Hi.

> Can you run the same commands as
>
> KRB5_TRACE=/dev/stdout kinit solodovnikov(a)win.gtf.kz
> KRB5_TRACE=/dev/stdout klist
> KRB5_TRACE=/dev/stdout kvno -S host dc1.nix.gtf.kz
> KRB5_TRACE=/dev/stdout klist
>
> and send the output?

KRB5_TRACE - https://paste.centos.org/view/848348bc

> Here the all upper-case version is requested and not found. Please note
> that Kerberos according to the RFCs is case-sensitive and the IPA KDC
> treats principal names case-sensitively, in contrast to AD DCs.

Yes, I pay attention to it.

> The cross-realm TGT is needed for the Kerberos ticket validation. You
> can disable this for testing by setting 'krb5_validate = False' in the
> [domain/...] section of sssd.conf. But since validation is a useful
> security feature, especially in an environment with trust, I'd recommend
> to still find the real cause of the issue and not use 'krb5_validate =
> False' permanently.

Added the 'krb5_validate = False' option; not working.

On the server, disabled options:

[domain/nix.gtf.kz/win.gtf.kz]
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr

And enabled:

krb5_validate = False

[domain/nix.gtf.kz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.gtf.kz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = dc1.nix.gtf.kz
chpass_provider = ipa
ipa_server = dc1.nix.gtf.kz
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_validate = False
debug_level=9

[sssd]
services = sudo, nss, ifp, pam, ssh
domains = nix.gtf.kz
debug_level=9
...

Cleaned and restarted.

# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
# systemctl restart ipa

[root@dc1 ~]# su - test
Last login: Wed Feb 19 16:41:14 +07 2020 on pts/0
[test@dc1 ~]$ su - solodovnikov(a)win.gtf.kz
Password:
su: Authentication failure

In krb5kdc.log - https://paste.centos.org/view/b921a40b

> This looks like the client cannot properly detect that enterprise
> principal should be used. To understand why it would be good to see the
> full SSSD domain log of the client. As a workaround you can add
> 'krb5_use_enterprise_principal = True' to the [domain/...] section of
> sssd.conf on the IPA client. Given the issue from above you might have
> to add 'krb5_validate = False' as well.

On the client, added krb5_use_enterprise_principal = True and krb5_validate = False:

[domain/nix.gtf.kz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.gtf.kz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = sqlg.nix.gtf.kz
chpass_provider = ipa
ipa_server = _srv_, dc1.nix.gtf.kz
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_use_enterprise_principal = True
krb5_validate = False
use_fully_qualified_names = True
re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))
debug_level=9

[sssd]
services = nss, sudo, pam, ssh
domains = nix.gtf.kz
debug_level=9
...

# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

[root@sqlg ~]# su - test
Last login: Wed Feb 19 16:45:57 +07 2020 on pts/0
[test@sqlg ~]$ su - solodovnikov(a)win.gtf.kz
Password:
su: Authentication failure

In sssd log - https://paste.centos.org/view/359115b9
In messages - https://paste.centos.org/view/f459ec56
In krb5kdc.log on server - https://paste.centos.org/view/960eab78

Michael.
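As an added example (not code from this thread or from SSSD), a small Python check that reads an sssd.conf laid out like the ones posted above and reports, per [domain/...] section, whether krb5_validate has been switched off and whether krb5_use_enterprise_principal is set, so that settings applied as a workaround do not stay in place unnoticed. The sample config is constructed from the client settings Michael posted.

```python
"""Audit sssd.conf [domain/...] sections for the two Kerberos options from the
thread: krb5_validate (TGT validation against the host keytab, which needs the
cross-realm TGT in a trust setup) and krb5_use_enterprise_principal.
Added example, not from the mailing-list thread; SAMPLE_SSSD_CONF is constructed
from the client settings posted in the thread."""
import configparser

# Constructed sample: the client-side sssd.conf from the thread, trimmed.
SAMPLE_SSSD_CONF = """\
[domain/nix.gtf.kz]
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, dc1.nix.gtf.kz
krb5_use_enterprise_principal = True
krb5_validate = False
use_fully_qualified_names = True
debug_level=9

[domain/nix.gtf.kz/win.gtf.kz]
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr

[sssd]
services = nss, sudo, pam, ssh
domains = nix.gtf.kz
"""


def _is_true(value):
    # SSSD accepts true/yes/1-style booleans in any case; normalise them.
    return value.strip().lower() in ("true", "yes", "1", "on")


def audit_sssd_conf(text):
    """Return {section: [finding, ...]} for every [domain/...] section.

    An empty list means nothing to report. The IPA provider defaults
    krb5_validate to true, so only an explicit False is flagged; enterprise
    principal use is reported because the thread presents it as a workaround."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    report = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [nss], [pam] etc. carry no Kerberos options
        findings = []
        if not _is_true(parser.get(section, "krb5_validate", fallback="True")):
            findings.append("krb5_validate disabled: TGT not validated against "
                            "the host keytab (thread: testing workaround only)")
        if _is_true(parser.get(section, "krb5_use_enterprise_principal",
                               fallback="False")):
            findings.append("krb5_use_enterprise_principal enabled (workaround "
                            "for clients not detecting enterprise principals)")
        report[section] = findings
    return report
```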
