sssd going offline with "SASL: GSSAPI Error"

Issues related to applications and software problems
milanraf
Posts: 3
Joined: 2018/04/05 19:55:49

sssd going offline with "SASL: GSSAPI Error"

Post by milanraf » 2018/04/05 20:05:48

Hi all

as reported also by another user in this RH ticket:
access.redhat.com/solutions/3398641
I have problems with sssd not correctly connecting to my Windows 2003 domain server.

I had no problem joining the domain with "realm join mydomain.com" and even the ldap client seems to be working fine when analyzing ldap_child.log. The domain appears correctly joined in "realm list" and "net ads testjoin".
At the same time sssd seems to fail when authenticating with the domain server. The error is exactly as reported in the above link.

Here is my sssd_conf:
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam

[domain/mydomain.com]
ad_domain = mydomain.com
krb5_realm = mydomain.com
ad_server = srv-rocca.mydomain.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
debug_level = 10

Maybe something is wrong with the sasl library? But I don't know where to look.

Thank you

Bye

Raf

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: sssd going offline with "SASL: GSSAPI Error"

Post by hunter86_bg » 2018/04/06 03:52:34

If you want to reinstall it:

find /lib64 -type f -iname '*sasl*' -print   # quote the glob so the shell does not expand it
rpm -qf /path/to/sasl
rpm -V <package from previous command>
yum reinstall <sasl-package>
Also keep in mind that when sssd dies/fails to do its job, CentOS automatically switches to nslcd, so install the relevant packages so you won't lose connectivity to AD.

Also, Windows Server 2003 is no longer supported, so consider changing it.

milanraf
Posts: 3
Joined: 2018/04/05 19:55:49

Re: sssd going offline with "SASL: GSSAPI Error"

Post by milanraf » 2018/04/06 05:08:51

thank you hunter86

I've checked the cyrus-sasl-lib-2.1.26-21.el7.x86_64 installation and it looks good; I just reinstalled it but nothing changed.

Diving in journalctl I found this error:
sssd[be[mydomain.com]][10668]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)

I've also discovered that something is wrong with kerberos.
The realm is correctly listed:

mydomain.com
type: kerberos
realm-name: mydomain.com
domain-name: mydomain.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@mydomain.com
login-policy: allow-realm-logins

but klist returns an error:
klist: Credentials cache keyring 'persistent:0:0' not found

and kinit does not seem to work properly:
kinit: Client 'root@mydomain.com' not found in Kerberos database while getting initial credentials

Moreover, trying to make cyrus-imap work with winbind (which I'm temporarily using as a fallback until sssd is OK), I found a similar GSSAPI error:
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: KEYRING:persistent:0))

At this point I'm seeing two kinds of problems:
- authentication related (but sasl seems good)
- kerberos related (but realm is correctly listed and joined)

I'm quite confused now...

Thank you

Raf

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: sssd going offline with "SASL: GSSAPI Error"

Post by hunter86_bg » 2018/04/06 15:10:38

kinit for the root user will never work.
Just

su - adtestuser
id
kinit || kinit adtestuser@REALM
Does this work:

getent passwd adtestuser
Note: adtestuser is an existing, unlocked AD user.

milanraf
Posts: 3
Joined: 2018/04/05 19:55:49

Re: sssd going offline with "SASL: GSSAPI Error"

Post by milanraf » 2018/04/08 08:19:35

Yes, you're right.

In fact, in the meanwhile, I've slightly changed my krb5.conf file and added:

allow_weak_crypto = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
while setting every domain entry in the same file to capital letters.

Now the kinit works.

Thank you

Bye
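As an added example (not code from any poster in this thread), a small Python lint that flags the two settings the thread ended up changing: a lowercase krb5_realm in sssd.conf, and allow_weak_crypto or RC4/DES enctypes in krb5.conf [libdefaults]. The sample configs below are constructed from the values posted above, not the poster's real files.

```python
# Enctypes the thread enabled; single DES and RC4 are disabled by default in modern MIT krb5.
WEAK_ENCTYPES = {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# Constructed samples modelled on the configs posted in the thread (not the poster's real files).
SAMPLE_SSSD_CONF = """\
[domain/mydomain.com]
ad_domain = mydomain.com
krb5_realm = mydomain.com
id_provider = ad
"""
SAMPLE_KRB5_CONF = """\
[libdefaults]
 allow_weak_crypto = true
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
 MYDOMAIN.COM = {
  kdc = srv-rocca.mydomain.com
 }
"""

def parse_ini(text):
    """Minimal 'key = value' parser; skips krb5.conf brace blocks like REALM = { ... }."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "{" in line or line == "}":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def lint(sssd_conf, krb5_conf):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    for name, body in parse_ini(sssd_conf).items():
        if name.startswith("domain/") and (realm := body.get("krb5_realm")) and realm != realm.upper():
            findings.append(f"{name}: krb5_realm '{realm}' is not uppercase (Kerberos realms are case-sensitive)")
    lib = parse_ini(krb5_conf).get("libdefaults", {})
    if lib.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("libdefaults: allow_weak_crypto = true re-enables enctypes krb5 disables by default")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = [e for e in lib.get(key, "").split() if e.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append(f"libdefaults: {key} lists weak enctypes: {' '.join(weak)}")
    return findings
```

To check a real host, read /etc/sssd/sssd.conf and /etc/krb5.conf and pass their contents to lint().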
