Ok, I have attempted to set this up by adding the AD domain to my
configuration and it still isn't working.
I just want to confirm what I'm trying to accomplish here before I list
what I've done to troubleshoot this.

We have an AD domain called corp.addomain.net.  We have UPNs set so AD
users login to the AD domain as adusern...@addomain.net when they login to
windows machines.

The linux clients in our network are currently just using straight up
kerberos authentication against the domain and can currently login as
'username' without entering any suffix.

Because this means we can't control sudo policies centrally by our current
direct kerberos connection, we want to switch to logging in through
FreeIPA.
I need to be clear that we want to maintain the current logins of just
'username' on Linux servers.

To accomplish this, I added the following line to the sssd.conf file:
default_domain_suffix = corp.addomain.net

I have tried 3 different combinations of kerberos config to try to get the
logins to work, but am running into errors in each case.  I have tried to
follow the suggestions given earlier in this thread.  Here are the 3
krb.conf configurations I tried and the errors given on each try.

-------------- configuration 1 -------------------

[realms]
 IPADOMAIN.NET = {
  kdc = dc1.ipadomain.net:88
  master_kdc = dc1.ipadomain.net:88
  admin_server = dc1.ipadomain.net:749
  default_domain = ipadomain.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local =
RULE:[1:$1@$0](^.*@CORP.ADDOMAIN.NET$)s/@CORP.ADDOMAIN.NET/@corp.addomain.net/
  auth_to_local = DEFAULT
}
CORP.ADDOMAIN.NET = {
  kdc = dc3.corp.addomain.net:88
  master_kdc = dc3.corp.addomain.net:88
}

[domain_realm]
 .ipadomain.net = IPADOMAIN.NET
 ipadomain.net = IPADOMAIN.NET
 .corp.addomain.net = CORP.ADDOMAIN.NET
 corp.addomain.net = CORP.ADDOMAIN.NET


May 06 16:43:53 dc1.ipadomain.net [sssd[krb5_child[7512]]][7512]: Cannot
find KDC for realm "ADDOMAIN.NET"
May 06 16:43:53 dc1.ipadomain.net [sssd[krb5_child[7512]]][7512]: Cannot
find KDC for realm "ADDOMAIN.NET"
May 06 16:43:53 dc1.ipadomain.net sshd[7508]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.5.5.57 user=adusername
May 06 16:43:53 dc1.ipadomain.net sshd[7508]: pam_sss(sshd:auth): received
for user adusername: 4 (System error)
May 06 16:43:55 dc1.ipadomain.net sshd[7508]: Failed password for
adusername from 10.5.5.57 port 1832 ssh2

----------- configuration 2 ----------------

Notes : since the above error seemed to imply that I needed to add the
'UPN realm' to the [realms] section I tried to add it.

[realms]
 IPADOMAIN.NET = {
  kdc = dc1.ipadomain.net:88
  master_kdc = dc1.ipadomain.net:88
  admin_server = dc1.ipadomain.net:749
  default_domain = ipadomain.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local =
RULE:[1:$1@$0](^.*@CORP.ADDOMAIN.NET$)s/@CORP.ADDOMAIN.NET/@corp.addomain.net/
  auth_to_local = DEFAULT

}
 ADDOMAIN.NET = {
  kdc = dc3.corp.addomain.net:88
  master_kdc = dc3.corp.addomain.net:88
}

[domain_realm]
 .ipadomain.net = IPADOMAIN.NET
 ipadomain.net = IPADOMAIN.NET
 addomain.net = ADDOMAIN.NET
 .addomain.net = ADDOMAIN.NET

May 06 16:48:32 dc1.ipadomain.net [sssd[krb5_child[7546]]][7546]: Realm
not local to KDC
May 06 16:48:32 dc1.ipadomain.net [sssd[krb5_child[7546]]][7546]: Realm
not local to KDC
May 06 16:48:32 dc1.ipadomain.net sshd[7542]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.5.5.57 user=adusername
May 06 16:48:32 dc1.ipadomain.net sshd[7542]: pam_sss(sshd:auth): received
for user adusername: 4 (System error)
May 06 16:48:34 dc1.ipadomain.net sshd[7542]: Failed password for
adusername from 10.5.5.57 port 1870 ssh2

---- configuration 3 -----
Notes : Since the eror message given in the second try indicated that the
realm wasn't local, I thought it might need both variations to recognize
it as local.

[realms]
 IPADOMAIN.NET = {
  kdc = dc1.ipadomain.net:88
  master_kdc = dc1.ipadomain.net:88
  admin_server = dc1.ipadomain.net:749
  default_domain = ipadomain.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}
 ADDOMAIN.NET = {
  kdc = dc3.corp.addomain.net:88
  master_kdc = dc3.corp.addomain.net:88
}

 CORP.ADDOMAIN.NET = {
  kdc = dc3.corp.addomain.net:88
  master_kdc = dc3.corp.addomain.net:88
}

[domain_realm]
 .ipadomain.net = IPADOMAIN.NET
 ipadomain.net = IPADOMAIN.NET
 addomain.net = ADDOMAIN.NET
 .addomain.net = ADDOMAIN.NET
 corp.addomain.net = CORP.ADDOMAIN.NET
 .corp.addomain.net = CORP.ADDOMAIN.NET

May 06 16:56:25 dc1.ipadomain.net [sssd[krb5_child[7664]]][7664]: Realm
not local to KDC
May 06 16:56:25 dc1.ipadomain.net [sssd[krb5_child[7664]]][7664]: Realm
not local to KDC
May 06 16:56:25 dc1.ipadomain.net sshd[7660]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.5.5.57 user=adusername
May 06 16:56:25 dc1.ipadomain.net sshd[7660]: pam_sss(sshd:auth): received
for user adusername: 4 (System error)
May 06 16:56:28 dc1.ipadomain.net sshd[7660]: Failed password for
adusername from 10.5.5.57 port 1964 ssh2



> If you want to look up user data like e.g. the UID  or the home
> directory the IPA client will talk to the IPA server exclusively, if the
> server does not know about the requested AD user it will try to get this
> information from a AD DC.
>
> For authentication this is different, because only the AD DC should know
> the password of the user. Hence authentication ans password changes as
> well are done directly with the AD DC.
>
>>
>> Also this page here :
>> https://www.freeipa.org/page/Active_Directory_trust_setup
>>
>> does not list having to add the AD domain in the krb5.conf.  Is that not
>> necessary in the example because they are not using a different UPN for
>> their users like we are?
>
> yes, it is because of the UPN in your case. As I said before this
> special entry in krb5.conf would not be needed anymore if the IPA KDC
> supports the Kerberos client referrals for the trusted domains. Adding
> the entry to krb5.conf in only a work-around here.
>
> bye,
> Sumit



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to