On Wed, 05 Oct 2016, Chris Dagdigian wrote:
Hello again,

Following up on an earlier query about configuring IPA clients that are in different DNS domains than the IPA server domain & realm.

This is our setup:

AD Servers & IPA:
AD Forest #1:   company-test.org
AD Forest #2:   company-aws.org
IPA Server    :   company-ipa.org

I don't really need Kerberos or Kerberized SSO; I really just want to get SSH logins via passwords working before moving on to SSH keys. My understanding of the way I'm configuring things is that it basically breaks Kerberos but should allow other user and authentication services to work.

Client Machine:
Hostname: client.company-aws.org

I was able to configure a client in the domain 'company-aws.org' by abusing the ipa-client-install command:

$ client.company-aws.org> # ipa-client-install --server ipa.company-ipa.org --domain company-ipa.com

Barring the usual warnings about losing autodiscover-based failover, the above command actually worked and took me pretty far. I can launch an AWS host and give it the standard "company-aws.org" hostname but still bind it explicitly to an IPA server running in a different DNS domain and realm.

The nice thing is that it appears that everything but SSH with passwords is working on the client machine with the different DNS domain name:

# id u...@company-test.org works
# id u...@company-aws.org works
# id <local IPA user> works
# getent passwd u...@company-test.org works
# getent passwd u...@company-aws.org works
# getent passwd <local IPA user> works
# su - u...@company-test.org works
# su - u...@company-aws.org works
# su - <local IPA user> works

What fails are things like:

$ ssh localhost -l u...@company-aws.org

The client sees a standard "Permission Denied, please try again" error

On the client host I mainly see this in /var/log/messages:

client.company-aws.org: [sssd[krb5_child[2311]]]: Cannot find KDC for realm "COMPANY-AWS.ORG"

I'm hesitant to make significant changes for fear of breaking the fact that my client can actually resolve users and passwords! I'm incredibly happy to even have the basic identities being recognized.

As http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
explains, you need to have proper mapping of domains to realms and have
proper definitions for those realms.

We don't see your krb5.conf, so if it deviates from what the wiki
describes, you need to be explicit in your details.

/ Alexander Bokovoy
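To make the "mapping of domains to realms" and "definitions for those realms" concrete, here is the shape of a /etc/krb5.conf for client.company-aws.org as I would write it for this layout. This is an added example, not from the original thread and not copied from the FreeIPA wiki page; the host is enrolled in the COMPANY-IPA.ORG realm while users come from the two trusted AD realms. The domain controller names dc1.company-test.org and dc1.company-aws.org are placeholders I have assumed, since the thread never names the AD DCs.

```ini
# /etc/krb5.conf on client.company-aws.org
# Added example for this thread. The dc1.* domain controller hostnames are
# assumed placeholders; everything else comes from the setup described above.
# MIT krb5 only honours comments on their own line, so none are placed after values.

[libdefaults]
  default_realm = COMPANY-IPA.ORG
  # Never derive a realm from DNS; the [domain_realm] section below is authoritative.
  dns_lookup_realm = false
  # Permit SRV lookups (_kerberos._tcp.<domain>) for any realm without explicit kdc entries.
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true

[realms]
  # The IPA realm this client is enrolled in. Pinned to ipa.company-ipa.org because
  # the client was installed with --server, which already gave up autodiscovery.
  COMPANY-IPA.ORG = {
    kdc = ipa.company-ipa.org:88
    master_kdc = ipa.company-ipa.org:88
    admin_server = ipa.company-ipa.org:749
    default_domain = company-ipa.org
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
  # Trusted AD realms. Explicit kdc entries are what remove
  # "Cannot find KDC for realm COMPANY-AWS.ORG" on a client that cannot
  # resolve the AD _kerberos._tcp SRV records. dc1.* are assumed names.
  COMPANY-TEST.ORG = {
    kdc = dc1.company-test.org:88
  }
  COMPANY-AWS.ORG = {
    kdc = dc1.company-aws.org:88
  }

[domain_realm]
  # IPA's own DNS domain maps to the IPA realm.
  .company-ipa.org = COMPANY-IPA.ORG
  company-ipa.org = COMPANY-IPA.ORG
  # Each AD DNS domain maps to its AD realm, so u...@company-aws.org
  # is authenticated against COMPANY-AWS.ORG, not against IPA.
  .company-test.org = COMPANY-TEST.ORG
  company-test.org = COMPANY-TEST.ORG
  .company-aws.org = COMPANY-AWS.ORG
  company-aws.org = COMPANY-AWS.ORG
  # The one exception: this host carries an IPA-issued host/ principal, so its
  # exact name must map to the IPA realm. An exact-hostname entry wins over the
  # .company-aws.org wildcard above.
  client.company-aws.org = COMPANY-IPA.ORG
```

Two checks are worth running before touching SSSD. First, confirm whether the AD KDCs are discoverable at all from the client with `dig SRV _kerberos._tcp.company-aws.org`; if that returns nothing, the explicit `kdc =` lines (or a DNS forwarder for the AD zones) are required rather than optional. Second, run `KRB5_TRACE=/dev/stderr kinit u...@COMPANY-AWS.ORG` as a local user; the trace shows exactly which [domain_realm] rule and which KDC libkrb5 chose, which is the same decision krb5_child makes during the SSH password login. Note that SSSD also publishes the KDCs it discovers for each realm in /var/lib/sss/pubconf/kdcinfo.<REALM>, consumed by its krb5 locator plugin, so an empty or missing kdcinfo.COMPANY-AWS.ORG file is another sign that SSSD itself never found an AD domain controller.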

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project