Thank you very much for taking the time on IRC to teach me. Part of the issue is that I did not include all the necessary information to diagnose the issue.

I have multiple subdomains that are joined to ipa.example.com, which are under example.com (AD realm). This requires me to add a custom routes file for subdomain handling (I've already done this on the AD servers with the trusts). I created a file called /var/lib/sss/pubconf/krb5.include.d/custom_ipa_example_com and added each domain that is part of the IPA.EXAMPLE.COM realm. This included:

[domain_realm]
sub1.example.com = IPA.EXAMPLE.COM
.sub1.example.com = IPA.EXAMPLE.COM
sub2.example.com = IPA.EXAMPLE.COM
.sub2.example.com = IPA.EXAMPLE.COM
sub3.example.com = IPA.EXAMPLE.COM
.sub3.example.com = IPA.EXAMPLE.COM
sub4.example.com = IPA.EXAMPLE.COM
.sub4.example.com = IPA.EXAMPLE.COM

The reason this was working for systems in the same subdomain is that the /etc/krb5.conf config is modified with the (2) domains:

[domain_realm]
ipa.example.com = IPA.EXAMPLE.COM
.ipa.example.com = IPA.EXAMPLE.COM
sub1.example.com = IPA.EXAMPLE.COM
.sub1.example.com = IPA.EXAMPLE.COM

Kerberos ticket requests for sub1 from sub2 would go to the example.com AD realm, and not the IPA realm.

Thanks again!
- Jake

----- Original Message -----
From: "Simo Sorce" <[email protected]>
To: "Jake" <[email protected]>, "freeipa-users" <[email protected]>
Sent: Friday, May 26, 2017 11:45:38 AM
Subject: Re: [Freeipa-users] Illegal cross-realm ticket

On Thu, 2017-05-25 at 16:55 -0400, Jake via FreeIPA-users wrote:
> Hey Guys,
>
> CentOS 7.3
> FreeIPA 4.4.0
>
> I'm having a strange issue with cross-realm tickets that I'm having a
> hard time troubleshooting. It looks similar to an issue posted back
> in 2014, https://www.redhat.com/archives/freeipa-users/2014-October/msg00207.html
> but this routes file seems to exist.
>
> My setup:
>
> example.org = legacy (all users exist here) (transitive trust with
> example.com)
> example.com = forest root (transitive trust with example.com)
> ipa.example.com = ipa domain (one-way trust with example.com &
> example.org) with route filters.
> ad.example.com = domain in forest for servers/users
>
> If I get a Kerberos ticket on a non-IPA-joined client with kinit as
> a user @ legacy, I can use Kerberos to authenticate.
>
> If I log into an IPA-joined server on ipa.example.com as a user @
> legacy and attempt to use Kerberos auth to another server, I receive
> this error:
>
> debug3: authmethod_lookup gssapi-keyex
> debug3: remaining preferred: gssapi-with-mic,keyboard-interactive
> debug3: authmethod_is_enabled gssapi-keyex
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: keyboard-interactive
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Delegating credentials
> debug1: Delegating credentials
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Illegal cross-realm ticket
>
> Any help would be appreciated. I checked capaths and it looks
> correct.

In which domain are the services you want to get tickets for ?

> cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com
> [domain_realm]
> .EXAMPLE.COM = EXAMPLE.COM
> EXAMPLE.COM = EXAMPLE.COM
> .AD.EXAMPLE.COM = AD.EXAMPLE.COM
> AD.EXAMPLE.COM = AD.EXAMPLE.COM
> .EXAMPLE.ORG = EXAMPLE.ORG
> EXAMPLE.ORG = EXAMPLE.ORG
> [capaths]
> EXAMPLE.COM = {
>   IPA.EXAMPLE.COM = EXAMPLE.COM
> }
> AD.EXAMPLE.COM = {
>   IPA.EXAMPLE.COM = EXAMPLE.COM
> }
> EXAMPLE.ORG = {
>   IPA.EXAMPLE.COM = EXAMPLE.ORG
> }
> IPA.EXAMPLE.COM = {
>   EXAMPLE.COM = EXAMPLE.COM
>   AD.EXAMPLE.COM = EXAMPLE.COM
>   EXAMPLE.ORG = EXAMPLE.ORG
> }

Aren't you missing EXAMPLE.ORG -> EXAMPLE.COM here ?

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
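An added example, not from the thread, that models the [domain_realm] lookup behind Jake's diagnosis: a host is matched by exact name first, then by each parent domain with a leading dot, longest suffix first, so a subdomain missing from the table falls through to the ".example.com = EXAMPLE.COM" entry that SSSD generated for the AD trust. The tables are constructed from the mappings quoted above (a client whose krb5.conf maps only ipa and sub1), and the case-insensitive comparison is an assumption of this model.

```python
# Added example (not part of the thread): a small model of MIT krb5's
# [domain_realm] lookup, showing why hosts in an unlisted IPA subdomain
# were mapped to the AD realm until the custom include listed every one.
# Lookup order per krb5.conf(5): exact host name, then each parent domain
# with a leading dot, longest suffix first. Case-insensitive matching is
# an assumption of this model.
from typing import Dict, Optional

# Constructed from the thread: SSSD's generated include file plus the
# ipa/sub1 entries from the client's /etc/krb5.conf.
BEFORE = {
    ".example.com": "EXAMPLE.COM", "example.com": "EXAMPLE.COM",
    ".ad.example.com": "AD.EXAMPLE.COM", "ad.example.com": "AD.EXAMPLE.COM",
    ".example.org": "EXAMPLE.ORG", "example.org": "EXAMPLE.ORG",
    ".ipa.example.com": "IPA.EXAMPLE.COM", "ipa.example.com": "IPA.EXAMPLE.COM",
    ".sub1.example.com": "IPA.EXAMPLE.COM", "sub1.example.com": "IPA.EXAMPLE.COM",
}

# Jake's custom_ipa_example_com include: every IPA-joined subdomain listed.
CUSTOM_INCLUDE = {
    key: "IPA.EXAMPLE.COM"
    for sub in ("sub1", "sub2", "sub3", "sub4")
    for key in (f"{sub}.example.com", f".{sub}.example.com")
}
AFTER = {**BEFORE, **CUSTOM_INCLUDE}


def host_to_realm(hostname: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Return the realm the [domain_realm] table selects for hostname."""
    host = hostname.lower().rstrip(".")
    table = {k.lower(): v for k, v in domain_realm.items()}
    if host in table:                      # exact host-name relation wins
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):        # .sub2.example.com, .example.com, .com
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return None                            # krb5 would fall back to DNS/default


def explain(hostname: str) -> Dict[str, Optional[str]]:
    """Realm chosen for hostname before and after adding the custom include."""
    return {"before": host_to_realm(hostname, BEFORE),
            "after": host_to_realm(hostname, AFTER)}


if __name__ == "__main__":
    for h in ("srv.sub1.example.com", "srv.sub2.example.com", "dc1.ad.example.com"):
        print(h, explain(h))
```

A service in sub2 resolves to EXAMPLE.COM under the first table, which is the AD realm the KDC then refuses to route a cross-realm ticket for, and to IPA.EXAMPLE.COM once the include lists .sub2.example.com.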
