#2692 GPO: Access denied due to using wrong sam_account_name
Closed: Fixed None Opened 3 years ago by lslebodn.

If the leftmost label of the hostname is longer than 16 characters, then samba-utils (net) and realmd will register the machine in AD with a NetBIOS name which has just 15 characters. SSSD tries to search for the longer version, which results in a PAM system error for PAM_ACCT_MGMT.

[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=user)(sAMAccountName=HP-DL380PGEN8-02-VM-5$))][dc=sssdad,dc=com]

Output of keytab:

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM

Marked as blocker because it prevents enabling GPO by default in Fedora 22 (sssd-1.13).

priority: major => blocker
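
Added example (not part of the ticket and not SSSD's code): a diagnostic that parses `klist -k` output, extracts the machine account stored in the keytab, and compares it with the account name the logged LDAP filter searched for. The function names are hypothetical, the sample listing is a trimmed copy of the one above, and deriving the searched name as the uppercased leftmost hostname label plus `$` is an assumption inferred from the log line.

```python
import re

NETBIOS_MAX = 15  # length of the name the join tools registered, per the ticket

# Constructed sample: trimmed copy of the keytab listing quoted in the ticket.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
"""

def keytab_machine_accounts(klist_text):
    """Return distinct NAME$ accounts (no service prefix) from `klist -k` output."""
    accounts = []
    for line in klist_text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue  # skip the header and separator lines
        m = re.fullmatch(r"([^/@]+\$)@[^@]+", fields[-1])
        if m and m.group(1) not in accounts:
            accounts.append(m.group(1))
    return accounts

def short_name(fqdn):
    """Uppercased leftmost label of the hostname (assumed derivation)."""
    return fqdn.split(".", 1)[0].upper()

def ldap_filter(sam):
    """Build the search filter seen in the log, escaping per RFC 4515."""
    esc = "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in sam)
    return "(&(objectclass=user)(sAMAccountName=%s))" % esc

def check(fqdn, klist_text):
    """Compare the hostname-derived account with what the keytab holds."""
    searched = short_name(fqdn) + "$"
    registered = keytab_machine_accounts(klist_text)
    return {
        "searched": searched,
        "truncated": short_name(fqdn)[:NETBIOS_MAX] + "$",
        "registered": registered,
        "mismatch": searched not in registered,
        "filter": ldap_filter(searched),
    }

if __name__ == "__main__":
    for key, value in check("hp-dl380pgen8-02-vm-5.lab.example.com", SAMPLE_KLIST).items():
        print("%-10s %s" % (key, value))
```

A `mismatch` of True together with `truncated` appearing in `registered` is the condition reported in this ticket.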

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13

Fields changed

milestone: SSSD 1.13.2 => SSSD 1.13.1
owner: somebody => lslebodn

Fields changed

owner: lslebodn =>

Fields changed

rhbz: => todo

Fields changed

owner: => sbose
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Fields changed

rhbz: todo => 0

Metadata Update from @lslebodn:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.1

2 years ago
