#3753 sssd krb5_child using wrong domain to authenticate

Created 17 days ago by cristi
Modified 13 days ago

I'm trying to log in after enrolling a machine in AD with realm.

The machine was successfully added in AD in domain origdomain.net.

I'm trying to login with the user falcas@secdomain.net.

It seems to find the user, because id finds the correct groups:

# id falcas@secdomain
uid=1523029953(falcas@secdomain.net) gid=1523029953(falcas@secdomain.net) groups=1523029953(falcas@secdomain.net),1523015303(rd-application management@secdomain.net),1523026406(rd-st-software systems@secdomain.net).......

But when trying to log in with ssh, sssd tries to use this user as the login:

Client 'Falcas\@ORIGDOMAIN.COM@ORIGDOMAIN.NET' not found in Kerberos database

Which is very weird to me. Mainly, what is ORIGDOMAIN.COM? Where did it get this from?

Here are the logs from sssd:

(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): domain: secdomain.net
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): user: falcas
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): rhost: 10.160.0.200
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7651
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): logon name: falcas@secdomain
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.AWS-Ireland._sites.origdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'ie-aws-opt-dc.origdomain.net' in files
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'ie-aws-opt-dc.origdomain.net' in files
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'ie-aws-opt-dc.origdomain.net' in DNS
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_gc._tcp.AWS-Ireland._sites.origdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_gc._tcp.origdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'AD_GC' as 'resolved'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://IE-AWS-OPT-DC.origdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://IE-AWS-OPT-DC.origdomain.net:3268'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu May 31 15:24:12 2018) [[sssd[ldap_child[7652]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [IP-172-31-51-22$@ORIGDOMAIN.NET]
(Thu May 31 15:24:12 2018) [[sssd[ldap_child[7652]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: IP-172-31-51-22$
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [child_sig_handler] (0x0100): child [7652] finished successfully.
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [fo_set_port_status] (0x0100): Marking port 3268 of server 'IE-AWS-OPT-DC.origdomain.net' as 'working'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [set_server_common_status] (0x0100): Marking server 'IE-AWS-OPT-DC.origdomain.net' as 'working'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'sd_secdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.AWS-Ireland._sites.secdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'v-aws-ie-dom-01.secdomain.net' in files
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'v-aws-ie-dom-01.secdomain.net' in files
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'v-aws-ie-dom-01.secdomain.net' in DNS
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.AWS-Ireland._sites.secdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.secdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'sd_secdomain.net' as 'resolved'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'v-aws-ie-dom-01.secdomain.net' in files
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [set_server_common_status] (0x0100): Marking server 'v-aws-ie-dom-01.secdomain.net' as 'resolving name'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'v-aws-ie-dom-01.secdomain.net' in files
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'v-aws-ie-dom-01.secdomain.net' in DNS
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [set_server_common_status] (0x0100): Marking server 'v-aws-ie-dom-01.secdomain.net' as 'name resolved'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://v-aws-ie-dom-01.secdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://v-aws-ie-dom-01.secdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_set_search_base] (0x0100): Setting option [ldap_host_search_base] to [DC=secdomain,DC=net].
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [common_parse_search_base] (0x0100): Search base added: [HOST][DC=secdomain,DC=net][SUBTREE][]
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'sd_secdomain.net'
(Thu May 31 15:24:12 2018) [[sssd[ldap_child[7653]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [IP-172-31-51-22$@ORIGDOMAIN.NET]
(Thu May 31 15:24:12 2018) [[sssd[ldap_child[7653]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: IP-172-31-51-22$
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [child_sig_handler] (0x0100): child [7653] finished successfully.
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'v-aws-ie-dom-01.secdomain.net' as 'working'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [set_server_common_status] (0x0100): Marking server 'v-aws-ie-dom-01.secdomain.net' as 'working'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-1893866445-283916645-10498456-20013
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-21-1893866445-283916645-10498456-513
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): domain: secdomain.net
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): user: Falcas@secdomain.net
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): rhost: 10.160.0.200
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7651
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_print_data] (0x0100): logon name: falcas@secdomain
(Thu May 31 15:24:12 2018) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [dp_pam_handler] (0x0100): Got request with the following data
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): domain: secdomain.net
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): user: Falcas@secdomain.net
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): service: sshd
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): tty: ssh
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): ruser: 
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): rhost: 10.160.0.200
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): authtok type: 1
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): priv: 1
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): cli_pid: 7651
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): logon name: not set
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [krb5_auth_send] (0x0100): Home directory for user [Falcas@secdomain.net] not known.
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://IE-AWS-OPT-DC.origdomain.net'
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://IE-AWS-OPT-DC.origdomain.net'
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [unpack_buffer] (0x0100): cmd [241] uid [1523029953] gid [1523029953] validate [true] enterprise principal [true] offline [false] UPN [Falcas@ORIGDOMAIN.COM]
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1523029953] old_ccname: [KEYRING:persistent:1523029953] keytab: [/etc/krb5.keytab]
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [check_use_fast] (0x0100): Not using FAST.
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [set_lifetime_options] (0x0100): No specific lifetime requested.
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [sss_krb5_get_init_creds_password] (0x0020): 1618: [-1765328378][Client 'Falcas\@ORIGDOMAIN.COM@ORIGDOMAIN.NET' not found in Kerberos database]
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [get_and_save_tgt] (0x0020): 1695: [-1765328378][Client 'Falcas\@ORIGDOMAIN.COM@ORIGDOMAIN.NET' not found in Kerberos database]
(Thu May 31 15:24:12 2018) [[sssd[krb5_child[7654]]]] [map_krb5_error] (0x0020): 1808: [-1765328378][Client 'Falcas\@ORIGDOMAIN.COM@ORIGDOMAIN.NET' not found in Kerberos database]
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
(Thu May 31 15:24:12 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [child_sig_handler] (0x0100): child [7654] finished successfully.
(Thu May 31 15:24:12 2018) [sssd[be[origdomain.net]]] [sdap_sudo_load_sudoers_done] (0x0040): Received 0 sudo rules
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): domain: secdomain.net
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): user: falcas
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): rhost: 10.160.0.200
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7655
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): logon name: falcas@secdomain
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): domain: secdomain.net
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): user: Falcas@secdomain.net
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): rhost: 10.160.0.200
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 7655
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_print_data] (0x0100): logon name: falcas@secdomain
(Thu May 31 15:24:15 2018) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [dp_pam_handler] (0x0100): Got request with the following data
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): domain: secdomain.net
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): user: Falcas@secdomain.net
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): service: sshd
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): tty: ssh
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): ruser: 
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): rhost: 10.160.0.200
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): authtok type: 0
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): priv: 1
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): cli_pid: 7655
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [pam_print_data] (0x0100): logon name: not set
(Thu May 31 15:24:15 2018) [sssd[be[origdomain.net]]] [krb5_auth_send] (0x0020): Illegal zero-length authtok for user [Falcas@secdomain.net]
(Thu May 31 15:24:15 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.

The important part in the krb5_child.log is enterprise=true. Then, the strange-looking principal "Falcas\@ORIGDOMAIN.COM@ORIGDOMAIN.NET" means the user's principal name is Falcas@ORIGDOMAIN.COM in the realm ORIGDOMAIN.NET. Typically, this is the case if the userPrincipalName attribute on the LDAP side contains a UPN with a different realm (maybe realms were merged at one point..) than the usual realm in that domain.

Can you check what is the value of userPrincipalName of that user?

I don't know why the principal wouldn't be found if the UPN was set to a certain value. Does kinit work with the UPN from the command line? (You might need to add -C -E to kinit.)

I checked and the userPrincipalName is Falcas@origdomain.com

After adding the domain to /etc/krb5.conf I managed to log in with 'kinit -C -E falcas@secdomain.net'. I only added this:

[realms]
 SECDOMAIN.NET = {
 }
[domain_realm]
 secdomain.net = SECDOMAIN.NET
 .secdomain.net = SECDOMAIN.NET

sssd still tries to use "Falcas\@ORIGDOMAIN.COM@ORIGDOMAIN.NET"

Can I make sssd log in with the user provided (falcas@secdomain.net) instead of the UPN?

The conf file /etc/sssd/sssd.conf has only the origdomain defined.

Edited 14 days ago by cristi

Even after adding the SECDOMAIN to sssd.conf, krb5_child still tries to login with "Falcas\@ORIGDOMAIN.COM@ORIGDOMAIN.NET"

First, sssd should write the domain-realm mappings itself to a file in /var/lib/sss/pubconf/krb5.include.d. But depending on how you enrolled the client, this directory might not be included with an "includedir" directive from krb5.conf.

Second, as I said, the principal should be usable, I don't think there's anything wrong with it.

Finally, ignoring the UPN and letting SSSD construct the principal with the username@REALM fallback is possible by setting the ldap_user_principal option to a value that does not exist, so that SSSD does not find the UPN and falls back to the username@REALM value.
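As an added example (my own script, not code from this ticket or from SSSD), here is a small shell check that ties the replies together: it decodes the enterprise principal string krb5_child logged (the `\@` is the escaped `@` of the UPN, the part after the last `@` is the realm), tests whether a krb5.conf pulls in the snippets SSSD writes under /var/lib/sss/pubconf/krb5.include.d, and reads ldap_user_principal from an sssd.conf domain section. The config files below are constructed samples written to a temporary directory; the attribute name `nosuchattribute` is one I chose, any name that does not exist in AD will do.

```shell
#!/bin/sh
# Added example, not from the ticket or from SSSD itself. File paths are
# parameters so the checks can be run against copies of real configs.

# Split an unparsed Kerberos principal into name and realm. The realm is
# whatever follows the LAST '@'; an '@' inside the name is escaped as '\@',
# which is how an enterprise principal built from a UPN is written out.
# Prints "<name> <realm>" with the escape removed from the name.
decode_principal() {
    realm=${1##*@}
    name=${1%@*}
    name=$(printf '%s' "$name" | sed 's/\\@/@/g')
    printf '%s %s\n' "$name" "$realm"
}

# Return 0 if krb5.conf ($1) has an includedir line for the directory where
# SSSD writes its generated domain_realm mappings, 1 otherwise.
krb5_has_sss_includedir() {
    grep -Eq '^[[:space:]]*includedir[[:space:]]+/var/lib/sss/pubconf/krb5\.include\.d/?[[:space:]]*$' "$1"
}

# Print the ldap_user_principal value from [domain/$2] in sssd.conf ($1),
# or nothing if the option is not set in that section.
sssd_ldap_user_principal() {
    awk -v sect="[domain/$2]" '
        /^[ \t]*\[/ {
            line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
            insect = (line == sect); next
        }
        insect && /^[ \t]*ldap_user_principal[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# --- constructed samples -------------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# krb5.conf that maps only the joined domain and does not include the
# snippets SSSD generates for the other domains it discovers.
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = ORIGDOMAIN.NET
[realms]
 ORIGDOMAIN.NET = {
 }
[domain_realm]
 origdomain.net = ORIGDOMAIN.NET
 .origdomain.net = ORIGDOMAIN.NET
EOF

# Same file with the include line SSSD expects.
{ printf 'includedir /var/lib/sss/pubconf/krb5.include.d/\n'
  cat "$tmp/krb5.conf"; } > "$tmp/krb5.fixed.conf"

# sssd.conf as the reporter described it: only the joined domain, UPN honoured.
cat > "$tmp/sssd.conf" <<'EOF'
[sssd]
domains = origdomain.net
services = nss, pam

[domain/origdomain.net]
id_provider = ad
access_provider = ad
EOF

# Workaround from the last reply: point ldap_user_principal at an attribute
# that does not exist, so no UPN is found and user@REALM is used instead.
{ cat "$tmp/sssd.conf"
  printf 'ldap_user_principal = nosuchattribute\n'; } > "$tmp/sssd.fixed.conf"

# --- run the checks -------------------------------------------------------
printf 'logged principal -> %s\n' \
    "$(decode_principal 'Falcas\@ORIGDOMAIN.COM@ORIGDOMAIN.NET')"
for f in krb5.conf krb5.fixed.conf; do
    if krb5_has_sss_includedir "$tmp/$f"; then
        echo "$f: includes SSSD snippets from krb5.include.d"
    else
        echo "$f: MISSING includedir for /var/lib/sss/pubconf/krb5.include.d"
    fi
done
for f in sssd.conf sssd.fixed.conf; do
    v=$(sssd_ldap_user_principal "$tmp/$f" origdomain.net)
    echo "$f: ldap_user_principal=${v:-<unset, UPN from AD is used>}"
done
```

Run it against the real files by calling the functions with /etc/krb5.conf and /etc/sssd/sssd.conf (reading sssd.conf needs root). Note that the ldap_user_principal workaround only changes which principal SSSD asks the KDC for; it does nothing about a UPN realm the KDC itself does not know.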
