I've been trying to set up SSSD on a CentOS 7 machine to join it to a Windows AD for user management.
I've managed to get Kerberos working independently of this setup, using LDAPS as the transport protocol. I have also successfully joined the machine to the domain using realm join.
This automatically configured sssd.conf, but after starting sssd I found that the backend failed to start.
The only thing I can see in the logs that seems relevant is:
(Thu Mar 21 19:45:43 2019) [sssd[be[SERC.LOCAL]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
I've verified that rdns is disabled for Kerberos on the machine in question. I've also made sure that the server in question exists on the domain. The times on both machines are also in sync.
There appears to be no trouble getting a TGT from the domain controller for the server account, though the only server-side verification is a 4768 event which appears to be a failure. The SSSD logs suggest that it succeeded, however:
(Fri Mar 22 01:29:44 2019) [[sssd[ldap_child[13180]]]] [ldap_child_get_tgt_sync] (0x2000): credentials initialized
(Fri Mar 22 01:29:44 2019) [[sssd[ldap_child[13180]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_MYDOMAIN.LOCAL_TUJGh8]
(Fri Mar 22 01:29:44 2019) [[sssd[ldap_child[13180]]]] [sss_child_krb5_trace_cb] (0x4000): [13180] 1553178584.546015: Initializing FILE:/var/lib/sss/db/ccache_MYDOMAIN.LOCAL_TUJGh8 with default princ SOME_COMPUTER$@MYDOMAIN.LOCAL
(Fri Mar 22 01:29:44 2019) [[sssd[ldap_child[13180]]]] [sss_child_krb5_trace_cb] (0x4000): [13180] 1553178584.546016: Storing SOME_COMPUTER$@MYDOMAIN.LOCAL -> krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL in FILE:/var/lib/sss/db/ccache_MYDOMAIN.LOCAL_TUJGh8
(Fri Mar 22 01:29:44 2019) [[sssd[ldap_child[13180]]]] [ldap_child_get_tgt_sync] (0x2000): credentials stored
(Fri Mar 22 01:29:44 2019) [[sssd[ldap_child[13180]]]] [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset
It seems to be a TLS issue to me. Configuring sssd for AD appears to force port 389, with GSSAPI for encryption. I tried setting ldap_uri to explicitly connect using ldaps, but this is ignored unless I revert the config to use ldap for everything, which works fine, but the AD schema isn't recognised.
I'm not sure what else to try here. The online solutions all point to a DNS issue but I'm certain DNS is configured fine.
SSSD config, if it helps (some of this was added to get LDAP to function, so there may be some vestigial options):
[domain/MY_DOMAIN.LOCAL]
debug_level = 10
# enumerate = true
ad_hostname = SOME_COMPUTER.F.Q.D.N
ad_server = DOMAIN_CONTROLLER
ad_domain = MY_DOMAIN.LOCAL
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_uri = ldaps://DOMAIN_CONTROLLER:636
ldap_tls_cacert = /etc/openldap/certs/mycert.cer
ldap_sasl_authid = SOME_COMPUTER$@MY_DOMAIN.LOCAL
ldap_sasl_canonicalize = false
ldap_schema = ad
# #krb5_realm = MY_DOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
# #krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ldap
ldap_schema = rfc2307bis
Thanks in advance.
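Added example (editor's code, not part of the original post): a small Python checker for the domain section quoted above. Before chasing the Kerberos error further it is worth ruling out two things that are visible in the posted config itself. First, two keys are set twice in the same section (access_provider = ad / ldap and ldap_schema = ad / rfc2307bis); in a parser that keeps the last occurrence the effective values are ldap and rfc2307bis, which is not what the AD provider lines above them intend. Second, the hostnames in ad_server and ldap_uri are unqualified. Kerberos derives the LDAP service principal (ldap/<host>@REALM) from that name after DNS canonicalization, so whatever is written there must end up matching an SPN the DC has registered; a bare short name, CNAME alias or IP address leaves that to DNS. SAMPLE_CONF is constructed from the post, using its placeholder names; nothing here talks to the network.

```python
import re

# Constructed sample: the [domain/...] section from the post, reduced to the
# keys this check cares about. Hostnames are the post's own placeholders.
SAMPLE_CONF = """
[domain/MY_DOMAIN.LOCAL]
debug_level = 10
ad_hostname = SOME_COMPUTER.F.Q.D.N
ad_server = DOMAIN_CONTROLLER
ad_domain = MY_DOMAIN.LOCAL
auth_provider = ad
access_provider = ad
ldap_uri = ldaps://DOMAIN_CONTROLLER:636
ldap_sasl_authid = SOME_COMPUTER$@MY_DOMAIN.LOCAL
ldap_sasl_canonicalize = false
ldap_schema = ad
id_provider = ad
fallback_homedir = /home/%u
access_provider = ldap
ldap_schema = rfc2307bis
"""

# Options whose value names a server; all accept comma-separated lists.
HOST_OPTIONS = ("ad_server", "ldap_uri", "krb5_server")

# Optional scheme, host, optional port, optional trailing slash.
_URI = re.compile(r"^(?:ldaps?://)?(?P<host>[^:/]+)(?::\d+)?/?$", re.IGNORECASE)


def parse_sections(text):
    """Parse sssd.conf-style ini text into {section: [(key, value), ...]}.
    Every occurrence of a key is kept so duplicates can be reported."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((key, value))
    return sections


def duplicate_keys(sections):
    """{section: {key: [value, ...]}} for keys set more than once in a section."""
    out = {}
    for sec, pairs in sections.items():
        values = {}
        for key, value in pairs:
            values.setdefault(key, []).append(value)
        dups = {k: v for k, v in values.items() if len(v) > 1}
        if dups:
            out[sec] = dups
    return out


def effective_value(sections, section, key):
    """Value a last-occurrence-wins parser would use, or None if unset."""
    vals = [v for k, v in sections.get(section, []) if k == key]
    return vals[-1] if vals else None


def host_of(entry):
    """Hostname part of 'ldaps://host:636', 'ldap://host' or a bare 'host'."""
    m = _URI.match(entry.strip())
    return m.group("host") if m else None


def non_fqdn_hosts(sections, section):
    """[(option, host)] for server entries that are not dotted hostnames.
    '_srv_' (DNS SRV discovery) is skipped; IPv4 literals are flagged, since an
    address can never match an ldap/<fqdn> service principal directly."""
    bad = []
    for key in HOST_OPTIONS:
        for opt, value in sections.get(section, []):
            if opt != key:
                continue
            for entry in value.split(","):
                entry = entry.strip()
                if not entry or entry.lower() == "_srv_":
                    continue
                host = host_of(entry)
                if host is None:
                    continue
                is_ipv4 = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None
                if is_ipv4 or "." not in host:
                    bad.append((key, host))
    return bad


def report(text, section):
    """Human-readable findings for one section of an sssd.conf."""
    secs = parse_sections(text)
    findings = []
    for key, vals in duplicate_keys(secs).get(section, {}).items():
        findings.append(f"{key} set {len(vals)} times {vals}; last wins: {vals[-1]}")
    for key, host in non_fqdn_hosts(secs, section):
        findings.append(f"{key} names unqualified host {host!r}; use the DC's FQDN")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_CONF, "domain/MY_DOMAIN.LOCAL"):
        print(line)
```

Run it against the real file with `report(open('/etc/sssd/sssd.conf').read(), 'domain/MY_DOMAIN.LOCAL')`; `sssctl config-check` from sssd-tools is the built-in syntax validator to pair it with. The Kerberos side can be checked without SSSD at all: `kinit -k 'SOME_COMPUTER$@MY_DOMAIN.LOCAL'` using the machine keytab, then `kvno ldap/<dc-fqdn>@MY_DOMAIN.LOCAL`. If kvno reproduces "Server not found in Kerberos database", the problem is the service principal name the client is asking for, independent of SSSD and of whether port 389 or 636 is used.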