[SSSD-users] Server not found in Kerberos database and debug level 11
JOHE (John Hearns)
2018-05-02 15:54:33 UTC
I would appreciate some pointers.

I have a sandbox setup running on VMs. There is an AD controller using the VM image which Microsoft has available for testing.

I have created a domain called ad.test


On my client machine I am continually getting this error:

[sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)



On the client klist -k | uniq returns


KVNO Principal
---- --------------------------------------------------------------------------
3 CLIENT1$@ADTEST.PRIVATE
3 host/***@ADTEST.PRIVATE
3 host/***@ADTEST.PRIVATE
3 RestrictedKrbHost/***@ADTEST.PRIVATE
3 RestrictedKrbHost/***@ADTEST.PRIVATE


The funny thing is ONLY kinit -k CLIENT1$\@ADTEST.PRIVATE will work.

I do get a tgt:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: CLIENT1$@ADTEST.PRIVATE


Just in the sandbox I am also setting:

ldap_auth_disable_tls_never_use_in_production = true


Any pointers please? I have cranked debug up to 8 and this error message seems to be the crucial one.


By the way, why does the debug level not go up to 11?
Jakub Hrozek
2018-05-03 07:43:33 UTC
Post by JOHE (John Hearns)
I would appreciate some pointers.
I have a sandbox setup running on VMs. There is an AD controller using the VM image which Microsoft has available for testing.
I have created a domain called ad.test
[sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
I find it easier to debug this kind of an issue with:
KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b ""

Also, what version and on what OS are you running?
Post by JOHE (John Hearns)
On the client klist -k | uniq returns
KVNO Principal
---- --------------------------------------------------------------------------
Ticket cache: FILE:/tmp/krb5cc_0
ldap_auth_disable_tls_never_use_in_production = true
Please don't use this: not only is it very insecure, but it also doesn't make any sense. This option is only useful if you use auth_provider=ldap. With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
Post by JOHE (John Hearns)
Any pointers please? I have cranked debug up to 8 and this error message seems to be the crucial one.
By the way, why does the debug level not go up to 11?
Because 9 is the highest?
_______________________________________________
sssd-users mailing list -- sssd-***@lists.fedorahosted.org
To unsubscribe send an emai
JOHE (John Hearns)
2018-05-03 08:09:10 UTC
JOHE (John Hearns)
2018-05-03 09:06:02 UTC
Post by Jakub Hrozek
Post by JOHE (John Hearns)
By the way, why does the debug level not go up to 11?
Because 9 is the highest?
http://knowyourmeme.com/memes/these-go-to-11-spinal-tap
JOHE (John Hearns)
2018-05-03 09:20:56 UTC
Jakub,

thank you for your reply. I have (almost!) got things working now.

I have removed the ldap parameters in the sssd.conf


I had a mixup with the AD controller hostname - it is ad.adtest.private and I think this was significant.

Now I am retrieving the user information from AD.

Still having problems with PAM, so I am sure I will be back (sorry!)
John Hearns
2018-05-03 07:59:54 UTC
John Hearns
2018-05-03 08:08:34 UTC
To explain, I just sent a reply from my personal Googlemail.

I am now getting this logged:
May 03 10:05:02 client1 [sssd[ldap_child[2481]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'host/***@ADTEST.PRIVATE' not
May 03 10:05:02 client1 [sssd[ldap_child[2481]: Client 'host/***@ADTEST.PRIVATE' not found in Kerberos database


I know the case is important in Kerberos, but client1 is certainly in the Computers section of the adtest.private AD domain.
Post by JOHE (John Hearns)
Jakub, thank you for your reply.
Client OS is Ubuntu Xenial. Yes, I know... pats favourite labrador goodbye. Sound of drawer opening and service revolver being loaded...
I did realise that the option p_auth_disable_tls_never_use_in_production = true
the problem I have is that there is a CA cert on the Active Directory controller. But I cannot see if there is an SSL certificate.
I may well be misunderstanding things.
Please don't use this: not only is it very insecure, but it also doesn't make any sense. This option is only useful if you use auth_provider=ldap. With id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.
Aha. Thank you for that information.
I then have to ask the assembled choir (as I am not at the pearly gates) - does AD in the default configuration have SSL certificate capability?
I have installed the Active Directory Certificate Services role
Sumit Bose
2018-06-01 17:01:45 UTC
Post by John Hearns
To explain, I just sent a reply from my personal Googlemail.
May 03 10:05:02 client1 [sssd[ldap_child[2481]: Failed to initialize
credentials using keytab [MEMORY:/etc/krb5.keytab]: Client
May 03 10:05:02 client1 [sssd[ldap_child[2481]: Client
I know the case is important in Kerberos, but client1 is certainly in the
Computers section of the adtest.private AD domain.
AD makes a distinction between user and server principals. The former can be used with kinit, the latter cannot, as you have already seen below.

The AD provider will use the keytab entry with the '$' by default, but
the LDAP provider will use the host name and add 'host/' in the
beginning and the realm at the end.

Please try to set 'ldap_sasl_authid = CLIENT1$@ADTEST.PRIVATE' to use
'CLIENT1$@ADTEST.PRIVATE' when requesting a TGT from AD.

HTH

bye,
Sumit
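The principal mismatch Sumit describes, as an added shell example that is not part of the thread: from a constructed `klist -k` listing (modelled on the one posted above; the client FQDN client1.adtest.private and realm ADTEST.PRIVATE are assumed) it derives the principal each SSSD provider would pick by default and prints the ldap_sasl_authid line to set when only the computer account can obtain a TGT.

```shell
#!/bin/sh
# Constructed sample of `klist -k | uniq` output (not real keytab data).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 CLIENT1$@ADTEST.PRIVATE
   3 host/client1.adtest.private@ADTEST.PRIVATE
   3 host/CLIENT1@ADTEST.PRIVATE
   3 RestrictedKrbHost/client1.adtest.private@ADTEST.PRIVATE
   3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE'

# keytab_principals KLIST_OUTPUT: unique principal names, one per line
# (rows whose first column is a numeric KVNO).
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Principal the LDAP provider derives when ldap_sasl_authid is unset:
# 'host/' + host name + '@' + realm.
ldap_default_principal() { printf 'host/%s@%s\n' "$1" "$2"; }

# Computer-account principal the AD provider prefers: <SHORTNAME>$@<REALM>.
ad_computer_principal() {
    short=$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\n' "$short" "$2"
}

# recommend_sasl_authid KLIST_OUTPUT FQDN REALM
# Prints the sssd.conf line for the [domain/...] section. AD only issues a
# TGT to the user-style computer account, not to the host/ service principal,
# so the computer account is chosen whenever the keytab holds it.
recommend_sasl_authid() {
    princs=$(keytab_principals "$1")
    acct=$(ad_computer_principal "$2" "$3")
    if printf '%s\n' "$princs" | grep -Fxq -- "$acct"; then
        printf 'ldap_sasl_authid = %s\n' "$acct"
        return 0
    fi
    printf 'no computer account for %s in keytab; LDAP provider would try %s\n' \
        "$2" "$(ldap_default_principal "$2" "$3")" >&2
    return 1
}

recommend_sasl_authid "$SAMPLE_KLIST" client1.adtest.private ADTEST.PRIVATE
```

On a real client, feed it `"$(klist -k)"`, `"$(hostname -f)"` and the realm from /etc/krb5.conf instead of the sample.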