hi,

at work we are having *interesting* problems with our migration from idm
servers running rhel 7 to new rhel 8 idm servers.

We have an AD -> idm trust in place, this is working properly.

AD is domain.local
IDM is idm.domain.local

We add replicas to the set, and this runs properly. No replication errors.

Basically the problem is we cannot log in to newly joined systems running
rhel 8 as trusted users from AD.

We have a new rhel 8 idm server which also has the trust agent and trust
controller roles installed.

We want to log in as a trusted AD user to a rhel 8 host which has this new
rhel 8 idm server as its ipa host; we have forced it using this sssd.conf:

[domain/idm.domain.local]

id_provider = ipa
ipa_server = ds.idm.domain.local
ipa_domain = idm.domain.local
ipa_hostname = host.idm.domain.local
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
dyndns_update = True
dyndns_iface = ens192
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo

domains = idm.domain.local
full_name_format = %1$s
debug = 9
[nss]
homedir_substring = /home
override_homedir = /home/%u

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[session_recording]


We also modified krb5.conf on the client to find the IDM realm only on the
rhel 8 idm server, not the rhel 7. So we disabled srv dns autodiscovery for
the IDM.DOMAIN.LOCAL realm:

# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
[libdefaults]
  default_realm = IDM.DOMAIN.LOCAL
  dns_lookup_realm = true
  rdns = false
  dns_canonicalize_hostname = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  IDM.DOMAIN.LOCAL = {
    kdc = ds.idm.domain.local:88
    master_kdc = ds.idm.domain.local:88
    admin_server = ds.idm.domain.local:749
    kpasswd_server = ds.idm.domain.local:464
    default_domain = idm.domain.local
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }


[domain_realm]
  .idm.domain.local = IDM.DOMAIN.LOCAL
  idm.domain.local = IDM.DOMAIN.LOCAL
  host.idm.domain.local = IDM.DOMAIN.LOCAL

On the rhel 8 client, I can kinit with the host keytab; this works, I get a
ticket with the host principal.

I can also kinit using a trusted AD user, this works, I get a ticket of the
AD domain.

But as soon as I try logging in from ssh, it does not work. It does not
recognize the user.

Running id trusteduser@ad does not work either (no such user).

I have run out of ideas, to be honest. I do not know how to troubleshoot
this anymore. The rhel8 idm server finds the users, I can log in there
without any problem too thanks to the rbac rules, but this rhel8 client
simply will not see the users.

Any ideas?

Thanks in advance.




--
Groeten,
natxo
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue