Authentication with sssd and kerberos - Authentication failure


I am hoping somebody here can help me. I am trying to authenticate with kerberos. If I use kinit, I get a valid ticket. If I try

sssctl user-checks -a=auth robin

I get

user: robin@xxx.yyy.zzz
action: auth
service: system-auth

SSSD nss user lookup result:
 - user name: robin
 - user id: 5001
  - group id: 5001
  - gecos: robin
  - home directory: /home/robin
  - shell: /bin/bash

 SSSD InfoPipe user lookup result:
   - name: robin
   - uidNumber: 5001
   - gidNumber: 5001
   - gecos: robin
   - homeDirectory: /home/robin
   - loginShell: /bin/bash

 testing pam_authenticate

  pam_authenticate for user [robin@xxx.yyyy.zzz]: Authentication failure
 PAM Environment:

My configuration file for sssd is the following:

config_file_version = 2
domains = xxx.yyy.zzz
services = nss, pam

 debug_level = 5

id_provider = ldap
ldap_uri = ldap://
ldap_search_base = dc=xxx,dc=yyy,dc=zzz
ldap_schema = rfc2307bis

auth_provider = krb5
krb5_server =
krb5_kpasswd =
krb5_realm = XXX.YYY.ZZZ
krb5_map_user = robin:robin

chpass_provider = none



filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300

reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

Actual domain was replaced by xxx.yyy.zzz. I am using Fedora 32 and have no more ideas how to fix the problem and would appreciate any help and hints you can give me.

Thank you


Is that Samba DC, or AD DC, or something else?

No, it’s only ldap and kerberos. Previously I only used kerberos and the user information was located in the passwd file. But this seems no longer possible (at least that is what the internet told me :wink: ). I need a kerberos ticket for the user for an nfs share and ssh.
