On Wed, 15 Oct 2014, crony wrote:
I've been following the AD integration guide for IPAv3:

My setup is:
• 5 domain controllers with Windows 2008 R2 AD DC -> example.com as Forest
Root Domain and acme.example.com as transitive child domain
• RHEL7 as IPA server with domain: linux.acme.example.com
• RHEL6.5 as IPA client server ipatst03.linux.acme.example.com

Everything works correctly around IPA Server, but the problem is within IPA

I can not login by SSH or by su -:

[leszek@ipatst03 ~]$ su - us...@acme.example.com
su: incorrect password

I found this error in /var/log/sssd/krb5_child.log :

(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [validate_tgt]
(0x0020): TGT failed verification using key for [host/
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [get_and_save_tgt]
(0x0020): 988: [-1765328341][Illegal cross-realm ticket]
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [map_krb5_error]
(0x0020): 1043: [-1765328341][Illegal cross-realm ticket]
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data]
(0x0200): Received error code 1432158209
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]]
[pack_response_packet] (0x2000): response packet size: [20]
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data]
(0x4000): Response sent.
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [main] (0x0400):
krb5_child completed successfully
Yes, this is known issue for transitive trusts. MIT Kerberos requires
for non-hierarchical trusts that [capaths] section contains proper map
of relationships between the realms. We've got an API to manage this map
from IPA KDC driver and we also write it down on the IPA masters with
the help of SSSD for KDC to use but on IPA clients it is not generated
as we hoped that receiving referrals from KDC would be enough.

You can see that this is the issue by copying
/var/lib/sss/pubconf/krb5conf.d/domain_realm_linux_acme_example_com to
your client and placing it as

On next authentication attempt things will work.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to