#3753 sssd krb5_child using wrong domain to authenticate
Closed: wontfix a year ago by pbrezina. Opened 2 years ago by cristi.

I'm trying to log in after enrolling a machine in AD with realm.

The machine was successfully added in AD in domain origdomain.net.

I'm trying to log in with the user falcas@secdomain.net.

It seems to find the user, because id finds the correct groups:

# id falcas@secdomain
uid=1523029953(falcas@secdomain.net) gid=1523029953(falcas@secdomain.net) groups=1523029953(falcas@secdomain.net),1523015303(rd-application management@secdomain.net),1523026406(rd-st-software systems@secdomain.net).......

But when trying to log in with ssh, sssd tries to use this user as the login:

Client 'Falcas\@ORIGDOMAIN.COM@ORIGDOMAIN.NET' not found in Kerberos database

Which is very weird to me. Mostly, what is ORIGDOMAIN.COM? Where did it get this from?

Here are the logs from sssd:

(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): domain: secdomain.net
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): user: falcas
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): rhost: 10.160.0.200
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7651
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): logon name: falcas@secdomain
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.AWS-Ireland._sites.origdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'ie-aws-opt-dc.origdomain.net' in files
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'ie-aws-opt-dc.origdomain.net' in files
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'ie-aws-opt-dc.origdomain.net' in DNS
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_gc._tcp.AWS-Ireland._sites.origdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_gc._tcp.origdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'AD_GC' as 'resolved'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://IE-AWS-OPT-DC.origdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://IE-AWS-OPT-DC.origdomain.net:3268'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu May 31 15:24:12 2018) [[sssd[ldap_child[7652]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [IP-172-31-51-22$@ORIGDOMAIN.NET]
(Thu May 31 15:24:12 2018) [[sssd[ldap_child[7652]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: IP-172-31-51-22$
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [child_sig_handler] (0x0100): child [7652] finished successfully.
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [fo_set_port_status] (0x0100): Marking port 3268 of server 'IE-AWS-OPT-DC.origdomain.net' as 'working'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [set_server_common_status] (0x0100): Marking server 'IE-AWS-OPT-DC.origdomain.net' as 'working'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'sd_secdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.AWS-Ireland._sites.secdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'v-aws-ie-dom-01.secdomain.net' in files
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'v-aws-ie-dom-01.secdomain.net' in files
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'v-aws-ie-dom-01.secdomain.net' in DNS
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.AWS-Ireland._sites.secdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.secdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'sd_secdomain.net' as 'resolved'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'v-aws-ie-dom-01.secdomain.net' in files
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [set_server_common_status] (0x0100): Marking server 'v-aws-ie-dom-01.secdomain.net' as 'resolving name'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'v-aws-ie-dom-01.secdomain.net' in files
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'v-aws-ie-dom-01.secdomain.net' in DNS
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [set_server_common_status] (0x0100): Marking server 'v-aws-ie-dom-01.secdomain.net' as 'name resolved'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://v-aws-ie-dom-01.secdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://v-aws-ie-dom-01.secdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_set_search_base] (0x0100): Setting option [ldap_host_search_base] to [DC=secdomain,DC=net].
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [common_parse_search_base] (0x0100): Search base added: [HOST][DC=secdomain,DC=net][SUBTREE][]
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'sd_secdomain.net'
(Thu May 31 15:24:12 2018) [[sssd[ldap_child[7653]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [IP-172-31-51-22$@ORIGDOMAIN.NET]
(Thu May 31 15:24:12 2018) [[sssd[ldap_child[7653]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: IP-172-31-51-22$
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [child_sig_handler] (0x0100): child [7653] finished successfully.
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'v-aws-ie-dom-01.secdomain.net' as 'working'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [set_server_common_status] (0x0100): Marking server 'v-aws-ie-dom-01.secdomain.net' as 'working'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-1893866445-283916645-10498456-20013
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-1893866445-283916645-10498456-513
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): domain: secdomain.net
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): user: Falcas@secdomain.net
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): rhost: 10.160.0.200
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7651
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): logon name: falcas@secdomain
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [dp_pam_handler] (0x0100): Got request with the following data
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): domain: secdomain.net
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): user: Falcas@secdomain.net
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): service: sshd
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): tty: ssh
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): ruser: 
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): rhost: 10.160.0.200
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): authtok type: 1
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): priv: 1
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): cli_pid: 7651
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): logon name: not set
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [krb5_auth_send] (0x0100): Home directory for user [Falcas@secdomain.net] not known.
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://IE-AWS-OPT-DC.origdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://IE-AWS-OPT-DC.origdomain.net'
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [unpack_buffer] (0x0100): cmd [241] uid [1523029953] gid [1523029953] validate [true] enterprise principal [true] offline [false] UPN [Falcas@ORIGDOMAIN.COM]
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1523029953] old_ccname: [KEYRING:persistent:1523029953] keytab: [/etc/krb5.keytab]
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [check_use_fast] (0x0100): Not using FAST.
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [set_lifetime_options] (0x0100): No specific lifetime requested.
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [sss_krb5_get_init_creds_password] (0x0020): 1618: [-1765328378][Client 'Falcas\@ORIGDOMAIN.COM@ORIGDOMAIN.NET' not found in Kerberos database]
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [get_and_save_tgt] (0x0020): 1695: [-1765328378][Client 'Falcas\@ORIGDOMAIN.COM@ORIGDOMAIN.NET' not found in Kerberos database]
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [map_krb5_error] (0x0020): 1808: [-1765328378][Client 'Falcas\@ORIGDOMAIN.COM@ORIGDOMAIN.NET' not found in Kerberos database]
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
(Thu May 31 15:24:12 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [child_sig_handler] (0x0100): child [7654] finished successfully.
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_sudo_load_sudoers_done] (0x0040): Received 0 sudo rules
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): domain: secdomain.net
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): user: falcas
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): rhost: 10.160.0.200
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7655
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): logon name: falcas@secdomain
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): domain: secdomain.net
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): user: Falcas@secdomain.net
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): rhost: 10.160.0.200
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7655
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): logon name: falcas@secdomain
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [dp_pam_handler] (0x0100): Got request with the following data
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): domain: secdomain.net
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): user: Falcas@secdomain.net
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): service: sshd
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): tty: ssh
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): ruser: 
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): rhost: 10.160.0.200
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): authtok type: 0
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): priv: 1
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): cli_pid: 7655
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): logon name: not set
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [krb5_auth_send] (0x0020): Illegal zero-length authtok for user [Falcas@secdomain.net]
(Thu May 31 15:24:15 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.

The important part in the krb5_child.log is enterprise=true. Then, the strange-looking principal "Falcas\@ORIGDOMAIN.COM@ORIGDOMAIN.NET" means that the user's principal name is Falcas@ORIGDOMAIN.COM in the realm ORIGDOMAIN.NET. Typically, this is the case if the userPrincipalName attribute on the LDAP side contains a UPN with a different realm (maybe realms were merged at one point...) than the usual realm in that domain.

Can you check what the value of userPrincipalName is for that user?

I don't know why the principal wouldn't be found if the UPN was set to a certain value. Does kinit work with the UPN from the command line? (You might need to add -C -E to kinit.)

I checked and the userPrincipalName is Falcas@origdomain.com

After adding the domain to /etc/krb5.conf I managed to log in with 'kinit -C -E falcas@secdomain.net'. I only added this:

[realms]
 SECDOMAIN.NET = {
 }
[domain_realm]
 secdomain.net = SECDOMAIN.NET
 .secdomain.net = SECDOMAIN.NET

sssd still tries to use "Falcas\@ORIGDOMAIN.COM@ORIGDOMAIN.NET"

Can I make sssd log in with the user provided (falcas@secdomain.net) instead of the UPN?

The conf file /etc/sssd/sssd.conf has only the origdomain defined.

Even after adding the SECDOMAIN to sssd.conf, krb5_child still tries to log in with "Falcas\@ORIGDOMAIN.COM@ORIGDOMAIN.NET"

First, sssd should write the domain-realm mappings itself to a file in /var/lib/sss/pubconf/krb5.include.d. But depending on how you enrolled the client, this directory might not be included with an "includedir" directive from krb5.conf.

Second, as I said, the principal should be usable, I don't think there's anything wrong with it.

Finally, ignoring the UPN and letting SSSD construct the principal with username@REALM fallback is possible by setting the ldap_user_principal option to a value that does not exist so that SSSD does not find the UPN and falls back to the username@REALM value.
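As an added illustration (not code from this thread or from SSSD) of the two points above, the user\@UPNREALM@REALM rendering of an enterprise principal and the username@REALM fallback when the UPN is ignored: a small Python model of the principal handed to the KDC, plus a check that scans krb5_child.log lines for a UPN whose realm suffix differs from the realm the user is expected to authenticate in. The behaviour modelled in sssd_principal is simplified and hypothetical, and the log lines are constructed from the ones quoted in this thread.

```python
import re
from typing import Optional, Tuple

# Constructed sample, modelled on the krb5_child.log lines quoted in this thread.
SAMPLE_LOG = """\
[unpack_buffer] (0x0100): cmd [241] uid [1523029953] gid [1523029953] validate [true] enterprise principal [true] offline [false] UPN [Falcas@ORIGDOMAIN.COM]
[sss_krb5_get_init_creds_password] (0x0020): 1618: [-1765328378][Client 'Falcas\\@ORIGDOMAIN.COM@ORIGDOMAIN.NET' not found in Kerberos database]
"""

UPN_RE = re.compile(r"enterprise principal \[(true|false)\].*?UPN \[([^\]]*)\]")
NOTFOUND_RE = re.compile(r"Client '([^']+)' not found in Kerberos database")


def krb5_unparse(component: str, realm: str) -> str:
    """Render a one-component principal the way krb5_unparse_name displays it:
    '\\' and '@' inside the component are escaped, then '@REALM' is appended.
    This is why an enterprise principal shows up as user\\@UPNREALM@REALM."""
    escaped = component.replace("\\", "\\\\").replace("@", "\\@")
    return f"{escaped}@{realm}"


def sssd_principal(username: str, realm: str, upn: Optional[str],
                   enterprise: bool) -> str:
    """Simplified, hypothetical model of the behaviour described in the thread
    (not SSSD's code). With a UPN and enterprise principals enabled the whole
    UPN becomes one principal component in the KDC realm. With no UPN (e.g.
    ldap_user_principal pointing at a non-existent attribute) the fallback is
    username@REALM."""
    if upn is None:
        return f"{username}@{realm.upper()}"
    if enterprise:
        return krb5_unparse(upn, realm.upper())
    return upn  # assumption: without enterprise mode the UPN is used as-is


def parse_enterprise_upn(log: str) -> Optional[Tuple[bool, str]]:
    """Return (enterprise flag, UPN) from the first unpack_buffer line found."""
    for line in log.splitlines():
        m = UPN_RE.search(line)
        if m:
            return m.group(1) == "true", m.group(2)
    return None


def failing_principal(log: str) -> Optional[str]:
    """Return the client principal the KDC rejected, if the log records one."""
    m = NOTFOUND_RE.search(log)
    return m.group(1) if m else None


def upn_realm_mismatch(log: str, expected_realm: str) -> Optional[str]:
    """Detection check: flag an enterprise UPN whose realm suffix differs from
    the realm the user should authenticate in. Returns a description of the
    mismatch, or None when the UPN looks consistent."""
    found = parse_enterprise_upn(log)
    if found is None or "@" not in found[1]:
        return None
    enterprise, upn = found
    upn_realm = upn.rsplit("@", 1)[1].upper()
    if enterprise and upn_realm != expected_realm.upper():
        return (f"userPrincipalName {upn} points at realm {upn_realm}, not "
                f"{expected_realm.upper()}; KDC rejected {failing_principal(log)}")
    return None
```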

Metadata Update from @pbrezina:
- Issue tagged with: Canditate to close

a year ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persists on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

a year ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4759

If you want to receive further updates on the issue, please navigate to the github issue and click the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
