Hello again,

Following up on an early query about configuring IPA clients that are in different DNS domains than the IPA server domain & realm

This is our setup:

AD Servers & IPA:
AD Forest #1:   company-test.org
AD Forest #2:   company-aws.org
IPA Server    :   company-ipa.org

I don't really need Kerberos or Kerberized SSO -- I really just want to get SSH logins via passwords working before moving on to SSH keys - my understanding of the way I'm configuring things basically breaks Kerberos but should allow other user and authentication services to work.

Client Machine:
Hostname: client.company-aws.org

I was able to configure a client in the domain 'company-aws.org' by abusing the ipa-client-install command:

$ client.company-aws.org> # ipa-client-install --server ipa.company-ipa.org --domain company-ipa.com

Barring the usual warnings about losing autodiscover based failover the above command actually worked and took me pretty far. I can launch an AWS host and give it the standard "company-aws.org" hostname but still bind it explicitly to an IPA server running in a different DNS domain and realm.

The nice thing is that it appears that everything but SSH w/ passwords is working on the client machine with the different DNS domain name

 # id u...@company-test.org works
 # id u...@company-aws.org works
 # id <local IPA user> works
 # getent passwd u...@company-test.org works
 # getent passwd u...@company-aws.org works
 # getent passwd <local IPA user> works
 # su - u...@company-test.org works
 # su - u...@company-aws.org works
 # su - <local IPA user> works

What fails are things like:

 $ ssh localhost -l u...@company-aws.org

The client sees a standard "Permission Denied, please try again" error

On the client host I mainly see this in /var/log/messages:

client.company-aws.org: [sssd[krb5_child[2311]]]: Cannot find KDC for realm "COMPANY-AWS.ORG"

I'm hesitant to make significant changes for fear of breaking the fact that my client can actually resolve users and passwords! I'm incredibly happy to even have the basic identities being recognized.

The problem with configuring SSH for password logins seems like it could be somewhere in krb5.conf, ssh_config, sshd_config, sssd.conf or even down in the PAM configuration and I'm not really where to start troubleshooting "just SSH" when everything else seems to be working OK.

Any tips, tricks or URLs for configuring the local SSH client on IPA clients would be appreciated. I suspect I'm a victim of either a dumb mistake or something that needs a manual tweak after doing an IPA client install where the client hostname is different from the IPA domain and realm.

Can provide config files and logs but did not want to spam a huge message in case there was a simple set of things I should be looking at


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to