On Fri, 10 Jul 2015, Angelo Pantano wrote:
> and this is the error I see in krb5_child.log
>
> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [main] (0x0400): Will perform online auth
> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [AD.TWEEK]
> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt] (0x0020): 996: [-1765328378][Client 'freeipa@AD.TWEEK' not found in Kerberos database]
> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [map_krb5_error] (0x0020): 1065: [-1765328378][Client 'freeipa@AD.TWEEK' not found in Kerberos database]
>
> also
>
> # kinit freeipa@AD.TWEEK
> kinit: Cannot find KDC for realm "AD.TWEEK" while getting initial credentials
>
> Any idea what the problem is? It seems Kerberos cannot find users in the AD subdomain.
Run KRB5_TRACE=/dev/stderr kinit freeipa@AD.TWEEK

to see what the Kerberos library tries to connect to.

If AD.TWEEK is your Active Directory's domain realm, then according to
your krb5.conf it should be discovered via SRV records and the appropriate
AD DC would be contacted.

This is the first part to solve. The rest (sssd output above) is due to SSSD
not being able to find out the proper AD DC to talk to, and thus it talks to the IPA
DC, which doesn't know this principal and errors out.

> this is my sssd.conf
>
> [domain/ipa.tweek]
> debug_level = 6
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.tweek
> id_provider = ipa
> auth_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = someaddress_here
> chpass_provider = ipa
> ipa_server = _srv_, centos.ipa.tweek
> dns_discovery_domain = ipa.tweek

> cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=tweek
^^ what is this?

> subdomains_provider = ipa
--
/ Alexander Bokovoy
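Added example (not code from the thread or from SSSD): a small Python triage script that parses the krb5_child.log lines quoted above, maps the numeric libkrb5 error to its name (KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN) and lists the standard SRV names a Kerberos client queries for the realm, which is exactly what the KRB5_TRACE step in the reply checks. The log text embedded in the script is constructed from the thread, with each wrapped entry joined back onto one line.

```python
import re

# Constructed sample: the krb5_child.log entries quoted in the thread, one per line.
SAMPLE_LOG = """\
(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [main] (0x0400): Will perform online auth
(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [AD.TWEEK]
(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt] (0x0020): 996: [-1765328378][Client 'freeipa@AD.TWEEK' not found in Kerberos database]
(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [map_krb5_error] (0x0020): 1065: [-1765328378][Client 'freeipa@AD.TWEEK' not found in Kerberos database]
"""

# libkrb5 numeric error codes; only the one seen in the thread is mapped here.
KRB5_ERROR_NAMES = {-1765328378: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"}

REALM_RE = re.compile(r"Attempting kinit for realm \[([^\]]+)\]")
ERROR_RE = re.compile(r"\[(-?\d+)\]\[Client '([^'@]+)@([^']+)' not found in Kerberos database\]")

def krb5_srv_names(realm):
    """DNS SRV names a Kerberos client looks up when KDCs are discovered via DNS."""
    return ["_kerberos._udp.%s" % realm, "_kerberos._tcp.%s" % realm,
            "_kerberos-master._tcp.%s" % realm]

def parse_krb5_child_log(text):
    """Pull the realm attempted, the principal and the KDC error out of krb5_child.log."""
    result = {"realm": None, "principal": None, "error_code": None, "error_name": None}
    for line in text.splitlines():
        m = REALM_RE.search(line)
        if m:
            result["realm"] = m.group(1)
        m = ERROR_RE.search(line)
        if m and result["error_code"] is None:  # map_krb5_error repeats the same failure
            code = int(m.group(1))
            result["error_code"] = code
            result["error_name"] = KRB5_ERROR_NAMES.get(code, "unknown")
            result["principal"] = "%s@%s" % (m.group(2), m.group(3))
    return result

def diagnose(text):
    """Turn the parsed failure into the checks the reply in the thread recommends."""
    info = parse_krb5_child_log(text)
    checks = []
    if info["error_name"] == "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" and info["realm"]:
        checks.append("KDC that answered does not know %s" % info["principal"])
        checks.append("run: KRB5_TRACE=/dev/stderr kinit %s" % info["principal"])
        checks += ["check SRV record: " + name for name in krb5_srv_names(info["realm"])]
    return info, checks

if __name__ == "__main__":
    info, checks = diagnose(SAMPLE_LOG)
    print(info)
    for check in checks:
        print(" -", check)
```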

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project