It is example.com and ad.example.com, but all DNS is handled by an external
server so I assumed neither was a subdomain.  I don't understand DNS much
and it seems to work just fine with Fedora 25 ipa clients and ad users.

On Mon, Aug 14, 2017 at 1:36 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Mon, 14 Aug 2017, Steve Weeks wrote:
>
>> No, the IPA and AD domains are separate, but do have a cross-trust.
>>
>> We are running IPA 4.4.  This all works fine on Fedora 25 systems.
>>
> Can you be more specific? In your logs below you choose ad.example.com
> and example.com. This is known to not work. If this is not your
> configuration then why did you choose it to obfuscate? Details matter.
>
>> On Mon, Aug 14, 2017 at 12:14 PM, Alexander Bokovoy <aboko...@redhat.com>
>> wrote:
>>
>>> On Mon, 14 Aug 2017, Steve Weeks via FreeIPA-users wrote:
>>>>
>>>> I'm having trouble logging in via the gui console to an Ubuntu 16 Desktop
>>>> host that is affiliated with a FreeIPA server, which in turn is affiliated
>>>> with an Active Directory server.
>>>>
>>>> When I try to log in with debugging turned up on the SSSD I see an
>>>> underlying error in the krb5_child log file: Cannot find KDC for realm
>>>> "EXAMPLE.COM" while getting credentials for host/myhost.example....@example.com
>>>>
>>>> Following an example from the freeipa-users mailing list, I am just working
>>>> with kinit and kvno to identify the underlying problem. I get the same
>>>> error, which I suppose is good. But I don't know how to resolve it from
>>>> here. The transcript is below. On the first try at kvno, I get the same
>>>> error. On the second try, it works. Any idea why? I suspect the failure on
>>>> the first try is the real problem with authentication from the console.
>>>>
>>>> Any hints what to try next?
>>>>
>>> Do you really have AD as a subdomain of IPA?
>>>
>>> I suspect you hit https://bugzilla.redhat.com/show_bug.cgi?id=1421869
>>> There is currently no resolution for this. If you'd use different
>>> domain trees (example.com v example.org) it would work. It would work
>>> also for AD owning example.com and IPA being in ipa.example.com.
>>>
>>>> Thanks
>>>>
>>>> ----- /etc/krb5.conf -----
>>>> #File modified by ipa-client-install
>>>>
>>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>>
>>>>
>>>> [libdefaults]
>>>>  default_realm = EXAMPLE.COM
>>>>  dns_lookup_realm = true
>>>>  dns_lookup_kdc = true
>>>>  rdns = false
>>>>  ticket_lifetime = 24h
>>>>  forwardable = true
>>>>  udp_preference_limit = 0
>>>>  default_ccache_name = KEYRING:persistent:%{uid}
>>>>
>>>>
>>>> [realms]
>>>>  EXAMPLE.COM = {
>>>>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>
>>>>  }
>>>>
>>>>
>>>> [domain_realm]
>>>>  .example.com = EXAMPLE.COM
>>>>  example.com = EXAMPLE.COM
>>>>
>>>>
>>>>
>>>> ----- Transcript -----
>>>>
>>>>
>>>> $ kdestroy -A
>>>>
>>>>
>>>> $ kinit adu...@ad.example.com
>>>> Password for adu...@ad.example.com:
>>>>
>>>>
>>>> $ klist
>>>> Ticket cache: KEYRING:persistent:1000:1000
>>>> Default principal: adu...@ad.example.com
>>>>
>>>> Valid starting       Expires              Service principal
>>>> 08/14/2017 09:59:22  08/14/2017 19:59:22  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
>>>>         renew until 08/15/2017 09:59:17
>>>>
>>>>
>>>> $ KRB5_TRACE=/dev/stdout kvno host/myhost.example....@example.com
>>>> [1994] 1502719211.714019: Getting credentials adu...@ad.example.com ->
>>>> host/myhost.example....@example.com using ccache
>>>> KEYRING:persistent:1000:1000
>>>> [1994] 1502719211.714237: Retrieving adu...@ad.example.com ->
>>>> host/myhost.example....@example.com from KEYRING:persistent:1000:1000
>>>> with result: -1765328243/Matching credential not found
>>>> [1994] 1502719211.714318: Retrieving adu...@ad.example.com ->
>>>> krbtgt/example....@example.com from KEYRING:persistent:1000:1000 with
>>>> result: -1765328243/Matching credential not found
>>>> [1994] 1502719211.714376: Retrieving adu...@ad.example.com ->
>>>> krbtgt/ad.example....@ad.example.com from KEYRING:persistent:1000:1000
>>>> with result: 0/Success
>>>> [1994] 1502719211.714395: Starting with TGT for client realm:
>>>> adu...@ad.example.com -> krbtgt/ad.example....@ad.example.com
>>>> [1994] 1502719211.714439: Retrieving adu...@ad.example.com ->
>>>> krbtgt/example....@example.com from KEYRING:persistent:1000:1000 with
>>>> result: -1765328243/Matching credential not found
>>>> [1994] 1502719211.714456: Requesting TGT
>>>> krbtgt/example....@ad.example.com using TGT
>>>> krbtgt/ad.example....@ad.example.com
>>>> [1994] 1502719211.714486: Generated subkey for TGS request:
>>>> aes256-cts/020C
>>>> [1994] 1502719211.714525: etypes requested in TGS request: aes256-cts,
>>>> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>>>> [1994] 1502719211.714605: Encoding request body and padata into FAST
>>>> request
>>>> [1994] 1502719211.714662: Sending request (1686 bytes) to
>>>> AD.EXAMPLE.COM
>>>> [1994] 1502719211.717532: Resolving hostname ad-host.ad.example.com.
>>>> [1994] 1502719211.719053: Sending initial UDP request to dgram
>>>> 192.168.1.2:88
>>>> [1994] 1502719211.742171: Received answer (309 bytes) from dgram
>>>> 192.168.1.2:88
>>>> [1994] 1502719211.743066: Response was not from master KDC
>>>> [1994] 1502719211.743082: Decoding FAST response
>>>> [1994] 1502719211.743109: Request or response is too big for UDP;
>>>> retrying with TCP
>>>> [1994] 1502719211.743113: Sending request (1686 bytes) to
>>>> AD.EXAMPLE.COM (tcp only)
>>>> [1994] 1502719211.743971: Resolving hostname ad-host.ad.example.com.
>>>> [1994] 1502719211.744908: Initiating TCP connection to stream
>>>> 192.168.1.2:88
>>>> [1994] 1502719211.764062: Sending TCP request to stream 192.168.1.2:88
>>>> [1994] 1502719211.805666: Received answer (1643 bytes) from stream
>>>> 192.168.1.2:88
>>>> [1994] 1502719211.805678: Terminating TCP connection to stream
>>>> 192.168.1.2:88
>>>> [1994] 1502719211.806709: Response was not from master KDC
>>>> [1994] 1502719211.806735: Decoding FAST response
>>>> [1994] 1502719211.806789: FAST reply key: aes256-cts/820C
>>>> [1994] 1502719211.806808: TGS reply is for adu...@ad.example.com ->
>>>> krbtgt/example....@ad.example.com with session key aes256-cts/B56C
>>>> [1994] 1502719211.806822: TGS request result: 0/Success
>>>> [1994] 1502719211.806826: Storing adu...@ad.example.com ->
>>>> krbtgt/example....@ad.example.com in KEYRING:persistent:1000:1000
>>>> [1994] 1502719211.806912: Received TGT for service realm:
>>>> krbtgt/example....@ad.example.com
>>>> [1994] 1502719211.806915: Requesting tickets for
>>>> host/myhost.example....@example.com, referrals on
>>>> [1994] 1502719211.806924: Generated subkey for TGS request:
>>>> aes256-cts/D365
>>>> [1994] 1502719211.806940: etypes requested in TGS request: aes256-cts,
>>>> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>>>> [1994] 1502719211.806968: Encoding request body and padata into FAST
>>>> request
>>>> [1994] 1502719211.806994: Sending request (1676 bytes) to EXAMPLE.COM
>>>> (tcp only)
>>>> kvno: Cannot find KDC for realm "EXAMPLE.COM" while getting
>>>> credentials for host/myhost.example....@example.com
>>>>
>>>>
>>>> $ KRB5_TRACE=/dev/stdout kvno host/myhost.example....@example.com
>>>> [1995] 1502719219.601419: Getting credentials adu...@ad.example.com ->
>>>> host/myhost.example....@example.com using ccache
>>>> KEYRING:persistent:1000:1000
>>>> [1995] 1502719219.601516: Retrieving adu...@ad.example.com ->
>>>> host/myhost.example....@example.com from KEYRING:persistent:1000:1000
>>>> with result: -1765328243/Matching credential not found
>>>> [1995] 1502719219.601556: Retrieving adu...@ad.example.com ->
>>>> krbtgt/example....@example.com from KEYRING:persistent:1000:1000 with
>>>> result: 0/Success
>>>> [1995] 1502719219.601559: Found cached TGT for service realm:
>>>> adu...@ad.example.com -> krbtgt/example....@ad.example.com
>>>> [1995] 1502719219.601561: Requesting tickets for
>>>> host/myhost.example....@example.com, referrals on
>>>> [1995] 1502719219.601573: Generated subkey for TGS request:
>>>> aes256-cts/5EC1
>>>> [1995] 1502719219.601592: etypes requested in TGS request: aes256-cts,
>>>> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>>>> [1995] 1502719219.601639: Encoding request body and padata into FAST
>>>> request
>>>> [1995] 1502719219.601666: Sending request (1676 bytes) to EXAMPLE.COM
>>>> [1995] 1502719219.603587: Resolving hostname idsg-test16.example.com.
>>>> [1995] 1502719219.604856: Sending initial UDP request to dgram
>>>> 192.168.1.1:88
>>>> [1995] 1502719219.621855: Received answer (1680 bytes) from dgram
>>>> 192.168.1.1:88
>>>> [1995] 1502719219.622767: Response was not from master KDC
>>>> [1995] 1502719219.622783: Decoding FAST response
>>>> [1995] 1502719219.622834: FAST reply key: aes256-cts/14A3
>>>> [1995] 1502719219.622852: TGS reply is for adu...@ad.example.com ->
>>>> host/myhost.example....@example.com with session key aes256-cts/B41C
>>>> [1995] 1502719219.622866: TGS request result: 0/Success
>>>> [1995] 1502719219.622868: Received creds for desired service
>>>> host/myhost.example....@example.com
>>>> [1995] 1502719219.622871: Storing adu...@ad.example.com ->
>>>> host/myhost.example....@example.com in
>>>> KEYRING:persistent:1000:1000
>>>> host/myhost.example....@example.com: kvno = 7
>>>>
>>>>
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>>
> --
> / Alexander Bokovoy
>
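An added example, not code from this thread, FreeIPA or MIT krb5: it applies krb5's static [domain_realm] suffix matching to the configuration posted above and shows that the ".example.com" rule also maps hosts in the AD domain (e.g. ad-host.ad.example.com) to EXAMPLE.COM, which is the overlap between the two domain trees Alexander refers to; it also names which of his three layouts a given IPA/AD domain pair falls in. The function names and the SAMPLE_KRB5_CONF string are constructed for this example.

```python
"""Static [domain_realm] lookup and trust-layout check (added example, not
from the thread, FreeIPA or MIT krb5). Only MIT krb5's static suffix match is
modelled: exact host first, then each parent domain with a leading dot;
dns_lookup_realm and the SSSD include directory are ignored."""

# Constructed copy of the [domain_realm] block posted in the thread.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = EXAMPLE.COM
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""

def parse_domain_realm(conf_text):
    """Return {domain: REALM} from the [domain_realm] section only."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            dom, realm = (s.strip() for s in line.split("=", 1))
            mapping[dom.lower()] = realm
    return mapping

def host_realm(hostname, mapping):
    """Exact host match, then .parent, .grandparent, ...; None if no rule."""
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    return None  # real krb5 would now try DNS TXT records or default_realm

def classify_layout(ipa_domain, ad_domain):
    """Name the domain-tree layout using the three cases from the thread."""
    ipa, ad = ipa_domain.lower().strip("."), ad_domain.lower().strip(".")
    if ad.endswith("." + ipa):
        return "ad-under-ipa"   # layout reported not to work (bz 1421869)
    if ipa.endswith("." + ad):
        return "ipa-under-ad"   # stated in the thread to work
    return "separate-trees"     # stated in the thread to work
```

With the posted rules, host_realm("ad-host.ad.example.com", ...) returns "EXAMPLE.COM" rather than the AD realm, and classify_layout("example.com", "ad.example.com") returns "ad-under-ipa".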