I am using an IdM setup which has AD trust configured.

IPADEV.EXAMPLE.LOCAL is the IPA realm
EXAMPLE.LOCAL is the AD realm

I can ssh to both IPA servers with AD credentials, but cannot ssh to the IPA
clients. I have enabled debug for almost all services in sssd, and the only one
which seems to be related to the issue is this one:

[[sssd[krb5_child[29926]]]] [sss_child_krb5_trace_cb] (0x4000): [29926] 1619534544.375456: Getting initial credentials for user.email\@COMPANY.COM@IPADEV.EXAMPLE.LOCAL

[[sssd[krb5_child[29926]]]] [get_and_save_tgt] (0x0020): 1695: [-1765328378][Client 'user.em...@company.com@IPADEV.EXAMPLE.LOCAL' not found in Kerberos database]

What I do not understand is why it uses the UPN (in the user.email format) to
query for the user.

I can run id, getent passwd, etc and all userids/gids are resolved. 

I have tried many settings in sssd.conf, both on the client and server side,
but none of them helped.

Below are the sssd.conf and krb5.conf from the client:

sssd.conf
========
[domain/ipadev.example.local]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipadev.example.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = ipadev02.example.local
chpass_provider = ipa
ipa_server = _srv_, ipadev04.example.local, ipadev05.example.local
#dns_discovery_domain = ipadev.example.local
debug_level = 9
krb5_auth_timeout = 30
[sssd]
domain_resolution_order = example.local, ipadev.example.local
services = nss, sudo, pam, ssh, ifp

domains = ipadev.example.local
debug_level = 9
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]
debug_level = 9

[pac]

[ifp]

[secrets]

[session_recording]

krb5.conf
========
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPADEV.EXAMPLE.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  IPADEV.EXAMPLE.LOCAL = {
    kdc = ipadev04.example.local:88
    master_kdc = ipadev04.example.local:88
    admin_server = ipadev04.example.local:749
    kpasswd_server = ipadev04.example.local:464
    kdc = ipadev05.example.local:88
    master_kdc = ipadev05.example.local:88
    admin_server = ipadev05.example.local:749
    kpasswd_server = ipadev05.example.local:464
    default_domain = ipadev.example.local
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }


[domain_realm]
  .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev02.example.local = IPADEV.EXAMPLE.LOCAL
  .example.local = IPADEV.EXAMPLE.LOCAL
  example.local = IPADEV.EXAMPLE.LOCAL
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
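As an added triage aid (not part of the original post or of SSSD), the script below parses krb5_child trace lines of the shape quoted above, splits the requested client principal at its last unescaped "@", and flags when the name part is an escaped UPN (an enterprise principal, marked by "\@") whose suffix differs from the realm the AS request was sent to. The sample log is constructed from the lines in the post, with the truncated principal written out in full.

```python
import re

# Constructed sample, shaped like the krb5_child trace lines quoted in the post.
SAMPLE_LOG = r"""
[[sssd[krb5_child[29926]]]] [sss_child_krb5_trace_cb] (0x4000): [29926] 1619534544.375456: Getting initial credentials for user.email\@COMPANY.COM@IPADEV.EXAMPLE.LOCAL
[[sssd[krb5_child[29926]]]] [get_and_save_tgt] (0x0020): 1695: [-1765328378][Client 'user.email\@COMPANY.COM@IPADEV.EXAMPLE.LOCAL' not found in Kerberos database]
"""

INITIAL_CREDS_RE = re.compile(r"Getting initial credentials for (\S+)")
# krb5 error code in brackets followed by the message in brackets at end of line
KDC_ERROR_RE = re.compile(r"\[(-?\d+)\]\[(.*?)\]$")


def split_principal(principal):
    """Split 'name@REALM' at the last unescaped '@'.

    A backslash-escaped '\\@' inside the name means the name part is a whole
    UPN, i.e. an enterprise principal. Returns (upn, realm, is_enterprise).
    """
    i = principal.rfind("@")
    name, realm = principal[:i], principal[i + 1:]
    is_enterprise = "\\@" in name
    return name.replace("\\@", "@"), realm, is_enterprise


def triage(log):
    """Collect AS requests (with UPN suffix vs. requested realm check) and
    KDC error codes from krb5_child trace output."""
    findings = []
    for line in log.splitlines():
        m = INITIAL_CREDS_RE.search(line)
        if m:
            upn, realm, ent = split_principal(m.group(1))
            suffix = upn.rsplit("@", 1)[1] if ent else None
            findings.append({
                "kind": "as_request",
                "upn": upn,
                "enterprise": ent,
                "requested_realm": realm,
                # True when the UPN suffix is not the realm that was asked
                "suffix_realm_mismatch": ent and suffix.upper() != realm.upper(),
            })
            continue
        m = KDC_ERROR_RE.search(line)
        if m:
            findings.append({"kind": "kdc_error", "code": int(m.group(1)),
                             "message": m.group(2)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```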