On Thu, Dec 08, 2016 at 09:29:34AM -0500, Chris Dagdigian wrote:
> 
> Sumit Bose wrote:
> > > > Am I being stupid (again?)  Obviously the krb5_validate=false setting
> > > > needs to be fixed. Just not sure if I should work on a fix within 4.2 or
> > > > move to 4.4 and see if it gets resolved as part of other changes.
> > 
> > The validation issue might have different reasons. One might be
> > https://fedorahosted.org/sssd/ticket/3103  where SSSD creates a wrong
> > Kerberos configuration snippet. Fixes are available for sssd-1.13 and
> > later. But there might be other reasons as well.
> > 
> > If you don't mind please send the krb5_child.log with debug_level=10
> > covering an authentication attempt with 'krb5_validate = true' and the
> > content of /var/lib/sss/pubconf/krb5.include.d/domain_realm_your_domain.
> 
> Thanks Sumit,
> 
> Info you requested is attached. These logs are from a client machine. I
> confirmed that I could not authenticate with krb5_validate = True and that I
> could authenticate when I switched krb5_validate=false.  I set the value to
> "True", turned up debug logging to 10 and then stopped SSSD service after my
> 3 login tries to try to constrain the log volume.
> 
> Still ended up with 1200+ lines in krb5_child.log though
> 
> Here is the info you requested (sanitized)
> 
> URL to krb5_child.log since it is pretty lengthy:
> -------------------------------------------------------------
> http://chrisdag.me/krb5_child.log.txt
> 
> 
> And we actually had 2 domain_realm* files which is I think due to our
> difference in DNS for client hostnames vs DNS for the IPA server:
> Our CAPATH info does look like that SSSD issue you mentioned (ticket 3103)
> ...
> 
> 
> This is domain_realm_companyaws_org:
> ------------------------------------------------------
> [domain_realm]
> .COMPANY.ORG = COMPANY.ORG
> COMPANY.ORG = COMPANY.ORG
> .EAME.COMPANY.ORG = EAME.COMPANY.ORG
> EAME.COMPANY.ORG = EAME.COMPANY.ORG
> .APAC.COMPANY.ORG = APAC.COMPANY.ORG
> APAC.COMPANY.ORG = APAC.COMPANY.ORG
> .LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
> LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
> .NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
> NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
> [capaths]
> COMPANY.ORG = {
>   COMPANYAWS.ORG = COMPANY.ORG
> }
> COMPANYAWS.ORG = {
>   COMPANY.ORG = COMPANY.ORG
> }
> EAME.COMPANY.ORG = {
>   COMPANYAWS.ORG = COMPANY.ORG
> }
> COMPANYAWS.ORG = {
>   EAME.COMPANY.ORG = COMPANY.ORG
> }
> APAC.COMPANY.ORG = {
>   COMPANYAWS.ORG = COMPANY.ORG
> }
> COMPANYAWS.ORG = {
>   APAC.COMPANY.ORG = COMPANY.ORG
> }
> LATAM.COMPANY.ORG = {
>   COMPANYAWS.ORG = COMPANY.ORG
> }
> COMPANYAWS.ORG = {
>   LATAM.COMPANY.ORG = COMPANY.ORG
> }
> NAFTA.COMPANY.ORG = {
>   COMPANYAWS.ORG = COMPANY.ORG
> }
> COMPANYAWS.ORG = {
>   NAFTA.COMPANY.ORG = COMPANY.ORG
> }
> 
> 
> 
> 
> And this is domain_realm_companyidm_org:
> ------------------------------------------------------------
> [domain_realm]
> .COMPANY.ORG = COMPANY.ORG
> COMPANY.ORG = COMPANY.ORG
> .EAME.COMPANY.ORG = EAME.COMPANY.ORG
> EAME.COMPANY.ORG = EAME.COMPANY.ORG
> .APAC.COMPANY.ORG = APAC.COMPANY.ORG
> APAC.COMPANY.ORG = APAC.COMPANY.ORG
> .LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
> LATAM.COMPANY.ORG = LATAM.COMPANY.ORG
> .NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
> NAFTA.COMPANY.ORG = NAFTA.COMPANY.ORG
> [capaths]
> COMPANYAWS.ORG = {
>   COMPANYIDM.ORG = COMPANYAWS.ORG
> }
> COMPANYIDM.ORG = {
>   COMPANYAWS.ORG = COMPANYAWS.ORG
> }
> COMPANY.ORG = {
>   COMPANYIDM.ORG = COMPANY.ORG
> }
> COMPANYIDM.ORG = {
>   COMPANY.ORG = COMPANY.ORG
> }
> EAME.COMPANY.ORG = {
>   COMPANYIDM.ORG = COMPANY.ORG
> }
> COMPANYIDM.ORG = {
>   EAME.COMPANY.ORG = COMPANY.ORG
> }
> APAC.COMPANY.ORG = {
>   COMPANYIDM.ORG = COMPANY.ORG
> }
> COMPANYIDM.ORG = {
>   APAC.COMPANY.ORG = COMPANY.ORG
> }
> LATAM.COMPANY.ORG = {
>   COMPANYIDM.ORG = COMPANY.ORG
> }
> COMPANYIDM.ORG = {
>   LATAM.COMPANY.ORG = COMPANY.ORG
> }
> NAFTA.COMPANY.ORG = {
>   COMPANYIDM.ORG = COMPANY.ORG
> }
> COMPANYIDM.ORG = {
>   NAFTA.COMPANY.ORG = COMPANY.ORG
> }


Yes, you are right the capaths are wrong.


Adding:

[capaths]
COMPANYAWS.ORG = {
  COMPANYIDM.ORG = COMPANYAWS.ORG
}
COMPANYIDM.ORG = {
  COMPANYAWS.ORG = COMPANYAWS.ORG
  COMPANY.ORG = COMPANY.ORG
  EAME.COMPANY.ORG = COMPANY.ORG
  APAC.COMPANY.ORG = COMPANY.ORG
  LATAM.COMPANY.ORG = COMPANY.ORG
  NAFTA.COMPANY.ORG = COMPANY.ORG
}
COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}
EAME.COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}
APAC.COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}
LATAM.COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}
NAFTA.COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}

at the very beginning of /etc/krb5.conf before any include or includedir
directives should fix it. With the broken configuration libkrb5 thinks
that there is a direct trust between NAFTA.COMPANY.ORG and COMPANYIDM.ORG,
which is not the case; everything has to go via COMPANY.ORG because
that's the domain which trusts COMPANYIDM.ORG.

Updating SSSD to a version with the fix might help as well.

HTH

bye,
Sumit
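As an added example (not code from this thread, from SSSD or from MIT krb5), a small Python check for the defect discussed above: it parses a [capaths] section, reports client realms that are split over several blocks, and folds them into one block per client realm, which is the shape of the corrected snippet. The sample text is constructed to mirror the broken file, trimmed to one subrealm.

```python
# Constructed sample shaped like the broken snippet: COMPANYIDM.ORG split over two blocks.
BROKEN = """\
[capaths]
COMPANYIDM.ORG = {
  COMPANY.ORG = COMPANY.ORG
}
NAFTA.COMPANY.ORG = {
  COMPANYIDM.ORG = COMPANY.ORG
}
COMPANYIDM.ORG = {
  NAFTA.COMPANY.ORG = COMPANY.ORG
}
"""

def parse_capaths(text):
    """[(client_realm, {server: hop})] in file order; duplicates kept separate."""
    blocks, cur, inside = [], None, False
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in '#;':
            continue
        if line.startswith('['):              # section header: only [capaths] matters
            inside = line == '[capaths]'
        elif inside and line.endswith('{'):   # "CLIENT.REALM = {" opens a block
            cur = (line[:-1].strip(' ='), {})
            blocks.append(cur)
        elif inside and line == '}':
            cur = None
        elif inside and cur is not None:      # "SERVER.REALM = INTERMEDIATE"
            server, _, hop = line.partition('=')
            cur[1][server.strip()] = hop.strip()
    return blocks

def duplicate_clients(blocks):
    """Client realms that occur as more than one block: the defect in the snippet."""
    names = [c for c, _ in blocks]
    return sorted({c for c in names if names.count(c) > 1})

def merge_capaths(blocks):
    """Fold every block of one client realm into a single block, as the fix does."""
    merged = {}
    for client, entries in blocks:
        merged.setdefault(client, {}).update(entries)
    return merged

def render_capaths(merged):
    """Emit the merged table in krb5.conf syntax."""
    out = ['[capaths]']
    for client, entries in merged.items():
        out += [f'{client} = {{'] + [f'  {s} = {h}' for s, h in entries.items()] + ['}']
    return '\n'.join(out) + '\n'
```

Running `duplicate_clients(parse_capaths(open('/var/lib/sss/pubconf/krb5.include.d/<file>').read()))` on a generated snippet is a quick way to tell whether it has this shape before hand-editing krb5.conf.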

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project