On Tue, Feb 16, 2016 at 10:23:30PM +0000, Nathan Peters wrote:
> I have created a trust between my FreeIPA domain and an active directory 
> domain.  I can get a kerberos ticket properly from the other domain at the 
> command line on the IPA server.
> I have also created sudo and HBAC rules to allow my AD users to logon to the 
> IPA domain controller using the recommended nested external group setup.
> However, I cannot actually log in to the machines.
> 
> I should note that our AD domain is office.mydomain.net, but we use 
> alternative UPN suffixes so the usernames are u...@mydomain.net.
> 
> I read the patch notes and apparently support for client referrals that will 
> allow alternate UPN suffixes in trusted domains was added in FreeIPA 4.2.1.

While client referrals with the realm derived from the domain name
already work, the UPN support is currently WIP
(https://fedorahosted.org/freeipa/ticket/5354).

HTH

bye,
Sumit

> 
> Is there anything special I need to do to configure it beyond the creation of 
> the original trust?  Do I need to set special options in krb5.conf or 
> sssd.conf to get it to work?
> 
> ==============Kinit works==========================
> [root@dc1-ipa-dev-nvan log]# kinit nathan.pet...@office.mydomain.net
> Password for nathan.pet...@office.mydomain.net:
> [root@dc1-ipa-dev-nvan log]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_V7hjacL
> Default principal: nathan.pet...@office.mydomain.net
> 
> Valid starting     Expires            Service principal
> 16/02/16 14:05:33  17/02/16 14:05:30  
> krbtgt/office.mydomain....@office.mydomain.net
> 
> ============/var/log/messages during login failure===============
> Feb 16 14:10:14 dc1-ipa-dev-nvan audit: CRYPTO_SESSION pid=2019 uid=0 
> auid=4294967295 ses=4294967295 msg='op=start direction=from-client 
> cipher=aes256-ctr ksize=256 mac=hmac-sha2-256 pfs=diffie-hellman-group14-sha1 
> spid=2020 suid=74 rport=9577 laddr=10.178.0.99 lport=22  exe="/usr/sbin/sshd" 
> hostname=? addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:20 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 
> auid=4294967295 ses=4294967295 msg='op=gssapi 
> acct="nathan.pet...@mydomain.net" exe="/usr/sbin/sshd" hostname=? 
> addr=10.8.134.154 terminal=ssh res=failed'
> Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 
> auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? 
> acct="nathan.pet...@mydomain.net" exe="/usr/sbin/sshd" hostname=10.8.134.154 
> addr=10.8.134.154 terminal=ssh res=failed'
> Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 
> auid=4294967295 ses=4294967295 msg='op=password 
> acct="nathan.pet...@mydomain.net" exe="/usr/sbin/sshd" hostname=? 
> addr=10.8.134.154 terminal=ssh res=failed'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 
> auid=4294967295 ses=4294967295 msg='op=destroy kind=server 
> fp=SHA256:28:cf:eb:e1:3f:61:00:c5:ff:62:da:54:cc:bb:62:7c:e5:07:d1:3a:62:9e:7c:c0:3b:bc:8e:08:90:9a:9b:83
>  direction=? spid=2020 suid=74  exe="/usr/sbin/sshd" hostname=? 
> addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 
> auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? 
> direction=both spid=2020 suid=74 rport=9577 laddr=10.178.0.99 lport=22  
> exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 
> auid=4294967295 ses=4294967295 msg='op=destroy kind=server 
> fp=SHA256:f2:5c:54:6f:2a:0e:38:19:8c:e4:94:ef:53:2e:9b:ce:07:7f:bb:af:e0:65:7d:11:82:30:cf:03:0d:35:1b:ca
>  direction=? spid=2019 suid=0  exe="/usr/sbin/sshd" hostname=? 
> addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 
> auid=4294967295 ses=4294967295 msg='op=destroy kind=server 
> fp=SHA256:4b:0e:be:22:b5:28:65:28:72:90:5b:81:70:99:ff:47:5d:3c:90:a8:81:12:d1:1f:a0:e7:a3:d0:29:d1:25:1e
>  direction=? spid=2019 suid=0  exe="/usr/sbin/sshd" hostname=? 
> addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 
> auid=4294967295 ses=4294967295 msg='op=destroy kind=server 
> fp=SHA256:28:cf:eb:e1:3f:61:00:c5:ff:62:da:54:cc:bb:62:7c:e5:07:d1:3a:62:9e:7c:c0:3b:bc:8e:08:90:9a:9b:83
>  direction=? spid=2019 suid=0  exe="/usr/sbin/sshd" hostname=? 
> addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: USER_LOGIN pid=2019 uid=0 
> auid=4294967295 ses=4294967295 msg='op=login 
> acct="nathan.pet...@mydomain.net" exe="/usr/sbin/sshd" hostname=? 
> addr=10.8.134.154 terminal=ssh res=failed'
> 
> ===================/var/log/secure during login failure=======================
> Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Registered Authentication 
> Agent for unix-process:1968:182654681 (system bus name :1.222 
> [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path 
> /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8)
> Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Unregistered Authentication 
> Agent for unix-process:1968:182654681 (system bus name :1.222, object path 
> /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8) 
> (disconnected from bus)
> Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Registered Authentication 
> Agent for unix-process:1979:182654684 (system bus name :1.223 
> [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path 
> /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8)
> Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Unregistered Authentication 
> Agent for unix-process:1979:182654684 (system bus name :1.223, object path 
> /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8) 
> (disconnected from bus)
> Feb 16 14:10:02 dc1-ipa-dev-nvan sshd[2006]: Connection closed by 10.21.2.100 
> [preauth]
> Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=10.8.134.154 user=nathan.pet...@mydomain.net
> Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): received for 
> user nathan.pet...@mydomain.net: 4 (System error)
> Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: Failed password for 
> nathan.pet...@mydomain.net from 10.8.134.154 port 9577 ssh2
> Feb 16 14:10:25 dc1-ipa-dev-nvan sshd[2019]: error: Received disconnect from 
> 10.8.134.154: 13: Unable to authenticate [preauth]
> Feb 16 14:10:25 dc1-ipa-dev-nvan sshd[2019]: Disconnected from 10.8.134.154 
> [preauth]
> 


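The quoted logs show the pattern Sumit describes: kinit succeeds against the trusted realm (office.mydomain.net), but the ssh login is attempted with the alternate UPN suffix (u...@mydomain.net), sshd's GSSAPI step fails, and pam_sss returns 4 (System error) rather than a plain authentication failure. The script below is an added example, not code from this thread or from the FreeIPA/SSSD projects: it parses audit USER_AUTH lines and /var/log/secure pam_sss lines, groups them per account, and separates "login suffix is not a realm SSSD knows" from ordinary credential failures, so an operator triaging such failures does not mistake them for password guessing. TRUSTED_REALMS is an assumption (an admin would fill it from the trusts configured on the IPA server); the sample lines and account names are constructed, modelled on the quoted output.

```python
"""Triage sshd login failures for AD trust users by UPN suffix.

Added example, not from the thread or the FreeIPA project. Audit
USER_AUTH lines and /var/log/secure pam_sss lines are parsed, grouped
per account, and classified by whether the account's suffix is a
trusted realm and which PAM return code SSSD produced.
"""
import re

# Assumption: Kerberos realms of the trusted AD domains, as an admin
# would copy them from the configured trusts. Constructed value.
TRUSTED_REALMS = {"OFFICE.MYDOMAIN.NET"}

PAM_SYSTEM_ERR = 4   # pam_sss text "System error" (seen in the thread)
PAM_AUTH_ERR = 7     # pam_sss text "Authentication failure"

# audit: USER_AUTH ... msg='op=<op> ... acct="<user>" ... res=<result>'
USER_AUTH_RE = re.compile(
    r"audit: USER_AUTH .*?msg='op=(?P<op>\S+) .*?acct=\"(?P<acct>[^\"]+)\""
    r".*?res=(?P<res>\w+)'"
)
# sshd[...]: pam_sss(sshd:auth): received for user <user>: <code> (<text>)
PAM_SSS_RE = re.compile(
    r"pam_sss\((?P<service>[^)]+)\): received for user (?P<user>\S+): "
    r"(?P<code>\d+) \((?P<text>[^)]+)\)"
)

# Constructed sample lines (joined onto single lines, names invented).
SAMPLE_AUDIT = [
    "Feb 16 14:10:20 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=gssapi acct=\"jdoe@mydomain.net\" exe=\"/usr/sbin/sshd\" hostname=? addr=10.8.134.154 terminal=ssh res=failed'",
    "Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=PAM:authentication grantors=? acct=\"jdoe@mydomain.net\" exe=\"/usr/sbin/sshd\" hostname=10.8.134.154 addr=10.8.134.154 terminal=ssh res=failed'",
    "Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=password acct=\"jdoe@mydomain.net\" exe=\"/usr/sbin/sshd\" hostname=? addr=10.8.134.154 terminal=ssh res=failed'",
    "Feb 16 14:12:02 dc1-ipa-dev-nvan audit: USER_AUTH pid=2031 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=PAM:authentication grantors=? acct=\"asmith@office.mydomain.net\" exe=\"/usr/sbin/sshd\" hostname=10.8.134.154 addr=10.8.134.154 terminal=ssh res=failed'",
    "Feb 16 14:13:40 dc1-ipa-dev-nvan audit: USER_AUTH pid=2044 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=gssapi acct=\"bwong@office.mydomain.net\" exe=\"/usr/sbin/sshd\" hostname=? addr=10.8.134.154 terminal=ssh res=success'",
]
SAMPLE_SECURE = [
    "Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): received for user jdoe@mydomain.net: 4 (System error)",
    "Feb 16 14:12:02 dc1-ipa-dev-nvan sshd[2031]: pam_sss(sshd:auth): received for user asmith@office.mydomain.net: 7 (Authentication failure)",
]


def upn_suffix(acct):
    """Return the part after '@' upper-cased (Kerberos realms are upper-case); '' if absent."""
    _, sep, suffix = acct.partition("@")
    return suffix.upper() if sep else ""


def parse_audit(lines):
    """Extract (acct, op, res) from audit USER_AUTH records; other records are skipped."""
    return [{"acct": m["acct"], "op": m["op"], "res": m["res"]}
            for m in map(USER_AUTH_RE.search, lines) if m]


def parse_pam_sss(lines):
    """Extract the PAM return code pam_sss reported per user."""
    return [{"acct": m["user"], "code": int(m["code"]), "text": m["text"]}
            for m in map(PAM_SSS_RE.search, lines) if m]


def _new_entry():
    return {"failed_ops": [], "pam_code": None, "suffix_known": None, "verdict": ""}


def triage(audit_lines, secure_lines, trusted_realms=TRUSTED_REALMS):
    """Group events per account and classify the failure."""
    report = {}
    for ev in parse_audit(audit_lines):
        entry = report.setdefault(ev["acct"], _new_entry())
        if ev["res"] == "failed":
            entry["failed_ops"].append(ev["op"])
    for ev in parse_pam_sss(secure_lines):
        report.setdefault(ev["acct"], _new_entry())["pam_code"] = ev["code"]
    for acct, entry in report.items():
        entry["suffix_known"] = upn_suffix(acct) in trusted_realms
        if not entry["failed_ops"] and entry["pam_code"] in (None, 0):
            entry["verdict"] = "ok"
        elif not entry["suffix_known"] and entry["pam_code"] == PAM_SYSTEM_ERR:
            # The thread's case: suffix is not a trusted realm and SSSD hit a
            # system error, so this is a trust/UPN mapping problem, not a bad password.
            entry["verdict"] = "config: login suffix is not a trusted realm; SSSD returned System error"
        elif entry["suffix_known"] and entry["pam_code"] == PAM_AUTH_ERR:
            entry["verdict"] = "credential: realm is trusted, the password or ticket was rejected"
        else:
            entry["verdict"] = "unclassified: inspect the sssd domain log for this account"
    return report


if __name__ == "__main__":
    for acct, entry in triage(SAMPLE_AUDIT, SAMPLE_SECURE).items():
        print(f"{acct:32} pam={entry['pam_code']} failed={entry['failed_ops']} -> {entry['verdict']}")
```

Run it against real files with `triage(open('/var/log/audit/audit.log'), open('/var/log/secure'))`; the classification only says where to look next (trust and realm mapping versus credentials), so an "unclassified" verdict is a prompt to read the SSSD domain log, not a conclusion.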
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project