On Fri, May 26, 2017 at 01:30:36PM -0400, Jake wrote:
> `ipa realmdomains-show` lists all domains already, so that isn't used for 
> some reason.

oops, looks like SSSD does not read those entries, I added
https://pagure.io/SSSD/sssd/issue/3412 to track this.

bye,
Sumit

> 
> ----- Original Message -----
> From: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
> To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
> Cc: "Sumit Bose" <sb...@redhat.com>
> Sent: Friday, May 26, 2017 1:14:18 PM
> Subject: [Freeipa-users]Re: [SOLVED] Re: Illegal cross-realm ticket
> 
> On Fri, May 26, 2017 at 12:59:23PM -0400, Simo Sorce via FreeIPA-users wrote:
> > You are welcome, perhaps this is something that we need to make easier
> > to discover with a tool or something.
> > We can't necessarily automatically add random domains, but definitely
> > make it easy for the admin to find out via some diagnostics.
> > 
> > One thing came to mind after we solved this. You may be able to solve
> > this alternatively by adding _kerberos TXT entries to each subdomain
> > pointing to IPA.EXAMPLE.COM ...
> 
> I think the realmdomains command can be used to add additional DNS
> domains to the IPA realm. This should also make sure those domains are
> reported to AD properly. Please see 'ipa help realmdomains' for details.
> 
> HTH
> 
> bye,
> Sumit
> 
> > 
> > Simo.
> > 
> > On Fri, 2017-05-26 at 12:41 -0400, Jake wrote:
> > > Thank you very much for taking the time on IRC to learn me.  Part of
> > > the issue is I did not include all the necessary information to
> > > diagnose the issue.
> > > 
> > > I have multiple subdomains that are joined to ipa.example.com, which
> > > are under example.com (ad realm)
> > > 
> > > This requires me to add a custom routes file for subdomain handling
> > > (I've already done this on the AD Servers with the trusts)
> > > 
> > > created a file called
> > > /var/lib/sss/pubconf/krb5.include.d/custom_ipa_example_com
> > > 
> > > and added each domain that is part of the IPA.EXAMPLE.COM realm.
> > > 
> > > this included
> > > 
> > > [domain_realm]
> > >   sub1.example.com = IPA.EXAMPLE.COM
> > >   .sub1.example.com = IPA.EXAMPLE.COM
> > >   sub2.example.com = IPA.EXAMPLE.COM
> > >   .sub2.example.com = IPA.EXAMPLE.COM
> > >   sub3.example.com = IPA.EXAMPLE.COM
> > >   .sub3.example.com = IPA.EXAMPLE.COM
> > >   sub4.example.com = IPA.EXAMPLE.COM
> > >   .sub4.example.com = IPA.EXAMPLE.COM
> > > 
> > > the reason this was working for systems in the same subdomain is the
> > > /etc/krb5.conf config is modified with the (2) domains
> > > 
> > > [domain_realm]
> > >   ipa.example.com = IPA.EXAMPLE.COM
> > >   .ipa.example.com = IPA.EXAMPLE.COM
> > >   sub1.example.com = IPA.EXAMPLE.COM
> > >   .sub1.example.com = IPA.EXAMPLE.COM
> > > 
> > > kerberos ticket requests for sub1 from sub2 would go to the
> > > example.com AD realm, and not the IPA realm.
> > > 
> > > Thanks again!
> > > - Jake
> > > 
> > > ----- Original Message -----
> > > From: "Simo Sorce" <s...@redhat.com>
> > > To: "Jake" <em...@ml.jacobdevans.com>, "freeipa-users" <freeipa-users@lists.fedorahosted.org>
> > > Sent: Friday, May 26, 2017 11:45:38 AM
> > > Subject: Re: [Freeipa-users] Illegal cross-realm ticket
> > > 
> > > On Thu, 2017-05-25 at 16:55 -0400, Jake via FreeIPA-users wrote:
> > > > Hey Guys,
> > > > 
> > > > Centos7.3
> > > > FreeIPA 4.4.0
> > > > 
> > > > 
> > > > I'm having a strange issue with cross-realm tickets that I'm having a
> > > > hard time troubleshooting.  It looks similar to an issue posted back
> > > > in 2014, https://www.redhat.com/archives/freeipa-users/2014-October/msg00207.html,
> > > > but this routes file seems to exist.
> > > > 
> > > > My Setup.
> > > > 
> > > > example.org = legacy (all users exist here) (transitive trust with
> > > > example.com)
> > > > example.com = forest root  (transitive trust with example.com)
> > > > ipa.example.com = ipa domain (one-way trust with example.com &
> > > > example.org) with route filters.
> > > > ad.example.com = domain in forest for servers/users
> > > > 
> > > > If I get a kerberos ticket on a non-ipa joined client with kinit as
> > > > a user @ legacy, I can use kerberos to authenticate.
> > > > 
> > > > If I log into an ipa-joined server on ipa.example.com as a user @
> > > > legacy and attempt to use kerberos auth to another server, I received
> > > > this error:
> > > > 
> > > > debug3: authmethod_lookup gssapi-keyex
> > > > debug3: remaining preferred: gssapi-with-mic,keyboard-interactive
> > > > debug3: authmethod_is_enabled gssapi-keyex
> > > > debug1: Next authentication method: gssapi-keyex
> > > > debug1: No valid Key exchange context
> > > > debug2: we did not send a packet, disable method
> > > > debug3: authmethod_lookup gssapi-with-mic
> > > > debug3: remaining preferred: keyboard-interactive
> > > > debug3: authmethod_is_enabled gssapi-with-mic
> > > > debug1: Next authentication method: gssapi-with-mic
> > > > debug2: we sent a gssapi-with-mic packet, wait for reply
> > > > debug1: Delegating credentials
> > > > debug1: Delegating credentials
> > > > debug1: Unspecified GSS failure.  Minor code may provide more
> > > > information
> > > > Illegal cross-realm ticket
> > > > 
> > > > 
> > > > Any help would be appreciated, I checked capaths and it looks correct.
> > > 
> > > In which domain are the services you want to get tickets for ?
> > > 
> > > > cat
> > > > /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com
> > > > [domain_realm]
> > > > .EXAMPLE.COM = EXAMPLE.COM
> > > > EXAMPLE.COM = EXAMPLE.COM
> > > > .AD.EXAMPLE.COM = AD.EXAMPLE.COM
> > > > AD.EXAMPLE.COM = AD.EXAMPLE.COM
> > > > .EXAMPLE.ORG = EXAMPLE.ORG
> > > > EXAMPLE.ORG = EXAMPLE.ORG
> > > > [capaths]
> > > > EXAMPLE.COM = {
> > > >   IPA.EXAMPLE.COM = EXAMPLE.COM
> > > > }
> > > > AD.EXAMPLE.COM = {
> > > >   IPA.EXAMPLE.COM = EXAMPLE.COM
> > > > }
> > > > EXAMPLE.ORG = {
> > > >   IPA.EXAMPLE.COM = EXAMPLE.ORG
> > > > }
> > > > IPA.EXAMPLE.COM = {
> > > >   EXAMPLE.COM = EXAMPLE.COM
> > > >   AD.EXAMPLE.COM = EXAMPLE.COM
> > > >   EXAMPLE.ORG = EXAMPLE.ORG
> > > > }
> > > 
> > > Aren't you missing EXAMPLE.ORG -> EXAMPLE.COM here ?
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
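As an added example (not code from the thread or from SSSD/FreeIPA), the Python below reproduces the krb5 [domain_realm] lookup order over fragments constructed from the files Jake posted, showing why a service host in sub2.example.com resolved to the EXAMPLE.COM AD realm until the custom include file added the sub2 entries. The fragment merge order and first-definition-wins precedence are assumptions (no keys collide in these samples, so they do not affect the result).

```python
# Constructed fragments modelled on the thread: SSSD-generated include file
# (AD realms only), the krb5.conf entries, and Jake's custom include file.
SSSD_INCLUDE = """[domain_realm]
.EXAMPLE.COM = EXAMPLE.COM
EXAMPLE.COM = EXAMPLE.COM
.AD.EXAMPLE.COM = AD.EXAMPLE.COM
AD.EXAMPLE.COM = AD.EXAMPLE.COM
.EXAMPLE.ORG = EXAMPLE.ORG
EXAMPLE.ORG = EXAMPLE.ORG
"""
KRB5_CONF = """[domain_realm]
ipa.example.com = IPA.EXAMPLE.COM
.ipa.example.com = IPA.EXAMPLE.COM
sub1.example.com = IPA.EXAMPLE.COM
.sub1.example.com = IPA.EXAMPLE.COM
"""
CUSTOM_INCLUDE = """[domain_realm]
sub2.example.com = IPA.EXAMPLE.COM
.sub2.example.com = IPA.EXAMPLE.COM
"""

def parse_domain_realm(*fragments):
    """Collect [domain_realm] entries; keys lowercased (krb5 matches hosts
    case-insensitively), first definition kept (assumed to mirror krb5)."""
    mapping = {}
    for text in fragments:
        section = None
        for raw in text.splitlines():
            line = raw.split('#', 1)[0].strip()  # drop comments/blank lines
            if not line:
                continue
            if line.startswith('['):
                section = line.strip('[]').lower()
            elif section == 'domain_realm' and '=' in line:
                key, realm = (s.strip() for s in line.split('=', 1))
                mapping.setdefault(key.lower(), realm)
    return mapping

def host_realm(hostname, mapping):
    """Return (realm, matching_entry): exact host first, then leading-dot
    suffixes most-specific first; (None, None) = no [domain_realm] match."""
    host = hostname.lower().rstrip('.')
    if host in mapping:
        return mapping[host], host
    labels = host.split('.')
    for i in range(1, len(labels)):
        suffix = '.' + '.'.join(labels[i:])
        if suffix in mapping:
            return mapping[suffix], suffix
    return None, None
```

Running host_realm over the hosts you actually contact is a quick check that every IPA-enrolled subdomain maps to the IPA realm rather than falling through to a broader AD wildcard entry.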