Hmm, so if this is the [realms] section of my /etc/krb5.conf, what do I
have to do?

[realms]
 IPADOMAIN.NET = {
  kdc = dc1.ipadomain.net:88
  master_kdc = dc1.ipadomain.net:88
  admin_server = dc1.ipadomain.net:749
  default_domain = ipadomain.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@SUB.ADDOMAIN.NET$)s/@SUB.ADDOMAIN.NET/@sub.addomain.net/
  auth_to_local = DEFAULT
}

Would I just literally copy that section and change the names?
e.g.:

 SUB.ADDOMAIN.NET = {
  kdc = dc1.ipadomain.net:88
  master_kdc = dc1.ipadomain.net:88
  admin_server = dc1.ipadomain.net:749
  default_domain = ipadomain.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@SUB.ADDOMAIN.NET$)s/@SUB.ADDOMAIN.NET/@sub.addomain.net/
  auth_to_local = DEFAULT
}


> On Tue, May 05, 2015 at 09:09:51AM -0700, nat...@nathanpeters.com wrote:
>> I am having some strange issues after upgrade from FreeIPA 4.1.2 to
>> 4.1.3/4.1.4 on CentOS 7.
>>
>> Here is my setup:
>> FreeIPA domain : ipadomain.net
>> Trusted AD domain : sub.addomain.net
>>
>> In my AD domain, we have our UPN set to addomain.net so users typically
>> login as usern...@addomain.net instead of usern...@sub.addomain.net.
>>
>> In my /etc/sssd/sssd.conf on the ipa dc I have the following values set:
>> use_fully_qualified_names = True
>> [sssd]
>> default_domain_suffix = sub.addomain.net
>>
>>
>> This is what I see in the logs when I attempt to login as 'username'
>> (with no domain):
>>
>> May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]:
>> Cannot find KDC for realm "ADDOMAIN.NET"
>> May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]:
>> Cannot find KDC for realm "ADDOMAIN.NET"
>> May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth):
>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=10.5.5.57 user=username
>> May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth):
>> received for user username: 4 (System error)
>> May 05 15:36:53 ipadc1.ipadomain.net sshd[4373]: Failed password for
>> username from 10.5.5.57 port 53118 ssh2
>>
>> However, if in AD I switch the UPN on 'username' to the default of
>> 'sub.addomain.net' I get a successful login:
>>
>> May 04 23:10:57 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:auth):
>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=10.5.5.57  user=username
>> May 04 23:10:58 ipadc1.ipadomain.net sshd[2293]: pam_sss(sshd:auth):
>> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=10.5.5.57 user=username
>> May 04 23:11:01 ipadc1.ipadomain.net sshd[2293]: Accepted password for
>> username from 10.5.5.57 port 46077 ssh2
>> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting
>> user-1539201103.slice.
>> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Created slice
>> user-1539201103.slice.
>> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting Session 3 of
>> user usern...@sub.addomain.net.
>> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Started Session 3 of
>> user
>> usern...@sub.addomain.net.
>> May 04 23:11:01 ipadc1.ipadomain.net systemd-logind[716]: New session 3
>> of
>> user usern...@sub.addomain.net.
>> May 04 23:11:02 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:session):
>> session opened for user username by (uid=0)
>>
>> As a temporary workaround I set dns_lookup_kdc = false in my
>> /etc/krb5.conf file and that worked to allow me to login with just
>> 'username' but even after a successful login, I was seeing those 'cannot
>> find KDC for realm' message in the log.
>>
>> Is there a proper way to allow people from a trusted AD domain to login
>> with their alternative UPNs?
>
> I'm afraid currently the only way of doing this is by adding an ADDOMAIN.NET
> section to the realms section of /etc/krb5.conf on all IPA clients and
> servers.
>
> Although SSSD as a client in an AD domain can handle those UPNs, there is
> a missing part on the FreeIPA server side which is needed to make it
> work. The item is tracked in
> https://fedorahosted.org/freeipa/ticket/3559 .
>
> Since the UPN suffix can be freely chosen, i.e. it does not have to be a
> DNS domain, the client will ask its local KDC with a special so-called
> enterprise principal if it knows about this UPN suffix, and if the KDC
> knows about it, it will tell the client where to ask for it. If ticket
> #3559 gets implemented, the entry in /etc/krb5.conf would not be needed
> anymore.
>
> HTH
>
> bye,
> Sumit
>
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project



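To see what the auth_to_local entries in the stanza above actually do to an incoming principal, here is a small evaluator of MIT Kerberos RULE/DEFAULT mapping entries. This is an added example written for this thread, not code from the poster, from Sumit, or from the krb5 or FreeIPA projects. It assumes IPADOMAIN.NET is the client's default realm (MIT krb5 reads auth_to_local from the [realms] stanza of the default realm, so that is the stanza whose rules matter), it uses Python's re module in place of the POSIX extended regexps krb5 compiles, it splits principal names naively on '/' and the last '@', and it models DEFAULT as "single-component principal in the default realm maps to that component". The HARDENED_AUTH_TO_LOCAL list and every sample principal are constructed for the example.

```python
"""Toy evaluator for MIT krb5 auth_to_local RULE/DEFAULT entries (added example)."""
import re
from typing import List, Optional

# Assumed default realm for the client evaluating the rules.
DEFAULT_REALM = "IPADOMAIN.NET"

# Rule list as posted in the thread's [realms] stanza, in order.
AUTH_TO_LOCAL = [
    "RULE:[1:$1@$0](^.*@SUB.ADDOMAIN.NET$)s/@SUB.ADDOMAIN.NET/@sub.addomain.net/",
    "DEFAULT",
]

# Constructed variant: the same rule with the dots escaped, so only the exact
# realm SUB.ADDOMAIN.NET is selected and rewritten.
HARDENED_AUTH_TO_LOCAL = [
    r"RULE:[1:$1@$0](^.*@SUB\.ADDOMAIN\.NET$)s/@SUB\.ADDOMAIN\.NET/@sub.addomain.net/",
    "DEFAULT",
]

# RULE:[n:fmt](selector)s/pat/repl/[g]...   (selector and substitutions optional)
_RULE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(.*)$")
_SUBST = re.compile(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?)")


def split_principal(principal: str):
    """'user/inst@REALM' -> (['user', 'inst'], 'REALM'); naive, no escaping."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Evaluate one RULE entry; return the mapped name or None if it does not apply."""
    m = _RULE.match(rule)
    if not m:
        raise ValueError(f"unparsable rule: {rule}")
    ncomp, fmt, selector, substs = m.groups()
    comps, realm = split_principal(principal)
    if len(comps) != int(ncomp):  # the component count must match exactly
        return None

    def expand(tok):  # $0 is the realm, $1..$n the principal components
        i = int(tok.group(1))
        if i > len(comps):
            raise ValueError(f"rule references component ${i} of {principal}")
        return realm if i == 0 else comps[i - 1]

    formatted = re.sub(r"\$(\d+)", expand, fmt)
    if selector and not re.search(selector, formatted):
        return None  # selection regexp did not match: rule is skipped
    for pat, repl, g in _SUBST.findall(substs):
        # krb5 inserts the replacement literally, so no backreference expansion
        formatted = re.sub(pat, lambda _m: repl, formatted, count=0 if g else 1)
    return formatted


def apply_default(principal: str) -> Optional[str]:
    """DEFAULT (simplified): one-component principals in the default realm."""
    comps, realm = split_principal(principal)
    if realm == DEFAULT_REALM and len(comps) == 1:
        return comps[0]
    return None


def auth_to_local(principal: str, rules: List[str] = AUTH_TO_LOCAL) -> Optional[str]:
    """Walk the rule list in order; the first entry that yields a name wins."""
    for rule in rules:
        result = apply_default(principal) if rule == "DEFAULT" else apply_rule(rule, principal)
        if result is not None:
            return result
    return None  # no mapping: the caller must treat the principal as unknown


if __name__ == "__main__":
    samples = [  # constructed principals
        "username@SUB.ADDOMAIN.NET",
        "username@IPADOMAIN.NET",
        "host/ipadc1.ipadomain.net@IPADOMAIN.NET",
        "username@ADDOMAIN.NET",
        "username@SUBXADDOMAIN.NET",
    ]
    for name, rules in (("posted", AUTH_TO_LOCAL), ("hardened", HARDENED_AUTH_TO_LOCAL)):
        print(f"--- {name} rules ---")
        for p in samples:
            print(f"{p:42} -> {auth_to_local(p, rules)}")
```

Two things the run makes visible. First, a principal in the alternative UPN realm (username@ADDOMAIN.NET) reaches the end of the posted list without any mapping, independent of the "Cannot find KDC" error: the rule only selects SUB.ADDOMAIN.NET and DEFAULT only covers the default realm. Second, the unescaped dots in the posted selector and substitution pattern are regex wildcards, so a principal from a look-alike realm such as SUBXADDOMAIN.NET is rewritten to the same local name as a genuine SUB.ADDOMAIN.NET user; escaping them as in the hardened list keeps the mapping exact. A real KDC would still have to trust that realm for the ticket to be accepted, but mapping rules should not be the place where that distinction blurs.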
