On Wed, Feb 19, 2020 at 07:26:51AM -0000, Michael Solodovnikov via FreeIPA-users wrote:
> I have a freshly installed FreeIPA 4.6.5, sssd 1.16.4, krb5 1.15.1-37, samba
> 4.9.1-10 on CentOS 7.7.1908, and can't log in as an AD user.
> FreeIPA is configured with a one-way trust to AD (win.gtf.kz); the AD user has UPN
> [email protected]. FreeIPA realm nix.gtf.kz.
>
> ============
...
> AD user.
>
> [root@dc1 ~]# getent passwd [email protected]
> [email protected]:*:1573974455:1573974455:ФПП:/home/win.gtf.kz/solodovnikov:
>
> [root@dc1 ~]# kinit [email protected]
> Password for [email protected]:
> [root@dc1 ~]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm
> Default principal: [email protected]
>
> Valid starting       Expires              Service principal
> 02/19/2020 11:05:16  02/19/2020 21:05:16  krbtgt/[email protected]
>         renew until 02/20/2020 11:05:10
>
> [root@dc1 ~]# kvno -S host dc1.nix.gtf.kz
> host/[email protected]: kvno = 2
> [root@dc1 ~]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm
> Default principal: [email protected]
>
> Valid starting       Expires              Service principal
> 02/19/2020 11:07:34  02/19/2020 21:05:16  host/[email protected]
>         renew until 02/20/2020 11:05:10
> 02/19/2020 11:07:34  02/19/2020 21:05:16  krbtgt/[email protected]
>         renew until 02/20/2020 11:05:10
> 02/19/2020 11:05:16  02/19/2020 21:05:16  krbtgt/[email protected]
>         renew until 02/20/2020 11:05:10

Hi,

the lower-case components in the krbtgt principals 'krbtgt/[email protected]' and 'krbtgt/[email protected]' look odd, especially since the latter was 'krbtgt/[email protected]' after calling kinit.

Can you run the same commands as

  KRB5_TRACE=/dev/stdout kinit [email protected]
  KRB5_TRACE=/dev/stdout klist
  KRB5_TRACE=/dev/stdout kvno -S host dc1.nix.gtf.kz
  KRB5_TRACE=/dev/stdout klist

and send the output?

>
> ============
> ...
> In krb5kdc.log:
>
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@[email protected] for krbtgt/[email protected], Realm not local to KDC
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): closing down fd 11
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/[email protected] for krbtgt/[email protected], Server not found in Kerberos database
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/[email protected] for krbtgt/[email protected], Server not found in Kerberos database
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@[email protected] for krbtgt/[email protected], Realm not local to KDC
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/[email protected] for krbtgt/[email protected], Server not found in Kerberos database
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/[email protected] for krbtgt/[email protected], Server not found in Kerberos database

Here the all upper-case version is requested and not found. Please note that Kerberos, according to the RFCs, is case-sensitive, and the IPA KDC treats principal names case-sensitively, in contrast to AD DCs.

The cross-realm TGT is needed for the Kerberos ticket validation. You can disable this for testing by setting 'krb5_validate = False' in the [domain/...] section of sssd.conf. But since validation is a useful security feature, especially in an environment with trust, I'd recommend still finding the real cause of the issue and not using 'krb5_validate = False' permanently.

> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11
>
>
> ============
>
> Configs on the FreeIPA client (sqlg.nix.gtf.kz)
>
> [root@sqlg ~]# cat /etc/redhat-release
> CentOS Linux release 7.7.1908 (Core)
> [root@sqlg ~]# ipa --version
> VERSION: 4.6.5, API_VERSION: 2.231
>
> [root@sqlg ~]# cat /etc/krb5.conf
> #File modified by ipa-client-install
>
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
>   default_realm = NIX.GTF.KZ
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   dns_canonicalize_hostname = false
>   ticket_lifetime = 24h
>   forwardable = true
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
>
>
> [realms]
>   NIX.GTF.KZ = {
>     pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>     pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
>
>   }
>
>
> [domain_realm]
>   .nix.gtf.kz = NIX.GTF.KZ
>   nix.gtf.kz = NIX.GTF.KZ
>   sqlg.nix.gtf.kz = NIX.GTF.KZ
>
>
> [root@sqlg ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_nix_gtf_kz
> [domain_realm]
> .win.gtf.kz = WIN.GTF.KZ
> win.gtf.kz = WIN.GTF.KZ
> [capaths]
> WIN.GTF.KZ = {
>   NIX.GTF.KZ = WIN.GTF.KZ
> }
> NIX.GTF.KZ = {
>   WIN.GTF.KZ = WIN.GTF.KZ
> }
>
>
> [root@sqlg ~]# cat /etc/sssd/sssd.conf
> [domain/nix.gtf.kz]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = nix.gtf.kz
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = sqlg.nix.gtf.kz
> chpass_provider = ipa
> ipa_server = _srv_, dc1.nix.gtf.kz
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> # if these options are not added, then the AD user is not found
> use_fully_qualified_names = True
> re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))
>
> [sssd]
> services = nss, sudo, pam, ssh
>
> domains = nix.gtf.kz
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> [secrets]
>
> [session_recording]
>
>
> [root@sqlg ~]# getent passwd [email protected]
> [email protected]:*:1573974455:1573974455:ФПП:/home/win.gtf.kz/solodovnikov:
>
> [root@sqlg ~]# kinit [email protected]
> Password for [email protected]:
> [root@sqlg ~]# klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: [email protected]
>
> Valid starting       Expires              Service principal
> 02/19/2020 12:37:47  02/19/2020 22:37:47  krbtgt/[email protected]
>         renew until 02/20/2020 12:37:42
> [root@sqlg ~]# kvno -S host dc1.nix.gtf.kz
> host/[email protected]: kvno = 2
> [root@sqlg ~]# klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: [email protected]
>
> Valid starting       Expires              Service principal
> 02/19/2020 12:38:30  02/19/2020 22:37:47  host/[email protected]
>         renew until 02/20/2020 12:37:42
> 02/19/2020 12:38:30  02/19/2020 22:37:47  krbtgt/[email protected]
>         renew until 02/20/2020 12:37:42
> 02/19/2020 12:37:47  02/19/2020 22:37:47  krbtgt/[email protected]
>         renew until 02/20/2020 12:37:42
> [root@sqlg ~]#
>
>
> [root@sqlg ~]# su - test
> Last login: Wed Feb 19 11:50:14 +07 2020 on pts/0
> [test@sqlg ~]$ su - [email protected]
> Password:
> su: Authentication failure
>
>
> In sssd log:
>
> (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [check_failed_login_attempts] (0x4000): Failed login attempts [0], allowed failed login attempts [0], failed login delay [5].
> (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [sysdb_cache_auth] (0x0100): Cached credentials not available.
> (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [ldb] (0x4000): cancel ldb transaction (nesting: 0)
> (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_cache_creds] (0x0020): Offline authentication failed
> (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [check_wait_queue] (0x1000): Wait queue for user [[email protected]] is empty.
> (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x55b69c74baf0] done.
> (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #12]: Request handler finished [0]: Success
> (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #12]: Receiving request data.
> (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #12]: Request removed.
> (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
> (Wed Feb 19 12:40:42 2020) [sssd[be[nix.gtf.kz]]] [dp_pam_reply] (0x1000): DP Request [PAM Authenticate #12]: Sending result [6][win.gtf.kz]
>
> In /var/log/messages
>
> Feb 19 12:40:08 sqlg su: (to test) root on pts/0
> Feb 19 12:40:42 sqlg [sssd[krb5_child[6513]]]: Cannot find KDC for realm "FGT.KZ"
> Feb 19 12:40:42 sqlg [sssd[krb5_child[6513]]]: Cannot find KDC for realm "FGT.KZ"

This looks like the client cannot properly detect that an enterprise principal should be used. To understand why, it would be good to see the full SSSD domain log of the client.

As a workaround you can add 'krb5_use_enterprise_principal = True' to the [domain/...] section of sssd.conf on the IPA client. Given the issue from above you might have to add 'krb5_validate = False' as well.

HTH

bye,
Sumit
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
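A small triage helper for the kind of krb5kdc.log excerpt discussed in this thread, added here as an example; it is not part of the thread and not FreeIPA or SSSD code. It reads the realm names out of the SSSD-generated krb5 include fragment ([domain_realm] and [capaths]) and then walks KDC request lines, flagging krbtgt principals whose realm components differ from a configured realm only in case (the IPA KDC compares principal names case-sensitively, as Sumit notes) and UNKNOWN_SERVER results on cross-realm TGT requests, which are the requests ticket validation depends on. The principals in the thread are redacted, so the sample log lines and every principal name in them (m.solodovnikov, host/dc1.nix.gtf.kz, the ldap/ ISSUE line) are constructed assumptions; the log format itself follows the excerpt.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed krb5 include fragment in the shape of the SSSD-generated
# /var/lib/sss/pubconf/krb5.include.d/domain_realm_nix_gtf_kz file from the thread.
KRB5_FRAGMENT = """\
[domain_realm]
.win.gtf.kz = WIN.GTF.KZ
win.gtf.kz = WIN.GTF.KZ
[capaths]
WIN.GTF.KZ = {
  NIX.GTF.KZ = WIN.GTF.KZ
}
NIX.GTF.KZ = {
  WIN.GTF.KZ = WIN.GTF.KZ
}
"""

# Constructed krb5kdc.log lines in the format of the thread's excerpt; the thread's
# principals are redacted, so every principal name below is an assumption.
SAMPLE_KDC_LOG = """\
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\\@win.gtf.kz@NIX.GTF.KZ for krbtgt/WIN.GTF.KZ@NIX.GTF.KZ, Realm not local to KDC
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): closing down fd 11
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf.kz@NIX.GTF.KZ for krbtgt/win.gtf.kz@NIX.GTF.KZ, Server not found in Kerberos database
Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf.kz@NIX.GTF.KZ for krbtgt/WIN.GTF.KZ@NIX.GTF.KZ, Server not found in Kerberos database
Feb 19 11:53:10 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: ISSUE: authtime 1582088582, etypes {rep=18 tkt=18 ses=18}, host/dc1.nix.gtf.kz@NIX.GTF.KZ for ldap/dc1.nix.gtf.kz@NIX.GTF.KZ
"""

# A krb5kdc request line; the detail part reads "<client> for <server>, <reason>".
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<detail>.*)$")
PRINCIPALS = re.compile(r"(?P<client>\S+) for (?P<server>[^,\s]+)")


def load_realms(fragment: str) -> Set[str]:
    """Collect realm names from [domain_realm] values and [capaths] keys and values."""
    realms: Set[str] = set()
    section = None
    for line in (raw.strip() for raw in fragment.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section in ("domain_realm", "capaths") and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{" or section == "capaths":
                realms.add(key)       # "REALM = {" block header or inner capaths key
            if value != "{":
                realms.add(value)     # domain_realm target or capaths intermediate
    return realms


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'a/b@REALM' -> (['a', 'b'], 'REALM'); an escaped '\\@' inside a component
    (enterprise-style user\\@ad.example@REALM) is not treated as the realm separator."""
    parts = re.split(r"(?<!\\)@", principal)
    return "@".join(parts[:-1]).split("/"), parts[-1]


def check_krbtgt(server: str, realms: Set[str]) -> List[str]:
    """Findings for krbtgt/<REMOTE>@<ISSUER> whose realms are not spelled as configured;
    the IPA KDC compares principal names case-sensitively, unlike an AD DC."""
    comps, realm = split_principal(server)
    if len(comps) != 2 or comps[0] != "krbtgt":
        return []
    canon = {r.upper(): r for r in realms}
    findings = []
    for label, value in (("remote realm", comps[1]), ("issuing realm", realm)):
        if value in realms:
            continue
        if value.upper() in canon:
            findings.append(f"{label} {value!r} differs only in case from configured "
                            f"realm {canon[value.upper()]!r}")
        else:
            findings.append(f"{label} {value!r} is not a configured realm")
    return findings


def triage(log_text: str, realms: Set[str]) -> List[Dict[str, object]]:
    """Request lines worth a second look: case-mismatched krbtgt principals and
    cross-realm TGT requests the KDC could not find."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        match = KDC_LINE.match(line)
        pm = PRINCIPALS.search(match["detail"]) if match else None
        if not pm:
            continue                  # e.g. "closing down fd 11" housekeeping lines
        client, server = pm["client"], pm["server"]
        notes = check_krbtgt(server, realms)
        if match["status"] == "UNKNOWN_SERVER" and server.startswith("krbtgt/"):
            notes.append("cross-realm TGT not found on this KDC; SSSD ticket "
                         "validation (krb5_validate) depends on it")
        if notes:
            hits.append({"ts": match["ts"], "req": match["req"], "status": match["status"],
                         "client": client, "server": server, "notes": notes})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_KDC_LOG, load_realms(KRB5_FRAGMENT)):
        print(f"{hit['ts']} {hit['req']} {hit['status']}: {hit['client']} -> {hit['server']}")
        for note in hit["notes"]:
            print("    -", note)
```

Run against a real krb5kdc.log on the IPA server, the helper only reports the lines where a krbtgt principal is spelled differently from the realms SSSD wrote into the include fragment, or where a cross-realm TGT lookup failed, which is the subset that matters for deciding whether 'krb5_validate = False' is masking a naming problem rather than fixing one.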
