On Tue, Feb 25, 2020 at 04:16:53AM -0000, Michael Solodovnikov via FreeIPA-users wrote:
> Hi.
>
> > Can you run the same commands as
> >
> > KRB5_TRACE=/dev/stdout kinit solodovnikov@win.gtf.kz
> > KRB5_TRACE=/dev/stdout klist
> > KRB5_TRACE=/dev/stdout kvno -S host dc1.nix.gtf.kz
> > KRB5_TRACE=/dev/stdout klist
> >
> > and send the output?
>
> KRB5_TRACE - https://paste.centos.org/view/848348bc
>
> > Here the all-upper-case version is requested and not found. Please note
> > that Kerberos according to the RFCs is case-sensitive and the IPA KDC
> > treats principal names case-sensitively, in contrast to AD DCs.
>
> Yes, I pay attention to it.
>
> > The cross-realm TGT is needed for the Kerberos ticket validation. You
> > can disable this for testing by setting 'krb5_validate = False' in the
> > [domain/...] section of sssd.conf. But since validation is a useful
> > security feature, especially in an environment with trust, I'd recommend
> > still finding the real cause of the issue and not using 'krb5_validate =
> > False' permanently.
>
> Added the 'krb5_validate = False' option; it is not working.
>
> On the server, disabled options:
>
> [domain/nix.gtf.kz/win.gtf.kz]
> subdomain_inherit = ldap_user_principal
> ldap_user_principal = nosuchattr
>
> And enabled:
>
> krb5_validate = False
>
> [domain/nix.gtf.kz]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = nix.gtf.kz
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = dc1.nix.gtf.kz
> chpass_provider = ipa
> ipa_server = dc1.nix.gtf.kz
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_validate = False
> debug_level=9
>
> [sssd]
> services = sudo, nss, ifp, pam, ssh
> domains = nix.gtf.kz
> debug_level=9
> ...
>
> Clean and restart.
>
> # service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
> # systemctl restart ipa
>
> [root@dc1 ~]# su - test
> Last login: Wed Feb 19 16:41:14 +07 2020 on pts/0
> [test@dc1 ~]$ su - solodovnikov@win.gtf.kz
> Password:
> su: Authentication failure
>
> In krb5kdc.log - https://paste.centos.org/view/b921a40b
>
> > This looks like the client cannot properly detect that an enterprise
> > principal should be used. To understand why, it would be good to see the
> > full SSSD domain log of the client. As a workaround you can add
> > 'krb5_use_enterprise_principal = True' to the [domain/...] section of
> > sssd.conf on the IPA client. Given the issue from above you might have
> > to add 'krb5_validate = False' as well.
>
> On the client, added krb5_use_enterprise_principal = True and krb5_validate = False
>
> [domain/nix.gtf.kz]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = nix.gtf.kz
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = sqlg.nix.gtf.kz
> chpass_provider = ipa
> ipa_server = _srv_, dc1.nix.gtf.kz
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> krb5_use_enterprise_principal = True
> krb5_validate = False
>
> use_fully_qualified_names = True
> re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))
>
> debug_level=9
> [sssd]
> services = nss, sudo, pam, ssh
>
> domains = nix.gtf.kz
>
> debug_level=9
> ...
>
> # service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
>
> [root@sqlg ~]# su - test
> Last login: Wed Feb 19 16:45:57 +07 2020 on pts/0
> [test@sqlg ~]$ su - solodovnikov@win.gtf.kz
> Password:
> su: Authentication failure
>
> In sssd log - https://paste.centos.org/view/359115b9
> In messages - https://paste.centos.org/view/f459ec56
> In krb5kdc.log on server - https://paste.centos.org/view/960eab78
Hi,

can you paste krb5_child.log from the server and the client attempt as well?

bye,
Sumit

> Michael.
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
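The thread above turns on two sssd.conf settings: krb5_validate = False, which Sumit describes as a testing-only workaround because ticket validation is a useful security feature in a trust environment, and krb5_use_enterprise_principal = True, the client-side override for the enterprise-principal detection problem. The script below is an added example, not code from the thread or from SSSD itself: it parses an sssd.conf, flags every [domain/...] section in which krb5_validate has been explicitly switched off (so that the workaround does not quietly become permanent), notes where the enterprise-principal override is forced on, and produces a copy of the config with validation restored. The sample config is a constructed snippet modelled on the client config posted above; the function names audit_sssd_conf and restore_validation, the severity labels and the message text are assumptions for illustration. It only acts on explicit settings and makes no claim about SSSD's per-provider defaults.

```python
"""Audit sssd.conf for Kerberos-related workarounds left in place.

Added example, not part of the FreeIPA-users thread or of SSSD itself.
Per sssd-krb5(5), krb5_validate makes SSSD verify, using the host keytab,
that the TGT it obtained has not been spoofed; turning it off removes that
check. The audit reports where that has been done explicitly.
"""
import configparser

# Constructed sample sssd.conf, modelled on the client config posted in the
# thread. Hostnames and values are illustrative, not a real deployment.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, sudo, pam, ssh
domains = nix.gtf.kz
debug_level=9

[domain/nix.gtf.kz]
id_provider = ipa
auth_provider = ipa
ipa_domain = nix.gtf.kz
ipa_hostname = sqlg.nix.gtf.kz
ipa_server = _srv_, dc1.nix.gtf.kz
krb5_use_enterprise_principal = True
krb5_validate = False
use_fully_qualified_names = True
re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))

[domain/nix.gtf.kz/win.gtf.kz]
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text. Interpolation is disabled so regexes such as
    re_expression and any '%' in values are taken literally."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_sssd_conf(text):
    """Return a list of (section, severity, message) findings for every
    [domain/...] section. Only explicit settings are examined."""
    cp = parse_sssd_conf(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.has_option(section, "krb5_validate"):
            if cp.getboolean(section, "krb5_validate"):
                findings.append((section, "OK", "krb5_validate is enabled"))
            else:
                findings.append((section, "WARNING",
                                 "krb5_validate = false: the obtained TGT is not "
                                 "verified against the host keytab; testing-only "
                                 "workaround, do not leave in place"))
        if (cp.has_option(section, "krb5_use_enterprise_principal")
                and cp.getboolean(section, "krb5_use_enterprise_principal")):
            findings.append((section, "INFO",
                             "krb5_use_enterprise_principal forced on; automatic "
                             "detection is overridden for this domain"))
    return findings


def restore_validation(text):
    """Return the config with every explicit 'krb5_validate = false' flipped
    back to true. Line-based on purpose: configparser.write() would reflow
    the whole file, while this keeps comments and layout intact."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if (sep and key.strip().lower() == "krb5_validate"
                and value.strip().lower() == "false"):
            line = f"{key.rstrip()} = true"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for section, severity, message in audit_sssd_conf(SAMPLE_SSSD_CONF):
        print(f"{severity:8s} [{section}] {message}")
    print("--- after restore_validation ---")
    for section, severity, message in audit_sssd_conf(
            restore_validation(SAMPLE_SSSD_CONF)):
        print(f"{severity:8s} [{section}] {message}")
```

Run it against a real /etc/sssd/sssd.conf by passing the file contents to audit_sssd_conf; a WARNING on an IPA client or server with an AD trust is exactly the state the thread warns against keeping, and restore_validation gives the corrected file to diff before applying it.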
