On ke, 14 joulu 2022, Carlos Mogas da Silva wrote:
On 2022-12-14 14:34, Alexander Bokovoy via FreeIPA-users wrote:
Thanks. I also asked for krb5 configuration: /etc/krb5.conf and files
included from it, I think they are in /etc/krb5.conf.d and
/var/lib/sss/pubconf/krb5.include.d

You can see a full list of the directories with

 grep includedir /etc/krb5.conf


# egrep -v "^\s*#|^$" /etc/krb5.conf.d/*
/etc/krb5.conf.d/crypto-policies:[libdefaults]
/etc/krb5.conf.d/crypto-policies:permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96
/etc/krb5.conf.d/enable_sssd_conf_dir:includedir /var/lib/sss/pubconf/krb5.include.d/
/etc/krb5.conf.d/freeipa:[libdefaults]
/etc/krb5.conf.d/freeipa:    spake_preauth_groups = edwards25519
/etc/krb5.conf.d/kcm_default_ccache:[libdefaults]
/etc/krb5.conf.d/kcm_default_ccache:    default_ccache_name = KCM:
/etc/krb5.conf.d/sssd_enable_idp:[plugins]
/etc/krb5.conf.d/sssd_enable_idp: clpreauth = {
/etc/krb5.conf.d/sssd_enable_idp: module = idp:/usr/lib64/sssd/modules/sssd_krb5_idp_plugin.so
/etc/krb5.conf.d/sssd_enable_idp: }
/etc/krb5.conf.d/sssd_enable_idp: kdcpreauth = {
/etc/krb5.conf.d/sssd_enable_idp: module = idp:/usr/lib64/sssd/modules/sssd_krb5_idp_plugin.so
/etc/krb5.conf.d/sssd_enable_idp: }

# egrep -v "^\s*#|^$" /var/lib/sss/pubconf/krb5.include.d/*
/var/lib/sss/pubconf/krb5.include.d/domain_realm_int_r3pek_org:[domain_realm]
/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults:[libdefaults]
/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults: canonicalize = true
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin:[plugins]
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin: localauth = {
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin: module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin: }


While also testing some stuff out, if I force the IP address of the mail01.r3pek.org server to be the internal one, the auth works. Am I missing something or is this normal?

You have canonicalization set to true; this is the default configuration in
IPA, so krb5 will do the 'mail01.int.r3pek.org' -> IP address -> hostname
transformation. This means whatever hostname is obtained afterwards is
used then. If it is mail01.r3pek.org, then the Kerberos realm of the r3pek.org
domain would be used. Is it R3PEK.ORG or INT.R3PEK.ORG? It can be
changed via a _kerberos TXT record.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
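As an added illustration of the lookup chain described above (this is not code from the thread, from FreeIPA or from MIT krb5, but a simplified Python model of krb5's behaviour), the block below canonicalizes a service hostname through forward and reverse DNS, then maps the resulting name to a realm using [domain_realm] entries, falling back to _kerberos TXT records and finally default_realm. All hostnames, addresses, TXT records and realm names in it are constructed assumptions, not the poster's real DNS data; `ip_override` stands in for the forced address mentioned in the question.

```python
"""Simplified model of MIT krb5 host canonicalization and realm selection.

Added example, not FreeIPA or krb5 code. DNS data and realms are constructed.
"""

from typing import Dict, Iterator, Optional

# Constructed forward DNS: name -> address. The internal name is assumed to
# resolve to a public address whose PTR record names the external host.
FORWARD_DNS: Dict[str, str] = {
    "mail01.int.r3pek.org": "203.0.113.10",  # hypothetical public address
    "mail01.r3pek.org": "203.0.113.10",
}

# Constructed reverse DNS (PTR): address -> name.
REVERSE_DNS: Dict[str, str] = {
    "203.0.113.10": "mail01.r3pek.org",   # PTR names the external host
    "10.0.0.10": "mail01.int.r3pek.org",  # PTR names the internal host
}

# Constructed _kerberos TXT records, consulted only when dns_lookup_realm is on.
KERBEROS_TXT: Dict[str, str] = {
    "_kerberos.r3pek.org": "R3PEK.ORG",
}

# Constructed [domain_realm] mapping in krb5.conf form: a key with a leading
# dot matches every host under that domain, a key without matches one name.
DOMAIN_REALM: Dict[str, str] = {
    ".int.r3pek.org": "INT.R3PEK.ORG",
    "int.r3pek.org": "INT.R3PEK.ORG",
}


def canonicalize(host: str, ip_override: Optional[str] = None,
                 rdns: bool = True) -> str:
    """Model canonicalize=true: name -> address -> PTR name (if rdns)."""
    ip = ip_override or FORWARD_DNS.get(host)
    if ip is None or not rdns:
        return host.lower()
    # With reverse lookups enabled, the PTR name replaces the requested name.
    return REVERSE_DNS.get(ip, host).lower()


def _domain_realm_keys(host: str) -> Iterator[str]:
    """Yield the exact host, then each parent domain with a leading dot."""
    yield host
    labels = host.split(".")
    for i in range(1, len(labels)):
        yield "." + ".".join(labels[i:])


def realm_for_host(host: str, dns_lookup_realm: bool = True,
                   default_realm: Optional[str] = None) -> Optional[str]:
    """Lookup order: [domain_realm] match, _kerberos TXT walk-up, default."""
    for key in _domain_realm_keys(host):
        if key in DOMAIN_REALM:
            return DOMAIN_REALM[key]
    if dns_lookup_realm:
        labels = host.split(".")
        for i in range(len(labels)):
            txt = KERBEROS_TXT.get("_kerberos." + ".".join(labels[i:]))
            if txt:
                return txt.upper()
    return default_realm


def service_realm(host: str, ip_override: Optional[str] = None,
                  rdns: bool = True, dns_lookup_realm: bool = True,
                  default_realm: Optional[str] = None) -> Optional[str]:
    """Canonicalize first, then pick the realm for the canonical name."""
    canonical = canonicalize(host, ip_override=ip_override, rdns=rdns)
    return realm_for_host(canonical, dns_lookup_realm=dns_lookup_realm,
                          default_realm=default_realm)


if __name__ == "__main__":
    # Public address: PTR yields mail01.r3pek.org, so the TXT record decides.
    print(service_realm("mail01.int.r3pek.org"))
    # Forced internal address: PTR keeps the .int name, [domain_realm] decides.
    print(service_realm("mail01.int.r3pek.org", ip_override="10.0.0.10"))
```

Running it with the constructed data shows the two outcomes from the thread: via the public address the canonical name becomes mail01.r3pek.org and the realm comes from the _kerberos TXT record, while forcing the internal address keeps mail01.int.r3pek.org and the [domain_realm] entry wins. Setting `rdns=False` (or `dns_lookup_realm=False`) shows which step a given krb5.conf change would remove.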
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
