I followed Configuration 3 from the Red Hat AD integration guide (https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf), but I am stuck.
I am on CentOS 6.8.
I have a working AD connection:
service sssd stop
rm -r /var/lib/sss/db/*
rm -r /var/lib/sss/mc/*
service sssd start
getent passwd robau@MYNETWORK.LOCAL
This returns a sensible line:
robau:*:102201201:102200513:Rob Audenaerde:/:
However, when I try to connect over SSH, I can't log in. I enabled SSSD debugging on all components at level 5 in the sssd.conf.
The error I see (in /var/log/sssd/krb5_child.log) is:
(Fri Jun 17 17:23:18 2016) [[sssd[krb5_child[3561]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/server-new.mynetwork.nl@MYNETWORK.LOCAL].
(Fri Jun 17 17:23:18 2016) [[sssd[krb5_child[3561]]]] [get_and_save_tgt] (0x0020): 1240: [-1765328377][Server not found in Kerberos database]
(Fri Jun 17 17:23:18 2016) [[sssd[krb5_child[3561]]]] [map_krb5_error] (0x0020): 1301: [-1765328377][Server not found in Kerberos database]
(Fri Jun 17 17:23:18 2016) [[sssd[krb5_child[3561]]]] [k5c_send_data] (0x0200): Received error code 1432158209
The server is in DNS; I can find it using nslookup:
nslookup server-new.mynetwork.nl
Server: 192.168.110.56
Address: 192.168.110.56#53
Name: server-new.mynetwork.nl
Address: 192.168.210.94
And:
kvno host/server-new.mynetwork.nl@MYNETWORK.LOCAL
kvno: Server not found in Kerberos database while getting credentials for host/server-new.mynetwork.nl@MYNETWORK.LOCAL
Any hints/tips for troubleshooting?
[EDIT]
I used authconfig to set up the necessary pam and nss stuff:
authconfig --enablesssdauth --enablesssd --enablemkhomedir --update
Output of klist -kte:
25 06/20/16 10:56:24 host/server-new.mynetwork.nl@MYNETWORK.LOCAL (des-cbc-crc)
25 06/20/16 10:56:24 host/server-new.mynetwork.nl@MYNETWORK.LOCAL (des-cbc-md5)
25 06/20/16 10:56:24 host/server-new.mynetwork.nl@MYNETWORK.LOCAL (aes128-cts-hmac-sha1-96)
25 06/20/16 10:56:24 host/server-new.mynetwork.nl@MYNETWORK.LOCAL (aes256-cts-hmac-sha1-96)
25 06/20/16 10:56:24 host/server-new.mynetwork.nl@MYNETWORK.LOCAL (arcfour-hmac)
25 06/20/16 10:56:24 host/server-new@MYNETWORK.LOCAL (des-cbc-crc)
25 06/20/16 10:56:24 host/server-new@MYNETWORK.LOCAL (des-cbc-md5)
25 06/20/16 10:56:25 host/server-new@MYNETWORK.LOCAL (aes128-cts-hmac-sha1-96)
25 06/20/16 10:56:25 host/server-new@MYNETWORK.LOCAL (aes256-cts-hmac-sha1-96)
25 06/20/16 10:56:25 host/server-new@MYNETWORK.LOCAL (arcfour-hmac)
25 06/20/16 10:56:25 SERVER-NEW$@MYNETWORK.LOCAL (des-cbc-crc)
25 06/20/16 10:56:25 SERVER-NEW$@MYNETWORK.LOCAL (des-cbc-md5)
25 06/20/16 10:56:25 SERVER-NEW$@MYNETWORK.LOCAL (aes128-cts-hmac-sha1-96)
25 06/20/16 10:56:25 SERVER-NEW$@MYNETWORK.LOCAL (aes256-cts-hmac-sha1-96)
25 06/20/16 10:56:26 SERVER-NEW$@MYNETWORK.LOCAL (arcfour-hmac)
Output of klist:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: SERVER-NEW$@MYNETWORK.LOCAL
Valid starting Expires Service principal
06/20/16 10:56:41 06/20/16 20:56:41 krbtgt/MYNETWORK.LOCAL@MYNETWORK.LOCAL
renew until 06/27/16 10:56:41
06/20/16 11:36:07 06/20/16 20:56:41 ldap/my-ad.mynetwork.local@MYNETWORK.LOCAL
renew until 06/27/16 10:56:41
[EDIT 2]
If I add krb5_validate at the end of the sssd.conf section [domain/mynetwork.local], then I am able to log in. However, I also set up another server that did not need this step, so I'm reluctant to leave it like this.
[EDIT 3]
During the net ads join -k I get an error/warning:
DNS Update for failed: ERROR_DNS_GSS_ERROR
DNS update failed!
[EDIT 4]
I see the output of net ads info is not using the main domain controller I specified in my config files (and it is 2003R2, not 2008R2). Is there a way to 'force' the net ads join -k to use a specific domain controller?