On Wed, 14 Aug 2024, Michael Schindhelm via FreeIPA-users wrote:
> Hi,
> I'm trying to set up FreeIPA as a replacement for our old NIS infrastructure.
> The setup looks like this:
> AD domain = domain.com
> IPA domain = ipa.domain.com
> IPA server = freeipa.domain.com
> Client = ubuntu-test.domain.com
> I've installed the FreeIPA server and AD trust. Everything is working
> on the FreeIPA server (login of IPA users, login of AD users). On the
> clients (tested 2 different clients, both Ubuntu 22.04) neither login
> of IPA users nor AD users works.
That's expected. Have you read
https://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
?
This is the same as
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/installing_trust_between_idm_and_ad/assembly_configuring-idm-clients-in-an-active-directory-dns-domain_installing-trust-between-idm-and-ad#assembly_configuring-idm-clients-in-an-active-directory-dns-domain_installing-trust-between-idm-and-ad,
although it may be a bit more technical.
In general, don't put IPA servers (not clients!) into DNS domains owned
by Active Directory deployments. This is a direct way to hard-to-diagnose
and sometimes impossible-to-fix problems. It is not supported.
> From the client logs:
> (2024-08-14 08:55:52): [be[ipa.domain.com]] [sasl_bind_send] (0x0100): [RID#13]
> Executing sasl bind mech: GSSAPI, user: host/ubuntu-test.domain.com
> (2024-08-14 08:55:52): [be[ipa.domain.com]] [sasl_bind_send] (0x0020): [RID#13]
> ldap_sasl_interactive_bind_s failed (-2)[Local error]
> (2024-08-14 08:55:52): [be[ipa.domain.com]] [sasl_bind_send] (0x0080): [RID#13]
> Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (Server
> krbtgt/[email protected] not found in Kerberos database)]
> (2024-08-14 08:55:52): [be[ipa.domain.com]] [sdap_cli_connect_recv] (0x0040):
> [RID#13] Unable to establish connection [1432158227]: Authentication Failed
> From the FreeIPA krb5kdc logs:
> Aug 14 08:55:52 freeipa.domain.com krb5kdc[1238](info): TGS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.42.0.167:
> UNKNOWN_SERVER: authtime 0, host/[email protected] for
> krbtgt/[email protected], Server not found in Kerberos database
> Both use the same NTP server. DNS is working fine (SRV and TXT entries
> are there and resolvable from the server and the client). I've read the
> documentation about installation, troubleshooting and AD trust on the
> FreeIPA page and also at Red Hat IdM.
> Do you have any ideas how I can further troubleshoot and fix this? I'm out of
> ideas.
Your client thinks the IPA LDAP server belongs to the AD realm, and thus, to contact it,
the client needs a cross-realm ticket, which it first tried to obtain from the
IPA realm. You probably only have a one-way trust (AD -> IPA) and the IPA
KDC cannot give this ticket. Even if it were a two-way trust, obtaining
that ticket wouldn't help either: as the next step, the client would
request a service ticket to ldap/[email protected], which
your AD DC will not be able to answer because it has no clue about the
freeipa.domain.com machine.
So your deployment choice to have the freeipa.domain.com server in the AD
deployment's DNS domain has shot you in the foot.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
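The realm lookup behind Alexander's explanation, as an added example that is not part of this thread: a small model of how a Kerberos client maps a service hostname to a realm and which ticket requests follow from it, plus a check that flags the resulting cross-realm `UNKNOWN_SERVER` line in a krb5kdc log. Assumptions: the lookup order (exact host entry, parent domains with a leading dot, then the upper-cased DNS domain) is a simplified model of MIT krb5's `[domain_realm]` handling that ignores DNS TXT lookups and referrals; the hostnames and realms are taken from the thread, and the sample KDC log line is constructed from the thread's redacted one.

```python
import re

# Constructed from the thread's setup: the IPA server sits in the AD DNS domain.
CLIENT_REALM = "IPA.DOMAIN.COM"
AD_REALM = "DOMAIN.COM"
IPA_SERVER = "freeipa.domain.com"

# No explicit per-host entry (the client's default situation in the thread) versus
# an explicit entry that pins the IPA server hostname to the IPA realm.
BROKEN_MAPPING = {}
FIXED_MAPPING = {"freeipa.domain.com": "IPA.DOMAIN.COM"}


def host_realm(hostname, domain_realm):
    """Realm a client would assume for hostname (simplified [domain_realm] model)."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:                       # 1. exact hostname entry
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):                # 2. ".domain.com", ".com", ...
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return ".".join(labels[1:]).upper()            # 3. fallback: DNS domain as realm


def ldap_ticket_path(client_realm, server_host, domain_realm):
    """Principals the client asks its own KDC for, in order, to reach LDAP on server_host."""
    target_realm = host_realm(server_host, domain_realm)
    service = f"ldap/{server_host}@{target_realm}"
    if target_realm == client_realm:
        return [service]
    # Foreign realm: the client first needs a cross-realm TGT from its own KDC,
    # which is exactly the krbtgt/DOMAIN.COM@IPA.DOMAIN.COM request in the thread.
    return [f"krbtgt/{target_realm}@{client_realm}", service]


# Matches the krb5kdc TGS_REQ failure shape quoted in the thread.
KDC_TGS_RE = re.compile(
    r"TGS_REQ .*?: UNKNOWN_SERVER: .* for krbtgt/([^@\s]+)@([^,\s]+), Server not found"
)


def misrouted_realm(kdc_log_line, ipa_realm):
    """Return the foreign realm if the line shows an IPA client asking the IPA KDC
    for a cross-realm TGT the KDC cannot issue, otherwise None."""
    m = KDC_TGS_RE.search(kdc_log_line)
    if not m:
        return None
    target, issuer = m.group(1), m.group(2)
    if issuer == ipa_realm and target != ipa_realm:
        return target
    return None


# Constructed sample line; the thread's copy has the principals redacted.
SAMPLE_KDC_LINE = (
    "Aug 14 08:55:52 freeipa.domain.com krb5kdc[1238](info): TGS_REQ (8 etypes "
    "{aes256-cts-hmac-sha1-96(18), UNSUPPORTED:des3-hmac-sha1(16)}) 10.42.0.167: "
    "UNKNOWN_SERVER: authtime 0, host/ubuntu-test.domain.com@IPA.DOMAIN.COM for "
    "krbtgt/DOMAIN.COM@IPA.DOMAIN.COM, Server not found in Kerberos database"
)


if __name__ == "__main__":
    for label, mapping in (("no per-host entry", BROKEN_MAPPING), ("explicit entry", FIXED_MAPPING)):
        print(f"{label}: {IPA_SERVER} -> {host_realm(IPA_SERVER, mapping)}")
        print("  ticket requests:", ldap_ticket_path(CLIENT_REALM, IPA_SERVER, mapping))
    print("misrouted cross-realm request for realm:", misrouted_realm(SAMPLE_KDC_LINE, CLIENT_REALM))
```

With no per-host entry the fallback turns `freeipa.domain.com` into `DOMAIN.COM`, so the client asks its IPA KDC for `krbtgt/DOMAIN.COM@IPA.DOMAIN.COM`, which is the request the KDC log rejects; a mapping for `.ipa.domain.com` alone does not help, because the server's name is not under that suffix. The `misrouted_realm` check is a quick way to confirm from the KDC side that this is what the clients are doing.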
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]