[Freeipa-users] Re: Can't login AD users on FreeIPA client

2020-02-26 Thread Sumit Bose via FreeIPA-users
On Wed, Feb 26, 2020 at 07:26:56AM -, Michael Solodovnikov via 
FreeIPA-users wrote:
> > On Tue, Feb 25, 2020 at 10:02:48AM -, Michael Solodovnikov via 
> > FreeIPA-users wrote:
> > 
> > Thanks,
> > 
> > please try to add
> > 
> > krb5_use_fast = never
> > 
> > to the [domain/] section of sssd.conf as well.
> > 
> > If this does not help, please send/paste the krb5_child.log files with
> > this setting as well.
> > 
> > bye,
> > Sumit
> 
> Thanks, Sumit. It works.

Hi,

great, thanks for the feedback. Just to close this, it is a known issue
and currently tracked by
https://bugzilla.redhat.com/show_bug.cgi?id=1749786.

bye,
Sumit

> 
> Best regards,
> Michael.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
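The thread twice relies on test-time settings that Sumit explicitly calls out as not for permanent use (krb5_validate = False, and the krb5_use_fast = never workaround for the tracked bug). As an added example, not code from the thread or from SSSD itself, here is a small Python audit that parses an sssd.conf in the layout posted in this thread and flags those settings, plus a debug_level left at 9, so they are not forgotten once the real cause is fixed. The config fragment is constructed for the example and modelled on the client config posted below.

```python
import configparser

# Constructed sssd.conf fragment modelled on the client config posted in the thread.
SAMPLE_SSSD_CONF = """\
[domain/nix.gtf.kz]
id_provider = ipa
auth_provider = ipa
ipa_domain = nix.gtf.kz
ipa_server = _srv_, dc1.nix.gtf.kz
krb5_use_enterprise_principal = True
krb5_validate = False
krb5_use_fast = never
debug_level=9

[sssd]
services = nss, sudo, pam, ssh
domains = nix.gtf.kz
"""

# option -> (value that triggers a finding, severity, why it matters)
CHECKS = {
    "krb5_validate": ("false", "high",
        "TGT not validated against the host keytab; a spoofed KDC would go unnoticed"),
    "krb5_use_fast": ("never", "medium",
        "FAST armoring disabled; pre-authentication data is sent unarmored"),
    "debug_level": ("9", "low",
        "verbose logging left on; krb5_child.log may hold sensitive detail"),
}

def audit_sssd_conf(text):
    """Return (section, option, value, severity, why) for each flagged option
    in every [domain/...] section; values compare case-insensitively."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [nss], [pam] carry none of these options
        for opt, (flag_value, severity, why) in CHECKS.items():
            if cp.has_option(section, opt):
                value = cp.get(section, opt).strip()
                if value.lower() == flag_value:
                    findings.append((section, opt, value, severity, why))
    return findings

def report(findings):
    """One line per finding, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return [f"[{sev}] {sec}: {opt} = {val}  ({why})"
            for sec, opt, val, sev, why in sorted(findings, key=lambda f: order[f[3]])]

if __name__ == "__main__":
    print("\n".join(report(audit_sssd_conf(SAMPLE_SSSD_CONF))))
```

Run it against the real file with `audit_sssd_conf(open("/etc/sssd/sssd.conf").read())`; a clean production config returns an empty list.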


[Freeipa-users] Re: Can't login AD users on FreeIPA client

2020-02-25 Thread Michael Solodovnikov via FreeIPA-users
> On Tue, Feb 25, 2020 at 10:02:48AM -, Michael Solodovnikov via 
> FreeIPA-users wrote:
> 
> Thanks,
> 
> please try to add
> 
> krb5_use_fast = never
> 
> to the [domain/] section of sssd.conf as well.
> 
> If this does not help, please send/paste the krb5_child.log files with
> this setting as well.
> 
> bye,
> Sumit

Thanks, Sumit. It works.

Best regards,
Michael.


[Freeipa-users] Re: Can't login AD users on FreeIPA client

2020-02-25 Thread Sumit Bose via FreeIPA-users
On Tue, Feb 25, 2020 at 10:02:48AM -, Michael Solodovnikov via 
FreeIPA-users wrote:
> > Hi,
> > 
> > can you paste krb5_child.log from the server and client attempt as well?
> > 
> > bye,
> > Sumit
> 
> Attempt on server krb5_child.log - https://paste.centos.org/view/09edb080
> 
> Attempt on client krb5_child.log - https://paste.centos.org/view/eb2b89b3

Thanks,

please try to add

krb5_use_fast = never

to the [domain/] section of sssd.conf as well.

If this does not help, please send/paste the krb5_child.log files with
this setting as well.

bye,
Sumit
> 
> Michael.


[Freeipa-users] Re: Can't login AD users on FreeIPA client

2020-02-25 Thread Michael Solodovnikov via FreeIPA-users
> Hi,
> 
> can you paste krb5_child.log from the server and client attempt as well?
> 
> bye,
> Sumit

Attempt on server krb5_child.log - https://paste.centos.org/view/09edb080

Attempt on client krb5_child.log - https://paste.centos.org/view/eb2b89b3

Michael.


[Freeipa-users] Re: Can't login AD users on FreeIPA client

2020-02-24 Thread Sumit Bose via FreeIPA-users
On Tue, Feb 25, 2020 at 04:16:53AM -, Michael Solodovnikov via 
FreeIPA-users wrote:
> Hi.
> 
> > Can you run the same commands as
> > 
> > KRB5_TRACE=/dev/stdout kinit solodovnikov(a)win.gtf.kz
> > KRB5_TRACE=/dev/stdout klist
> > KRB5_TRACE=/dev/stdout kvno -S host dc1.nix.gtf.kz
> > KRB5_TRACE=/dev/stdout klist
> > 
> > and send the output?
> 
> KRB5_TRACE - https://paste.centos.org/view/848348bc
>  
> > Here the all-upper-case version is requested and not found. Please note
> > that Kerberos, according to the RFCs, is case-sensitive and the IPA KDC
> > treats principal names case-sensitively, in contrast to AD DCs.
> 
> Yes, I pay attention to it.
>  
> > The cross-realm TGT is needed for the Kerberos ticket validation. You
> > can disable this for testing by setting 'krb5_validate = False' in the
> > [domain/...] section of sssd.conf. But since validation is a useful
> > security feature, especially in an environment with trust, I'd still
> > recommend finding the real cause of the issue and not using
> > 'krb5_validate = False' permanently.
> 
> Added the 'krb5_validate = False' option; it is not working.
> 
> On the server, disabled the options:
> 
> [domain/nix.gtf.kz/win.gtf.kz]
> subdomain_inherit = ldap_user_principal
> ldap_user_principal = nosuchattr
> 
> And enabled:
> 
> krb5_validate = False
> 
> [domain/nix.gtf.kz]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = nix.gtf.kz
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = dc1.nix.gtf.kz
> chpass_provider = ipa
> ipa_server = dc1.nix.gtf.kz
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_validate = False
> debug_level=9
> 
> [sssd]
> services = sudo, nss, ifp, pam, ssh
> domains = nix.gtf.kz
> debug_level=9
> ...
> 
> Clean and restart.
> # service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
> # systemctl restart ipa
> 
> [root@dc1 ~]# su - test
> Last login: Wed Feb 19 16:41:14 +07 2020 on pts/0
> [test@dc1 ~]$ su - solodovnikov(a)win.gtf.kz
> Password:
> su: Authentication failure
> 
> In krb5kdc.log - https://paste.centos.org/view/b921a40b
>  
> > This looks like the client cannot properly detect that the enterprise
> > principal should be used. To understand why, it would be good to see the
> > full SSSD domain log of the client. As a workaround you can add
> > 'krb5_use_enterprise_principal = True' to the [domain/...] section of
> > sssd.conf on the IPA client. Given the issue from above you might have
> > to add 'krb5_validate = False' as well.
>  
> On the client, added krb5_use_enterprise_principal = True and krb5_validate = False
> 
> [domain/nix.gtf.kz]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = nix.gtf.kz
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = sqlg.nix.gtf.kz
> chpass_provider = ipa
> ipa_server = _srv_, dc1.nix.gtf.kz
> ldap_tls_cacert = /etc/ipa/ca.crt
> 
> krb5_use_enterprise_principal = True
> krb5_validate = False
> 
> use_fully_qualified_names = True
> re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))
> 
> debug_level=9
> [sssd]
> services = nss, sudo, pam, ssh
> 
> domains = nix.gtf.kz
> 
> debug_level=9
> ...
> 
> # service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
> 
> [root@sqlg ~]# su - test
> Last login: Wed Feb 19 16:45:57 +07 2020 on pts/0
> [test@sqlg ~]$ su - solodovnikov(a)win.gtf.kz
> Password:
> su: Authentication failure
> 
> In sssd log - https://paste.centos.org/view/359115b9
> In messages - https://paste.centos.org/view/f459ec56
> In krb5kdc.log on server - https://paste.centos.org/view/960eab78

Hi,

can you paste krb5_child.log from the server and client attempt as well?

bye,
Sumit

> 
> Michael.


[Freeipa-users] Re: Can't login AD users on FreeIPA client

2020-02-24 Thread Michael Solodovnikov via FreeIPA-users
Hi.

> Can you run the same commands as
> 
> KRB5_TRACE=/dev/stdout kinit solodovnikov(a)win.gtf.kz
> KRB5_TRACE=/dev/stdout klist
> KRB5_TRACE=/dev/stdout kvno -S host dc1.nix.gtf.kz
> KRB5_TRACE=/dev/stdout klist
> 
> and send the output?

KRB5_TRACE - https://paste.centos.org/view/848348bc
 
> Here the all-upper-case version is requested and not found. Please note
> that Kerberos, according to the RFCs, is case-sensitive and the IPA KDC
> treats principal names case-sensitively, in contrast to AD DCs.

Yes, I pay attention to it.
 
> The cross-realm TGT is needed for the Kerberos ticket validation. You
> can disable this for testing by setting 'krb5_validate = False' in the
> [domain/...] section of sssd.conf. But since validation is a useful
> security feature, especially in an environment with trust, I'd still
> recommend finding the real cause of the issue and not using
> 'krb5_validate = False' permanently.

Added the 'krb5_validate = False' option; it is not working.

On the server, disabled the options:

[domain/nix.gtf.kz/win.gtf.kz]
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr

And enabled:

krb5_validate = False

[domain/nix.gtf.kz]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.gtf.kz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = dc1.nix.gtf.kz
chpass_provider = ipa
ipa_server = dc1.nix.gtf.kz
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_validate = False
debug_level=9

[sssd]
services = sudo, nss, ifp, pam, ssh
domains = nix.gtf.kz
debug_level=9
...

Clean and restart.
# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
# systemctl restart ipa

[root@dc1 ~]# su - test
Last login: Wed Feb 19 16:41:14 +07 2020 on pts/0
[test@dc1 ~]$ su - solodovnikov(a)win.gtf.kz
Password:
su: Authentication failure

In krb5kdc.log - https://paste.centos.org/view/b921a40b
 
> This looks like the client cannot properly detect that the enterprise
> principal should be used. To understand why, it would be good to see the
> full SSSD domain log of the client. As a workaround you can add
> 'krb5_use_enterprise_principal = True' to the [domain/...] section of
> sssd.conf on the IPA client. Given the issue from above you might have
> to add 'krb5_validate = False' as well.
 
On the client, added krb5_use_enterprise_principal = True and krb5_validate = False

[domain/nix.gtf.kz]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.gtf.kz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = sqlg.nix.gtf.kz
chpass_provider = ipa
ipa_server = _srv_, dc1.nix.gtf.kz
ldap_tls_cacert = /etc/ipa/ca.crt

krb5_use_enterprise_principal = True
krb5_validate = False

use_fully_qualified_names = True
re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))

debug_level=9
[sssd]
services = nss, sudo, pam, ssh

domains = nix.gtf.kz

debug_level=9
...

# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

[root@sqlg ~]# su - test
Last login: Wed Feb 19 16:45:57 +07 2020 on pts/0
[test@sqlg ~]$ su - solodovnikov(a)win.gtf.kz
Password:
su: Authentication failure

In sssd log - https://paste.centos.org/view/359115b9
In messages - https://paste.centos.org/view/f459ec56
In krb5kdc.log on server - https://paste.centos.org/view/960eab78

Michael.


[Freeipa-users] Re: Can't login AD users on FreeIPA client

2020-02-19 Thread Sumit Bose via FreeIPA-users
On Wed, Feb 19, 2020 at 07:26:51AM -, Michael Solodovnikov via 
FreeIPA-users wrote:
> I have a freshly installed FreeIPA 4.6.5, sssd 1.16.4, krb5 1.15.1-37, samba 
> 4.9.1-10, on CentOS 7.7.1908, and can't log in as an AD user.
> FreeIPA is configured with a one-way trust to AD (win.gtf.kz); the AD user has UPN 
> n.u...@fgt.kz. The FreeIPA realm is nix.gtf.kz.
> 
> 
...
> 
> AD user.
> 
> [root@dc1 ~]# getent passwd solodovni...@win.gtf.kz
> solodovni...@win.gtf.kz:*:1573974455:1573974455:ФПП:/home/win.gtf.kz/solodovnikov:
> 
> [root@dc1 ~]# kinit solodovni...@win.gtf.kz
> Password for solodovni...@win.gtf.kz:
> [root@dc1 ~]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm
> Default principal: solodovni...@win.gtf.kz
> 
> Valid starting   Expires  Service principal
> 02/19/2020 11:05:16  02/19/2020 21:05:16  krbtgt/win.gtf...@win.gtf.kz
> renew until 02/20/2020 11:05:10
>   
> [root@dc1 ~]# kvno -S host dc1.nix.gtf.kz
> host/dc1.nix.gtf...@nix.gtf.kz: kvno = 2
> [root@dc1 ~]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm
> Default principal: solodovni...@win.gtf.kz
> 
> Valid starting   Expires  Service principal
> 02/19/2020 11:07:34  02/19/2020 21:05:16  host/dc1.nix.gtf...@nix.gtf.kz
> renew until 02/20/2020 11:05:10
> 02/19/2020 11:07:34  02/19/2020 21:05:16  krbtgt/nix.gtf...@win.gtf.kz
> renew until 02/20/2020 11:05:10
> 02/19/2020 11:05:16  02/19/2020 21:05:16  krbtgt/win.gtf...@win.gtf.kz
> renew until 02/20/2020 11:05:10

Hi,

the lower-case components in the krbtgt principals
'krbtgt/nix.gtf...@win.gtf.kz' and 'krbtgt/win.gtf...@win.gtf.kz' look
odd, especially since the latter was
'krbtgt/win.gtf...@win.gtf.kz' after calling kinit.

Can you run the same commands as

KRB5_TRACE=/dev/stdout kinit solodovni...@win.gtf.kz
KRB5_TRACE=/dev/stdout klist
KRB5_TRACE=/dev/stdout kvno -S host dc1.nix.gtf.kz
KRB5_TRACE=/dev/stdout klist

and send the output?
>   
> 
> 
...
> In krb5kdc.log:
> 
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): AS_REQ (8 etypes {18 17 
> 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@fgt...@nix.gtf.kz 
> for krbtgt/nix.gtf...@nix.gtf.kz, Realm not local to KDC
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): closing down fd 11
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 
> 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,  
> host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not 
> found in Kerberos database
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 
> 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,  
> host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not 
> found in Kerberos database
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): AS_REQ (8 etypes {18 17 
> 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@fgt...@nix.gtf.kz 
> for krbtgt/nix.gtf...@nix.gtf.kz, Realm not local to KDC
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 
> 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,  
> host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not 
> found in Kerberos database
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 
> 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0,  
> host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not 
> found in Kerberos database

Here the all-upper-case version is requested and not found. Please note
that Kerberos, according to the RFCs, is case-sensitive and the IPA KDC
treats principal names case-sensitively, in contrast to AD DCs.

The cross-realm TGT is needed for the Kerberos ticket validation. You
can disable this for testing by setting 'krb5_validate = False' in the
[domain/...] section of sssd.conf. But since validation is a useful
security feature, especially in an environment with trust, I'd still
recommend finding the real cause of the issue and not using
'krb5_validate = False' permanently.

> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11
> 
> 
> 
> 
> Configs on the FreeIPA client (sqlg.nix.gtf.kz)
> 
> [root@sqlg ~]# cat /etc/redhat-release
> CentOS Linux release 7.7.1908 (Core)
> [root@sqlg ~]# ipa --version
> VERSION: 4.6.5, API_VERSION: 2.231
> 
> [root@sqlg ~]# cat /etc/krb5.conf
> #File modified by ipa-client-install
> 
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [libdefaults]
>   default_realm = NIX.GTF.KZ
>   dns_lookup_realm = true