I am having some strange issues after upgrade from FreeIPA 4.1.2 to
4.1.3/4.1.4 on CentOS 7.

Here is my setup:
FreeIPA domain : ipadomain.net
Trusted AD domain : sub.addomain.net

In my AD domain, we have our UPN set to addomain.net so users typically
login as usern...@addomain.net instead of usern...@sub.addomain.net.

In my /etc/sssd/sssd.conf on the ipa dc I have the following values set:
use_fully_qualified_names = True
[sssd]
default_domain_suffix = sub.addomain.net


This is what I see in the logs when I attempt to login as 'username' (with
no domain):

May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]:
Cannot find KDC for realm "ADDOMAIN.NET"
May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]:
Cannot find KDC for realm "ADDOMAIN.NET"
May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.5.5.57 user=username
May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth):
received for user username: 4 (System error)
May 05 15:36:53 ipadc1.ipadomain.net sshd[4373]: Failed password for
username from 10.5.5.57 port 53118 ssh2

However, if in AD I switch the UPN on 'username' to the default of
'sub.addomain.net' I get a successful login:

May 04 23:10:57 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.5.5.57  user=username
May 04 23:10:58 ipadc1.ipadomain.net sshd[2293]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.5.5.57 user=username
May 04 23:11:01 ipadc1.ipadomain.net sshd[2293]: Accepted password for
username from 10.5.5.57 port 46077 ssh2
May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting
user-1539201103.slice.
May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Created slice
user-1539201103.slice.
May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting Session 3 of
user usern...@sub.addomain.net.
May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Started Session 3 of user
usern...@sub.addomain.net.
May 04 23:11:01 ipadc1.ipadomain.net systemd-logind[716]: New session 3 of
user usern...@sub.addomain.net.
May 04 23:11:02 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:session):
session opened for user username by (uid=0)

As a temporary workaround I set dns_lookup_kdc = false in my
/etc/krb5.conf file and that worked to allow me to login with just
'username', but even after a successful login I was seeing those 'cannot
find KDC for realm' messages in the log.

Is there a proper way to allow people from a trusted AD domain to login
with their alternative UPNs?


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
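Added here as a triage aid, not code from the original post or from FreeIPA/SSSD: a small Python script that correlates journal lines like the ones quoted above, so that a pam_sss "System error" (PAM code 4) landing in the same second as a krb5_child "Cannot find KDC for realm" message is reported as a realm-lookup problem rather than a wrong password. The sample lines are constructed to mirror the post; the extra user "bob" and the code-7 line are assumed for contrast.

```python
import re
from collections import defaultdict

# Constructed sample journal lines modelled on the post (hosts and users are not real).
SAMPLE_LOG = """\
May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]: Cannot find KDC for realm "ADDOMAIN.NET"
May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth): received for user username: 4 (System error)
May 04 23:10:58 ipadc1.ipadomain.net sshd[2293]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
May 06 09:00:00 ipadc1.ipadomain.net sshd[5001]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.58 user=bob
May 06 09:00:00 ipadc1.ipadomain.net sshd[5001]: pam_sss(sshd:auth): received for user bob: 7 (Authentication failure)
"""

TS = r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ "
KDC_RE = re.compile(TS + r'\[sssd\[krb5_child\[\d+\]\]\]\[\d+\]: Cannot find KDC for realm "(?P<realm>[^"]+)"')
RESULT_RE = re.compile(TS + r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): received for user (?P<user>\S+): (?P<code>\d+) \(")
SUCCESS_RE = re.compile(TS + r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): authentication success;.* user=(?P<user>\S+)")

PAM_SYSTEM_ERR = 4  # Linux-PAM PAM_SYSTEM_ERR, the code in the post's failing login
PAM_AUTH_ERR = 7    # Linux-PAM PAM_AUTH_ERR, an ordinary wrong-password failure


def triage(log_text):
    """One record per pam_sss auth outcome; a System error that shares its second
    with a 'Cannot find KDC' message is tagged as a realm-lookup failure."""
    kdc_by_ts = defaultdict(set)  # timestamp -> realms the KDC lookup failed for
    for line in log_text.splitlines():
        m = KDC_RE.match(line)
        if m:
            kdc_by_ts[m["ts"]].add(m["realm"])
    records = []
    for line in log_text.splitlines():
        m = SUCCESS_RE.match(line)
        if m:
            records.append({"user": m["user"], "pid": m["pid"], "outcome": "success", "realm": None})
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue
        realms = kdc_by_ts.get(m["ts"], set())
        code = int(m["code"])
        if code == PAM_SYSTEM_ERR and realms:
            outcome = "realm-lookup-failure"
        elif code == PAM_AUTH_ERR:
            outcome = "credential-failure"
        else:
            outcome = "other-error"
        records.append({"user": m["user"], "pid": m["pid"], "outcome": outcome,
                        "realm": ",".join(sorted(realms)) or None})
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```

Feed it `journalctl -u sshd -u sssd` output for a host and the records whose realm is set tell you which realm name SSSD is trying (and failing) to resolve a KDC for.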