After we made an AD takeover from Win2012R2 to UCS 4.3-3, sssd with GSSAPI isn't working anymore.
We also tried the same sssd config with another UCS master system (without takeover) and that was working fine.
Here is the relevant part of sssd.conf:
# sssd.conf
[domain/test.test.cc]
case_sensitive = False
id_provider = ldap
ldap_search_base = dc=test,dc=test,dc=cc
ldap_uri = ldaps://srv-ucs-01.test.test.cc:7636
ldap_schema = rfc2307
ldap_sasl_mech = GSSAPI
ldap_tls_cacert = /etc/univention/ssl/ucsCA/CAcert.pem
ldap_force_upper_case_realm = true
ldap_id_mapping = false
ldap_krb5_keytab = /etc/krb5.keytab
auth_provider = krb5
chpass_provider = krb5
krb5_keytab = /etc/krb5.keytab
krb5_realm = test.test.cc
krb5_store_password_if_offline = true
root@debian:~# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
5 DEBIAN$@TEST.TEST.CC
5 DEBIAN$@TEST.TEST.CC
5 DEBIAN$@TEST.TEST.CC
5 DEBIAN$@TEST.TEST.CC
5 DEBIAN$@TEST.TEST.CC
5 host/DEBIAN@TEST.TEST.CC
5 host/DEBIAN@TEST.TEST.CC
5 host/DEBIAN@TEST.TEST.CC
5 host/DEBIAN@TEST.TEST.CC
5 host/DEBIAN@TEST.TEST.CC
5 host/debian@TEST.TEST.CC
5 host/debian@TEST.TEST.CC
5 host/debian@TEST.TEST.CC
5 host/debian@TEST.TEST.CC
5 host/debian@TEST.TEST.CC
5 RestrictedKrbHost/DEBIAN@TEST.TEST.CC
5 RestrictedKrbHost/DEBIAN@TEST.TEST.CC
5 RestrictedKrbHost/DEBIAN@TEST.TEST.CC
5 RestrictedKrbHost/DEBIAN@TEST.TEST.CC
5 RestrictedKrbHost/DEBIAN@TEST.TEST.CC
5 RestrictedKrbHost/debian@TEST.TEST.CC
5 RestrictedKrbHost/debian@TEST.TEST.CC
5 RestrictedKrbHost/debian@TEST.TEST.CC
5 RestrictedKrbHost/debian@TEST.TEST.CC
5 RestrictedKrbHost/debian@TEST.TEST.CC
root@debian:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@TEST.TEST.CC
Valid starting Expires Service principal
03/20/2019 10:22:34 03/20/2019 20:22:34 krbtgt/TEST.TEST.CC@TEST.TEST.CC
renew until 03/27/2019 10:22:30
03/20/2019 10:27:05 03/20/2019 20:22:34 ldap/srv-ucs-01.test.test.CC@TEST.TEST.CC
renew until 03/27/2019 10:22:30
# krb5.conf from client
[libdefaults]
default_realm = TEST.TEST.CC
clockskew = 300
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
proxiable = true
rdns = false
[realms]
TEST.TEST.CC = {
admin_server = srv-ucs-01.test.test.cc
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
test.test.cc = TEST.TEST.CC
.test.test.cc = TEST.TEST.CC
[appdefaults]
pam = {
ticket_lifetime = 25h
renew_lifetime = 25h
forwardable = true
proxiable = false
minimum_uid = 1
external = sshd
use_shmem = sshd
}
### sssd log
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [dp_get_account_info_handler] (0x0200): Got request for [0x5][BE_REQ_SERVICES][name=syslog]
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'srv-ucs-01.test.test.cc' in files
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [set_server_common_status] (0x0100): Marking server 'srv-ucs-01.test.test.cc' as 'resolving name'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'srv-ucs-01.test.test.cc' in files
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'srv-ucs-01.test.test.cc' in DNS
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [set_server_common_status] (0x0100): Marking server 'srv-ucs-01.test.test.cc' as 'name resolved'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [be_resolve_server_process] (0x0200): Found address for server srv-ucs-01.test.test.cc: [10.0.200.11] TTL 900
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [get_naming_context] (0x0200): Using value from [namingContexts] as naming context.
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [get_single_value_as_string] (0x0080): More than one value found.
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sdap_set_config_options_with_rootdse] (0x0020): get_naming_context failed.
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sdap_get_server_opts_from_rootdse] (0x0200): No known USN scheme is supported by this server!
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sdap_get_server_opts_from_rootdse] (0x0200): Will use modification timestamp as usn!
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'debian' in files
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'debian' in files
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'debian' in DNS
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_KERBEROS._udp.test.test.cc'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'KERBEROS' as 'resolved'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [be_resolve_server_process] (0x0200): Found address for server srv-ucs-01.test.test.cc: [10.0.200.11] TTL 900
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [child_sig_handler] (0x0100): child [1643] finished successfully.
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: (null)
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (80)[Other (e.g., implementation specific) error]
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No key table entry found matching ldap/srv-ucs-01.test.test.cc@)]
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158225]: Authentication Failed
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [fo_set_port_status] (0x0100): Marking port 7636 of server 'srv-ucs-01.test.test.cc' as 'not working'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.TEST.TEST.CC], [2][No such file or directory]
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kdcinfo.TEST.TEST.CC], [2][No such file or directory]
(Wed Mar 20 12:09:26 2019) [sssd[be[test.test.cc]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.TEST.TEST.CC], [2][No such file or directory]
What is interesting is this: No key table entry found matching ldap/srv-ucs-01.test.test.cc@
Something is stripping the REALM/DOMAIN part at the end of the service principal.
Can somebody give us any hints on where to debug this or which config we should check?
Thanks
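As an added diagnostic example (editor's code, not from the original post), a Python check that parses the klist, klist -k and sssd.conf excerpts above and reports where the configured realm, the keytab realm, the ldap_uri host and the obtained ldap/<host> service ticket disagree in spelling or case; the inputs are constructed from the post and the checks are things to verify, not a confirmed root cause.

```python
import re

# Constructed inputs, copied from the post (one keytab line per principal is enough here).
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   5 DEBIAN$@TEST.TEST.CC
   5 host/DEBIAN@TEST.TEST.CC
   5 host/debian@TEST.TEST.CC
   5 RestrictedKrbHost/debian@TEST.TEST.CC
"""
CCACHE_LISTING = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@TEST.TEST.CC
03/20/2019 10:22:34  03/20/2019 20:22:34  krbtgt/TEST.TEST.CC@TEST.TEST.CC
03/20/2019 10:27:05  03/20/2019 20:22:34  ldap/srv-ucs-01.test.test.CC@TEST.TEST.CC
"""
SSSD_CONF = """\
[domain/test.test.cc]
ldap_uri = ldaps://srv-ucs-01.test.test.cc:7636
ldap_sasl_mech = GSSAPI
krb5_realm = test.test.cc
"""

# Realm part may be empty so the form from the error message ("ldap/host@") is caught.
PRINCIPAL_RE = re.compile(r"(?P<name>[^@\s]+)@(?P<realm>\S*)")

def principals(listing):
    """Return (name, realm) tuples for every principal in klist / klist -k output."""
    return [(m.group("name"), m.group("realm")) for m in PRINCIPAL_RE.finditer(listing)]

def conf_value(conf, key):
    """Read a single 'key = value' option from an sssd.conf-style text."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(\S+)", conf, re.M)
    return m.group(1) if m else None

def check_gssapi_setup(keytab, ccache, conf):
    """Return a list of findings; an empty list means names, realms and case all agree."""
    findings = []
    realm = conf_value(conf, "krb5_realm")
    host = re.sub(r"^\w+://|:\d+$", "", conf_value(conf, "ldap_uri"))  # strip scheme and port
    keytab_realms = {r for _, r in principals(keytab)}
    if realm not in keytab_realms:  # Kerberos realm names are case-sensitive
        findings.append(f"krb5_realm '{realm}' does not match keytab realm(s) {sorted(keytab_realms)}")
    for name, r in principals(keytab) + principals(ccache):
        if r == "":
            findings.append(f"principal '{name}@' has an empty realm")
    service = f"ldap/{host}"
    tickets = [n for n, _ in principals(ccache) if n.lower() == service.lower()]
    if not tickets:
        findings.append(f"no service ticket for {service} in the credential cache")
    elif service not in tickets:
        findings.append(f"service ticket '{tickets[0]}' differs in case from ldap_uri host '{host}'")
    return findings
```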