: D.ETHZ.CH
>>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>>>>>>> (0x1000): princ_str size: 18
>>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>>>>>>> (0x1000): got princ_str: ldapmap1/d.ethz.ch
>>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>>>>>>> (0x1000): keytab_name size: 0
>>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [unpack_buffer]
>>>>>>>> (0x1000): lifetime: 86400
>>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]]
>>>>>>>> [ldap_child_get_tgt_sync] (0x0100): Principal name is:
>>>>>>>> [ldapmap1/d.ethz.ch@D.ETHZ.CH]
>>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]]
>>>>>>>> [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
>>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [prepare_response]
>>>>>>>> (0x0400): Building response for result [0]
>>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [pack_buffer]
>>>>>>>> (0x1000): result [0] krberr [0] msgsize [37] msg
>>>>>>>> [FILE:/var/lib/sss/db/ccache_D.ETHZ.CH]
>>>>>>>> (Mon Aug 12 14:40:08 2013) [[sssd[ldap_child[1917]]]] [main] (0x0400):
>>>>>>>> ldap_child completed successfully
>>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [read_pipe_handler]
>>>>>>>> (0x0400): EOF received, client finished
>>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_get_tgt_recv]
>>>>>>>> (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_D.ETHZ.CH],
>>>>>>>> expired on [1376347208]
>>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_cli_auth_step]
>>>>>>>> (0x0100): expire timeout is 900
>>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sdap_cli_auth_step]
>>>>>>>> (0x1000): the connection will expire at 1376312108
>>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send]
>>>>>>>> (0x0100): Executing sasl bind mech: gssapi, user: ldapmap1/d.ethz.ch
>>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send]
>>>>>>>> (0x0020): ldap_sasl_bind failed (-2)[Local error]
>>>>>>>> (Mon Aug 12 14:40:08 2013) [sssd[be[D.ETHZ.CH]]] [sasl_bind_send]
>>>>>>>> (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI
>>>>>>>> Error: Unspecified GSS failure.  Minor code may provide more information
>>>>>>>> (Server not found in Kerberos database)]
>>>>>>>>
>>>>>>>> ...
>>>>>>>>
>>>>>>>> Any idea why this might happen?
>>>>>>>>
>>>>>>>> Greets
>>>>>>>> Marcus
>>>>>>>>
>>>>>>>
>>>>>>> Hi Marcus,
>>>>>>>
>>>>>>> Could you post your sssd.conf and krb5.conf setting?
>>>>>>
>>>>>>
>>>>>> krb5.conf
>>>>>> ...
>>>>>> [libdefaults]
>>>>>>          dns_lookup_realm = true
>>>>>>          forwardable = true
>>>>>>          default_realm = D.ETHZ.CH
>>>>>>
>>>>>>
>>>>>> sssd.conf
>>>>>> ...
>>>>>> [sssd]
>>>>>> config_file_version = 2
>>>>>>
>>>>>> # Number of times services should attempt to reconnect in the
>>>>>> # event of a crash or restart before they give up
>>>>>> reconnection_retries = 3
>>>>>>
>>>>>> # If a back end is particularly slow you can raise this timeout here
>>>>>> sbus_timeout = 30
>>>>>> services = nss, pam
>>>>>>
>>>>>> # SSSD will not start if you do not configure any domains.
>>>>>> # Add new domain configurations as [domain/<NAME>] sections, and
>>>>>> # then add the list of domains (in the order you want them to be
>>>>>> # queried) to the "domains" attribute below and uncomment it.
>>>>>> # domains = LOCAL,LDAP
>>>>>>
>>>>>> domains = D.ETHZ.CH
>>>>>>
>>>>>> [nss]
>>>>>> # The following prevents SSSD from searching for the root user/group in
>>>>>> # all domains (you can add here a comma-separated list of system accounts
>>>>>> # that are always going to be /etc/passwd users, or that you want to filter out).
>>>>>> filter_groups = root
>>>>>> filter_users = root
>>>>>> reconnection_retries = 3
>>>>>>
>>>>>> # The entry_cache_timeout indicates the number of seconds to retain an
>>>>>> # entry in cache before it is considered stale and must block to refresh.
>>>>>> # The entry_cache_nowait_timeout indicates the number of seconds to
>>>>>> # wait before updating the cache out-of-band. (NSS requests will still
>>>>>> # be returned from cache until the full entry_cache_timeout). Setting this
>>>>>> # value to 0 turns this feature off (default).
>>>>>> # entry_cache_timeout = 600
>>>>>> # entry_cache_nowait_timeout = 300
>>>>>>
>>>>>> [pam]
>>>>>> reconnection_retries = 3
>>>>>>
>>>>>> [domain/D.ETHZ.CH]
>>>>>> #debug_level=5
>>>>>> id_provider = ad
>>>>>> ad_domain = d.ethz.ch
>>>>>> dns_discovery_domain = d.ethz.ch
>>>>>> krb5_realm = D.ETHZ.CH
>>>>>> ldap_user_principal = xyz.example
>>>>>> ldap_id_mapping = false
>>>>>>
>>>>>>
>>>>>> Greets
>>>>>> Marcus
>>>>>>
>>>>>
>>>>> SSSD tries to get a TGT for ldapmap1/d.ethz.ch@D.ETHZ.CH which looks a
>>>>> bit odd and the AD KDC returns (Server not found in Kerberos database)
>>>>> for this principal. Please try to add the hostname of the client in the
>>>>> ad_hostname option.
>>>>
>>>> I am using a keytab and have not joined the machine. ldapmap1 is correct.
>>>
>>> Does
>>>
>>> kinit -k 'ldapmap1/d.ethz.ch@D.ETHZ.CH'
>>>
>>> work on the command line?
>>>
>>> How did you create the keytab? If ldapmap1 is just an SPN it might not
>>> be possible to get a TGT for this principal.
>>
>> Yes, it all works and it also works when reverse lookup is set up
>> correctly, so it must be somewhat related to that.
>
> By "when reverse lookup is set up correctly" you mean correctly set up
> on the DNS server?
>
> Have you set the rdns option in your krb5.conf? Setting it to false
> should skip all attempts to do reverse lookups in libkrb5.

That was the option that was missing. Thanks for pointing it out.

Greets
Marcus
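The mechanism behind the fix above, as an added example that is not from the thread, SSSD or MIT krb5: a simplified model of how libkrb5 canonicalizes the LDAP server's name into the service principal it asks the KDC for, driven by the rdns flag read from a constructed krb5.conf. The DNS tables, the stale PTR name old-dc.d.ethz.ch, and the helper names are assumptions.

```python
"""Model of libkrb5 host-based principal canonicalization (constructed example).

Not SSSD or MIT krb5 code: a tiny parser for the 'rdns' flag in the
[libdefaults] section of krb5.conf plus a simplified sn2princ() that uses
injected DNS tables instead of real lookups.
"""
import re

# Constructed DNS tables: forward lookup works, but the PTR record for the
# DC's address is stale and names a host that has no ldap/ SPN in AD.
FORWARD = {"novo.d.ethz.ch": "172.31.65.60"}
REVERSE = {"172.31.65.60": "old-dc.d.ethz.ch"}

KRB5_CONF_ORIGINAL = """[libdefaults]
    dns_lookup_realm = true
    forwardable = true
    default_realm = D.ETHZ.CH
"""
# Same file with the missing option added (the fix from the thread).
KRB5_CONF_FIXED = KRB5_CONF_ORIGINAL + "    rdns = false\n"


def rdns_enabled(conf_text):
    """Effective rdns setting from [libdefaults]; MIT krb5 defaults it to true."""
    section = None
    for line in conf_text.splitlines():
        line = line.strip()
        m = re.match(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = (p.strip() for p in line.partition("="))
            if key == "rdns":
                return value.lower() in ("true", "yes", "1")
    return True


def sn2princ(service, host, realm, rdns, forward=FORWARD, reverse=REVERSE):
    """Build service/host@REALM the way libkrb5 does, simplified.

    Forward-resolve the host; with rdns on, replace the name by the PTR
    result when one exists (a failed reverse lookup keeps the forward name).
    """
    host = host.lower()
    addr = forward.get(host)
    if addr is None:
        raise LookupError(f"cannot resolve {host}")
    if rdns and addr in reverse:
        host = reverse[addr].lower()
    return f"{service}/{host}@{realm}"


def ldap_target(conf_text, host="novo.d.ethz.ch", realm="D.ETHZ.CH"):
    """Principal the GSSAPI LDAP bind will request a ticket for under this config."""
    return sn2princ("ldap", host, realm, rdns_enabled(conf_text))
```

With the original configuration the model asks for ldap/old-dc.d.ethz.ch@D.ETHZ.CH, which the AD KDC answers with "Server not found in Kerberos database"; with rdns = false the forward name is kept.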


