On (07/08/17 11:08), Supratik Goswami via FreeIPA-users wrote:
>Hi
>
>I am using a trust between AD and IPA
>
>AD domain: ad.corp.example.com
>IPA domain: ipa.corp.example.com
>
>I am able to log in using SSH to the IPA server using the AD user, but when I
>try to log in using SSH to the Linux client, which is a member of the IPA
>domain, it does not work.
>
>Please find my /etc/krb5.conf in the client machine below
>
>[libdefaults]
>  #default_realm = IPA.CORP.EXAMPLE.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = yes
>  udp_preference_limit = 0
>#  default_ccache_name = KEYRING:persistent:%{uid}
>
>
>[realms]
>  IPA.CORP.EXAMPLE.COM = {
>    kdc = ipa01.ipa.corp.example.com:88
>    master_kdc = ipa01.ipa.corp.example.com:88
>    admin_server = ipa01.ipa.corp.example.com:749
>    #default_domain = ipa.corp.example.com
>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>    auth_to_local = RULE:[1:$1@$0](^.*@AD.CORP.EXAMPLE.COM$)s/@AD.CORP.EXAMPLE.COM/@ad.corp.example.com/
>    auth_to_local = DEFAULT
>
>  }
>
>  AD.CORP.EXAMPLE.COM = {
>    kdc = ad01.ad.corp.example.com:88
>    master_kdc = ad01.ad.corp.example.com:88
>  }
>
>[domain_realm]
> .ipa.corp.example.com = IPA.CORP.EXAMPLE.COM
> ipa.corp.example.com = IPA.CORP.EXAMPLE.COM
> .ad.corp.example.com = AD.CORP.EXAMPLE.COM
> ad.corp.example.com = AD.CORP.EXAMPLE.COM
>
>
>Please find my SSSD config below
>
>[sssd]
>config_file_version = 2
>services = nss, sudo, pam, ssh
>domains = ipa.corp.example.com
>
>[nss]
>homedir_substring = /home
>
>[domain/ipa.corp.example.com]
>debug_level = 9
>krb5_store_password_if_offline = True
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = ipa.corp.example.com
>ipa_hostname = host01.ipa.corp.example.com
>ipa_server = _srv_, ipa01.ipa.corp.example.com
>chpass_provider = ipa
>ldap_tls_cacert = /etc/ipa/ca.crt
>dns_discovery_domain = ipa.corp.example.com
>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>[ifp]
>
>
>Please find the krb5_child.log attached.
>
Which version of sssd do you use?

BTW here might be a reason:
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [main] (0x0400): Will perform online auth
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [AD.CORP.EXAMPLE.COM]
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711333: Getting initial credentials for supratik.gosw...@ad.corp.example.com
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711406: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.CORP.EXAMPLE.COM
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711468: Retrieving host/sup01.sg.aws.example....@ipa.corp.example.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/AD.CORP.EXAMPLE.COM\@AD.CORP.EXAMPLE.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_IPA.CORP.EXAMPLE.COM with result: -1765328243/Matching credential not found
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711534: Sending request (192 bytes) to AD.CORP.EXAMPLE.COM
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711658: Resolving hostname ad01.ad.corp.example.com
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328228][Cannot contact any KDC for realm 'AD.CORP.EXAMPLE.COM']
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [map_krb5_error] (0x0020): 1303: [-1765328228][Cannot contact any KDC for realm 'AD.CORP.EXAMPLE.COM']
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [k5c_send_data] (0x0200): Received error code 1432158222

"Cannot contact any KDC for realm 'AD.CORP.EXAMPLE.COM'" is the main problem.
Failures with permission denied were when sssd was in offline mode.

I would also recommend following the instructions on the following page:
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

LS
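A small triage helper for the krb5_child.log pattern LS points at above, added here as an example and not code from the thread or from SSSD. The sample log lines are constructed from the quoted excerpt (prefixes trimmed); the two error-code names are the libkrb5 constants for the codes that appear in it, and the verdict logic separates the trace-level FAST ccache miss (informational) from the level-0x0020 error that actually aborts the kinit.

```python
import re

# libkrb5 error codes seen in the quoted log (error table base is -1765328384).
KRB5_ERRORS = {
    -1765328228: "KRB5_KDC_UNREACH",   # Cannot contact any KDC for realm
    -1765328243: "KRB5_CC_NOTFOUND",   # Matching credential not found
}

# Constructed sample, modelled on the krb5_child.log lines quoted in the thread.
SAMPLE_LOG = """\
[get_and_save_tgt] (0x0400): Attempting kinit for realm [AD.CORP.EXAMPLE.COM]
[sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711468: Retrieving host/client@IPA.CORP.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\\/AD.CORP.EXAMPLE.COM\\@AD.CORP.EXAMPLE.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_IPA.CORP.EXAMPLE.COM with result: -1765328243/Matching credential not found
[sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711534: Sending request (192 bytes) to AD.CORP.EXAMPLE.COM
[sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711658: Resolving hostname ad01.ad.corp.example.com
[get_and_save_tgt] (0x0020): 1234: [-1765328228][Cannot contact any KDC for realm 'AD.CORP.EXAMPLE.COM']
[map_krb5_error] (0x0020): 1303: [-1765328228][Cannot contact any KDC for realm 'AD.CORP.EXAMPLE.COM']
"""

def triage(log_text):
    """Return the realm, the KDC hosts tried, the fatal krb5 errors and a verdict."""
    realm = re.search(r"Attempting kinit for realm \[([^\]]+)\]", log_text)
    hosts = re.findall(r"Resolving hostname (\S+)", log_text)
    # Level 0x0020 lines carry the error that actually aborts the kinit.
    fatal = dict((int(c), m) for c, m in
                 re.findall(r"\(0x0020\): \d+: \[(-\d+)\]\[([^\]]+)\]", log_text))
    # Trace-level misses on the FAST armor ccache lookup are informational only.
    benign = [int(c) for c in re.findall(r"with result:\s*(-\d+)/", log_text)]
    if -1765328228 in fatal:
        verdict = "kdc_unreachable"      # check DNS, routing and port 88 to the hosts
    elif fatal:
        verdict = "other_krb5_error"
    else:
        verdict = "no_fatal_error"
    return {
        "realm": realm.group(1) if realm else None,
        "kdc_hosts": sorted(set(hosts)),
        "fatal": [(c, KRB5_ERRORS.get(c, "unknown"), m) for c, m in fatal.items()],
        "benign_cache_misses": [KRB5_ERRORS.get(c, "unknown") for c in benign],
        "verdict": verdict,
    }

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"realm={r['realm']} hosts={r['kdc_hosts']} verdict={r['verdict']}")
    for code, name, msg in r["fatal"]:
        print(f"  {code} {name}: {msg}")
```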
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
