https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186
--- Comment #45 from Cy Schubert <[email protected]> ---

How did you add the FreeBSD servers to the FreeIPA Kerberos realm? After you added the host principals to the Kerberos realm, did you export (using xst in kadmin) the principals to keytab files and copy those files to each FreeBSD server? FreeIPA includes an ipa-join command to join (like an Active Directory join) the servers to the Kerberos realm. If you have not done this you will never be able to use a TGT to log into those servers. This is true of all vanilla KRB5s (MIT and Heimdal). In MIT one needs to ank -randkey xst host/[email protected], then -randkey host/[email protected]. In Active Directory one needs to (using winbind) net ads join. I see in FreeIPA one needs to run ipa-join. ipa-join is a Linux ELF binary. Did you copy that binary to the FreeBSD servers and run it under Linux emulation (which I doubt will work properly), or did you manage to join the servers to the realm in a different way?

For example, you will need a host principal like the one for a server in my Kerberos realm.

    kadmin: getprinc host/slippy
    Principal: host/[email protected]
    Expiration date: [never]
    Last password change: Mon Aug 14 20:21:24 PDT 2017
    Password expiration date: [never]
    Maximum ticket life: 0 days 10:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Mon Aug 14 20:21:24 PDT 2017 (root/[email protected])
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 4
    Key: vno 3, DEPRECATED:des3-cbc-sha1
    Key: vno 3, DEPRECATED:arcfour-hmac
    Key: vno 3, aes128-cts-hmac-sha1-96
    Key: vno 3, aes256-cts-hmac-sha1-96
    MKey: vno 1
    Attributes:
    Policy: [none]

The above is a host principal for one of the machines in my realm. Below is its keytab:

    ktutil: rkt /etc/krb5.keytab
    ktutil: l
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    3 ftp/[email protected]
       2    3 ftp/[email protected]
       3    3 ftp/[email protected]
       4    3 ftp/[email protected]
       5    3 ftp/[email protected]
       6    3 ftp/[email protected]
       7    3 ftp/[email protected]
       8    3 ftp/[email protected]
       9    3 ftp/[email protected]
      10    3 ftp/[email protected]
      11    3 ftp/[email protected]
      12    3 ftp/[email protected]
      13    3 ftp/[email protected]
      14    3 ftp/[email protected]
      15    3 ftp/[email protected]
      16    3 ftp/[email protected]
      17    3 ftp/[email protected]
      18    3 ftp/[email protected]
      19    3 ftp/[email protected]
      20    3 ftp/[email protected]
      21    3 ftp/[email protected]
      22    3 ftp/[email protected]
      23    3 ftp/[email protected]
      24    3 ftp/[email protected]
      25    3 ftp/[email protected]
      26    3 ftp/[email protected]
      27    3 ftp/[email protected]
      28    3 ftp/[email protected]
      29    3 ftp/[email protected]
      30    3 ftp/[email protected]
      31    3 ftp/[email protected]
      32    3 ftp/[email protected]
      33    3 host/[email protected]
      34    3 host/[email protected]
      35    3 host/[email protected]
      36    3 host/[email protected]
      37    3 host/[email protected]
      38    3 host/[email protected]
      39    3 host/[email protected]
      40    3 host/[email protected]
      41    3 host/[email protected]
      42    3 host/[email protected]
      43    3 host/[email protected]
      44    3 host/[email protected]
      45    3 host/[email protected]
      46    3 host/[email protected]
      47    3 host/[email protected]
      48    3 host/[email protected]
      49    3 host/[email protected]
      50    3 host/[email protected]
      51    3 host/[email protected]
      52    3 host/[email protected]
      53    3 host/[email protected]
      54    3 host/[email protected]
      55    3 host/[email protected]
      56    3 host/[email protected]
      57    3 host/[email protected]
      58    3 host/[email protected]
      59    3 host/[email protected]
      60    3 host/[email protected]
      61    3 host/[email protected]
      62    3 host/[email protected]
      63    3 host/[email protected]
      64    3 host/[email protected]
      65    3 kadmin/[email protected]
      66    3 kadmin/[email protected]
      67    3 kadmin/[email protected]
      68    3 kadmin/[email protected]
      69    3 kiprop/[email protected]
      70    3 kiprop/[email protected]
      71    3 kiprop/[email protected]
      72    3 kiprop/[email protected]
    ktutil:

Notice I have principals for each service offered on this machine, for each key, deprecated and valid keys. (My KDC database is cluttered with keys as it was originally created in 1995 and exported and imported multiple times as the database format was updated and re-encrypted using more secure ciphers over the years.) You should see the same in your KDC, and you should also be able to load and list the contents of your keytab (unless FreeIPA behaves the same as Active Directory, stashing this in the winbind, or whatever FreeIPA uses, cache). Without adding host principals to your realm and saving a copy of those principals in that server's keytab you will never, even under MIT KRB5 or Heimdal KRB5, be able to log into those servers using a TGT.

Does FreeIPA also use its LDAP directory like Active Directory does? Because one cannot use MIT KRB5 natively with Active Directory, and if FreeIPA behaves the same then one would need to port the entire FreeIPA software stack to FreeBSD. Trying FreeIPA out on a Fedora box, its similarities with Active Directory are noticeable.

-- 
You are receiving this mail because:
You are the assignee for the bug.
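The check the comment above describes, written as an added example that is not part of the bug report: parse the `kadmin: getprinc` and `ktutil: l` output formats shown there and confirm that the server's keytab holds a host/ principal whose KVNO matches the KDC's current key version. The sample outputs, the host name slippy.example.org and the realm EXAMPLE.ORG are constructed for the example.

```python
"""Verify a host keytab against the KDC's view of the host principal.

Inputs are constructed samples in the formats of `kadmin: getprinc` and
`ktutil: l` (MIT Kerberos); they are not from the bug report."""
import re
from collections import defaultdict

# Constructed sample of `kadmin: getprinc host/slippy` output (realm assumed).
GETPRINC_OUTPUT = """\
Principal: host/slippy.example.org@EXAMPLE.ORG
Expiration date: [never]
Number of keys: 2
Key: vno 3, aes128-cts-hmac-sha1-96
Key: vno 3, aes256-cts-hmac-sha1-96
"""

# Constructed sample of `ktutil: l` after `rkt /etc/krb5.keytab`; slot 3 holds
# a stale key version left over from an earlier export.
KTUTIL_LIST = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 ftp/slippy.example.org@EXAMPLE.ORG
   2    3 host/slippy.example.org@EXAMPLE.ORG
   3    2 host/slippy.example.org@EXAMPLE.ORG
   4    3 kadmin/changepw@EXAMPLE.ORG
"""

def parse_getprinc(text):
    """Return (principal, set of key vnos) from kadmin getprinc output."""
    principal = re.search(r"^Principal:\s+(\S+)", text, re.M).group(1)
    vnos = {int(v) for v in re.findall(r"^Key: vno (\d+),", text, re.M)}
    return principal, vnos

def parse_ktutil_list(text):
    """Map each principal in a ktutil listing to the set of KVNOs stored for it."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\d+)\s+(\S+)$", line)  # slot KVNO principal
        if m:
            entries[m.group(3)].add(int(m.group(2)))
    return dict(entries)

def check_host_keytab(fqdn, realm, getprinc_text, ktutil_text):
    """Return (ok, message); ok only if the keytab has host/<fqdn>@<realm>
    with at least one KVNO the KDC currently lists for that principal."""
    wanted = f"host/{fqdn}@{realm}"
    kdc_principal, kdc_vnos = parse_getprinc(getprinc_text)
    keytab = parse_ktutil_list(ktutil_text)
    if kdc_principal != wanted:
        return False, f"KDC returned {kdc_principal}, expected {wanted}"
    if wanted not in keytab:
        return False, f"{wanted} missing from keytab; TGT logins to this host will fail"
    if not kdc_vnos & keytab[wanted]:
        return False, f"KVNO mismatch: KDC {sorted(kdc_vnos)}, keytab {sorted(keytab[wanted])}"
    return True, f"{wanted} present with matching KVNO {sorted(kdc_vnos & keytab[wanted])}"
```

A real run would feed the function the captured output of `kadmin -q "getprinc host/<fqdn>"` and of `ktutil` (`rkt` then `l`) on the server being checked.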
