On Thu, Nov 19, 2020 at 01:01:41PM -0000, kotelnikova9314--- via FreeIPA-users 
wrote:
> Hi Sumit,
> 
> thank you for the comprehensive answer. 

Hi,

thanks for the feedback. I guess before running 'ipa-client-install' the
option 'dns_lookup_kdc = True' was not set in krb5.conf. With this
option libkrb5 would use DNS lookups to find suitable AD DCs.

bye,
Sumit

> 
> > On Tue, Nov 10, 2020 at 03:56:48PM -0000, kotelnikova9314--- via 
> > FreeIPA-users wrote:
> > 
> > The client will get user and group information from the FreeIPA server
> > but for authentication (Kerberos) they will talk with AD DCs directly.
> 
> Ok, I see, thank you for the explanation.
> 
> > For a start no specific configuration is needed, ipa-client-install
> > should set all needed options.
> 
> Found my mistake. My clients were configured without trust, thus the 
> krb5.conf had such configuration in the [realm] section.
>     kdc = ipaserver.ipadomain.com:88
>     master_kdc = ipaserver.ipadomain.com:88
>     admin_server = ipaserver.ipadomain.com:749
>     kpasswd_server = ipaserver.ipadomain.com:464
>     default_domain = ipadomain.com
>  
> After re-installing clients with ipa-client-install, when the trust was 
> established, these lines were removed and authentication for AD users 
> succeeded. 
> 
> Without reinstalling, the definition of the AD trust domain in the [realm] 
> section also helped:
>   AD.DOMAIN = {
>     kdc = ad-controlled.ad.domain:88
>   }
> 
> > Please add 'debug_level = 9' to the [pam] and [domain/...] section in
> > sssd.conf, restart SSSD, try to authenticate again and send the logs.
> 
> No need, I already found that the problem was in the SSSD cache; I had to 
> wait a bit or remove the cache so that the updated HBAC rules were applied. 
> 
> > bye,
> > Sumit
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
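As an added illustration of the point made in this thread (not code from the thread, FreeIPA or MIT krb5): a small Python checker that parses the [libdefaults] and [realms] parts of a krb5.conf and reports, for a given realm, whether libkrb5 would use the realm's explicit kdc entries, fall back to DNS SRV lookup because dns_lookup_kdc is enabled, or have no way to find a KDC at all. The two embedded configurations are constructed to mirror the two states described above: a client enrolled before the trust existed (explicit IPA KDCs only, dns_lookup_kdc off) and one re-enrolled with ipa-client-install after the trust (dns_lookup_kdc on, plus the explicit AD.DOMAIN block from the message). Hostnames and realm names are the placeholders from the thread; the SRV record names follow the MIT krb5 documentation.

```python
"""Report how libkrb5 would locate the KDCs of a realm from a krb5.conf.

Added example for this thread, not code from FreeIPA or MIT krb5. Handles
only the krb5.conf subset needed here: [section] headers, key = value
lines, and one level of REALM = { ... } blocks.
"""
import re

# Constructed sample 1: client enrolled before the trust existed, as in the
# thread (explicit IPA KDCs only, DNS KDC discovery switched off).
SAMPLE_BEFORE_TRUST = """\
[libdefaults]
  default_realm = IPADOMAIN.COM
  dns_lookup_kdc = false

[realms]
  IPADOMAIN.COM = {
    kdc = ipaserver.ipadomain.com:88
    master_kdc = ipaserver.ipadomain.com:88
    admin_server = ipaserver.ipadomain.com:749
    kpasswd_server = ipaserver.ipadomain.com:464
  }
"""

# Constructed sample 2: after re-enrolling, DNS discovery is on and the AD
# realm from the thread is also listed explicitly.
SAMPLE_AFTER_TRUST = """\
[libdefaults]
  default_realm = IPADOMAIN.COM
  dns_lookup_kdc = true

[realms]
  IPADOMAIN.COM = {
    kdc = ipaserver.ipadomain.com:88
  }
  AD.DOMAIN = {
    kdc = ad-controlled.ad.domain:88
  }
"""

_SECTION_RE = re.compile(r"\[(\w+)\]")
_BLOCK_RE = re.compile(r"([^=\s]+)\s*=\s*\{")
_PAIR_RE = re.compile(r"([^=\s]+)\s*=\s*(.*)")
_TRUE_VALUES = {"true", "yes", "t", "y", "on", "1"}   # MIT boolean spellings


def parse_krb5_conf(text):
    """Return {section: {key: [values] or {block_key: [values]}}}; values
    are kept as lists because a realm may carry several kdc lines."""
    conf = {}
    section = None   # dict of the current [section]
    block = None     # dict of the currently open REALM = { ... } block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = _SECTION_RE.fullmatch(line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"setting outside any section: {line!r}")
        if line == "}":
            block = None
            continue
        m = _BLOCK_RE.fullmatch(line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        m = _PAIR_RE.fullmatch(line)
        if not m:
            raise ValueError(f"cannot parse line: {line!r}")
        target = block if block is not None else section
        target.setdefault(m.group(1), []).append(m.group(2).strip())
    return conf


def kdc_lookup_report(conf, realm):
    """Return ('explicit', kdcs), ('dns', srv_names) or ('unreachable', []).

    Explicit kdc entries for the realm win; otherwise libkrb5 queries DNS SRV
    records only when dns_lookup_kdc is enabled (MIT krb5 enables it when the
    option is absent, so an unset option counts as enabled here).
    """
    libdefaults = conf.get("libdefaults", {})
    flag = libdefaults.get("dns_lookup_kdc", ["true"])[0].lower()
    realm_block = conf.get("realms", {}).get(realm, {})
    kdcs = realm_block.get("kdc", []) if isinstance(realm_block, dict) else []
    if kdcs:
        return ("explicit", list(kdcs))
    if flag in _TRUE_VALUES:
        return ("dns", [f"_kerberos._udp.{realm}", f"_kerberos._tcp.{realm}"])
    return ("unreachable", [])


if __name__ == "__main__":
    for label, text in (("before trust", SAMPLE_BEFORE_TRUST),
                        ("after trust", SAMPLE_AFTER_TRUST)):
        conf = parse_krb5_conf(text)
        for realm in ("IPADOMAIN.COM", "AD.DOMAIN"):
            how, where = kdc_lookup_report(conf, realm)
            print(f"{label:13} {realm:14} -> {how}: {', '.join(where) or '-'}")
```

Run against the first sample the AD realm comes out as "unreachable", which is the situation the thread describes before re-enrolment: no kdc line for AD.DOMAIN and no DNS fallback. Either of the two fixes mentioned above (re-running ipa-client-install so that dns_lookup_kdc is enabled, or adding an explicit AD.DOMAIN block) turns that into "dns" or "explicit" respectively.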