On 04/06/2018 09:59 PM, Jakub Hrozek wrote:
On 6 Apr 2018, at 17:54, Bastian Rosner <bro-s...@d00m.org> wrote:
Unfortunately, users from other domains can't use their Kerberos ticket, only
password works. These users are specifying their domain on login.
This all sounds like the issue is not on the SSSD level; perhaps the
krb5.conf configuration is missing the domain-realm mappings. But what you
said next was interesting:
This is the krb5.conf for a host in one of the other domains. My client
(both computer and user) is in sub1 and logs in to a host in sub2.
$ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
[libdefaults]
default_realm = SUB2.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
Do I have to specify all domains in here? I thought the site/forest
discovery of sssd-ad should take care of all the other trusted subdomains.
Surprisingly, once logged in after authenticating with a password,
foreign-domain users are able to issue a Kerberos ticket with kinit if they
specify username@FQDN.
Hmm, are you saying that if you log in with a password you don’t get a TGT?
Actually I do get a ticket after logging in using a password:
$ klist
Ticket cache: FILE:/tmp/krb5cc_94821677_hr943p
Default principal: b...@sub1.example.com
Valid starting       Expires              Service principal
04/06/2018 16:09:54  04/07/2018 02:09:54  krbtgt/sub1.example....@sub1.example.com
        renew until 04/13/2018 16:09:54
This ticket does not work on sub2 hosts but can be used for
gssapi-with-mic based authentication in sub1.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
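As an added example (not the poster's file and not something SSSD itself generates), this is how the krb5.conf shown above would carry the explicit domain-to-realm mappings the reply refers to. It assumes the AD forest root is example.com, that realm names are the DNS domain names in upper case, and that the same mappings are present on both the sub1 client and the sub2 host (each with its own default_realm).

```ini
# Added example of /etc/krb5.conf for a host in sub2.example.com.
# Assumption: forest root example.com, trusted child domains sub1 and sub2.
# Pulls in the domain_realm_* files SSSD writes for trusted domains it discovers.
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = SUB2.EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false

[domain_realm]
# The host's own domain.
 .sub2.example.com = SUB2.EXAMPLE.COM
 sub2.example.com = SUB2.EXAMPLE.COM
# Trusted domains whose users log in here and whose hosts we log in to.
# Without a mapping (or a _kerberos TXT record for the domain), a client maps
# a foreign hostname to its own default_realm and the cross-realm request fails.
 .sub1.example.com = SUB1.EXAMPLE.COM
 sub1.example.com = SUB1.EXAMPLE.COM
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
```

The includedir line matters on its own: SSSD's AD provider writes domain_realm_<domain> files into /var/lib/sss/pubconf/krb5.include.d/ for the trusted domains it discovers, but libkrb5 only reads them when krb5.conf includes that directory.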