Good day.
IPA - 4.9.4.
OS - Fedora 34.
I have established a trust relationship with the AD domain.
The list of domains is easily obtained by the command ipa
trust-fetch-domains "example.com"
I can get a ticket with kinit [email protected] from the CLI.
I cannot log into the server with the AD account from the UI.
With exactly the same installation, but on CentOS 7 + IPA 4.6.8, there
are no such problems.


In /var/log/httpd/error_log
[Sun Jun 13 15:51:14.045718 2021] [wsgi:error] [pid 2312:tid 2815] [remote
172.17.51.252:8946] ipa: INFO: 401 Unauthorized: Major (851968):
Unspecified GSS failure.  Minor code may provide more information, Minor
(2598844988): KDC returned error string: PROCESS_TGS

In /var/log/krb5kdc.log
Jun 13 15:51:13 freeipa-master.ipa.example.com krb5kdc[2256](info): AS_REQ
(3 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23)}) 172.17.252.121: REFERRAL: aduser\@
[email protected] for krbtgt/[email protected],
Realm not local to KDC

/etc/krb.conf
# Kerberos client/KDC configuration on the IPA master (the post labels it
# /etc/krb.conf; the includedir paths suggest /etc/krb5.conf). Fragments in
# the two directories below are merged in and can override what is set here.
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

# Log destinations for the client library, the KDC and kadmind.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPA.EXAMPLE.COM
 # Realm mapping is taken from [domain_realm], not DNS; KDCs of other realms
 # (e.g. the trusted AD forest) are located via DNS SRV lookups.
 dns_lookup_realm = false
 dns_lookup_kdc = true
 # No reverse-DNS canonicalisation of KDC host names.
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 # 0 = never prefer UDP; KDC traffic goes over TCP.
 udp_preference_limit = 0
 # Per-user credential cache in the kernel keyring.
 default_ccache_name = KEYRING:persistent:%{uid}
 # NOTE(review): this list offers RC4 (rc4-hmac, arcfour-hmac-md5) and
 # single-DES (des-cbc-md5, des-cbc-crc) next to AES; the krb5kdc.log excerpt
 # above already tags arcfour-hmac(23) as DEPRECATED. Confirm the trust really
 # still needs the legacy types before keeping them -- each one widens what a
 # client will accept for its TGT session key. The value presumably is a single
 # line in the real file and was wrapped by the mail client.
 default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5
des-cbc-md5 des-cbc-crc

[realms]
 IPA.EXAMPLE.COM = {
  kdc = freeipa-master.ipa.example.com:88
  master_kdc = freeipa-master.ipa.example.com:88
  admin_server = freeipa-master.ipa.example.com:749
  default_domain = ipa.example.com
  # PKINIT trust anchors and intermediate pool installed by ipa-client.
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  # auth_to_local rules are evaluated in order: the RULE rewrites principals
  # of the upper-case realm EXAMPLE.COM to user@example.com, DEFAULT handles
  # everything else. The RULE value presumably is one line in the real file
  # (s/@EXAMPLE.COM/@example.com/) and was wrapped by the mail client.
  auth_to_local = RULE:[1:$1@$0](^.*@EXAMPLE.COM$)s/@
EXAMPLE.COM/@example.com/
  auth_to_local = DEFAULT

}

# Host-name-to-realm mapping used because dns_lookup_realm is false.
[domain_realm]
 .ipa.example.com = IPA.EXAMPLE.COM
 ipa.example.com = IPA.EXAMPLE.COM
 freeipa-master.ipa.example.com = IPA.EXAMPLE.COM

# KDC database backend for the local realm: the ipadb.so KDB module.
[dbmodules]
  IPA.EXAMPLE.COM = {
    db_library = ipadb.so
  }

# Certificate authentication (PKINIT) is validated only by the ipakdb module.
[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }

/etc/sssd/sssd.conf
# SSSD domain for the IPA realm; this host runs SSSD in server mode, i.e.
# it is the IPA master itself.
[domain/ipa.example.com]
# NOTE(review): kdcinfo files are not written and FAST is set to "never", so
# the Kerberos pre-authentication exchange is not armored. Confirm this is
# intended on a server-mode host and not a leftover from debugging.
krb5_use_kdcinfo = False
krb5_use_fast = never
id_provider = ipa
ipa_server_mode = True
ipa_server = freeipa-master.ipa.example.com
ipa_domain = ipa.example.com
ipa_hostname = freeipa-master.ipa.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
# Offline logins: credentials are cached and the password may be stored
# if the server is unreachable.
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ifp, ssh, sudo

domains = ipa.example.com
[nss]
homedir_substring = /home
# seconds
memcache_timeout = 600

# The following responder sections are present but carry only defaults.
[pam]

[sudo]

[autofs]

[ssh]

[pac]

# Only these local accounts may use the InfoPipe (D-Bus) responder; ipaapi is
# the account the IPA web framework runs as.
[ifp]
allowed_uids = ipaapi, root

[secrets]

[session_recording]
I would be grateful for any help.