Alexander Bokovoy wrote:
> you don't have an explicit definition for the AD realms and you don't allow
> Kerberos to discover either realms or their KDCs via DNS SRV records.
> The latter happened because you used the --server option when
> configuring the client -- the man page for ipa-client-install has a section
> explaining discovery and the influence of options on it.
> That's your problem. It also reveals that your reading of the wiki was
> cursory, but that's another problem. :)
Huge thanks to Alexander Bokovoy for his patient guidance.
Following up to close out this thread with the solution that worked for
our multi-AD-forest setup, where the client's DNS name is different from
the IDM/IPA domain/realm.
There were 2 changes needed to /etc/krb5.conf to get password login via
SSH working along with everything else ...
Change #1 was simplifying the [domain_realm] settings down to a very
tightly scoped config that lets additional things be auto-discovered
via DNS.
Change #2 was setting "dns_lookup_realm = true" and "dns_lookup_kdc =
true" in [libdefaults] -- this was the main thing I missed, because the
wiki page at
http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
displays an example config with these values already set to true. These
settings were actually false in my client's krb5.conf file because of the
way I ran the ipa-client-install command. It was my mistake not to
carefully compare the full file contents.
So wrapping it all up, this is the /etc/krb5.conf file that enabled
password logins via SSH. The other change in the file below is that I
commented out the includedir line and put those settings into
/etc/krb5.conf itself so I could have everything in one place for
troubleshooting.
To recap our setup: we have 2 AD forests and an IDM/IPA server running on
its own domain name rather than a subdomain.
AD Servers & IPA:
------------------------
AD Forest #1: company-test.org
AD Forest #2: company-aws.org
IPA Server : company-ipa.org (successful 1-way trusts to
company-test.org and company-aws.org)
IPA Client:
Client test hostname: client.company-aws.org
-Chris
####-----------------
# File modified by ipa-client-install
# includedir commented out: the SSSD-managed snippets were copied into this
# file so everything is in one place while troubleshooting.
#includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = COMPANY-IDM.ORG
  # Both must be true so the trusted AD realms and their KDCs are found via
  # DNS (_kerberos TXT and _kerberos._tcp SRV records); --server left them false.
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  COMPANY-IDM.ORG = {
    kdc = usaeilidmp001.COMPANY-IDM.org:88
    master_kdc = usaeilidmp001.COMPANY-IDM.org:88
    admin_server = usaeilidmp001.COMPANY-IDM.org:749
    default_domain = COMPANY-IDM.org
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  # Only the client host itself is pinned to the IPA realm; every other host
  # in company-aws.org falls through to DNS and resolves to the AD realm.
  client.company-aws.org = COMPANY-IDM.ORG

[capaths]
  # Realm names are case-sensitive, and the AD realm is the forest DNS name
  # in upper case. Each entry names the path between the IPA realm and an AD
  # realm, with no intermediate realm. Both paths out of COMPANY-IDM.ORG
  # belong in a single subsection.
  COMPANY-AWS.ORG = {
    COMPANY-IDM.ORG = COMPANY-AWS.ORG
  }
  COMPANY-TEST.ORG = {
    COMPANY-IDM.ORG = COMPANY-TEST.ORG
  }
  COMPANY-IDM.ORG = {
    COMPANY-AWS.ORG = COMPANY-AWS.ORG
    COMPANY-TEST.ORG = COMPANY-TEST.ORG
  }
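The two changes in the thread (turning on dns_lookup_realm / dns_lookup_kdc and narrowing [domain_realm] to the client host alone) can be checked mechanically. The script below is an added example, not code from the thread, FreeIPA or MIT Kerberos: it parses the krb5.conf profile syntax, reproduces the [domain_realm] lookup order MIT krb5 uses (exact hostname first, then each parent domain written with a leading dot; anything unmatched is left to DNS TXT records or KDC referrals), and reports the problems that would block AD users. WORKING_CONF is a constructed sample in the shape of the posted file; BROKEN_CONF is an assumption about what an ipa-client-install --server run leaves behind (DNS lookups off, the whole client domain mapped to the IPA realm); the "dc1." probe hostname is hypothetical.

```python
"""Added example (not from the thread or FreeIPA): inspect a krb5.conf for the
settings the thread turns on and show how [domain_realm] scoping decides
which hosts are pinned to the IPA realm and which fall through to DNS."""

# Constructed sample in the shape of the poster's working file (names are the
# anonymised ones from the thread), trimmed to the sections inspected here.
WORKING_CONF = """\
[libdefaults]
  default_realm = COMPANY-IDM.ORG
  dns_lookup_realm = true
  dns_lookup_kdc = true

[realms]
  COMPANY-IDM.ORG = {
    kdc = usaeilidmp001.COMPANY-IDM.org:88
  }

[domain_realm]
  client.company-aws.org = COMPANY-IDM.ORG
"""

# Constructed counter-example (assumption: what an ipa-client-install run with
# --server can leave behind): DNS discovery off, the whole client domain mapped.
BROKEN_CONF = """\
[libdefaults]
  default_realm = COMPANY-IDM.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = false

[domain_realm]
  .company-aws.org = COMPANY-IDM.ORG
  company-aws.org = COMPANY-IDM.ORG
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf profile syntax into nested dicts: [section]
    headers, `key = value` relations and `key = {` ... `}` subsections.
    Comment lines and include/includedir directives are skipped."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("include"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1].strip(), {})]
        elif line == "}":
            stack.pop()
        elif stack:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root


def realm_for_host(conf, hostname):
    """MIT krb5 [domain_realm] lookup order: the exact hostname, then each
    parent domain written with a leading dot. None means no static mapping,
    so the library goes on to DNS TXT records (when dns_lookup_realm is
    true) or lets the KDC issue a referral."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def dns_discovery(conf):
    """Effective dns_lookup_realm / dns_lookup_kdc values (MIT defaults when
    the key is absent: realm lookup off, KDC lookup on)."""
    lib = conf.get("libdefaults", {})

    def on(value):
        return value.lower() in ("true", "yes", "on", "1")

    return {
        "dns_lookup_realm": on(lib.get("dns_lookup_realm", "false")),
        "dns_lookup_kdc": on(lib.get("dns_lookup_kdc", "true")),
    }


def check_config(text, client_host, ad_domains):
    """Return the problems that would stop users from the trusted AD forests
    logging in; an empty list means the file matches the working layout."""
    conf = parse_krb5_conf(text)
    problems = []
    for key, enabled in dns_discovery(conf).items():
        if not enabled:
            problems.append(f"{key} is off: AD realms/KDCs cannot be found via DNS")
    ipa_realm = conf.get("libdefaults", {}).get("default_realm")
    if realm_for_host(conf, client_host) != ipa_realm:
        problems.append(f"{client_host} is not mapped to {ipa_realm} in [domain_realm]")
    for domain in ad_domains:
        probe = "dc1." + domain  # hypothetical domain controller name
        realm = realm_for_host(conf, probe)
        if realm is not None and realm != domain.upper():
            problems.append(f"{probe} is statically mapped to {realm}; "
                            "AD hosts must fall through to DNS/referrals")
    return problems


if __name__ == "__main__":
    ad = ["company-aws.org", "company-test.org"]
    for name, text in (("working", WORKING_CONF), ("broken", BROKEN_CONF)):
        print(name, check_config(text, "client.company-aws.org", ad) or "OK")
```

Run against the broken sample it reports both DNS switches off and dc1.company-aws.org pinned to COMPANY-IDM.ORG, which is exactly why a broad ".company-aws.org" mapping breaks AD logins: the AD domain controllers get mapped to the IPA realm instead of being resolved through DNS. To replace the constructed samples with a real file, read /etc/krb5.conf and pass its text to check_config; the includedir snippets are skipped by this parser, so merge them in first, as the poster did.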
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project