Hey Guys, 

CentOS 7.3 
FreeIPA 4.4.0 


I'm having a strange issue with cross-realm tickets that I'm having a hard time 
troubleshooting. It looks similar to an issue posted back in 2014 
(https://www.redhat.com/archives/freeipa-users/2014-October/msg00207.html), but 
this routes file seems to exist. 

My Setup. 

example.org = legacy (all users exist here) (transitive trust with example.com) 
example.com = forest root (transitive trust with example.com) 
ipa.example.com = ipa domain (one-way trust with example.com & example.org) 
with route filters. 
ad.example.com = domain in forest for servers/users 

If I get a Kerberos ticket on a non-IPA-joined client with kinit as a user @ 
legacy, I can use Kerberos to authenticate. 

If I log into an IPA-joined server on ipa.example.com as a user @ legacy and 
attempt to use Kerberos auth to another server, I receive this error: 

debug3: authmethod_lookup gssapi-keyex 
debug3: remaining preferred: gssapi-with-mic,keyboard-interactive 
debug3: authmethod_is_enabled gssapi-keyex 
debug1: Next authentication method: gssapi-keyex 
debug1: No valid Key exchange context 
debug2: we did not send a packet, disable method 
debug3: authmethod_lookup gssapi-with-mic 
debug3: remaining preferred: keyboard-interactive 
debug3: authmethod_is_enabled gssapi-with-mic 
debug1: Next authentication method: gssapi-with-mic 
debug2: we sent a gssapi-with-mic packet, wait for reply 
debug1: Delegating credentials 
debug1: Delegating credentials 
debug1: Unspecified GSS failure. Minor code may provide more information 
Illegal cross-realm ticket 


Any help would be appreciated. I checked capaths and it looks correct. 

cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com 
[domain_realm] 
.EXAMPLE.COM = EXAMPLE.COM 
EXAMPLE.COM = EXAMPLE.COM 
.AD.EXAMPLE.COM = AD.EXAMPLE.COM 
AD.EXAMPLE.COM = AD.EXAMPLE.COM 
.EXAMPLE.ORG = EXAMPLE.ORG 
EXAMPLE.ORG = EXAMPLE.ORG 
[capaths] 
EXAMPLE.COM = { 
IPA.EXAMPLE.COM = EXAMPLE.COM 
} 
AD.EXAMPLE.COM = { 
IPA.EXAMPLE.COM = EXAMPLE.COM 
} 
EXAMPLE.ORG = { 
IPA.EXAMPLE.COM = EXAMPLE.ORG 
} 
IPA.EXAMPLE.COM = { 
EXAMPLE.COM = EXAMPLE.COM 
AD.EXAMPLE.COM = EXAMPLE.COM 
EXAMPLE.ORG = EXAMPLE.ORG 
} 

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
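Added example (not code from the post, SSSD or FreeIPA): a small Python script that parses the [capaths] stanza quoted above and works out which realms a ticket is expected to hop through for a given client realm and server realm, then checks a ticket's transited realm list against that. It is a simplified model of the check krb5 applies to a ticket's transited field; the assumptions are that a value of "." or a value equal to either endpoint realm is treated as a direct trust (no hop), that a pair with no capaths entry is treated as unconfigured rather than falling back to the hierarchical walk, and that the sample config is the stanza from the post embedded inline.

```python
"""Derive the realm path krb5 takes from a [capaths] stanza and check a
ticket's transited realms against it.  Added example; assumptions are
labelled in comments."""
import re

# Constructed sample: the [capaths] stanza posted above, embedded inline.
SAMPLE_KRB5_CONF = """
[domain_realm]
.EXAMPLE.COM = EXAMPLE.COM
EXAMPLE.COM = EXAMPLE.COM
[capaths]
EXAMPLE.COM = {
IPA.EXAMPLE.COM = EXAMPLE.COM
}
AD.EXAMPLE.COM = {
IPA.EXAMPLE.COM = EXAMPLE.COM
}
EXAMPLE.ORG = {
IPA.EXAMPLE.COM = EXAMPLE.ORG
}
IPA.EXAMPLE.COM = {
EXAMPLE.COM = EXAMPLE.COM
AD.EXAMPLE.COM = EXAMPLE.COM
EXAMPLE.ORG = EXAMPLE.ORG
}
"""


def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate, ...]}}.
    A server realm repeated inside one block appends another intermediate,
    which is how krb5.conf expresses multi-hop paths."""
    caps = {}
    section = None
    client = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, client = m.group(1).lower(), None
            continue
        if section != "capaths":
            continue
        if line == "}":
            client = None
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m and client is None:
            client = m.group(1).upper()
            caps.setdefault(client, {})
            continue
        m = re.match(r"^(\S+)\s*=\s*(\S+)$", line)
        if m and client is not None:
            caps[client].setdefault(m.group(1).upper(), []).append(m.group(2).upper())
    return caps


def intermediates(caps, client, server):
    """Intermediate realms configured for client -> server, or None when the
    pair has no capaths entry (krb5 would then use the hierarchical walk,
    which this model deliberately does not implement).
    Assumption: '.' or a value equal to either endpoint means 'direct'."""
    client, server = client.upper(), server.upper()
    try:
        vals = caps[client][server]
    except KeyError:
        return None
    return [v for v in vals if v not in (".", client, server)]


def realm_chain(caps, client, server):
    """Full hop list: client realm, intermediates, server realm."""
    hops = intermediates(caps, client, server)
    if hops is None:
        return None
    return [client.upper()] + hops + [server.upper()]


def transited_ok(caps, client, server, transited):
    """Simplified model of the transited-path check: every realm recorded in
    the ticket's transited field must be an intermediate that capaths allows
    for this client/server pair.  An unconfigured pair fails closed."""
    hops = intermediates(caps, client, server)
    if hops is None:
        return False
    allowed = set(hops)
    return all(r.upper() in allowed for r in transited)


if __name__ == "__main__":
    caps = parse_capaths(SAMPLE_KRB5_CONF)
    for c, s in [("EXAMPLE.ORG", "IPA.EXAMPLE.COM"),
                 ("IPA.EXAMPLE.COM", "AD.EXAMPLE.COM")]:
        print(c, "->", s, ":", " -> ".join(realm_chain(caps, c, s)))
    # With this config, a ticket for EXAMPLE.ORG -> IPA.EXAMPLE.COM whose
    # transited field lists the forest root is not accepted by the model.
    print(transited_ok(caps, "EXAMPLE.ORG", "IPA.EXAMPLE.COM", ["EXAMPLE.COM"]))
```

Run it as-is to see the path the posted stanza implies for each pair; point parse_capaths at the contents of your own krb5.conf and the SSSD include files to compare what the IPA side expects against the realms a ticket actually transited (klist -e shows the ticket, and the KDC log on the IPA side records the transited path it rejected).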
