SSSD AD login fails in RHEL 6

Hi Team,

I am a new member of this group and of course this is my first post. :)

I have configured SSSD manually by updating sssd.conf, smb.conf and krb5.conf. I used authconfig to update the PAM files and also did it manually.
The system joins the domain but AD user login fails.
While running, sometimes I get the error "Kerberos pre-authentication failed"; sometimes it joins without error. But both times AD login fails.


KRB5.CONF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

WIPRO.COM = {
 kdc = sss.test.com
 admin_server = sss.test.com
}

[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM


SSSD.CONF
config_file_version = 2

# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3

# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam

# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = TEST.COM
#domains = LOCAL
[domain/TETS.COM]
id_provider = ad
access_provider = ad
ldap_schema = ad
override_homedir = /home/%d/%u
ldap_id_mapping = false

[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

# The entry_cache_nowait_percentage indicates the percentage of the
# entry_cache_timeout to wait before updating the cache out-of-band.
# (NSS requests will still be returned from cache until the full
# entry_cache_timeout). Setting this value to 0 turns this feature
# off (default).
; entry_cache_nowait_percentage = 300

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5



SMB.CONF
[global]
#--authconfig--start-line--

# Generated by authconfig on 2017/02/07 12:37:55
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = TETS
   password server = *
   realm = TEST.COM
   security = ads
   idmap config * : range = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = false
   winbind offline logon = false

As part of troubleshooting, I have tried SSSD debug mode etc. The major error message I get is related to Kerberos. Hope this forum gives me success.

Regards
Pavan
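
An added example, not part of the original post: a small Python check that cross-references the realm and domain names that krb5.conf, sssd.conf and smb.conf are expected to agree on. The function names and the choice of checks are this example's own assumptions; the sample input is excerpted from the files as posted above.

```python
import re

def _values(text, key):
    """Values assigned to `key`; commented-out lines (# or ;) do not match."""
    return re.findall(r"^[ \t]*" + re.escape(key) + r"[ \t]*=[ \t]*(.+?)[ \t]*$", text, re.M)

def check_names(krb5, sssd, smb):
    """Cross-check realm/domain names across the three files; return findings."""
    findings = []
    realm = (_values(krb5, "default_realm") or [""])[0]
    # krb5.conf realm definitions open with "NAME = {".
    blocks = re.findall(r"^[ \t]*([\w.-]+)[ \t]*=[ \t]*\{", krb5, re.M)
    if realm not in blocks:
        findings.append(f"krb5.conf: default_realm {realm} has no realm block, found {blocks}")
    # Each name listed in sssd.conf "domains" needs its own [domain/NAME] section.
    sections = re.findall(r"^[ \t]*\[domain/([^\]]+)\]", sssd, re.M)
    for value in _values(sssd, "domains"):
        for name in (n.strip() for n in value.split(",")):
            if name not in sections:
                findings.append(f"sssd.conf: domains lists {name}, sections are {sections}")
    # smb.conf "realm" is expected to name the same Kerberos realm.
    for smb_realm in _values(smb, "realm"):
        if smb_realm.upper() != realm.upper():
            findings.append(f"smb.conf: realm {smb_realm} differs from default_realm {realm}")
    return findings

# Excerpts of the three files as posted above.
KRB5 = """[libdefaults]
 default_realm = TEST.COM
WIPRO.COM = {
 kdc = sss.test.com
}
"""
SSSD = """domains = TEST.COM
#domains = LOCAL
[domain/TETS.COM]
id_provider = ad
"""
SMB = """[global]
   workgroup = TETS
   realm = TEST.COM
"""

if __name__ == "__main__":
    for finding in check_names(KRB5, SSSD, SMB):
        print(finding)
```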