Hi Sumit,

I am also stuck with authentication of AD users against the IPA replica. The 
configuration in krb5.conf is as follows:
```
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
  default_realm = IPA.DOMAIN.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
[realms]
  IPA.DOMAIN.COM = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }
[domain_realm]
  .ipa.domain.com = IPA.DOMAIN.COM
  ipa.domain.com = IPA.DOMAIN.COM
  host-1.ipa.domain.com = IPA.DOMAIN.COM
```

1. So in case the FreeIPA server is unavailable, it should fall back to 
another server, which is in the _kerberos._tcp.ipa.domain.com record. 
Authentication against the local domain via the IPA replica with such a 
configuration is successful. But the AD users cannot be authenticated.

The errors in journalctl:
```
pam_sss(sshd:auth): received for user [email protected]: 6 (Permission denied)
error: PAM: Authentication failure for  [email protected] from 10.10.10.1
```
2. In /var/log/krb5kdc.log on IPA replica, there are no records regarding this 
connection.

3. When I disable DNS lookup (dns_lookup_kdc = false) and explicitly set the 
configuration of both domains in krb5.conf, the authentication succeeds.

4. AD, IPA and IPA replica all have the needed SRV records, but they all have 
the same weight and priority; could that be the problem?

5. Both IPA and IPA Replica are Trusted controllers and Trusted agents

Should krb5.conf or sssd.conf have any specific options in order to 
authenticate AD users via the IPA replica when the IPA server is unavailable?

P.S. Should I open another thread for this question, or can we discuss it here?

With best regards,
Nadiia
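An added example, not part of Nadiia's message or of FreeIPA's own code: a small Python script that parses a krb5.conf fragment like the one above, reports whether KDC discovery for a realm will come from explicit `kdc =` entries or from DNS SRV lookups, and shows how RFC 2782 priority and weight decide the order in which a client tries the SRV targets. The AD realm name AD.EXAMPLE.COM and the SRV record set are constructed; the parser covers only the subset of the profile syntax shown in the thread and does not follow includedir.

```python
"""Added example (not from the thread): inspect a krb5.conf fragment, work out
how libkrb5 will locate KDCs for a realm, and show how SRV priority/weight
decide failover order per RFC 2782. All sample data below is constructed."""
import random
from collections import defaultdict

# Constructed: the realm part of the krb5.conf from the email.
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
  default_realm = IPA.DOMAIN.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
[realms]
  IPA.DOMAIN.COM = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }
[domain_realm]
  .ipa.domain.com = IPA.DOMAIN.COM
  ipa.domain.com = IPA.DOMAIN.COM
"""

# Constructed: two KDC SRV targets with identical priority and weight,
# the situation described in point 4 of the email. Tuples are (priority, weight, target).
SAMPLE_SRV = [(0, 100, "ipa.ipa.domain.com"), (0, 100, "replica.ipa.domain.com")]


def _put(table, key, value):
    """Store a key, turning repeated keys (e.g. several 'kdc =' lines) into a list."""
    if key in table:
        existing = table[key] if isinstance(table[key], list) else [table[key]]
        table[key] = existing + [value]
    else:
        table[key] = value


def parse_krb5_conf(text):
    """Minimal parser for the krb5.conf profile format: [section] headers,
    'key = value' lines and one level of 'name = { ... }' subsections.
    includedir lines are recorded but not followed (no filesystem access)."""
    conf = {"includedir": []}
    section, sub = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("includedir "):
            conf["includedir"].append(line.split(None, 1)[1])
        elif line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            sub = None
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                sub = key
                conf[section][sub] = {}
            elif sub is not None:
                _put(conf[section][sub], key, value)
            else:
                _put(conf[section], key, value)
    return conf


def kdc_discovery_plan(conf, realm):
    """How a client with this config finds KDCs for `realm`: explicit 'kdc ='
    entries win; otherwise, with dns_lookup_kdc enabled (MIT default: true),
    libkrb5 queries the _kerberos._tcp.<realm> (and _udp) SRV records."""
    stanza = conf.get("realms", {}).get(realm, {})
    kdcs = stanza.get("kdc", [])
    kdcs = [kdcs] if isinstance(kdcs, str) else kdcs
    if kdcs:
        return {"source": "explicit", "kdcs": kdcs}
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", "true").lower()
    if flag in ("true", "yes", "1"):
        return {"source": "dns", "srv": f"_kerberos._tcp.{realm.lower()}",
                "has_stanza": bool(stanza)}
    return {"source": "none"}  # no kdc lines and DNS lookup disabled


def srv_failover_order(records, rng=None):
    """Order SRV records the way an RFC 2782 client does: ascending priority,
    then a weighted-random pick within each priority level. Returns a list of
    (priority, [targets in selection order], all_weights_equal)."""
    rng = rng or random.Random(0)  # seeded so the demo is reproducible
    by_prio = defaultdict(list)
    for prio, weight, target in records:
        by_prio[prio].append((weight, target))
    plan = []
    for prio in sorted(by_prio):
        pool, ordered = list(by_prio[prio]), []
        while pool:
            pick = rng.randint(0, sum(w for w, _ in pool))  # RFC 2782 step
            acc = 0
            for i, (w, t) in enumerate(pool):
                acc += w
                if acc >= pick:
                    ordered.append(pool.pop(i)[1])
                    break
        plan.append((prio, ordered, len({w for w, _ in by_prio[prio]}) == 1))
    return plan


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for realm in ("IPA.DOMAIN.COM", "AD.EXAMPLE.COM"):  # AD realm is constructed
        print(realm, kdc_discovery_plan(conf, realm))
    print(srv_failover_order(SAMPLE_SRV))
```

With dns_lookup_kdc enabled and no `kdc =` lines, the IPA realm stanza above only carries PKINIT settings and both realms' KDCs are found through SRV records; the AD realm has no stanza at all unless one of the includedir files supplies it. When every SRV target shares one priority and one weight, RFC 2782 leaves the order to a random pick, so which server a client tries first is not deterministic and failover depends on the client's connection timeout, not on DNS ordering.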
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
