Kerberos credential cache missing service principal after installing adsys
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
krb5 (Ubuntu) | Confirmed | Medium | Heitor Alves de Siqueira |
Bug Description
After installing adsys, login using a domain user fails. This seems to be related to the credential cache missing a service principal for specific domains, as demonstrated by testing below:
ubuntu@
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
cli_credentials
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_
gensec_
gensec_update_send: spnego[
gensec_update_done: spnego[
Failed to bind - LDAP client internal error: NT_STATUS_
Failed to connect to 'ldap:/
Failed to connect to ldap://
Using a fresh kinit works:
ubuntu@
Password for <email address hidden>:
ubuntu@
Comparing the credential caches:
ubuntu@
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <email address hidden>
Valid starting Expires Service principal
07/26/23 13:28:03 07/26/23 23:28:03 <email address hidden>
renew until 07/27/23 13:28:01
07/26/23 13:28:41 07/26/23 23:28:03 <email address hidden>
renew until 07/27/23 13:28:01
ubuntu@
Ticket cache: FILE:/tmp/
Default principal: <email address hidden>
Valid starting Expires Service principal
07/26/23 13:16:48 07/26/23 23:16:48 <email address hidden>
renew until 07/27/23 13:16:48
I think you'll find that the missing service principal is a symptom, not
a cause.
In particular, if you run klist after kinit but before the ldapsearch,
you'll find that the service principal is created by the ldapsearch
call (when it works).
You're going to need better debugging out of the spnego mechanism you
are using to figure out what's going wrong.
--Sam
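The check Sam describes, done programmatically, as an added example that is not part of the bug report and is not code from krb5 or adsys. A Kerberos client only asks the KDC for a service ticket (a TGS request) when it first needs one, so a cache straight out of kinit normally holds just the krbtgt entry and the ldap/<dc> entry appears only once ldapsearch's GSSAPI bind has run. The script parses two constructed klist dumps in the same layout as the ones above and classifies each with respect to a given service; the realm EXAMPLE.COM, the principal ubuntu@EXAMPLE.COM, the host dc1.example.com and the cache paths are placeholders, since the report hides the real values, and it assumes the service lives in the user's own realm and the default klist date format shown in the report.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample klist output (placeholders, not the report's real caches).
# Cache after kinit followed by a successful GSSAPI ldapsearch: TGT plus ldap/ ticket.
CACHE_AFTER_LDAPSEARCH = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ubuntu@EXAMPLE.COM

Valid starting     Expires            Service principal
07/26/23 13:28:03  07/26/23 23:28:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 07/27/23 13:28:01
07/26/23 13:28:41  07/26/23 23:28:03  ldap/dc1.example.com@EXAMPLE.COM
\trenew until 07/27/23 13:28:01
"""

# Cache straight after kinit, before any service has been contacted: TGT only.
CACHE_AFTER_KINIT_ONLY = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubuntu@EXAMPLE.COM

Valid starting     Expires            Service principal
07/26/23 13:16:48  07/26/23 23:16:48  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 07/27/23 13:16:48
"""

# Date layout assumed to match the report (MM/DD/YY HH:MM:SS); klist follows the locale.
FMT = "%m/%d/%y %H:%M:%S"
TICKET_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$")
RENEW_RE = re.compile(r"^\s*renew until (\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s*$")


@dataclass
class Ticket:
    service: str            # service principal, e.g. ldap/dc1.example.com@EXAMPLE.COM
    valid_from: datetime
    expires: datetime
    renew_until: Optional[datetime]


def parse_klist(text: str) -> Tuple[str, List[Ticket]]:
    """Return (default principal, tickets) from default-format `klist` output."""
    principal = ""
    tickets: List[Ticket] = []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(m.group(3),
                                  datetime.strptime(m.group(1), FMT),
                                  datetime.strptime(m.group(2), FMT), None))
            continue
        m = RENEW_RE.match(line)
        if m and tickets:  # "renew until" belongs to the ticket on the previous line
            tickets[-1].renew_until = datetime.strptime(m.group(1), FMT)
    return principal, tickets


def diagnose(text: str, service: str, now: datetime) -> str:
    """Classify a cache with respect to `service` (e.g. 'ldap/dc1.example.com').

    Returns one of:
      'no-tgt'          no krbtgt entry at all: kinit (or the login PAM stack) never ran
      'tgt-expired'     TGT present but past its expiry
      'tgt-only'        TGT valid, service ticket not yet requested: expected before first use
      'service-expired' service ticket present but expired
      'service-ticket'  valid service ticket present: the TGS exchange for it succeeded
    Assumes the service is in the user's own realm (no cross-realm referral).
    """
    principal, tickets = parse_klist(text)
    realm = principal.rsplit("@", 1)[1]
    tgts = [t for t in tickets if t.service == f"krbtgt/{realm}@{realm}"]
    if not tgts:
        return "no-tgt"
    if all(t.expires <= now for t in tgts):
        return "tgt-expired"
    svc = [t for t in tickets if t.service == f"{service}@{realm}"]
    if not svc:
        return "tgt-only"
    if all(t.expires <= now for t in svc):
        return "service-expired"
    return "service-ticket"


if __name__ == "__main__":
    now = datetime(2023, 7, 26, 14, 0, 0)  # constructed "current time" inside both validity windows
    for name, cache in (("kinit only", CACHE_AFTER_KINIT_ONLY), ("after ldapsearch", CACHE_AFTER_LDAPSEARCH)):
        print(f"{name:17s}: {diagnose(cache, 'ldap/dc1.example.com', now)}")
```

Run against a live cache with `klist | python3 klist_check.py`-style piping by reading stdin instead of the constants; the point of the classifier is that 'tgt-only' right after kinit is the healthy state, and the thing to debug is why the GSSAPI bind never completes the TGS exchange that would turn it into 'service-ticket'.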