Authentication with sssd and kerberos - Authentication failure


I am hoping somebody here can help me. I am trying to authenticate with kerberos. If I use kinit I get a valid ticket if I try

sssctl user-checks -a=auth robin

I get

user: robin@xxx.yyy.zzz
action: auth
service: system-auth

SSSD nss user lookup result:
 - user name: robin
 - user id: 5001
  - group id: 5001
  - gecos: robin
  - home directory: /home/robin
  - shell: /bin/bash

 SSSD InfoPipe user lookup result:
   - name: robin
   - uidNumber: 5001
   - gidNumber: 5001
   - gecos: robin
   - homeDirectory: /home/robin
   - loginShell: /bin/bash

 testing pam_authenticate

  pam_authenticate for user [robin@xxx.yyyy.zzz]: Authentication failure
 PAM Environment:

My configuration file fore sssd is the following

config_file_version = 2
domains = xxx.yyy.zzz
services = nss, pam

 debug_level = 5

id_provider = ldap
ldap_uri = ldap://
ldap_search_base = dc=xxx,dc=yyy,dc=zzz
ldap_schema = rfc2307bis

auth_provider = krb5
krb5_server =
krb5_kpasswd =
krb5_realm = XXX.YYY.ZZZ
krb5_map_user = robin:robin

chpass_provider = none



filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300

reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

Actual domain was replaced by xxx.yyy.zzz. I am using Fedora 32 and have no more ideas how to fix the problem and would appreciate any help and hints you can give me.

Thank you

1 Like

Is that Samba DC, or AD DC, or something else?

No, it’s only ldap and kerberos. Previously I only used kerberos and the user information was located in the passwd file. But this seams no longer possible (at least that is what the internet told me :wink: ). I need a kerberos ticket for the user for a nfs share and ssh.

1 Like

Hi Robin,

Which of the config files is the one you included? To wit, are you using nsswitch or realmd? What’s the LDAP server? Was this setup working before and stopped or are you trying to configure a new machine? If it’s a new machine, has the host been enrolled in the domain server? Most domain servers (LDAP, IPA or AD) will require that the host be configured as a client before your login will work from that machine.

I get similar results except for authentication success on my test against a current FreeIPA server.