On Thu, 2017-05-25 at 16:55 -0400, Jake via FreeIPA-users wrote:
> Hey Guys,
>
> Centos7.3
> FreeIPA 4.4.0
>
> I'm having a strange issue with cross-realm tickets that I'm having a
> hard time troubleshooting. It looks similar to an issue posted back
> in 2014, https://www.redhat.com/archives/freeipa-users/2014-October/msg00207.html,
> but this routes file seems to exist.
>
> My Setup.
>
> example.org = legacy (all users exist here) (transitive trust with example.com)
> example.com = forest root (transitive trust with example.com)
> ipa.example.com = ipa domain (one-way trust with example.com & example.org) with route filters.
> ad.example.com = domain in forest for servers/users
>
> If I get a kerberos ticket on a non-ipa joined client with kinit as
> a user @ legacy, I can use kerberos to authenticate.
>
> If I log into an ipa-joined server on ipa.example.com as a user @
> legacy and attempt to use kerberos auth to another server, I received
> this error:
>
> debug3: authmethod_lookup gssapi-keyex
> debug3: remaining preferred: gssapi-with-mic,keyboard-interactive
> debug3: authmethod_is_enabled gssapi-keyex
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: keyboard-interactive
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Delegating credentials
> debug1: Delegating credentials
> debug1: Unspecified GSS failure. Minor code may provide more information
> Illegal cross-realm ticket
>
> Any help would be appreciated, I checked capaths and it looks correct.
In which domain are the services you want to get tickets for?

> cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com
> [domain_realm]
> .EXAMPLE.COM = EXAMPLE.COM
> EXAMPLE.COM = EXAMPLE.COM
> .AD.EXAMPLE.COM = AD.EXAMPLE.COM
> AD.EXAMPLE.COM = AD.EXAMPLE.COM
> .EXAMPLE.ORG = EXAMPLE.ORG
> EXAMPLE.ORG = EXAMPLE.ORG
> [capaths]
> EXAMPLE.COM = {
>   IPA.EXAMPLE.COM = EXAMPLE.COM
> }
> AD.EXAMPLE.COM = {
>   IPA.EXAMPLE.COM = EXAMPLE.COM
> }
> EXAMPLE.ORG = {
>   IPA.EXAMPLE.COM = EXAMPLE.ORG
> }
> IPA.EXAMPLE.COM = {
>   EXAMPLE.COM = EXAMPLE.COM
>   AD.EXAMPLE.COM = EXAMPLE.COM
>   EXAMPLE.ORG = EXAMPLE.ORG
> }

Aren't you missing EXAMPLE.ORG -> EXAMPLE.COM here?

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
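To make the reply's question concrete, here is an added Python checker (my own code, not from the thread or from FreeIPA) that parses the [capaths] block as posted, resolves the realms a ticket transits for a given client/server realm pair, and flags entries whose reverse direction disagrees. The variant with the EXAMPLE.ORG -> EXAMPLE.COM hop, mirrored in the IPA.EXAMPLE.COM block, is my reading of what the reply suggests and is an assumption.

```python
import re

# Constructed sample: the [capaths] block exactly as posted in the thread above.
POSTED = """[capaths]
EXAMPLE.COM = {
  IPA.EXAMPLE.COM = EXAMPLE.COM
}
AD.EXAMPLE.COM = {
  IPA.EXAMPLE.COM = EXAMPLE.COM
}
EXAMPLE.ORG = {
  IPA.EXAMPLE.COM = EXAMPLE.ORG
}
IPA.EXAMPLE.COM = {
  EXAMPLE.COM = EXAMPLE.COM
  AD.EXAMPLE.COM = EXAMPLE.COM
  EXAMPLE.ORG = EXAMPLE.ORG
}
"""
# Hypothetical variant adding the EXAMPLE.ORG -> EXAMPLE.COM hop the reply asks about,
# mirrored in the IPA.EXAMPLE.COM block (my assumption) so both ends describe one path.
SUGGESTED = POSTED.replace("IPA.EXAMPLE.COM = EXAMPLE.ORG", "IPA.EXAMPLE.COM = EXAMPLE.COM"
            ).replace("  EXAMPLE.ORG = EXAMPLE.ORG", "  EXAMPLE.ORG = EXAMPLE.COM")

def parse_capaths(text):
    """Parse [capaths] into {client_realm: {server_realm: [intermediate, ...]}};
    repeating a server realm inside one block lists several hops in order."""
    paths, client, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_section = line.lower() == "[capaths]"
        elif not in_section:
            continue
        elif line == "}":
            client = None
        elif (m := re.fullmatch(r"([\w.\-]+)\s*=\s*\{", line)):
            client = m.group(1).upper()
            paths.setdefault(client, {})
        elif client and (m := re.fullmatch(r"([\w.\-]+)\s*=\s*(\S+)", line)):
            paths[client].setdefault(m.group(1).upper(), []).append(m.group(2).upper())
    return paths

def transit_path(paths, client, server):
    """Realms a ticket crosses from client to server; '.' or naming an endpoint realm itself adds no hop."""
    hops = [h for h in paths.get(client, {}).get(server, []) if h not in (".", client, server)]
    return [client] + hops + [server]

def asymmetric_entries(paths):
    """(client, server) pairs whose path is not the mirror of the reverse direction; each KDC checks transit against its own [capaths]."""
    return [(c, s) for c, servers in paths.items() for s in servers
            if transit_path(paths, c, s) != transit_path(paths, s, c)[::-1]]
```

Run against the posted block, the EXAMPLE.ORG to IPA.EXAMPLE.COM path resolves to a direct hop because the listed intermediate is the client realm itself; the variant routes it through EXAMPLE.COM, and patching only one side is reported as asymmetric.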