On Thu, 06 Feb 2014, Steve Dainard wrote:
On Thu, Feb 6, 2014 at 12:42 PM, Alexander Bokovoy <aboko...@redhat.com>wrote:

On Thu, 06 Feb 2014, Steve Dainard wrote:

   In newer versions (FreeIPA 3.3+, SSSD 1.11+) this is done on IPA master
   automatically by setting ipa_master_mode = True

   On RHEL 6.x one needs to add the parameters manually.

2. /etc/krb5.conf has to contain auth_to_local rules that map AD
   principals to lower-cased versions because some applications (SSH)
   are very picky about user/principal name mapping. This has to be done
   on both IPA masters and IPA clients.


This was done on the IPA server, but the RHEL 6.5 client doesn't have this
file.

On the IPA server:

[realms]
 MIOLINUX.CORP = {
  kdc = ipa1.miolinux.corp:88
  master_kdc = ipa1.miolinux.corp:88
  admin_server = ipa1.miolinux.corp:749
  default_domain = miolinux.corp
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION$)s/@MIOVISION/@miovision/
  auth_to_local = DEFAULT
 }

[root@ipa1 ~]# kinit sdain...@miovision.corp
Password for sdain...@miovision.corp:
kinit: KDC reply did not match expectations while getting initial
credentials

MIT Kerberos is case-sensitive for the realm, so it should always be
 kinit sdain...@miovision.corp

make also sure that your rule above has proper realm. If your realm is
MIOVISION.CORP, then auth_to_local rule is

auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION.CORP$)s/@MIOVISION.CORP/@miovision.corp/


OK that makes sense. I wasn't sure if it was NETBIOS or not. Changed.

It is realm, always, since krb5.conf rules deal with principal names.


In MIT Kerberos 1.13 we'll have an interface that will allow SSSD to
automatically generate (and supply) these rules. Prior to that we have
to have explicit configuration on all clients and servers.


Excellent, do you work with whomever is maintaining the Ubuntu PPA on this
as well? One of our dev teams is exclusively on Ubuntu 12.04 and I've had
some serious issues with joining clients from the distro.

Talk to Timo Aaltonen (Canonical) who maintains FreeIPA bits in Ubuntu
(and Debian). I believe he is on the list.

In any way, MIT 1.13 will be due this year and for sure will not be
available on Ubuntu 12.04 so you'll need to make sure there is a
delivery process for configuration management at your site (puppet, etc)
that will distribute proper krb5.conf and sssd.conf changes.

Done, sending logs outside of list.

There are some communications errors. I dropped the firewall on the IPA
server to test the last couple runs at 'getent passwd
sdain...@miovision.corp'.

Ok, waiting.

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
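The auth_to_local rule syntax discussed in the thread, as an added example that is not part of the thread, of FreeIPA or of MIT krb5: a small Python model of how krb5 evaluates a list of RULE/DEFAULT mappings, run over the rule as first posted (matching the NETBIOS-style `@MIOVISION`) and over the corrected realm-based rule. It assumes `MIOLINUX.CORP` as the default realm (taken from the posted `[realms]` stanza), a simplified DEFAULT rule (single-component principal in the default realm maps to that component), and constructed sample principals; regex evaluation uses Python's `re` in place of krb5's POSIX regex, which is equivalent for the patterns shown.

```python
import re

# Assumed default realm, taken from the [realms] stanza posted in the thread.
DEFAULT_REALM = "MIOLINUX.CORP"

# RULE:[n:string](regexp)s/pattern/replacement/g  (regexp and s/// are optional)
RULE_RE = re.compile(
    r"RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"               # [n:string]
    r"(?:\((?P<match>[^)]*)\))?"                          # optional (regexp)
    r"(?:s/(?P<pat>[^/]*)/(?P<repl>[^/]*)/(?P<g>g?))?$"   # optional s/pat/repl/g
)


def split_principal(principal):
    """'user/inst@REALM' -> (['user', 'inst'], 'REALM'); realm follows the last '@'."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Return the local name if this RULE applies to the principal, else None."""
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule}")
    comps, realm = split_principal(principal)
    if int(m["n"]) != len(comps):
        return None  # the rule only applies to principals with exactly n components
    # $0 is the realm, $1..$n are the principal components
    s = m["fmt"].replace("$0", realm)
    for i, comp in enumerate(comps, 1):
        s = s.replace(f"${i}", comp)
    if m["match"] and not re.search(m["match"], s):
        return None  # regexp did not match the formatted string: rule is skipped
    if m["pat"]:
        # krb5 uses sed-style \1..\9 back-references; Python wants \g<1>
        repl = re.sub(r"\\(\d)", r"\\g<\1>", m["repl"])
        s = re.sub(m["pat"], repl, s, count=0 if m["g"] else 1)
    return s


def apply_default(principal, default_realm=DEFAULT_REALM):
    """Simplified DEFAULT: a single-component principal in the default realm maps to that component."""
    comps, realm = split_principal(principal)
    if realm == default_realm and len(comps) == 1:
        return comps[0]
    return None


def auth_to_local(rules, principal, default_realm=DEFAULT_REALM):
    """Evaluate rules in order; the first one that applies wins, None means no mapping."""
    for rule in rules:
        name = apply_default(principal, default_realm) if rule == "DEFAULT" else apply_rule(rule, principal)
        if name is not None:
            return name
    return None


# Rule as first posted: anchors on the NETBIOS-style name, so it never matches a realm.
POSTED_RULES = [
    "RULE:[1:$1@$0](^.*@MIOVISION$)s/@MIOVISION/@miovision/",
    "DEFAULT",
]
# Corrected rule: matches the Kerberos realm and lower-cases it.
FIXED_RULES = [
    "RULE:[1:$1@$0](^.*@MIOVISION.CORP$)s/@MIOVISION.CORP/@miovision.corp/",
    "DEFAULT",
]

if __name__ == "__main__":
    # Constructed sample principals: a user from the trusted AD realm and a local IPA user.
    for p in ("sdainard@MIOVISION.CORP", "admin@MIOLINUX.CORP"):
        print(f"{p}: posted -> {auth_to_local(POSTED_RULES, p)!r}, fixed -> {auth_to_local(FIXED_RULES, p)!r}")
```

With the posted rule the AD principal falls through to DEFAULT, which declines it because its realm is not the default realm, so the library reports no mapping; with the corrected rule the same principal becomes `sdainard@miovision.corp`, which is the lower-cased form SSSD expects for the trusted user. Local IPA principals are unaffected either way because they still reach DEFAULT.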
