#2692 GPO: Access denied due to using wrong sam_account_name
Closed: Fixed None Opened 5 years ago by lslebodn.

If the leftmost label of the hostname is longer than 16 characters, then samba-utils (net) and realmd will register the machine in AD with a NetBIOS name which has just 15 characters. SSSD tries to search for the longer version, which results in a PAM system error for PAM_ACCT_MGMT.

[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=user)(sAMAccountName=HP-DL380PGEN8-02-VM-5$))][dc=sssdad,dc=com]

Output of keytab:

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
   2 06/24/2015 09:25:23 RestrictedKrbHost/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
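
An added example, not part of the original ticket and not SSSD's code: it compares the sAMAccountName built from the full leftmost hostname label, as in the logged LDAP filter, with the machine account principal present in `klist -k` output. The function names and the shortened sample listing are constructed for illustration; uppercasing the label and cutting it at 15 characters are assumptions taken from the names shown above.

```python
import re

NETBIOS_MAX = 15  # NetBIOS computer names hold at most 15 characters

# Constructed sample: a shortened listing shaped like the ticket's keytab output.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/24/2015 09:25:23 HP-DL380PGEN8-0$@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/HP-DL380PGEN8-0@SSSDAD.COM
   2 06/24/2015 09:25:23 HOST/hp-dl380pgen8-02-vm-5.lab.example.com@SSSDAD.COM
"""

def sam_from_hostname(fqdn, truncate):
    """Machine sAMAccountName built from the leftmost label (assumed: uppercased)."""
    label = fqdn.split(".", 1)[0].upper()
    if truncate:
        label = label[:NETBIOS_MAX]
    return label + "$"

def sams_in_keytab(klist_output):
    """Unique NAME$ machine-account principals found in `klist -k` output."""
    found = []
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+([^/@\s]+\$)@\S+$", line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found

def ldap_filter(sam):
    """Search filter in the form SSSD logged, with RFC 4515 escaping of the value."""
    esc = re.sub(r"[\\*()\x00]", lambda c: "\\%02x" % ord(c.group()), sam)
    return "(&(objectclass=user)(sAMAccountName=%s))" % esc

def check_host(fqdn, klist_output):
    """Return (matches, searched_name, registered_names) for one host."""
    searched = sam_from_hostname(fqdn, truncate=False)
    registered = sams_in_keytab(klist_output)
    return searched in registered, searched, registered

if __name__ == "__main__":
    ok, searched, registered = check_host(
        "hp-dl380pgen8-02-vm-5.lab.example.com", SAMPLE_KLIST)
    print("filter from hostname:", ldap_filter(searched))
    for name in registered:
        print("filter from keytab:  ", ldap_filter(name))
    print("match" if ok else "mismatch: the hostname-derived account is not in the keytab")
```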

Marked as blocker because it prevents enabling GPO by default in Fedora 22 (sssd-1.13).

priority: major => blocker

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13

Fields changed

milestone: SSSD 1.13.2 => SSSD 1.13.1
owner: somebody => lslebodn

Fields changed

owner: lslebodn =>

Fields changed

rhbz: => todo

Fields changed

owner: => sbose
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Fields changed

rhbz: todo => 0

Metadata Update from @lslebodn:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.1

3 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/3733

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.
