Hey guys, CentOS 7.3, FreeIPA 4.4.0.
I'm having a strange issue with cross-realm tickets that I'm having a hard time troubleshooting. It looks similar to an issue posted back in 2014, https://www.redhat.com/archives/freeipa-users/2014-October/msg00207.html, but this routes file seems to exist.

My setup:

example.org = legacy (all users exist here) (transitive trust with example.com)
example.com = forest root (transitive trust with example.com)
ipa.example.com = IPA domain (one-way trust with example.com & example.org) with route filters
ad.example.com = domain in forest for servers/users

If I get a Kerberos ticket on a non-IPA-joined client with kinit as a user @ legacy, I can use Kerberos to authenticate. If I log into an IPA-joined server on ipa.example.com as a user @ legacy and attempt to use Kerberos auth to another server, I receive this error:

debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,keyboard-interactive
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Unspecified GSS failure.  Minor code may provide more information
Illegal cross-realm ticket

Any help would be appreciated. I checked capaths and it looks correct.
cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com
[domain_realm]
.EXAMPLE.COM = EXAMPLE.COM
EXAMPLE.COM = EXAMPLE.COM
.AD.EXAMPLE.COM = AD.EXAMPLE.COM
AD.EXAMPLE.COM = AD.EXAMPLE.COM
.EXAMPLE.ORG = EXAMPLE.ORG
EXAMPLE.ORG = EXAMPLE.ORG
[capaths]
EXAMPLE.COM = {
  IPA.EXAMPLE.COM = EXAMPLE.COM
}
AD.EXAMPLE.COM = {
  IPA.EXAMPLE.COM = EXAMPLE.COM
}
EXAMPLE.ORG = {
  IPA.EXAMPLE.COM = EXAMPLE.ORG
}
IPA.EXAMPLE.COM = {
  EXAMPLE.COM = EXAMPLE.COM
  AD.EXAMPLE.COM = EXAMPLE.COM
  EXAMPLE.ORG = EXAMPLE.ORG
}
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org