Hmm, so if this is the [realms] section of my /etc/krb5.conf, what do I have to do?

[realms]
 IPADOMAIN.NET = {
  kdc = dc1.ipadomain.net:88
  master_kdc = dc1.ipadomain.net:88
  admin_server = dc1.ipadomain.net:749
  default_domain = ipadomain.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@SUB.ADDOMAIN.NET$)s/@SUB.ADDOMAIN.NET/@sub.addomain.net/
  auth_to_local = DEFAULT
 }

Would I just literally copy that section and change the names? e.g.:

 SUB.ADDOMAIN.NET = {
  kdc = dc1.ipadomain.net:88
  master_kdc = dc1.ipadomain.net:88
  admin_server = dc1.ipadomain.net:749
  default_domain = ipadomain.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@SUB.ADDOMAIN.NET$)s/@SUB.ADDOMAIN.NET/@sub.addomain.net/
  auth_to_local = DEFAULT
 }

> On Tue, May 05, 2015 at 09:09:51AM -0700, nat...@nathanpeters.com wrote:
>> I am having some strange issues after upgrade from FreeIPA 4.1.2 to
>> 4.1.3/4.1.4 on CentOS 7.
>>
>> Here is my setup:
>> FreeIPA domain : ipadomain.net
>> Trusted AD domain : sub.addomain.net
>>
>> In my AD domain, we have our UPN set to addomain.net so users typically
>> login as usern...@addomain.net instead of usern...@sub.addomain.net.
>>
>> In my /etc/sssd/sssd.conf on the ipa dc I have the following values set:
>> use_fully_qualified_names = True
>> [sssd]
>> default_domain_suffix = sub.addomain.net
>>
>> This is what I see in the logs when I attempt to login as 'username'
>> (with no domain):
>>
>> May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]: Cannot find KDC for realm "ADDOMAIN.NET"
>> May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]: Cannot find KDC for realm "ADDOMAIN.NET"
>> May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
>> May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth): received for user username: 4 (System error)
>> May 05 15:36:53 ipadc1.ipadomain.net sshd[4373]: Failed password for username from 10.5.5.57 port 53118 ssh2
>>
>> However, if in AD I switch the UPN on 'username' to the default of
>> 'sub.addomain.net' I get a successful login:
>>
>> May 04 23:10:57 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
>> May 04 23:10:58 ipadc1.ipadomain.net sshd[2293]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
>> May 04 23:11:01 ipadc1.ipadomain.net sshd[2293]: Accepted password for username from 10.5.5.57 port 46077 ssh2
>> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting user-1539201103.slice.
>> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Created slice user-1539201103.slice.
>> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting Session 3 of user usern...@sub.addomain.net.
>> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Started Session 3 of user usern...@sub.addomain.net.
>> May 04 23:11:01 ipadc1.ipadomain.net systemd-logind[716]: New session 3 of user usern...@sub.addomain.net.
>> May 04 23:11:02 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:session): session opened for user username by (uid=0)
>>
>> As a temporary workaround I set dns_lookup_kdc = false in my
>> /etc/krb5.conf file and that worked to allow me to login with just
>> 'username' but even after a successful login, I was seeing those 'cannot
>> find KDC for realm' message in the log.
>>
>> Is there a proper way to allow people from a trusted AD domain to login
>> with their alternative UPNs?
>
> I'm afraid currently the only way of doing this is by adding an ADDOMAIN.NET
> section to the realms section of /etc/krb5.conf on all IPA clients and
> servers.
>
> Although SSSD as a client in an AD domain can handle those UPNs there is
> a missing part on the FreeIPA server side which is needed to make it
> work. The item is tracked in
> https://fedorahosted.org/freeipa/ticket/3559 .
>
> Since the UPN-suffix can be freely chosen, i.e. it does not have to be a
> DNS domain, the client will ask its local KDC with a special so-called
> enterprise principal if it knows about this UPN suffix, and if the KDC
> knows about it, it will tell the client where to ask for it. If ticket
> #3559 gets implemented the entry in /etc/krb5.conf would not be needed
> anymore.
>
> HTH
>
> bye,
> Sumit

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
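As an added example that is not part of this thread (my own code, not FreeIPA's or SSSD's): a small check that parses the [realms] section of a krb5.conf and reports which expected realms have no kdc entry, which is the situation behind the "Cannot find KDC for realm" messages above when the UPN suffix realm ADDOMAIN.NET is missing. The sample configuration is constructed from the section quoted above; the realm list passed to the check is an assumption.

```python
# Added example, not code from the thread, FreeIPA or SSSD: parse the
# [realms] section of krb5.conf and report realms that have no kdc= entry,
# so an admin can see that the UPN suffix realm ADDOMAIN.NET is not
# covered before relying on DNS or on the dns_lookup_kdc = false workaround.
import re

# Constructed sample modelled on the [realms] section quoted in the thread.
SAMPLE_KRB5_CONF = """\
[realms]
 IPADOMAIN.NET = {
  kdc = dc1.ipadomain.net:88
  master_kdc = dc1.ipadomain.net:88
  admin_server = dc1.ipadomain.net:749
  default_domain = ipadomain.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@SUB.ADDOMAIN.NET$)s/@SUB.ADDOMAIN.NET/@sub.addomain.net/
  auth_to_local = DEFAULT
 }
"""

def parse_realms(text):
    """Return {REALM: {key: [values]}} for the [realms] section; repeated
    keys such as auth_to_local accumulate in order."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1].lower(), None
            continue
        if section != "realms":
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*\{$", line)   # "REALM = {" opens a block
        if m:
            current = realms.setdefault(m.group(1), {})
            continue
        if line == "}":
            current = None
            continue
        if current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return realms

def missing_kdc_realms(text, wanted):
    """Realms from `wanted` with no kdc= entry in the [realms] section."""
    realms = parse_realms(text)
    return [r for r in wanted if not realms.get(r, {}).get("kdc")]
```

Running `missing_kdc_realms(SAMPLE_KRB5_CONF, ["IPADOMAIN.NET", "ADDOMAIN.NET"])` on the sample reports ADDOMAIN.NET as unconfigured, which is the realm the client would otherwise try to locate through DNS.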