On Tue, May 05, 2015 at 09:53:38AM -0700, nat...@nathanpeters.com wrote:
> Hmm, so if this is the [realms] section of my /etc/krb5.conf what do I
> have to do ?
>
> [realms]
> IPADOMAIN.NET = {
>   kdc = dc1.ipadomain.net:88
>   master_kdc = dc1.ipadomain.net:88
>   admin_server = dc1.ipadomain.net:749
>   default_domain = ipadomain.net
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>   auth_to_local = RULE:[1:$1@$0](^.*@SUB.ADDOMAIN.NET$)s/@SUB.ADDOMAIN.NET/@sub.addomain.net/
>   auth_to_local = DEFAULT
> }
>
> Would I just literally copy that section and change the names?
> eg:
>
> SUB.ADDOMAIN.NET = {
>   kdc = dc1.ipadomain.net:88
>   master_kdc = dc1.ipadomain.net:88
>   admin_server = dc1.ipadomain.net:749
>   default_domain = ipadomain.net

you should add the AD DC and AD realm here

The following lines you can just drop.

HTH

bye,
Sumit

>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>   auth_to_local = RULE:[1:$1@$0](^.*@SUB.ADDOMAIN.NET$)s/@SUB.ADDOMAIN.NET/@sub.addomain.net/
>   auth_to_local = DEFAULT
> }
>
>
> > On Tue, May 05, 2015 at 09:09:51AM -0700, nat...@nathanpeters.com wrote:
> >> I am having some strange issues after upgrade from FreeIPA 4.1.2 to
> >> 4.1.3/4.1.4 on CentOS 7.
> >>
> >> Here is my setup:
> >> FreeIPA domain : ipadomain.net
> >> Trusted AD domain : sub.addomain.net
> >>
> >> In my AD domain, we have our UPN set to addomain.net so users typically
> >> login as usern...@addomain.net instead of usern...@sub.addomain.net.
> >>
> >> In my /etc/sssd/sssd.conf on the ipa dc I have the following values set:
> >> use_fully_qualified_names = True
> >> [sssd]
> >> default_domain_suffix = sub.addomain.net
> >>
> >>
> >> This is what I see in the logs when I attempt to login as 'username'
> >> (with no domain):
> >>
> >> May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]: Cannot find KDC for realm "ADDOMAIN.NET"
> >> May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]: Cannot find KDC for realm "ADDOMAIN.NET"
> >> May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
> >> May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth): received for user username: 4 (System error)
> >> May 05 15:36:53 ipadc1.ipadomain.net sshd[4373]: Failed password for username from 10.5.5.57 port 53118 ssh2
> >>
> >> However, if in AD I switch the UPN on 'username' to the default of
> >> 'sub.addomain.net' I get a successful login:
> >>
> >> May 04 23:10:57 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
> >> May 04 23:10:58 ipadc1.ipadomain.net sshd[2293]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
> >> May 04 23:11:01 ipadc1.ipadomain.net sshd[2293]: Accepted password for username from 10.5.5.57 port 46077 ssh2
> >> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting user-1539201103.slice.
> >> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Created slice user-1539201103.slice.
> >> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting Session 3 of user usern...@sub.addomain.net.
> >> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Started Session 3 of user usern...@sub.addomain.net.
> >> May 04 23:11:01 ipadc1.ipadomain.net systemd-logind[716]: New session 3 of user usern...@sub.addomain.net.
> >> May 04 23:11:02 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:session): session opened for user username by (uid=0)
> >>
> >> As a temporary workaround I set dns_lookup_kdc = false in my
> >> /etc/krb5.conf file and that worked to allow me to login with just
> >> 'username' but even after a successful login, I was seeing those 'cannot
> >> find KDC for realm' message in the log.
> >>
> >> Is there a proper way to allow people from a trusted AD domain to login
> >> with their alternative UPNs?
> >
> > I'm afraid currently the only way of doing this is by adding an ADDOMAIN.NET
> > section to the realms section of /etc/krb5.conf to all IPA clients and
> > servers.
> >
> > Although SSSD as a client in an AD domain can handle those UPNs there is
> > a missing part on the FreeIPA server side which is needed to make it
> > work. The item is tracked in
> > https://fedorahosted.org/freeipa/ticket/3559 .
> >
> > Since the UPN-suffix can be freely chosen, i.e. it does not have to be a
> > DNS domain, the client will ask its local KDC with a special so called
> > enterprise principal if it knows about this UPN suffix and if the KDC
> > knows about it it will tell the client where to ask for it. If ticket
> > #3559 gets implemented the entry in /etc/krb5.conf would not be needed
> > anymore.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> >>
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go to http://freeipa.org for more info on the project
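A small check, added here and not part of the thread nor of SSSD or FreeIPA, that cross-references the "Cannot find KDC for realm" messages from krb5_child against the [realms] section of krb5.conf, so a realm that still needs its own entry (ADDOMAIN.NET in this thread) is reported by name; the config and journal lines are constructed from the ones quoted above.

```python
import re

# Constructed sample [realms] section, modelled on the questioner's file in
# the thread: only the IPA realm is defined, so ADDOMAIN.NET has no KDC entry.
KRB5_CONF = """\
[realms]
 IPADOMAIN.NET = {
  kdc = dc1.ipadomain.net:88
  master_kdc = dc1.ipadomain.net:88
  admin_server = dc1.ipadomain.net:749
  auth_to_local = DEFAULT
 }
"""

# Constructed journal lines, modelled on the failed login in the thread.
LOG = """\
May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]: Cannot find KDC for realm "ADDOMAIN.NET"
May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]: Cannot find KDC for realm "ADDOMAIN.NET"
May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth): received for user username: 4 (System error)
"""
KDC_MISSING = re.compile(r'Cannot find KDC for realm "([^"]+)"')
REALM_OPEN = re.compile(r'([A-Za-z0-9.\-]+)\s*=\s*\{')

def realms_with_kdc(conf):
    """Realm names in [realms] that define at least one 'kdc =' line."""
    found, section, current = {}, None, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('['):               # new section header
            section = line.strip('[]').lower()
        elif section != 'realms':
            continue
        elif REALM_OPEN.match(line):           # REALM = {
            current = REALM_OPEN.match(line).group(1).upper()
            found.setdefault(current, 0)
        elif line == '}':
            current = None
        elif current and line.split('=', 1)[0].strip() == 'kdc':
            found[current] += 1
    return {r for r, n in found.items() if n}

def missing_realms(conf, log):
    # Realms the KDC lookup failed for that have no kdc entry in krb5.conf.
    wanted = {r.upper() for r in KDC_MISSING.findall(log)}
    return sorted(wanted - realms_with_kdc(conf))

if __name__ == '__main__':
    for realm in missing_realms(KRB5_CONF, LOG):
        print(f'{realm}: no kdc in [realms]; add the AD DC for this realm')
```

Feeding it the real /etc/krb5.conf and the output of journalctl for sshd and sssd turns the two log lines above into a single actionable line naming the realm to add.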