[Freeipa-users] Re: Can't login AD users on FreeIPA client
On Wed, Feb 26, 2020 at 07:26:56AM -, Michael Solodovnikov via FreeIPA-users wrote:
> > On Tue, Feb 25, 2020 at 10:02:48AM -, Michael Solodovnikov via
> > FreeIPA-users wrote:
> >
> > Thanks,
> >
> > please try to add
> >
> > krb5_use_fast = never
> >
> > to the [domain/] section of sssd.conf as well.
> >
> > If this does not help, please send/paste the krb5_child.log files with
> > this setting as well.
> >
> > bye,
> > Sumit
>
> Thanks, Sumit. It works.

Hi,

great, thanks for the feedback. Just to close this, it is a known issue and
currently tracked by https://bugzilla.redhat.com/show_bug.cgi?id=1749786.

bye,
Sumit

> Best regards,
> Michael.

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: Can't login AD users on FreeIPA client
> On Tue, Feb 25, 2020 at 10:02:48AM -, Michael Solodovnikov via
> FreeIPA-users wrote:
>
> Thanks,
>
> please try to add
>
> krb5_use_fast = never
>
> to the [domain/] section of sssd.conf as well.
>
> If this does not help, please send/paste the krb5_child.log files with
> this setting as well.
>
> bye,
> Sumit

Thanks, Sumit. It works.

Best regards,
Michael.

[Freeipa-users] Re: Can't login AD users on FreeIPA client
On Tue, Feb 25, 2020 at 10:02:48AM -, Michael Solodovnikov via FreeIPA-users wrote:
> > Hi,
> >
> > can you paste krb5_child.log from the server and client attempt as well?
> >
> > bye,
> > Sumit
>
> Attempt on server krb5_child.log - https://paste.centos.org/view/09edb080
>
> Attempt on client krb5_child.log - https://paste.centos.org/view/eb2b89b3

Thanks,

please try to add

krb5_use_fast = never

to the [domain/] section of sssd.conf as well.

If this does not help, please send/paste the krb5_child.log files with
this setting as well.

bye,
Sumit

> Michael.

[Freeipa-users] Re: Can't login AD users on FreeIPA client
> Hi,
>
> can you paste krb5_child.log from the server and client attempt as well?
>
> bye,
> Sumit

Attempt on server krb5_child.log - https://paste.centos.org/view/09edb080

Attempt on client krb5_child.log - https://paste.centos.org/view/eb2b89b3

Michael.

[Freeipa-users] Re: Can't login AD users on FreeIPA client
On Tue, Feb 25, 2020 at 04:16:53AM -, Michael Solodovnikov via FreeIPA-users wrote:
> Hi.
>
> > Can you run the same commands as
> >
> > KRB5_TRACE=/dev/stdout kinit solodovnikov(a)win.gtf.kz
> > KRB5_TRACE=/dev/stdout klist
> > KRB5_TRACE=/dev/stdout kvno -S host dc1.nix.gtf.kz
> > KRB5_TRACE=/dev/stdout klist
> >
> > and send the output?
>
> KRB5_TRACE - https://paste.centos.org/view/848348bc
>
> > Here the all upper-case version is requested and not found. Please note
> > that Kerberos, according to the RFCs, is case-sensitive and the IPA KDC
> > treats principal names case-sensitively, in contrast to AD DCs.
>
> Yes, I pay attention to it.
>
> > The cross-realm TGT is needed for the Kerberos ticket validation. You
> > can disable this for testing by setting 'krb5_validate = False' in the
> > [domain/...] section of sssd.conf. But since validation is a useful
> > security feature, especially in an environment with trust, I'd still
> > recommend finding the real cause of the issue and not using
> > 'krb5_validate = False' permanently.
>
> Added the 'krb5_validate = False' option, not working.
>
> On the server, disabled options:
>
> [domain/nix.gtf.kz/win.gtf.kz]
> subdomain_inherit = ldap_user_principal
> ldap_user_principal = nosuchattr
>
> And enabled:
>
> krb5_validate = False
>
> [domain/nix.gtf.kz]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = nix.gtf.kz
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = dc1.nix.gtf.kz
> chpass_provider = ipa
> ipa_server = dc1.nix.gtf.kz
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_validate = False
> debug_level=9
>
> [sssd]
> services = sudo, nss, ifp, pam, ssh
> domains = nix.gtf.kz
> debug_level=9
> ...
>
> Clean and restart.
>
> # service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
> # systemctl restart ipa
>
> [root@dc1 ~]# su - test
> Last login: Wed Feb 19 16:41:14 +07 2020 on pts/0
> [test@dc1 ~]$ su - solodovnikov(a)win.gtf.kz
> Password:
> su: Authentication failure
>
> In krb5kdc.log - https://paste.centos.org/view/b921a40b
>
> > This looks like the client cannot properly detect that an enterprise
> > principal should be used. To understand why it would be good to see the
> > full SSSD domain log of the client. As a workaround you can add
> > 'krb5_use_enterprise_principal = True' to the [domain/...] section of
> > sssd.conf on the IPA client. Given the issue from above you might have
> > to add 'krb5_validate = False' as well.
>
> On the client, added krb5_use_enterprise_principal = True and krb5_validate = False
>
> [domain/nix.gtf.kz]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = nix.gtf.kz
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = sqlg.nix.gtf.kz
> chpass_provider = ipa
> ipa_server = _srv_, dc1.nix.gtf.kz
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> krb5_use_enterprise_principal = True
> krb5_validate = False
>
> use_fully_qualified_names = True
> re_expression = ((?P.+)@(?P[^@]+$))
>
> debug_level=9
>
> [sssd]
> services = nss, sudo, pam, ssh
>
> domains = nix.gtf.kz
>
> debug_level=9
> ...
>
> # service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
>
> [root@sqlg ~]# su - test
> Last login: Wed Feb 19 16:45:57 +07 2020 on pts/0
> [test@sqlg ~]$ su - solodovnikov(a)win.gtf.kz
> Password:
> su: Authentication failure
>
> In sssd log - https://paste.centos.org/view/359115b9
> In messages - https://paste.centos.org/view/f459ec56
> In krb5kdc.log on server - https://paste.centos.org/view/960eab78

Hi,

can you paste krb5_child.log from the server and client attempt as well?

bye,
Sumit

> Michael.

[Freeipa-users] Re: Can't login AD users on FreeIPA client
Hi.

> Can you run the same commands as
>
> KRB5_TRACE=/dev/stdout kinit solodovnikov(a)win.gtf.kz
> KRB5_TRACE=/dev/stdout klist
> KRB5_TRACE=/dev/stdout kvno -S host dc1.nix.gtf.kz
> KRB5_TRACE=/dev/stdout klist
>
> and send the output?

KRB5_TRACE - https://paste.centos.org/view/848348bc

> Here the all upper-case version is requested and not found. Please note
> that Kerberos, according to the RFCs, is case-sensitive and the IPA KDC
> treats principal names case-sensitively, in contrast to AD DCs.

Yes, I pay attention to it.

> The cross-realm TGT is needed for the Kerberos ticket validation. You
> can disable this for testing by setting 'krb5_validate = False' in the
> [domain/...] section of sssd.conf. But since validation is a useful
> security feature, especially in an environment with trust, I'd still
> recommend finding the real cause of the issue and not using
> 'krb5_validate = False' permanently.

Added the 'krb5_validate = False' option, not working.

On the server, disabled options:

[domain/nix.gtf.kz/win.gtf.kz]
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr

And enabled:

krb5_validate = False

[domain/nix.gtf.kz]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.gtf.kz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = dc1.nix.gtf.kz
chpass_provider = ipa
ipa_server = dc1.nix.gtf.kz
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_validate = False
debug_level=9

[sssd]
services = sudo, nss, ifp, pam, ssh
domains = nix.gtf.kz
debug_level=9
...

Clean and restart.

# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
# systemctl restart ipa

[root@dc1 ~]# su - test
Last login: Wed Feb 19 16:41:14 +07 2020 on pts/0
[test@dc1 ~]$ su - solodovnikov(a)win.gtf.kz
Password:
su: Authentication failure

In krb5kdc.log - https://paste.centos.org/view/b921a40b

> This looks like the client cannot properly detect that an enterprise
> principal should be used. To understand why it would be good to see the
> full SSSD domain log of the client. As a workaround you can add
> 'krb5_use_enterprise_principal = True' to the [domain/...] section of
> sssd.conf on the IPA client. Given the issue from above you might have
> to add 'krb5_validate = False' as well.

On the client, added krb5_use_enterprise_principal = True and krb5_validate = False

[domain/nix.gtf.kz]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.gtf.kz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = sqlg.nix.gtf.kz
chpass_provider = ipa
ipa_server = _srv_, dc1.nix.gtf.kz
ldap_tls_cacert = /etc/ipa/ca.crt

krb5_use_enterprise_principal = True
krb5_validate = False

use_fully_qualified_names = True
re_expression = ((?P.+)@(?P[^@]+$))

debug_level=9

[sssd]
services = nss, sudo, pam, ssh

domains = nix.gtf.kz

debug_level=9
...

# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start

[root@sqlg ~]# su - test
Last login: Wed Feb 19 16:45:57 +07 2020 on pts/0
[test@sqlg ~]$ su - solodovnikov(a)win.gtf.kz
Password:
su: Authentication failure

In sssd log - https://paste.centos.org/view/359115b9
In messages - https://paste.centos.org/view/f459ec56
In krb5kdc.log on server - https://paste.centos.org/view/960eab78

Michael.

[Freeipa-users] Re: Can't login AD users on FreeIPA client
On Wed, Feb 19, 2020 at 07:26:51AM -, Michael Solodovnikov via FreeIPA-users wrote:
> I have a freshly installed FreeIPA 4.6.5, sssd 1.16.4, krb5 1.15.1-37, samba
> 4.9.1-10, on CentOS 7.7.1908, and can't log in as an AD user.
> FreeIPA is configured with a one-way trust to AD (win.gtf.kz); the AD user has UPN
> n.u...@fgt.kz. FreeIPA realm nix.gtf.kz.
>
> ...
>
> AD user.
>
> [root@dc1 ~]# getent passwd solodovni...@win.gtf.kz
> solodovni...@win.gtf.kz:*:1573974455:1573974455:ФПП:/home/win.gtf.kz/solodovnikov:
>
> [root@dc1 ~]# kinit solodovni...@win.gtf.kz
> Password for solodovni...@win.gtf.kz:
> [root@dc1 ~]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm
> Default principal: solodovni...@win.gtf.kz
>
> Valid starting       Expires              Service principal
> 02/19/2020 11:05:16  02/19/2020 21:05:16  krbtgt/win.gtf...@win.gtf.kz
>         renew until 02/20/2020 11:05:10
>
> [root@dc1 ~]# kvno -S host dc1.nix.gtf.kz
> host/dc1.nix.gtf...@nix.gtf.kz: kvno = 2
> [root@dc1 ~]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_FrKYVBm
> Default principal: solodovni...@win.gtf.kz
>
> Valid starting       Expires              Service principal
> 02/19/2020 11:07:34  02/19/2020 21:05:16  host/dc1.nix.gtf...@nix.gtf.kz
>         renew until 02/20/2020 11:05:10
> 02/19/2020 11:07:34  02/19/2020 21:05:16  krbtgt/nix.gtf...@win.gtf.kz
>         renew until 02/20/2020 11:05:10
> 02/19/2020 11:05:16  02/19/2020 21:05:16  krbtgt/win.gtf...@win.gtf.kz
>         renew until 02/20/2020 11:05:10

Hi,

the lower-case components in the krbtgt principals 'krbtgt/nix.gtf...@win.gtf.kz'
and 'krbtgt/win.gtf...@win.gtf.kz' are looking odd, especially since the latter
was 'krbtgt/win.gtf...@win.gtf.kz' after calling kinit. Can you run the same
commands as

KRB5_TRACE=/dev/stdout kinit solodovni...@win.gtf.kz
KRB5_TRACE=/dev/stdout klist
KRB5_TRACE=/dev/stdout kvno -S host dc1.nix.gtf.kz
KRB5_TRACE=/dev/stdout klist

and send the output?

>
> ...
>
> In krb5kdc.log:
>
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@fgt...@nix.gtf.kz for krbtgt/nix.gtf...@nix.gtf.kz, Realm not local to KDC
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10267](info): closing down fd 11
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not found in Kerberos database
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not found in Kerberos database
> Feb 19 11:51:57 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: REFERRAL: m.solodovnikov\@fgt...@nix.gtf.kz for krbtgt/nix.gtf...@nix.gtf.kz, Realm not local to KDC
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not found in Kerberos database
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10269](info): closing down fd 11
> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.8.7: UNKNOWN_SERVER: authtime 0, host/dc1.nix.gtf...@nix.gtf.kz for krbtgt/win.gtf...@nix.gtf.kz, Server not found in Kerberos database

Here the all upper-case version is requested and not found. Please note that
Kerberos, according to the RFCs, is case-sensitive and the IPA KDC treats
principal names case-sensitively, in contrast to AD DCs.

The cross-realm TGT is needed for the Kerberos ticket validation. You can
disable this for testing by setting 'krb5_validate = False' in the
[domain/...] section of sssd.conf. But since validation is a useful security
feature, especially in an environment with trust, I'd still recommend finding
the real cause of the issue and not using 'krb5_validate = False' permanently.

> Feb 19 11:52:02 dc1.nix.gtf.kz krb5kdc[10268](info): closing down fd 11
>
>
>
> Configs on client FreeIPA(sqlg.nix.gtf.kz)
>
> [root@sqlg ~]# cat /etc/redhat-release
> CentOS Linux release 7.7.1908 (Core)
> [root@sqlg ~]# ipa --version
> VERSION: 4.6.5, API_VERSION: 2.231
>
> [root@sqlg ~]# cat /etc/krb5.conf
> #File modified by ipa-client-install
>
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
> default_realm = NIX.GTF.KZ
> dns_lookup_realm = true
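The krb5kdc.log excerpt above shows the pattern Sumit points at: cross-realm TGT (krbtgt/...) requests answered with UNKNOWN_SERVER because the realm in the requested principal does not match the canonical upper-case form the IPA KDC knows. The following is an added triage script, not code from the thread or from the FreeIPA or SSSD projects; it parses AS_REQ/TGS_REQ lines in the krb5kdc.log format, counts outcomes, and flags UNKNOWN_SERVER replies whose krbtgt service principal carries a non-upper-case or foreign realm. The log lines, realm names (IPA.EXAMPLE, AD.EXAMPLE), host and IP address in it are constructed placeholders, not the poster's data.

```python
"""Triage krb5kdc.log request lines for the failure pattern discussed above:
cross-realm TGT (krbtgt/...) lookups that fail with UNKNOWN_SERVER because a
realm name reaches the IPA KDC in other than its canonical upper-case form."""
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample in krb5kdc.log format (placeholder realms, host and IP;
# not the poster's data). The third line mimics the thread's failure: the
# target realm of the cross-realm TGT is lower-case. The last line shows the
# same request with the canonical realm name, which the KDC issues.
SAMPLE_LOG = """\
Feb 19 11:51:57 ipa1.ipa.example krb5kdc[10267](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.7: REFERRAL: user\\@upn.example@IPA.EXAMPLE for krbtgt/IPA.EXAMPLE@IPA.EXAMPLE, Realm not local to KDC
Feb 19 11:51:57 ipa1.ipa.example krb5kdc[10267](info): closing down fd 11
Feb 19 11:51:57 ipa1.ipa.example krb5kdc[10268](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.7: UNKNOWN_SERVER: authtime 0,  host/ipa1.ipa.example@IPA.EXAMPLE for krbtgt/ad.example@IPA.EXAMPLE, Server not found in Kerberos database
Feb 19 11:52:02 ipa1.ipa.example krb5kdc[10269](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.7: ISSUE: authtime 1582084322, etypes {rep=18 tkt=18 ses=18}, host/ipa1.ipa.example@IPA.EXAMPLE for krbtgt/AD.EXAMPLE@IPA.EXAMPLE
"""

# One AS_REQ/TGS_REQ record; "closing down fd" lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) (?P<ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <service principal>" inside the trailing part of the record.
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<service>[^,\s]+)")


def split_principal(princ: str) -> Tuple[str, str]:
    """Split 'primary/instance@REALM' at the last '@'. An enterprise principal
    carries an escaped '\\@' inside the primary, so the last '@' (not the
    first) is the realm separator."""
    idx = princ.rfind("@")
    if idx < 0:
        return princ, ""
    return princ[:idx], princ[idx + 1:]


def case_problem(service: str, local_realm: str) -> Optional[str]:
    """For a krbtgt/TARGET@ISSUER service principal, return a short reason if
    either realm is not upper-case or the issuer is not this KDC's realm.
    Return None for non-TGT services and for well-formed requests."""
    primary, issuer = split_principal(service)
    if not primary.startswith("krbtgt/"):
        return None
    target = primary[len("krbtgt/"):]
    for label, realm in (("target realm", target), ("issuing realm", issuer)):
        if realm != realm.upper():
            return f"{label} '{realm}' is not upper-case; the IPA KDC matches case-sensitively"
    if issuer != local_realm:
        return f"issuing realm '{issuer}' is not this KDC's realm '{local_realm}'"
    return None


def analyze(log_text: str, local_realm: str) -> Tuple[Counter, List[Tuple[str, str, str, str]]]:
    """Return (status_counts, findings). Each finding is
    (client_ip, client_principal, service_principal, reason) for an
    UNKNOWN_SERVER reply that case_problem() can explain."""
    counts: Counter = Counter()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request record (e.g. "closing down fd")
        counts[m["status"]] += 1
        p = PRINC_RE.search(m["rest"])
        if not p:
            continue
        reason = case_problem(p["service"], local_realm)
        if m["status"] == "UNKNOWN_SERVER" and reason:
            findings.append((m["ip"], p["client"], p["service"], reason))
    return counts, findings


if __name__ == "__main__":
    outcome_counts, hits = analyze(SAMPLE_LOG, "IPA.EXAMPLE")
    print("request outcomes:", dict(outcome_counts))
    for ip, client, service, reason in hits:
        print(f"{ip}: {client} -> {service}: {reason}")
```

Run against a real krb5kdc.log (with the KDC's own realm as `local_realm`), a burst of flagged UNKNOWN_SERVER lines from one client address points at that client's principal canonicalization rather than at a missing trust, which is the distinction the thread turns on.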