List:       sssd-users
Subject:    Re: [SSSD-users] sssd in a mixed 2003/2008 servers AD environment
From:       "YVAN MASSON" <yvan.masson () educagri ! fr>
Date:       2015-03-31 10:51:02
Message-ID: fc.000f5d972f52a42c000f5d972f4e1ad9.2f52a9d4 () educagri ! fr

Hi,

End-user discussions about the System Security Services Daemon
<sssd-users@lists.fedorahosted.org> wrote on Tue, Mar 31, 2015 at 9:56:

On Mon, Mar 30, 2015 at 06:41:37PM +0200, YVAN MASSON wrote:
> Hi everybody,
>
> First, thanks for this great tool!
> With a very simple setup, it allows me to use dozens of *Ubuntu 14.04
> (sssd version 1.11.5-1ubuntu3) computers in the AD environment of my
> school, where I have two 2003 servers.
>
> I tried to help a colleague to do the same in another school (where there
> is a mix of 2003 and 2008 servers), but I failed: the problem seems to
> come from Kerberos, because I found messages of this type in the sssd
> logs: "... has no support for encryption type". The enrollment of the
> computer in the realm was OK, but user logins sometimes fail.
> In some blog I can't find anymore, it was written that old encryption
> types (DES) were not supported anymore on 2008 servers, so I tried to
> force some Kerberos options ("krb5_use_kdcinfo = false" in sssd.conf and

Setting this should not be needed. With the default setting SSSD will
try to use the same AD DC as long as possible for Kerberos related
operations. With your settings it might use a different AD DC for every
operation.

What you say seems strange to me from what I read... but I trust
you on this point!


> "allow_weak_crypto = 1" in /etc/krb5.conf).

Please try 'allow_weak_crypto = true'; I'm not sure if '1' evaluates to
'true' as well.

> The sssd logs suggest that /etc/krb5.conf is looked at, but the result is
> the same.
>
> The only thing "working" was to prevent the computer from talking with the
> 2003 server with iptables, but this is a horrible and annoying hack.
>
> So my questions are:
> - Has anyone already managed to use sssd in this type of environment?
> - Would you have any idea where to look for better debugging?

SSSD's krb5_child.log should have all the details if you use
debug_level=10 in the domain section of sssd.conf.

This is very interesting, I did not think about it. As I said in my other email, I
will look more deeply when I have remote access to a test computer,
and I will let you know.

Thanks very much,
Yvan


HTH

bye,
Sumit

>
> Thanks very much,
> Yvan Masson
>

> _______________________________________________
> sssd-users mailing list
> mailto:sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
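
A check for the three settings discussed in this thread, added here as an example and not written by either poster: it reads krb5.conf and sssd.conf text and reports whether weak encryption types are enabled, whether krb5_use_kdcinfo is turned off, and whether a domain lacks debug_level. The function names and sample files are hypothetical, and the boolean spellings assume the MIT krb5 profile parser.

```python
import configparser

# Boolean spellings accepted by MIT krb5's profile parser (assumption: the
# client uses MIT krb5; other Kerberos implementations may parse differently).
KRB5_TRUE = {"y", "yes", "true", "t", "1", "on"}
KRB5_FALSE = {"n", "no", "false", "nil", "0", "off"}

def krb5_libdefaults(text):
    """Collect key = value pairs from the [libdefaults] section of krb5.conf."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values

def krb5_bool(value):
    """True/False for a recognised spelling, None for anything else."""
    v = value.strip().lower()
    return True if v in KRB5_TRUE else False if v in KRB5_FALSE else None

def review(krb5_text, sssd_text):
    """Return findings for the settings discussed in this thread."""
    findings = []
    weak = krb5_libdefaults(krb5_text).get("allow_weak_crypto")
    if weak is not None:
        state = krb5_bool(weak)
        if state is None:
            findings.append(f"krb5.conf: allow_weak_crypto = {weak!r} is not a boolean")
        elif state:
            findings.append("krb5.conf: weak encryption types (such as DES) are enabled")
    sssd = configparser.ConfigParser(interpolation=None, strict=False)
    sssd.read_string(sssd_text)
    for name in (s for s in sssd.sections() if s.startswith("domain/")):
        dom = sssd[name]
        if dom.get("krb5_use_kdcinfo", "true").strip().lower() == "false":
            findings.append(f"sssd.conf [{name}]: krb5_use_kdcinfo is disabled")
        if "debug_level" not in dom:
            findings.append(f"sssd.conf [{name}]: debug_level is not set")
    return findings

# Constructed sample input mirroring the settings quoted in the thread.
SAMPLE_KRB5 = "[libdefaults]\n  default_realm = EXAMPLE.TEST\n  allow_weak_crypto = 1\n"
SAMPLE_SSSD = "[sssd]\ndomains = example.test\n\n[domain/example.test]\nkrb5_use_kdcinfo = false\n"
```

Calling `review(SAMPLE_KRB5, SAMPLE_SSSD)` returns one finding per setting; pass the contents of the real /etc/krb5.conf and sssd.conf to check a client.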
