On Fri, May 26, 2017 at 01:30:36PM -0400, Jake wrote:
> `ipa realmdomains-show` lists all domains already, so that isn't used for
> some reason.

oops, looks like SSSD does not read those entries, I added
https://pagure.io/SSSD/sssd/issue/3412 to track this.

bye,
Sumit

>
> ----- Original Message -----
> From: "freeipa-users" <[email protected]>
> To: "freeipa-users" <[email protected]>
> Cc: "Sumit Bose" <[email protected]>
> Sent: Friday, May 26, 2017 1:14:18 PM
> Subject: [Freeipa-users] Re: [SOLVED] Re: Illegal cross-realm ticket
>
> On Fri, May 26, 2017 at 12:59:23PM -0400, Simo Sorce via FreeIPA-users wrote:
> > You are welcome, perhaps this is something that we need to make easier
> > to discover with a tool or something.
> > We can't necessarily automatically add random domains, but definitely
> > make it easy for the admin to find out via some diagnostics.
> >
> > One thing came to mind after we solved this. You may be able to solve
> > this alternatively by adding _kerberos TXT entries to each subdomain
> > pointing to IPA.EXAMPLE.COM ...
>
> I think the realmdomains command can be used to add additional DNS
> domains to the IPA realm. This should also make sure those domains are
> reported to AD properly. Please see 'ipa help realmdomains' for details.
>
> HTH
>
> bye,
> Sumit
>
> >
> > Simo.
> >
> > On Fri, 2017-05-26 at 12:41 -0400, Jake wrote:
> > > Thank you very much for taking the time on IRC to learn me. Part of
> > > the issue is I did not include all the necessary information to
> > > diagnose the issue.
> > >
> > > I have multiple subdomains that are joined to ipa.example.com, which
> > > are under example.com (ad realm)
> > >
> > > This requires me to add a custom routes file for subdomain handling
> > > (I've already done this on the AD Servers with the trusts)
> > >
> > > created a file called
> > > /var/lib/sss/pubconf/krb5.include.d/custom_ipa_example_com
> > >
> > > and added each domain that is part of the IPA.EXAMPLE.COM realm.
> > >
> > > this included
> > >
> > > [domain_realm]
> > > sub1.example.com = IPA.EXAMPLE.COM
> > > .sub1.example.com = IPA.EXAMPLE.COM
> > > sub2.example.com = IPA.EXAMPLE.COM
> > > .sub2.example.com = IPA.EXAMPLE.COM
> > > sub3.example.com = IPA.EXAMPLE.COM
> > > .sub3.example.com = IPA.EXAMPLE.COM
> > > sub4.example.com = IPA.EXAMPLE.COM
> > > .sub4.example.com = IPA.EXAMPLE.COM
> > >
> > > the reason this was working for systems in the same subdomain is the
> > > /etc/krb5.conf config is modified with the (2) domains
> > >
> > > [domain_realm]
> > > ipa.example.com = IPA.EXAMPLE.COM
> > > .ipa.example.com = IPA.EXAMPLE.COM
> > > sub1.example.com = IPA.EXAMPLE.COM
> > > .sub1.example.com = IPA.EXAMPLE.COM
> > >
> > > kerberos ticket requests for sub1 from sub2 would go to the
> > > example.com AD realm, and not the IPA realm.
> > >
> > > Thanks again!
> > > - Jake
> > >
> > > ----- Original Message -----
> > > From: "Simo Sorce" <[email protected]>
> > > To: "Jake" <[email protected]>, "freeipa-users" <freeipa-users@lists.fedorahosted.org>
> > > Sent: Friday, May 26, 2017 11:45:38 AM
> > > Subject: Re: [Freeipa-users] Illegal cross-realm ticket
> > >
> > > On Thu, 2017-05-25 at 16:55 -0400, Jake via FreeIPA-users wrote:
> > > > Hey Guys,
> > > >
> > > > Centos7.3
> > > > FreeIPA 4.4.0
> > > >
> > > >
> > > > I'm having a strange issue with cross-realm tickets that I'm having a
> > > > hard time troubleshooting. it looks similar to an issue posted back
> > > > in 2014. https://www.redhat.com/archives/freeipa-users/2014-October/msg00207.html
> > > > but this routes file seems to exist.
> > > >
> > > > My Setup.
> > > >
> > > > example.org = legacy (all users exist here) (transitive trust with
> > > > example.com)
> > > > example.com = forest root (transitive trust with example.com)
> > > > ipa.example.com = ipa domain (one-way trust with example.com &
> > > > example.org) with route filters.
> > > > ad.example.com = domain in forest for servers/users
> > > >
> > > > If I get a kerberos ticket on a non-ipa joined client with kinit as
> > > > a user @ legacy, I can use kerberos to authenticate.
> > > >
> > > > If I log into an ipa-joined server on ipa.example.com as a user @
> > > > legacy and attempt to use kerberos auth to another server, I received
> > > > this error:
> > > >
> > > > debug3: authmethod_lookup gssapi-keyex
> > > > debug3: remaining preferred: gssapi-with-mic,keyboard-interactive
> > > > debug3: authmethod_is_enabled gssapi-keyex
> > > > debug1: Next authentication method: gssapi-keyex
> > > > debug1: No valid Key exchange context
> > > > debug2: we did not send a packet, disable method
> > > > debug3: authmethod_lookup gssapi-with-mic
> > > > debug3: remaining preferred: keyboard-interactive
> > > > debug3: authmethod_is_enabled gssapi-with-mic
> > > > debug1: Next authentication method: gssapi-with-mic
> > > > debug2: we sent a gssapi-with-mic packet, wait for reply
> > > > debug1: Delegating credentials
> > > > debug1: Delegating credentials
> > > > debug1: Unspecified GSS failure.  Minor code may provide more information
> > > > Illegal cross-realm ticket
> > > >
> > > >
> > > > Any help would be appreciated, I checked capaths and it looks
> > > > correct.
> > >
> > > In which domain are the services you want to get tickets for ?
> > >
> > > > cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com
> > > > [domain_realm]
> > > > .EXAMPLE.COM = EXAMPLE.COM
> > > > EXAMPLE.COM = EXAMPLE.COM
> > > > .AD.EXAMPLE.COM = AD.EXAMPLE.COM
> > > > AD.EXAMPLE.COM = AD.EXAMPLE.COM
> > > > .EXAMPLE.ORG = EXAMPLE.ORG
> > > > EXAMPLE.ORG = EXAMPLE.ORG
> > > > [capaths]
> > > > EXAMPLE.COM = {
> > > >   IPA.EXAMPLE.COM = EXAMPLE.COM
> > > > }
> > > > AD.EXAMPLE.COM = {
> > > >   IPA.EXAMPLE.COM = EXAMPLE.COM
> > > > }
> > > > EXAMPLE.ORG = {
> > > >   IPA.EXAMPLE.COM = EXAMPLE.ORG
> > > > }
> > > > IPA.EXAMPLE.COM = {
> > > >   EXAMPLE.COM = EXAMPLE.COM
> > > >   AD.EXAMPLE.COM = EXAMPLE.COM
> > > >   EXAMPLE.ORG = EXAMPLE.ORG
> > > > }
> > >
> > > Aren't you missing EXAMPLE.ORG -> EXAMPLE.COM here ?

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
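The root cause Jake describes is a host-to-realm mapping problem: with only `ipa.example.com` and `sub1.example.com` in `/etc/krb5.conf`, a host in `sub2.example.com` falls through to the SSSD-written `.EXAMPLE.COM = EXAMPLE.COM` entry and the client asks the AD realm for a ticket that only IPA.EXAMPLE.COM can issue. The following is an added example, not code from the thread or from FreeIPA/SSSD: it parses krb5.conf-style `[domain_realm]` fragments and resolves hostnames with the same longest-suffix rule MIT Kerberos applies to that section (exact hostname first, then each parent domain with a leading dot). The three fragments are the ones quoted in the thread; the hostnames and the `merged()`/`realm_for_host()` helpers are constructed here. It models only the `[domain_realm]` step, not the DNS `_kerberos` TXT fallback Simo mentions (controlled by `dns_lookup_realm`) or KDC referrals.

```python
"""Host-to-realm resolution against [domain_realm] (constructed example)."""
import re
from typing import Dict, Optional

SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")
KV_RE = re.compile(r"^\s*([^=\s]+)\s*=\s*(\S+)\s*$")


def parse_domain_realm(text: str) -> Dict[str, str]:
    """Return the [domain_realm] mappings from a krb5.conf-style fragment.

    Keys are lower-cased (DNS names are case-insensitive). Other sections,
    such as [capaths], are skipped. A later definition of the same key wins,
    which is what happens when several include files define it.
    """
    mapping: Dict[str, str] = {}
    section = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section != "domain_realm":
            continue
        kv = KV_RE.match(line)
        if kv:
            mapping[kv.group(1).lower()] = kv.group(2)
    return mapping


def merged(*fragments: str) -> Dict[str, str]:
    """Merge several fragments as if they were one config with includes."""
    return parse_domain_realm("\n".join(fragments))


def realm_for_host(host: str, mapping: Dict[str, str]) -> Optional[str]:
    """Longest-suffix lookup: exact host, then .parent, .grandparent, ...

    Returns None when no entry matches; a real client would then fall back
    to DNS TXT lookups or referrals, which this example does not model.
    """
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


# Fragment 1: the [domain_realm] part of the SSSD-generated include file
# quoted in the thread (the [capaths] part is irrelevant here and skipped).
SSSD_DOMAIN_REALM = """
[domain_realm]
.EXAMPLE.COM = EXAMPLE.COM
EXAMPLE.COM = EXAMPLE.COM
.AD.EXAMPLE.COM = AD.EXAMPLE.COM
AD.EXAMPLE.COM = AD.EXAMPLE.COM
.EXAMPLE.ORG = EXAMPLE.ORG
EXAMPLE.ORG = EXAMPLE.ORG
"""

# Fragment 2: the two domains written into /etc/krb5.conf on a sub1 host.
KRB5_CONF = """
[domain_realm]
ipa.example.com = IPA.EXAMPLE.COM
.ipa.example.com = IPA.EXAMPLE.COM
sub1.example.com = IPA.EXAMPLE.COM
.sub1.example.com = IPA.EXAMPLE.COM
"""

# Fragment 3: the custom include file Jake added for the remaining subdomains.
CUSTOM_INCLUDE = "[domain_realm]\n" + "\n".join(
    f"{d} = IPA.EXAMPLE.COM\n.{d} = IPA.EXAMPLE.COM"
    for d in ("sub1.example.com", "sub2.example.com",
              "sub3.example.com", "sub4.example.com")
)

HOSTS = ["web.sub1.example.com", "web.sub2.example.com",
         "dc.ad.example.com", "fs.example.org", "host.other.net"]  # constructed


def resolve_all(mapping: Dict[str, str]) -> Dict[str, Optional[str]]:
    return {h: realm_for_host(h, mapping) for h in HOSTS}


if __name__ == "__main__":
    before = merged(SSSD_DOMAIN_REALM, KRB5_CONF)
    after = merged(SSSD_DOMAIN_REALM, KRB5_CONF, CUSTOM_INCLUDE)
    for host in HOSTS:
        print(f"{host:24} before={realm_for_host(host, before)!s:16} "
              f"after={realm_for_host(host, after)}")
```

Running it shows `web.sub2.example.com` resolving to `EXAMPLE.COM` with only the first two fragments (the ticket request goes to AD and fails with "Illegal cross-realm ticket") and to `IPA.EXAMPLE.COM` once the custom include is merged in; hosts under `ad.example.com` and `example.org` keep their AD realms either way, and an unrelated host returns `None`. The same parser can be pointed at the real files under `/var/lib/sss/pubconf/krb5.include.d/` to check which realm a given hostname will be routed to before a ticket is ever requested.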
