Thank you very much for taking the time on IRC to teach me. Part of the issue
is I did not include all the necessary information to diagnose the issue.

I have multiple subdomains that are joined to ipa.example.com, which are under
example.com (AD realm).

This requires me to add a custom routes file for subdomain handling (I've
already done this on the AD servers with the trusts).

I created a file called /var/lib/sss/pubconf/krb5.include.d/custom_ipa_example_com

and added each domain that is part of the IPA.EXAMPLE.COM realm.

This included:

[domain_realm]
  sub1.example.com = IPA.EXAMPLE.COM
  .sub1.example.com = IPA.EXAMPLE.COM
  sub2.example.com = IPA.EXAMPLE.COM
  .sub2.example.com = IPA.EXAMPLE.COM
  sub3.example.com = IPA.EXAMPLE.COM
  .sub3.example.com = IPA.EXAMPLE.COM
  sub4.example.com = IPA.EXAMPLE.COM
  .sub4.example.com = IPA.EXAMPLE.COM

The reason this was working for systems in the same subdomain is that the
/etc/krb5.conf config is modified with the (2) domains:

[domain_realm]
  ipa.example.com = IPA.EXAMPLE.COM
  .ipa.example.com = IPA.EXAMPLE.COM
  sub1.example.com = IPA.EXAMPLE.COM
  .sub1.example.com = IPA.EXAMPLE.COM

Kerberos ticket requests for sub1 from sub2 would go to the example.com AD
realm, and not the IPA realm.

Thanks again!
- Jake
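
The following is an added worked example for the mapping problem described in this
thread; it is not part of Jake's or Simo's messages and not FreeIPA, SSSD or MIT
krb5 code. It replays the three [domain_realm] sets quoted above (the edited
/etc/krb5.conf, the SSSD-generated include and the custom include) and applies the
MIT krb5 [domain_realm] lookup order: exact hostname first, then each parent domain
with a leading dot, longest suffix first. It assumes case-insensitive key matching
(so the upper-case entries SSSD writes still apply) and that a later file overrides
an earlier one for the same key; hostnames like web.sub2.example.com are constructed.

```python
"""Resolve hostnames to Kerberos realms under [domain_realm] rules (added example)."""
import re

SECTION_RE = re.compile(r"^\[([A-Za-z_]+)\]$")

# [domain_realm] entries quoted in the thread (other krb5.conf sections omitted).
KRB5_CONF = """
[domain_realm]
  ipa.example.com = IPA.EXAMPLE.COM
  .ipa.example.com = IPA.EXAMPLE.COM
  sub1.example.com = IPA.EXAMPLE.COM
  .sub1.example.com = IPA.EXAMPLE.COM
"""

SSSD_INCLUDE = """
[domain_realm]
.EXAMPLE.COM = EXAMPLE.COM
EXAMPLE.COM = EXAMPLE.COM
.AD.EXAMPLE.COM = AD.EXAMPLE.COM
AD.EXAMPLE.COM = AD.EXAMPLE.COM
.EXAMPLE.ORG = EXAMPLE.ORG
EXAMPLE.ORG = EXAMPLE.ORG
"""

# The custom include (sub1..sub4 mapped to IPA.EXAMPLE.COM), generated here.
CUSTOM_INCLUDE = "\n[domain_realm]\n" + "".join(
    f"  {sub}.example.com = IPA.EXAMPLE.COM\n  .{sub}.example.com = IPA.EXAMPLE.COM\n"
    for sub in ("sub1", "sub2", "sub3", "sub4")
)

IPA_SUBDOMAINS = ["sub1.example.com", "sub2.example.com",
                  "sub3.example.com", "sub4.example.com"]


def parse_domain_realm(*texts):
    """Merge the [domain_realm] sections of several krb5-style texts.

    Keys are lower-cased (assumed case-insensitive matching); a later text
    overrides an earlier one for the same key, which is enough to model
    krb5.conf plus its includedir files for this example.
    """
    mapping = {}
    for text in texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(("#", ";")):
                continue
            m = SECTION_RE.match(line)
            if m:
                section = m.group(1)
                continue
            if section != "domain_realm" or "=" not in line:
                continue
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def resolve_realm(hostname, mapping):
    """Return the realm for hostname, or None when no [domain_realm] rule matches."""
    host = hostname.rstrip(".").lower()
    if host in mapping:                      # an exact host entry wins
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # .sub2.example.com, .example.com, .com
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


def unmapped_subdomains(subdomains, mapping, expected_realm):
    """List the subdomains whose hosts would NOT be sent to expected_realm."""
    return [d for d in subdomains
            if resolve_realm("host." + d, mapping) != expected_realm]


if __name__ == "__main__":
    before = parse_domain_realm(KRB5_CONF, SSSD_INCLUDE)
    after = parse_domain_realm(KRB5_CONF, SSSD_INCLUDE, CUSTOM_INCLUDE)
    for host in ("web.sub1.example.com", "web.sub2.example.com"):
        print(f"{host}: before={resolve_realm(host, before)} "
              f"after={resolve_realm(host, after)}")
    print("subdomains still routed elsewhere before the fix:",
          unmapped_subdomains(IPA_SUBDOMAINS, before, "IPA.EXAMPLE.COM"))
```

Without the custom include, a host in sub2.example.com has no ".sub2.example.com"
entry, so the lookup falls through to ".EXAMPLE.COM" and the client asks the AD
realm for a ticket; with the include in place the longer suffix wins and the request
goes to IPA.EXAMPLE.COM. The unmapped_subdomains check is the one to run before
adding a new subdomain to the IPA realm.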

----- Original Message -----
From: "Simo Sorce" <s...@redhat.com>
To: "Jake" <em...@ml.jacobdevans.com>, "freeipa-users" 
<freeipa-users@lists.fedorahosted.org>
Sent: Friday, May 26, 2017 11:45:38 AM
Subject: Re: [Freeipa-users] Illegal cross-realm ticket

On Thu, 2017-05-25 at 16:55 -0400, Jake via FreeIPA-users wrote:
> Hey Guys,
> 
> Centos7.3
> FreeIPA 4.4.0
> 
> 
> I'm having a strange issue with cross-realm tickets that I'm having a
> hard time troubleshooting. It looks similar to an issue posted back
> in 2014: https://www.redhat.com/archives/freeipa-users/2014-October/msg00207.html
> but this routes file seems to exist.
> 
> My Setup.
> 
> example.org = legacy (all users exist here) (transitive trust with
> example.com)
> example.com = forest root  (transitive trust with example.com)
> ipa.example.com = ipa domain (one-way trust with example.com &
> example.org) with route filters.
> ad.example.com = domain in forest for servers/users
> 
> If I get a kerberos ticket on a non-ipa joined client with kinit  as
> a user @ legacy, I can use kerberos to authenticate.
> 
> If I log into an ipa-joined server on ipa.example.com as a user @
> legacy and attempt to use kerberos auth to another server, I received
> this error:
> 
> debug3: authmethod_lookup gssapi-keyex
> debug3: remaining preferred: gssapi-with-mic,keyboard-interactive
> debug3: authmethod_is_enabled gssapi-keyex
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: keyboard-interactive
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Delegating credentials
> debug1: Delegating credentials
> debug1: Unspecified GSS failure.  Minor code may provide more
> information
> Illegal cross-realm ticket
> 
> 
> Any help would be appreciated, I checked capaths and it looks
> correct.

In which domain are the services you want to get tickets for?

> cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com
> [domain_realm]
> .EXAMPLE.COM = EXAMPLE.COM
> EXAMPLE.COM = EXAMPLE.COM
> .AD.EXAMPLE.COM = AD.EXAMPLE.COM
> AD.EXAMPLE.COM = AD.EXAMPLE.COM
> .EXAMPLE.ORG = EXAMPLE.ORG
> EXAMPLE.ORG = EXAMPLE.ORG
> [capaths]
> EXAMPLE.COM = {
>   IPA.EXAMPLE.COM = EXAMPLE.COM
> }
> AD.EXAMPLE.COM = {
>   IPA.EXAMPLE.COM = EXAMPLE.COM
> }
> EXAMPLE.ORG = {
>   IPA.EXAMPLE.COM = EXAMPLE.ORG
> }
> IPA.EXAMPLE.COM = {
>   EXAMPLE.COM = EXAMPLE.COM
>   AD.EXAMPLE.COM = EXAMPLE.COM
>   EXAMPLE.ORG = EXAMPLE.ORG
> }

Aren't you missing EXAMPLE.ORG -> EXAMPLE.COM here ?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org