On Tue, Nov 22, 2016 at 11:17:37AM -0500, Chris Dagdigian wrote:
>
> Sumit Bose wrote:
> > Please send the full krb5_child.log with debug_level=10 in the
> > [domain/...] section of sssd.conf. My current guess is the ticket
> > validation fails. Which version of SSSD are you using?
> >
> > bye,
> > Sumit
>
> This is a CentOS 7 client running SSSD-1.13
>
> Thank you. Lots of interesting info in this log. I've sanitized hostnames,
> username and IP but that was it:
>
> ### log data below ####
>
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [main] (0x0400): krb5_child started.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [unpack_buffer] (0x1000): total buffer size: [158]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [unpack_buffer] (0x0100): cmd [241] uid [1843770609] gid [1843770609] validate [true] enterprise principal [false] offline [false] UPN [[email protected]]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:1843770609] old_ccname: [KEYRING:persistent:1843770609] keytab: [/etc/krb5.keytab]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [switch_creds] (0x0200): Switch user to [1843770609][1843770609].
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [switch_creds] (0x0200): Switch user to [0][0].
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:1843770609] and is not active and TGT is valid.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/[email protected]]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/[email protected] in keytab.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [match_principal] (0x1000): Principal matched to the sample (host/[email protected]).
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [become_user] (0x0200): Trying to become user [1843770609][1843770609].
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [main] (0x2000): Running as [1843770609][1843770609].
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [k5c_setup] (0x2000): Running as [1843770609][1843770609].
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [main] (0x0400): Will perform online auth
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [COMPANY.ORG]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.899271: Getting initial credentials for [email protected]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.899337: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_company-idm.org
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.899368: Retrieving host/[email protected] -> krb5_ccache_conf_data/fast_avail/krbtgt\/COMPANY.ORG\@COMPANY.ORG@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_company-idm.org with result: -1765328243/Matching credential not found
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.899415: Sending request (169 bytes) to COMPANY.ORG
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.899575: Resolving hostname COMPANY.ORG
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.900935: Initiating TCP connection to stream 192.141.1.15:88
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.987925: Sending TCP request to stream 192.141.1.15:88
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.75357: Received answer (118 bytes) from stream 192.141.1.15:88
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.75404: Terminating TCP connection to stream 192.141.1.15:88
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.75502: Response was from master KDC
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.75529: Received error from KDC: -1765328316/Realm not local to KDC
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.75544: Following referral to realm NAFTA.COMPANY.ORG
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.75559: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_company-idm.org
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.75586: Retrieving host/[email protected] -> krb5_ccache_conf_data/fast_avail/krbtgt\/NAFTA.COMPANY.ORG\@NAFTA.COMPANY.ORG@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_company-idm.org with result: -1765328243/Matching credential not found
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.75621: Sending request (181 bytes) to NAFTA.COMPANY.ORG
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.81119: Resolving hostname usetwadsfsmo03.nafta.COMPANY.ORG.
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.81947: Sending initial UDP request to dgram 192.189.131.30:88
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.99200: Received answer (205 bytes) from dgram 192.189.131.30:88
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.100064: Response was not from master KDC
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.100103: Received error from KDC: -1765328359/Additional pre-authentication required
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.100136: Processing preauth types: 16, 15, 19, 2
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.100155: Selected etype info: etype aes256-cts, salt "NAFTA.COMPANY.ORGusername", params ""
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.108691: AS key obtained for encrypted timestamp: aes256-cts/3D3B
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.108766: Encrypted timestamp (for 1479830568.478875): plain 301AA011180F32303136313132323136303234385AA1050203074E9B, encrypted 133359586FCB362BF70E6CC90D509C68D6B19903CE0113AD37826E22256090F77B2B7F0BE410C1D7E72F890C437A77FE4BE1DA21848F6209
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.108787: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.108794: Produced preauth for next request: 2
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.108829: Sending request (260 bytes) to NAFTA.COMPANY.ORG
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.114751: Resolving hostname usetwadsfsmo03.nafta.COMPANY.ORG.
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.115601: Sending initial UDP request to dgram 192.189.131.30:88
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.133353: Received answer (108 bytes) from dgram 192.189.131.30:88
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.134326: Response was not from master KDC
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.134360: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.134370: Request or response is too big for UDP; retrying with TCP
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.134379: Sending request (260 bytes) to NAFTA.COMPANY.ORG (tcp only)
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.137246: Resolving hostname friawadsgc12.nafta.COMPANY.ORG.
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.138084: Initiating TCP connection to stream 192.141.1.52:88
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.224054: Sending TCP request to stream 192.141.1.52:88
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.311440: Received answer (2178 bytes) from stream 192.141.1.52:88
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.311483: Terminating TCP connection to stream 192.141.1.52:88
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312325: Response was not from master KDC
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312369: Processing preauth types: 19
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312381: Selected etype info: etype aes256-cts, salt "NAFTA.COMPANY.ORGusername", params ""
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312390: Produced preauth for next request: (empty)
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312401: AS key determined by preauth: aes256-cts/3D3B
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312459: Decrypted AS reply; session key is: aes256-cts/43A1
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312498: FAST negotiation: unavailable
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [3966060]
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry.
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312579: Retrieving host/[email protected] from MEMORY:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312588: Resolving unique ccache of type MEMORY
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312602: Initializing MEMORY:Fnv4hCg with default princ [email protected]
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312621: Storing [email protected] -> krbtgt/[email protected] in MEMORY:Fnv4hCg
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312642: Getting credentials [email protected] -> host/[email protected] using ccache MEMORY:Fnv4hCg
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312668: Retrieving [email protected] -> host/[email protected] from MEMORY:Fnv4hCg with result: -1765328243/Matching credential not found
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312683: Retrieving [email protected] -> krbtgt/[email protected] from MEMORY:Fnv4hCg with result: -1765328243/Matching credential not found
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312698: Retrieving [email protected] -> krbtgt/[email protected] from MEMORY:Fnv4hCg with result: 0/Success
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312706: Starting with TGT for client realm: [email protected] -> krbtgt/[email protected]
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312721: Retrieving [email protected] -> krbtgt/[email protected] from MEMORY:Fnv4hCg with result: -1765328243/Matching credential not found
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312729: Requesting TGT krbtgt/[email protected] using TGT krbtgt/[email protected]
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312747: Generated subkey for TGS request: aes256-cts/57A1
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312787: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312840: Encoding request body and padata into FAST request
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312894: Sending request (2313 bytes) to NAFTA.COMPANY.ORG
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.318783: Resolving hostname friawadsgc02.nafta.COMPANY.ORG.
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.319777: Sending initial UDP request to dgram 192.141.1.11:88
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.406882: Received answer (105 bytes) from dgram 192.141.1.11:88
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.407810: Response was not from master KDC
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.407847: TGS request result: -1765328377/Server not found in Kerberos database
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.407869: Destroying ccache MEMORY:Fnv4hCg
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/[email protected]].

ok, it is the ticket validation which fails. You can get around this for
testing by setting 'krb5_validate = false' in the [domain/...] section
of sssd.conf. But please use this only for testing because this error
indicates that there are issues in your setup/configuration.

But your host principal host/[email protected] looks odd as well. Why
is the host in the AD DNS domain, this calls for trouble. Additionally I
wonder why the realm part '@company-idm.org' was created in lower-case
while joining the IPA this should be created upper-case. Or is this all
due to sanitation?

> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [get_and_save_tgt] (0x0020): 1242: [-1765328377][Server not found in Kerberos database]
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [map_krb5_error] (0x0020): 1303: [-1765328377][Server not found in Kerberos database]
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [k5c_send_data] (0x0200): Received error code 1432158209
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [pack_response_packet] (0x2000): response packet size: [20]
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [k5c_send_data] (0x4000): Response sent.
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [main] (0x0400): krb5_child completed successfully
> [root@usaeilvdip001 sssd]#
>

The logs indicate that the user actually comes from the member domain in
the forest: [email protected]. But the [capath] section you added to
krb5.conf only contains the forest root.

> COMPANY-AWS.ORG = {
>     COMPANY-IDM.ORG = COMPANY-AWS.ORG
> }
> COMPANY-IDM.ORG = {
>     COMPANY-AWS.ORG = COMPANY-AWS.ORG
> }

Please try to add the member domain as well. The result might look like
this: (assuming COMPANY-AWS is the forest root, NAFTA is the member
domain and COMPANY-IDM is the IPA domain)

    COMPANY-AWS.ORG = {
        COMPANY-IDM.ORG = COMPANY-AWS.ORG
    }
    COMPANY-IDM.ORG = {
        COMPANY-AWS.ORG = COMPANY-AWS.ORG
        NAFTA.COMPANY.ORG = COMPANY-AWS.ORG
    }
    NAFTA.COMPANY.ORG = {
        COMPANY-IDM.ORG = COMPANY-AWS.ORG
    }

You can test the configuration independent of SSSD by calling

    kdestroy -A
    kinit [email protected]
    kvno host/[email protected]

If kvno returns an error please rerun as

    KRB5_TRACE=/dev/stdout kvno host/[email protected]

and send the output.

HTH

bye,
Sumit

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
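
Added example, not part of the original message and not SSSD or MIT krb5 code: a small offline check that parses the two [capaths] layouts quoted above and reports whether a transit path is listed between the member-domain user realm and the IPA realm. The function names and the simplified parser (one relation per line, no includes) are assumptions made for illustration.

```python
import re

# Constructed from the two [capaths] layouts quoted in the message above.
BEFORE = """\
COMPANY-AWS.ORG = {
    COMPANY-IDM.ORG = COMPANY-AWS.ORG
}
COMPANY-IDM.ORG = {
    COMPANY-AWS.ORG = COMPANY-AWS.ORG
}
"""
AFTER = """\
COMPANY-AWS.ORG = {
    COMPANY-IDM.ORG = COMPANY-AWS.ORG
}
COMPANY-IDM.ORG = {
    COMPANY-AWS.ORG = COMPANY-AWS.ORG
    NAFTA.COMPANY.ORG = COMPANY-AWS.ORG
}
NAFTA.COMPANY.ORG = {
    COMPANY-IDM.ORG = COMPANY-AWS.ORG
}
"""

def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate realms]}}."""
    paths, client = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*(\S+)", line)
        if line == "}":                        # closes the client-realm block
            client = None
        elif not m:
            raise ValueError(f"cannot parse capaths line: {raw!r}")
        elif m.group(2) == "{":                # opens a client-realm block
            client = m.group(1)
            paths.setdefault(client, {})
        elif client is None:
            raise ValueError(f"relation outside a realm block: {raw!r}")
        else:
            hops = paths[client].setdefault(m.group(1), [])
            if m.group(2) != ".":              # "." means direct, no intermediates
                hops.append(m.group(2))
    return paths

def transit_path(paths, client_realm, server_realm):
    """Intermediates listed for client -> server, or None if there is no entry.

    Realm names are compared case-sensitively, as Kerberos does.
    """
    return paths.get(client_realm, {}).get(server_realm)

def check(text, pairs):
    """Map each (client, server) pair to its configured path (None = missing)."""
    paths = parse_capaths(text)
    return {pair: transit_path(paths, *pair) for pair in pairs}

# Realm pairs taken from the thread: AD member-domain user <-> IPA realm.
PAIRS = [("NAFTA.COMPANY.ORG", "COMPANY-IDM.ORG"),
         ("COMPANY-IDM.ORG", "NAFTA.COMPANY.ORG")]
```

`check(BEFORE, PAIRS)` returns `None` for both directions, while `check(AFTER, PAIRS)` lists `COMPANY-AWS.ORG` as the intermediate realm for each.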
