On Thu, May 25, 2017 at 04:55:16PM -0400, Jake via FreeIPA-users wrote:
> Hey Guys,
>
> Centos7.3
> FreeIPA 4.4.0
>
>
> I'm having a strange issue with cross-realm tickets that I'm having a hard
> time troubleshooting. It looks similar to an issue posted back in 2014,
> https://www.redhat.com/archives/freeipa-users/2014-October/msg00207.html, but
> this routes file seems to exist.
>
> My setup:
>
> example.org = legacy (all users exist here) (transitive trust with example.com)
> example.com = forest root (transitive trust with example.com)
> ipa.example.com = ipa domain (one-way trust with example.com & example.org) with route filters.
> ad.example.com = domain in forest for servers/users
Is example.org a forest on its own or is it part of the example.com
forest?
bye,
Sumit
>
> If I get a kerberos ticket on a non-ipa joined client with kinit as a user @
> legacy, I can use kerberos to authenticate.
>
> If I log into an ipa-joined server on ipa.example.com as a user @ legacy and
> attempt to use kerberos auth to another server, I received this error:
>
> debug3: authmethod_lookup gssapi-keyex
> debug3: remaining preferred: gssapi-with-mic,keyboard-interactive
> debug3: authmethod_is_enabled gssapi-keyex
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: keyboard-interactive
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Delegating credentials
> debug1: Delegating credentials
> debug1: Unspecified GSS failure. Minor code may provide more information
> Illegal cross-realm ticket
>
>
> Any help would be appreciated, I checked capaths and it looks correct.
>
> cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com
> [domain_realm]
> .EXAMPLE.COM = EXAMPLE.COM
> EXAMPLE.COM = EXAMPLE.COM
> .AD.EXAMPLE.COM = AD.EXAMPLE.COM
> AD.EXAMPLE.COM = AD.EXAMPLE.COM
> .EXAMPLE.ORG = EXAMPLE.ORG
> EXAMPLE.ORG = EXAMPLE.ORG
> [capaths]
> EXAMPLE.COM = {
> IPA.EXAMPLE.COM = EXAMPLE.COM
> }
> AD.EXAMPLE.COM = {
> IPA.EXAMPLE.COM = EXAMPLE.COM
> }
> EXAMPLE.ORG = {
> IPA.EXAMPLE.COM = EXAMPLE.ORG
> }
> IPA.EXAMPLE.COM = {
> EXAMPLE.COM = EXAMPLE.COM
> AD.EXAMPLE.COM = EXAMPLE.COM
> EXAMPLE.ORG = EXAMPLE.ORG
> }
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
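Added example (mine, not code from the thread, sssd or MIT krb5): a simplified model of how MIT krb5 resolves the [capaths] fragment posted above, assuming one hop per tag, "." or the server realm named as its own hop meaning a direct path, and the realm-name-tree fallback when no entry exists. It shows which transited realm list each client/server realm pair is expected to carry.

```python
# Constructed copy of the [capaths] block from the posted krb5.include.d fragment.
CAPATHS_CONF = """[capaths]
EXAMPLE.COM = {
  IPA.EXAMPLE.COM = EXAMPLE.COM
}
AD.EXAMPLE.COM = {
  IPA.EXAMPLE.COM = EXAMPLE.COM
}
EXAMPLE.ORG = {
  IPA.EXAMPLE.COM = EXAMPLE.ORG
}
IPA.EXAMPLE.COM = {
  EXAMPLE.COM = EXAMPLE.COM
  AD.EXAMPLE.COM = EXAMPLE.COM
  EXAMPLE.ORG = EXAMPLE.ORG
}"""

def parse_capaths(text):
    """{client_realm: {server_realm: [hop, ...]}} from [capaths]; repeated tags append hops in order."""
    capaths, section, client = {}, None, None
    for line in (raw.split('#', 1)[0].strip() for raw in text.splitlines()):
        if line.startswith('['):
            section = line.lower()
        elif section != '[capaths]' or not line:
            continue
        elif line == '}':
            client = None
        elif line.endswith('{'):
            client = line.split('=')[0].strip()
            capaths.setdefault(client, {})
        elif client and '=' in line:
            tag, value = (s.strip() for s in line.split('=', 1))
            capaths[client].setdefault(tag, []).append(value)
    return capaths

def hierarchical_path(client, server):
    """Approximation of the fallback used with no [capaths] entry: up the realm name tree to the common suffix, then down."""
    c, s = client.split('.'), server.split('.')
    n = next((i for i in range(min(len(c), len(s))) if c[-1 - i] != s[-1 - i]), min(len(c), len(s)))
    up = ['.'.join(c[i:]) for i in range(1, len(c) - n + 1)]
    down = ['.'.join(s[i:]) for i in range(len(s) - n - 1, 0, -1)]
    return [client] + [r for r in up + down if r and r not in (client, server)] + [server]

def transit_path(capaths, client, server):
    """Realms a ticket is expected to pass through, client realm first and server realm last."""
    hops = capaths.get(client, {}).get(server)
    if hops is None:
        return [client] if client == server else hierarchical_path(client, server)
    # '.' (or the server realm listed as its own hop) means the two realms share keys directly
    return [client] + [h for h in hops if h not in ('.', client, server)] + [server]
```

An application server's krb5 library compares a ticket's transited realms against this path unless the KDC already flagged the ticket as policy-checked, and a mismatch is one source of "Illegal cross-realm ticket"; note that a pair with no entry, such as AD.EXAMPLE.COM to EXAMPLE.ORG, falls back to a path through COM and ORG.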