example.org forest on its own, trusted by ipa.example.com and example.com (full forest trust)

----- Original Message -----
From: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
Cc: "Sumit Bose" <sb...@redhat.com>
Sent: Friday, May 26, 2017 4:13:49 AM
Subject: [Freeipa-users]Re: Illegal cross-realm ticket

On Thu, May 25, 2017 at 04:55:16PM -0400, Jake via FreeIPA-users wrote:
> Hey Guys,
>
> Centos7.3
> FreeIPA 4.4.0
>
> I'm having a strange issue with cross-realm tickets that I'm having a hard
> time troubleshooting. It looks similar to an issue posted back in 2014,
> https://www.redhat.com/archives/freeipa-users/2014-October/msg00207.html,
> but this routes file seems to exist.
>
> My Setup.
>
> example.org = legacy (all users exist here) (transitive trust with example.com)
> example.com = forest root (transitive trust with example.com)
> ipa.example.com = ipa domain (one-way trust with example.com & example.org) with route filters.
> ad.example.com = domain in forest for servers/users

Is example.org a forest on its own or is it part of the example.com forest?

bye,
Sumit

> If I get a kerberos ticket on a non-ipa joined client with kinit as a user @ legacy,
> I can use kerberos to authenticate.
>
> If I log into an ipa-joined server on ipa.example.com as a user @ legacy and
> attempt to use kerberos auth to another server, I received this error:
>
> debug3: authmethod_lookup gssapi-keyex
> debug3: remaining preferred: gssapi-with-mic,keyboard-interactive
> debug3: authmethod_is_enabled gssapi-keyex
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: keyboard-interactive
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Delegating credentials
> debug1: Delegating credentials
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Illegal cross-realm ticket
>
> Any help would be appreciated, I checked capaths and it looks correct.
>
> cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com
> [domain_realm]
> .EXAMPLE.COM = EXAMPLE.COM
> EXAMPLE.COM = EXAMPLE.COM
> .AD.EXAMPLE.COM = AD.EXAMPLE.COM
> AD.EXAMPLE.COM = AD.EXAMPLE.COM
> .EXAMPLE.ORG = EXAMPLE.ORG
> EXAMPLE.ORG = EXAMPLE.ORG
> [capaths]
> EXAMPLE.COM = {
>   IPA.EXAMPLE.COM = EXAMPLE.COM
> }
> AD.EXAMPLE.COM = {
>   IPA.EXAMPLE.COM = EXAMPLE.COM
> }
> EXAMPLE.ORG = {
>   IPA.EXAMPLE.COM = EXAMPLE.ORG
> }
> IPA.EXAMPLE.COM = {
>   EXAMPLE.COM = EXAMPLE.COM
>   AD.EXAMPLE.COM = EXAMPLE.COM
>   EXAMPLE.ORG = EXAMPLE.ORG
> }
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
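An "Illegal cross-realm ticket" error (KRB5KRB_AP_ERR_ILL_CR_TKT) is raised when the transited-realm list carried in a ticket does not pass the accepting side's check against its [capaths] (or the default hierarchical walk). A quick way to debug a setup like the one above is to resolve the capaths section into the hop list each client realm would take and compare every hop against the direct trusts the administrator believes exist. The following is an added example written for this page, not code from the thread, SSSD or FreeIPA; the capaths text is copied from the message, while DIRECT_TRUSTS is constructed from the trust description in the message and is an assumption. Hops equal to "." or to either endpoint are treated as a direct hop by this tool, which is a simplification of krb5's own walk.

```python
"""Resolve a krb5 [capaths] section into per-realm hop lists and check each
hop against a set of known direct trusts (added diagnostic example)."""
import re

# Copied from the capaths section quoted in the thread.
CAPATHS = """
[capaths]
EXAMPLE.COM = {
    IPA.EXAMPLE.COM = EXAMPLE.COM
}
AD.EXAMPLE.COM = {
    IPA.EXAMPLE.COM = EXAMPLE.COM
}
EXAMPLE.ORG = {
    IPA.EXAMPLE.COM = EXAMPLE.ORG
}
IPA.EXAMPLE.COM = {
    EXAMPLE.COM = EXAMPLE.COM
    AD.EXAMPLE.COM = EXAMPLE.COM
    EXAMPLE.ORG = EXAMPLE.ORG
}
"""

# Constructed from the setup described in the thread (assumption): realm pairs
# that share a direct cross-realm key. Direction is deliberately ignored here.
DIRECT_TRUSTS = {
    frozenset(("IPA.EXAMPLE.COM", "EXAMPLE.COM")),
    frozenset(("IPA.EXAMPLE.COM", "EXAMPLE.ORG")),
    frozenset(("EXAMPLE.ORG", "EXAMPLE.COM")),
    frozenset(("EXAMPLE.COM", "AD.EXAMPLE.COM")),  # parent/child in the forest
}

_BLOCK_START = re.compile(r"^([\w.-]+)\s*=\s*\{$")
_HOP_LINE = re.compile(r"^([\w.-]+)\s*=\s*([\w.-]+)$")


def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate, ...]}}.
    Repeated 'SERVER = X' lines inside one block append to the list, as
    krb5.conf allows for multi-hop paths."""
    paths = {}
    client = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        m = _BLOCK_START.match(line)
        if m:
            client = m.group(1)
            paths.setdefault(client, {})
            continue
        if line == "}":
            client = None
            continue
        m = _HOP_LINE.match(line)
        if m and client is not None:
            server, hop = m.groups()
            paths[client].setdefault(server, []).append(hop)
    return paths


def resolve_path(paths, client_realm, server_realm):
    """Realms traversed from client_realm to server_realm, endpoints included.
    Returns None when capaths has no explicit entry (krb5 would then fall
    back to the hierarchical walk, which this tool does not model)."""
    hops = paths.get(client_realm, {}).get(server_realm)
    if hops is None:
        return None
    chain = [client_realm]
    for hop in hops:
        # "." means direct; a hop naming either endpoint adds no real hop.
        if hop in (".", client_realm, server_realm):
            continue
        chain.append(hop)
    chain.append(server_realm)
    return chain


def check_path(chain, direct_trusts):
    """Return the (a, b) hops in chain that no known direct trust covers."""
    return [(a, b) for a, b in zip(chain, chain[1:])
            if frozenset((a, b)) not in direct_trusts]


def audit(capaths_text, direct_trusts):
    """Check every explicit capaths entry; return {(client, server): missing_hops}."""
    paths = parse_capaths(capaths_text)
    report = {}
    for client, servers in paths.items():
        for server in servers:
            chain = resolve_path(paths, client, server)
            report[(client, server)] = check_path(chain, direct_trusts)
    return report


if __name__ == "__main__":
    for (client, server), missing in audit(CAPATHS, DIRECT_TRUSTS).items():
        status = "ok" if not missing else "no direct trust for %s" % missing
        print("%s -> %s: %s" % (client, server, status))
```

Run against the quoted configuration, every explicit path resolves to hops that are covered by the assumed trusts, which is consistent with the original poster's observation that the capaths file "looks correct"; the value of the tool is in re-running it after changing the trust map (for instance, removing a trust that turns out not to be established) to see exactly which hop the accepting KDC would reject.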