On 4.12.2014 12:07, Alexander Bokovoy wrote: > On Thu, 04 Dec 2014, Andreas Ladanyi wrote: >> Am 03.12.2014 um 14:53 schrieb Alexander Bokovoy: >>> On Wed, 03 Dec 2014, Andreas Ladanyi wrote: >>>> Hi, >>>> >>>> iam trying to setup a cross-realm relationship. >>>> >>>> Generated krbtgt cross-realm principals on both KDCs with the same >>>> password and kvno: >>>> >>>> krbtgt/REALM_B (MIT Kerberos)@REALM_A (FreeIPA 3.3.5) >>>> krbtgt/REALM_A@REALM_B >>>> >>>> getprinc on REALM_A KDC for principal krbtgt/REALM_B@REALM_A: >>>> >>>> Number of keys: 4 >>>> Key: vno 1, aes256-cts-hmac-sha1-96, Version 5 >>>> Key: vno 1, aes128-cts-hmac-sha1-96, Version 5 >>>> Key: vno 1, des3-cbc-sha1, Version 5 >>>> Key: vno 1, arcfour-hmac, Version 5 >>>> MKey: vno 1 >>>> >>>> getprinc on REALM_A KDC for principal krbtgt/REALM_A@REALM_B: >>>> >>>> Number of keys: 4 >>>> Key: vno 1, aes256-cts-hmac-sha1-96, Version 5 >>>> Key: vno 1, aes128-cts-hmac-sha1-96, Version 5 >>>> Key: vno 1, des3-cbc-sha1, Version 5 >>>> Key: vno 1, arcfour-hmac, Version 5 >>>> MKey: vno 1 >>>> >>>> getprinc on REALM_B KDC for principal krbtgt/REALM_B@REALM_A: >>>> >>>> Number of keys: 6 >>>> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt >>>> Key: vno 1, DES cbc mode with CRC-32, no salt >>>> Key: vno 1, DES cbc mode with RSA-MD5, Version 4 >>>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm >>>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only >>>> Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3 >>>> MKey: vno 1 >>>> >>>> getprinc on REALM_B KDC for principal krbtgt/REALM_A@REALM_B: >>>> >>>> Number of keys: 6 >>>> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt >>>> Key: vno 1, DES cbc mode with CRC-32, no salt >>>> Key: vno 1, DES cbc mode with RSA-MD5, Version 4 >>>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm >>>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only >>>> Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3 >>>> MKey: vno 1 >>>> >>>> >>>> I set up the [capaths] section in the krb5.conf client config: >>>> >>>> [capaths] >>>> REALM_A = { >>>> REALM_B = . >>>> } >>>> REALM_B = { >>>> REALM_A = . >>>> } >>> You need this section on both realm's KDCs. >>> >>> >> >> I have done this now on all (2) KDCs without a restart of kerberos >> service. The error message is the same like in my first mail. > I'm also getting errors but they are different to yours. Here is what I > did: > > (on master.f21.test, realm F21.TEST): > [root@master ~]# kadmin.local -x ipa-setup-override-restrictions -r F21.TEST > Authenticating as principal root/ad...@f21.test with password. > kadmin.local: addprinc -requires_preauth krbtgt/IPA5.TEST > WARNING: no policy specified for krbtgt/ipa5.t...@f21.test; defaulting to no > policy > Enter password for principal "krbtgt/ipa5.t...@f21.test": Re-enter password > for principal "krbtgt/ipa5.t...@f21.test": Principal > "krbtgt/ipa5.t...@f21.test" created. > kadmin.local: addprinc -requires_preauth krbtgt/f21.t...@ipa5.test > WARNING: no policy specified for krbtgt/f21.t...@ipa5.test; defaulting to no > policy > Enter password for principal "krbtgt/f21.t...@ipa5.test": Re-enter password > for principal "krbtgt/f21.t...@ipa5.test": Principal > "krbtgt/f21.t...@ipa5.test" created. > kadmin.local: q > > added following to the /etc/krb5.conf: > [libdefaults] > dns_lookup_realm = true > > [domain_realms] > .ipa5.test = IPA5.TEST > ipa5.test = IPA5.TEST > > [capaths] > F21.TEST = { IPA5.TEST = . } > IPA5.TEST = { F21.TEST = . } > > > > (on ipa-05-m.ipa5.test, realm IPA5.TEST): > [root@ipa-05-m ~]# kadmin.local -x ipa-setup-override-restrictions -r > IPA5.TEST > Authenticating as principal admin/ad...@ipa5.test with password. > kadmin.local: addprinc -requires_preauth krbtgt/F21.TEST > WARNING: no policy specified for krbtgt/f21.t...@ipa5.test; defaulting to no > policy > Enter password for principal "krbtgt/f21.t...@ipa5.test": Re-enter password > for principal "krbtgt/f21.t...@ipa5.test": Principal > "krbtgt/f21.t...@ipa5.test" created. > kadmin.local: addprinc -requires_preauth krbtgt/ipa5.t...@f21.test > WARNING: no policy specified for krbtgt/ipa5.t...@f21.test; defaulting to no > policy > Enter password for principal "krbtgt/ipa5.t...@f21.test": Re-enter password > for principal "krbtgt/ipa5.t...@f21.test": Principal > "krbtgt/ipa5.t...@f21.test" created. > kadmin.local: q > > and similar changes to /etc/krb5.conf. > > Then I tried to get a ticket to host/master.f21.t...@f21.test while > being an ad...@ipa5.test: > > [root@ipa-05-m ~]# kinit admin > Password for ad...@ipa5.test: [root@ipa-05-m ~]# KRB5_TRACE=/dev/stderr kvno > -S host master.f21.test > [22351] 1417689782.154516: Convert service host (service with host as > instance) on host master.f21.test to principal > [22351] 1417689782.158724: Remote host after forward canonicalization: > master.f21.test > [22351] 1417689782.158814: Remote host after reverse DNS processing: > master.f21.test > [22351] 1417689782.158849: Get host realm for master.f21.test > [22351] 1417689782.158899: Use local host master.f21.test to get host realm > [22351] 1417689782.158946: Look up master.f21.test in the domain_realm map > [22351] 1417689782.158999: Look up .f21.test in the domain_realm map > [22351] 1417689782.159023: Temporary realm is F21.TEST > [22351] 1417689782.159044: Got realm F21.TEST for host master.f21.test > [22351] 1417689782.159071: Got service principal host/master.f21.t...@f21.test > [22351] 1417689782.159098: Getting credentials ad...@ipa5.test -> > host/master.f21.t...@f21.test using ccache KEYRING:persistent:0:0 > [22351] 1417689782.159237: Retrieving ad...@ipa5.test -> > host/master.f21.t...@f21.test from KEYRING:persistent:0:0 with result: > -1765328243/Matching credential not found > [22351] 1417689782.159297: Retrieving ad...@ipa5.test -> > krbtgt/f21.t...@ipa5.test from KEYRING:persistent:0:0 with result: > -1765328243/Matching credential not found > [22351] 1417689782.159411: Retrieving ad...@ipa5.test -> > krbtgt/ipa5.t...@ipa5.test from KEYRING:persistent:0:0 with result: 0/Success > [22351] 1417689782.159453: Starting with TGT for client realm: ad...@ipa5.test > -> krbtgt/ipa5.t...@ipa5.test > [22351] 1417689782.159502: Retrieving ad...@ipa5.test -> > krbtgt/f21.t...@ipa5.test from KEYRING:persistent:0:0 with result: > -1765328243/Matching credential not found > [22351] 1417689782.159530: Requesting TGT krbtgt/f21.t...@ipa5.test using TGT > krbtgt/ipa5.t...@ipa5.test > [22351] 1417689782.159576: Generated subkey for TGS request: aes256-cts/54E6 > [22351] 1417689782.159628: etypes requested in TGS request: aes256-cts, > aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts > [22351] 1417689782.159726: Encoding request body and padata into FAST request > [22351] 1417689782.159784: Sending request (890 bytes) to IPA5.TEST > [22351] 1417689782.159909: Sending initial UDP request to dgram > 192.168.5.109:88 > [22351] 1417689782.161823: Received answer from dgram 192.168.5.109:88 > [22351] 1417689782.161925: Response was from master KDC > [22351] 1417689782.162011: Decoding FAST response > [22351] 1417689782.162084: FAST reply key: aes256-cts/EBCE > [22351] 1417689782.162127: TGS reply is for ad...@ipa5.test -> > krbtgt/f21.t...@ipa5.test with session key aes256-cts/822B > [22351] 1417689782.162159: TGS request result: 0/Success > [22351] 1417689782.162185: Removing ad...@ipa5.test -> > krbtgt/f21.t...@ipa5.test from KEYRING:persistent:0:0 > [22351] 1417689782.162207: Storing ad...@ipa5.test -> > krbtgt/f21.t...@ipa5.test in KEYRING:persistent:0:0 > [22351] 1417689782.162268: Received TGT for service realm: > krbtgt/f21.t...@ipa5.test > [22351] 1417689782.162296: Requesting tickets for > host/master.f21.t...@f21.test, referrals on > [22351] 1417689782.162322: Generated subkey for TGS request: aes256-cts/61A2 > [22351] 1417689782.162359: etypes requested in TGS request: aes256-cts, > aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts > [22351] 1417689782.162413: Encoding request body and padata into FAST request > [22351] 1417689782.162460: Sending request (855 bytes) to F21.TEST > [22351] 1417689782.162493: Resolving hostname master.f21.test > [22351] 1417689782.163213: Sending initial UDP request to dgram > 192.168.5.169:88 > [22351] 1417689782.165439: Received answer from dgram 192.168.5.169:88 > [22351] 1417689782.165516: Response was from master KDC > [22351] 1417689782.165572: Decoding FAST response > [22351] 1417689782.165643: TGS request result: -1765328372/KDC policy rejects > request > [22351] 1417689782.165680: Requesting tickets for > host/master.f21.t...@f21.test, referrals off > [22351] 1417689782.165714: Generated subkey for TGS request: aes256-cts/FEA9 > [22351] 1417689782.165751: etypes requested in TGS request: aes256-cts, > aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts > [22351] 1417689782.165799: Encoding request body and padata into FAST request > [22351] 1417689782.165847: Sending request (855 bytes) to F21.TEST > [22351] 1417689782.165875: Resolving hostname master.f21.test > [22351] 1417689782.166084: Sending initial UDP request to dgram > 192.168.5.169:88 > [22351] 1417689782.167602: Received answer from dgram 192.168.5.169:88 > [22351] 1417689782.167642: Response was from master KDC > [22351] 1417689782.167669: Decoding FAST response > [22351] 1417689782.167709: TGS request result: -1765328372/KDC policy rejects > request > kvno: KDC policy rejects request while getting credentials for > host/master.f21.t...@f21.test > [root@ipa-05-m ~]# > And /var/log/krb5kdc.log on master.f21.test (KDC for F21.TEST) I can > see: > Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path > from 'ad...@ipa5.test' to 'host/master.f21.t...@f21.test' via '' > Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 > 16 23 25 26}) 192.168.5.109: BAD_TRANSIT: authtime 1417689777, ad...@ipa5.test > for host/master.f21.t...@f21.test, KDC policy rejects request > Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path > from 'ad...@ipa5.test' to 'host/master.f21.t...@f21.test' via '' > Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): TGS_REQ (6 etypes {18 17 > 16 23 25 26}) 192.168.5.109: BAD_TRANSIT: authtime 1417689777, ad...@ipa5.test > for host/master.f21.t...@f21.test, KDC policy rejects request > > And this is correct for FreeIPA 3.3 or later because we limit trust to > those domains we defined in cn=ad,cn=trusts,$SUFFIX with filter > (objectclass=ipaNTTrustedDomain). For the rest we return > KRB5KRB_AP_ERR_ILL_CR_TKT error code which is visible as 'KDC policy > rejects request'. > > > We may reconsider this check and instead of KRB5KRB_AP_ERR_ILL_CR_TKT > return KRB5_PLUGIN_NO_HANDLE to allow fallback to krb5.conf-defined > capaths but I remember we had some issues with krb5 versions prior to > 1.12 where capaths from krb5.conf were blocking work of the DAL driver.
Alexander, could you open a ticket to prevent us from forgetting about it? -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project