On Sun, Jun 13, 2021 at 01:00:28PM -0000, Konstantin Ignatev via FreeIPA-users wrote:
> Good day.
> IPA - 4.9.4.
> OS - Fedora 34.
> I have established a trust relationship with the AD domain.
> The list of domains is easily obtained by the command ipa trust-fetch-domains "example.com"
> I can get a ticket using kinit [email protected] in CLI.
> I can not log into the server using the AD account from UI.
> With exactly the same installation but on the Centos 7 + IPA 4.6.8 there are no similar problems.
>
>
> In /var/log/httpd/error_log
> [Sun Jun 13 15:51:14.045718 2021] [wsgi:error] [pid 2312:tid 2815] [remote 172.17.51.252:8946] ipa: INFO: 401 Unauthorized: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598844988): KDC returned error string: PROCESS_TGS

Hi,

this looks similar to the issue discussed in https://bugzilla.redhat.com/show_bug.cgi?id=1748072. Please look at the latest comments in this ticket and check in AD the encryption types attribute for the trusted domain object of the IPA domain.

bye,
Sumit

>
> In /var/log/krb5kdc.log
> Jun 13 15:51:13 freeipa-master.ipa.example.com krb5kdc[2256](info): AS_REQ (3 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23)}) 172.17.252.121: REFERRAL: aduser\@[email protected] for krbtgt/[email protected], Realm not local to KDC
>
> /etc/krb5.conf
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = IPA.EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = true
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
> default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
>
> [realms]
> IPA.EXAMPLE.COM = {
> kdc = freeipa-master.ipa.example.com:88
> master_kdc = freeipa-master.ipa.example.com:88
> admin_server = freeipa-master.ipa.example.com:749
> default_domain = ipa.example.com
> pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
> pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
> auth_to_local = RULE:[1:$1@$0](^.*@EXAMPLE.COM$)s/@EXAMPLE.COM/@example.com/
> auth_to_local = DEFAULT
>
> }
>
> [domain_realm]
> .ipa.example.com = IPA.EXAMPLE.COM
> ipa.example.com = IPA.EXAMPLE.COM
> freeipa-master.ipa.example.com = IPA.EXAMPLE.COM
>
> [dbmodules]
> IPA.EXAMPLE.COM = {
> db_library = ipadb.so
> }
>
> [plugins]
> certauth = {
> module = ipakdb:kdb/ipadb.so
> enable_only = ipakdb
> }
>
> /etc/sssd/sssd.conf
> [domain/ipa.example.com]
> krb5_use_kdcinfo = False
> krb5_use_fast = never
> id_provider = ipa
> ipa_server_mode = True
> ipa_server = freeipa-master.ipa.example.com
> ipa_domain = ipa.example.com
> ipa_hostname = freeipa-master.ipa.example.com
> auth_provider = ipa
> chpass_provider = ipa
> access_provider = ipa
> cache_credentials = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_store_password_if_offline = True
> [sssd]
> services = nss, pam, ifp, ssh, sudo
>
> domains = ipa.example.com
> [nss]
> homedir_substring = /home
> memcache_timeout = 600
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
> allowed_uids = ipaapi, root
>
> [secrets]
>
> [session_recording]
>
> I would be grateful for any help
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
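The reply above asks the reporter to check the encryption types attribute of the trusted domain object in AD. That attribute is the msDS-SupportedEncryptionTypes bitmask, and the useful comparison is between the types it advertises and the types the requester offered in the krb5kdc.log line quoted in the thread. The following Python is an added example, not code from the thread, from FreeIPA or from SSSD: it decodes the bitmask using the MS-KILE bit assignments, extracts the etype numbers from a KDC log line, and reports whether the two sides share any type and whether the only shared types are the ones the KDC already flags as DEPRECATED (DES and RC4). The log line and the two trust-object values are constructed for the demonstration; the principal names in it are placeholders.

```python
import re

# Bit flags of the AD attribute msDS-SupportedEncryptionTypes (MS-KILE),
# mapped to the Kerberos etype name and number that krb5kdc.log prints.
MSDS_ENCTYPE_BITS = {
    0x01: ("des-cbc-crc", 1),
    0x02: ("des-cbc-md5", 3),
    0x04: ("arcfour-hmac", 23),
    0x08: ("aes128-cts-hmac-sha1-96", 17),
    0x10: ("aes256-cts-hmac-sha1-96", 18),
}
ETYPE_NAME = {num: name for _, (name, num) in MSDS_ENCTYPE_BITS.items()}

# DES and RC4: the types krb5 already marks as DEPRECATED in the KDC log.
WEAK_ETYPES = {1, 3, 23}


def decode_msds_enctypes(value: int) -> set[int]:
    """Turn an msDS-SupportedEncryptionTypes bitmask into Kerberos etype numbers."""
    return {num for bit, (_, num) in MSDS_ENCTYPE_BITS.items() if value & bit}


# "... AS_REQ (3 etypes {aes256-cts-hmac-sha1-96(18), ...}) ..." -> the braces hold
# name(number) pairs; only the numbers are needed for the comparison.
ETYPES_RE = re.compile(r"etypes \{([^}]*)\}")
ETYPE_NUM_RE = re.compile(r"\((\d+)\)")


def etypes_from_kdc_log(line: str) -> set[int]:
    """Extract the etype numbers offered in an AS_REQ/TGS_REQ line of krb5kdc.log."""
    m = ETYPES_RE.search(line)
    if m is None:
        return set()
    return {int(n) for n in ETYPE_NUM_RE.findall(m.group(1))}


def diagnose_trust_enctypes(kdc_log_line: str, tdo_value: int) -> dict:
    """Compare what the requester offered with what the trust object advertises."""
    offered = etypes_from_kdc_log(kdc_log_line)
    advertised = decode_msds_enctypes(tdo_value)
    common = offered & advertised
    strong_common = common - WEAK_ETYPES
    return {
        "offered": sorted(offered),
        "advertised": sorted(advertised),
        "common": sorted(common),
        # True when the sides only agree on DES/RC4, which a KDC that refuses
        # deprecated types cannot use to issue a cross-realm ticket.
        "only_weak_in_common": bool(common) and not strong_common,
        "no_common": not common,
    }


# Constructed log line modelled on the REFERRAL entry in the thread; principals are placeholders.
SAMPLE_KDC_LINE = (
    "Jun 13 15:51:13 freeipa-master.ipa.example.com krb5kdc[2256](info): AS_REQ "
    "(3 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
    "DEPRECATED:arcfour-hmac(23)}) 172.17.252.121: REFERRAL: "
    "aduser\\@EXAMPLE.COM@IPA.EXAMPLE.COM for krbtgt/EXAMPLE.COM@IPA.EXAMPLE.COM, "
    "Realm not local to KDC"
)

if __name__ == "__main__":
    # Two constructed attribute values: 0x04 = RC4 only, 0x1C = RC4 + AES128 + AES256.
    for tdo_value in (0x04, 0x1C):
        result = diagnose_trust_enctypes(SAMPLE_KDC_LINE, tdo_value)
        print(f"msDS-SupportedEncryptionTypes=0x{tdo_value:02x}")
        print("  advertised:", [ETYPE_NAME[e] for e in result["advertised"]])
        print("  common    :", [ETYPE_NAME[e] for e in result["common"]])
        if result["no_common"]:
            print("  -> no shared encryption type")
        elif result["only_weak_in_common"]:
            print("  -> only deprecated types shared; add AES to the trust object")
        else:
            print("  -> a non-deprecated type is shared")
```

The attribute itself lives on the trustedDomain object for the IPA realm in the AD domain; reading it with the ActiveDirectory PowerShell module, for example `Get-ADObject -Filter 'objectClass -eq "trustedDomain"' -Properties msDS-SupportedEncryptionTypes`, is my suggestion and not a command from the thread. If the decoded value contains no AES bit while the requester offers only AES and a deprecated RC4, the comparison above shows why the cross-realm request has no usable key in common.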
