
I have some intermittent authentication issues on my Ubuntu 15.04 servers. I have asked about this issue directly here: Kerberos encryption type error

My Windows DCs are mixed versions for now (we're working to eliminate the older DCs and upgrade to the latest version.) How can I verify which DC each Ubuntu box is authenticating to? It just uses DNS to find a DC. Will each box always use the same DC as long as it's available, or will it use some sort of round robin? Since the issue is intermittent I'm curious to know if it's related to only certain DCs.

mrwboilers

3 Answers


By default your system will perform round robin lookups, including for Kerberos. If you want to troubleshoot this with specific domain controllers I suggest adding a HOSTS file entry for yourdomain.com and pointing it to a specific controller. That tends to be a safer method than updating your whole Kerberos configuration.

Edit:

In response to Andy's answer: editing sssd.conf will work if the system in question uses sssd and the issue lies within sssd. The danger is other apps that may also be using the domain name to bind. As a result you can get inconsistent results. That is precisely why I suggest the hosts file method. It impacts the whole server, not just one service. I have found this to be useful in environments with multiple admins, especially when /etc isn't under version control.

Tim Brigham
  • Thanks for the reply! I'll test that out and return with the results. – mrwboilers Oct 30 '15 at 20:21
  • The hosts file change doesn't seem to help. The issue lies with Kerberos. I think I have a workaround by defining the domain and each valid KDC in /etc/krb5.conf rather than letting Kerberos use DNS to look up the KDCs. At least this seems to work on the one box I've tested it on so far. Do you know if there are any services that can be restarted to get the new krb5.conf to take effect, or is a reboot necessary? – mrwboilers Nov 04 '15 at 15:11
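Pinning the KDC list the way the comment above describes, and checking what a box ends up with, as an added example (this is not code from the answers or from the commenter): with MIT Kerberos the kdc = entries in a realm's stanza of /etc/krb5.conf are tried in order, and a DNS SRV lookup is only attempted when the realm has no such entries and dns_lookup_kdc is true (its default). The krb5.conf fragment below is constructed; the EXAMPLE.ORG realm and the dc1/dc2 host names are hypothetical.

```shell
#!/bin/sh
# Added example. Constructed /etc/krb5.conf fragment: EXAMPLE.ORG, OTHER.ORG
# and the dc1/dc2 hosts are hypothetical, not from the original question.
KRB5_SAMPLE='[libdefaults]
    default_realm = EXAMPLE.ORG
    dns_lookup_kdc = false

[realms]
    EXAMPLE.ORG = {
        kdc = dc1.example.org
        kdc = dc2.example.org
        admin_server = dc1.example.org
    }
    OTHER.ORG = {
        kdc = kdc.other.org
    }
'
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
printf '%s' "$KRB5_SAMPLE" > "$SAMPLE_CONF"

# list_kdcs REALM FILE: print the "kdc =" hosts configured for REALM, one per
# line, in the order libkrb5 will try them. Nothing is printed for a realm
# that has no stanza (that is the case where DNS SRV lookup would be used).
list_kdcs() {
    awk -v realm="$1" '
        /^\[/ { section = $1 }                                   # [libdefaults], [realms], ...
        section == "[realms]" && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && $1 == "}"                { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "=" { print $3 }
    ' "$2"
}

# dns_lookup_kdc_enabled FILE: "true" if libkrb5 may fall back to DNS SRV
# records (the MIT default when the option is absent), "false" if disabled.
dns_lookup_kdc_enabled() {
    v=$(awk '$1 == "dns_lookup_kdc" && $2 == "=" { print tolower($3) }' "$1")
    case "$v" in
        false|no|0|off) echo false ;;
        *)              echo true ;;
    esac
}

echo "KDCs configured for EXAMPLE.ORG:"
list_kdcs EXAMPLE.ORG "$SAMPLE_CONF"
echo "DNS SRV fallback enabled: $(dns_lookup_kdc_enabled "$SAMPLE_CONF")"

# To see which of those hosts a real client actually talks to, run any libkrb5
# client with tracing switched on, for example:
#   KRB5_TRACE=/dev/stderr kinit user@EXAMPLE.ORG
# The "Sending initial UDP request to dgram <ip>:88" lines name the KDC used.
```

On the restart question raised in the comment: krb5.conf is read by each process when it creates its Kerberos context, so one-shot tools such as kinit see a change on their next run, while a long-running daemon like sssd should be restarted (service sssd restart) so it is not holding an older view; a reboot is not required.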

It should be possible to specify a dc using the "ad_server" option in sssd.conf:

ad_server = dctotest.example.org
Andy
  • I've had this set all along in sssd.conf, but it doesn't seem to work. Kerberos still seems to round-robin all available DCs. – mrwboilers Nov 04 '15 at 15:13

In addition to what everyone else said, the krb5_child.log shows very verbose information (to the extent libkrb5 gives):

(Sun Nov 1 21:08:05 2015) [[sssd[ldap_child[22284]]]] [sss_child_krb5_trace_cb] (0x4000): [22284] 1446412085.69409: Sending request (274 bytes) to WIN.TRUST.TEST

(Sun Nov 1 21:08:05 2015) [[sssd[ldap_child[22284]]]] [sss_child_krb5_trace_cb] (0x4000): [22284] 1446412085.69457: Sending initial UDP request to dgram 192.168.122.90:88

(Sun Nov 1 21:08:05 2015) [[sssd[ldap_child[22284]]]] [sss_child_krb5_trace_cb] (0x4000): [22284] 1446412085.70323: Received answer (100 bytes) from dgram 192.168.122.90:88

(Sun Nov 1 21:08:05 2015) [[sssd[ldap_child[22284]]]] [sss_child_krb5_trace_cb] (0x4000): [22284] 1446412085.70394: Response was from master KDC

jhrozek