Issue #2692: GPO: Access denied due to using wrong sam_account_name - sssd

SSSD / sssd

#2692 GPO: Access denied due to using wrong sam_account_name

Closed: Fixed None Opened 8 years ago by lslebodn.

If the left most label of hostname is longer than 16 characters then samba-utils(net) and realmd will register machine in AD with netbios name which has just 15 characters. SSSD tries to search longer version which results in pam system error for PAM_ACCT_MGMT

[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=user)(sAMAccountName=HP-DL380PGEN8-02-VM-5$))][dc=sssdad,dc=com]

Output of keytab:

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM