On Tue, May 05, 2015 at 09:09:51AM -0700, nat...@nathanpeters.com wrote:
> I am having some strange issues after upgrade from FreeIPA 4.1.2 to
> 4.1.3/4.1.4 on CentOS 7.
> 
> Here is my setup:
> FreeIPA domain : ipadomain.net
> Trusted AD domain : sub.addomain.net
> 
> In my AD domain, we have our UPN set to addomain.net so users typically
> login as usern...@addomain.net instead of usern...@sub.addomain.net.
> 
> In my /etc/sssd/sssd.conf on the ipa dc I have the following values set:
> use_fully_qualified_names = True
> [sssd]
> default_domain_suffix = sub.addomain.net
> 
> 
> This is what I see in the logs when I attempt to login as 'username' (with
> do domain):
> 
> May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]:
> Cannot find KDC for realm "ADDOMAIN.NET"
> May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]:
> Cannot find KDC for realm "ADDOMAIN.NET"
> May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.5.5.57 user=username
> May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth):
> received for user username: 4 (System error)
> May 05 15:36:53 ipadc1.ipadomain.net sshd[4373]: Failed password for
> username from 10.5.5.57 port 53118 ssh2
> 
> However, if in AD I switch the UPN on 'username' to the default of
> 'sub.addomain.net' I get a successful login:
> 
> May 04 23:10:57 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.5.5.57  user=username
> May 04 23:10:58 ipadc1.ipadomain.net sshd[2293]: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.5.5.57 user=username
> May 04 23:11:01 ipadc1.ipadomain.net sshd[2293]: Accepted password for
> username from 10.5.5.57 port 46077 ssh2
> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting
> user-1539201103.slice.
> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Created slice
> user-1539201103.slice.
> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting Session 3 of
> user usern...@sub.addomain.net.
> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Started Session 3 of user
> usern...@sub.addomain.net.
> May 04 23:11:01 ipadc1.ipadomain.net systemd-logind[716]: New session 3 of
> user usern...@sub.addomain.net.
> May 04 23:11:02 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:session):
> session opened for user username by (uid=0)
> 
> As a temporary workaround I set dns_lookup_kdc = false in my
> /etc/krb5.conf file and that worked to allow me to login with just
> 'username' but even after a successful login, I was seeing those 'cannot
> find KDC for realm' message in the log.
> 
> Is there a proper way to allow people from a trusted AD domain to login
> with their alternative UPNs?

I'm afraid currently the only way doing this is by adding a ADDOMAIN.NET
section to the realms section of /etc/krb5.conf to all IPA clients and
servers.

Although SSSD as a client in a AD domain can handle those UPNs there is
a missing part on the FreeIPA server side which is needed to make it
work. The item is tracked in
https://fedorahosted.org/freeipa/ticket/3559 .

Since the UPN-suffix can be freely chosen, i.e. it does not have to be a
DNS domain, the client will ask it's local KDC with a special so called
enterprise principal if it knows about this UPN suffix and if the KDC
knows about it it will tell the client where to ask for it. IF ticket
#3559 gets implemented the entry in /etc/krb5.conf would not be needed
anymore.

HTH

bye,
Sumit

> 
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to