Alexander Bokovoy wrote:
> you don't have an explicit definition for the AD realms and you don't allow
> Kerberos to discover either realms or their KDCs via DNS SRV records.
>
> The latter happened because you used the --server option when
> configuring the client -- the man page for ipa-client-install has a section
> explaining discovery and the influence of options on it.
>
> That's your problem. It also reveals that your reading of the wiki was
> cursory, but that's another problem. :)

Huge thanks to Alexander Bokovoy for his patient guidance.

Following up to close out this thread with a solution that worked for our multi-AD-forest setup, where the client's DNS name is different from the IDM/IPA domain/realm.

There were two changes needed to /etc/krb5.conf to get password login via SSH working along with everything else.

Change #1 was simplifying the [domain_realm] settings down to a very tightly scoped config that would allow additional things to be auto-discovered via DNS.

Change #2 was setting "dns_lookup_realm = true" and "dns_lookup_kdc = true" in [libdefaults]. This was the main thing I missed, because the wiki page at displays an example config with these values already set to true. These settings were actually false in my client's krb5.conf due to the way I ran the ipa-client-install command. It was my mistake not to compare the full file contents carefully.

So wrapping it all up, this is the /etc/krb5.conf file that enabled password logins via SSH. The other change in the file below is that I commented out the includedir line and put those settings into /etc/krb5.conf itself, so I could have everything in one place for troubleshooting.

To recap our setup, we have two AD forests and an IDM/IPA server running on its own domain name rather than a subdomain.

AD Servers & IPA:
AD Forest #1:
AD Forest #2:
IPA Server: (successful 1-way trusts to and

IPA Client:
Client test hostname:



#File modified by ipa-client-install
#includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = COMPANY-IDM.ORG
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 COMPANY-IDM.ORG = {
  kdc =
  master_kdc =
  admin_server =
  default_domain =
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 = COMPANY-IDM.ORG

[capaths]
 = {
 }
 = {
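The diagnosis in the reply above (no explicit [realms] entry for the AD realms, and DNS discovery switched off by ipa-client-install --server) can be checked mechanically before touching the file. The following is an added example written for this thread; it is not FreeIPA code and not the poster's file. It parses the krb5.conf subset that ipa-client-install writes ([section] headers, key = value relations, one level of NAME = { ... } blocks, # comments, includedir) and reports how libkrb5 would locate a realm's KDCs (explicit kdc relation, DNS SRV via dns_lookup_kdc, or neither) and how a hostname maps to a realm ([domain_realm] entry, DNS TXT via dns_lookup_realm, or neither). The sample files, the AD realm AD1.EXAMPLE, the KDC hostnames and the [domain_realm] entries are constructed placeholders, not the thread's real values.

```python
"""Check what a krb5.conf lets libkrb5 discover for a realm or a host.

Added example for this thread, not FreeIPA code. Models profile lookup
only; it performs no DNS queries, so 'dns' means the lookup is permitted,
not that the SRV/TXT records exist.
"""
from __future__ import annotations

import re
from typing import Any, Dict, Optional, Tuple

Conf = Dict[str, Any]
_TRUE = {"true", "yes", "on", "1"}  # boolean spellings libkrb5 accepts


def parse_krb5_conf(text: str) -> Conf:
    """Return {section: {key: value | {subkey: value}}} plus includedir paths."""
    conf: Conf = {"_includedir": []}
    section: Optional[Dict[str, Any]] = None
    block: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("includedir "):
            conf["_includedir"].append(line.split(None, 1)[1])
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"relation outside any section: {line!r}")
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":  # start of a REALM = { ... } block
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return conf


def _enabled(conf: Conf, option: str) -> bool:
    return str(conf.get("libdefaults", {}).get(option, "")).lower() in _TRUE


def kdc_lookup_path(conf: Conf, realm: str) -> str:
    """'explicit' ([realms] has a kdc), 'dns' (dns_lookup_kdc on) or 'none'."""
    entry = conf.get("realms", {}).get(realm, {})
    if isinstance(entry, dict) and entry.get("kdc"):
        return "explicit"
    if _enabled(conf, "dns_lookup_kdc"):
        return "dns"  # _kerberos._tcp.<REALM> SRV records may be used
    return "none"


def realm_for_host(conf: Conf, hostname: str) -> Tuple[str, Optional[str]]:
    """Consult [domain_realm]: exact host, then each parent domain.

    Parent domains are tried with and without the leading dot. With no
    match, report 'dns' if dns_lookup_realm would let libkrb5 try TXT
    records, else 'none'.
    """
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = hostname.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        keys = (candidate,) if i == 0 else ("." + candidate, candidate)
        for key in keys:
            if key in mapping:
                return "explicit", mapping[key]
    if _enabled(conf, "dns_lookup_realm"):
        return "dns", None
    return "none", None


# Constructed sample: the shape ipa-client-install --server leaves behind
# (DNS discovery off). Hostnames and the AD realm are placeholders.
BEFORE = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = COMPANY-IDM.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false

[realms]
 COMPANY-IDM.ORG = {
  kdc = ipa01.company-idm.org:88
  admin_server = ipa01.company-idm.org:749
  default_domain = company-idm.org
 }

[domain_realm]
 .company-idm.org = COMPANY-IDM.ORG
 company-idm.org = COMPANY-IDM.ORG
"""

# Change #2 from the thread applied to the constructed sample.
AFTER = (BEFORE.replace("dns_lookup_realm = false", "dns_lookup_realm = true")
               .replace("dns_lookup_kdc = false", "dns_lookup_kdc = true"))

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        conf = parse_krb5_conf(text)
        print(name, "AD1.EXAMPLE KDCs:", kdc_lookup_path(conf, "AD1.EXAMPLE"),
              "| ws01.ad1.example realm:", realm_for_host(conf, "ws01.ad1.example"))
```

Run against the "before" sample, the AD realm comes back as "none": there is no [realms] entry for it and dns_lookup_kdc is off, which is exactly the state the reply above describes. With the two flags flipped it becomes "dns", i.e. libkrb5 is now allowed to ask for the AD forest's SRV records; whether those records actually resolve from the client is a separate check (for example with dig against _kerberos._tcp.<AD realm>).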
