On 05/06/2015 02:15 PM, nat...@nathanpeters.com wrote:
Ok, I have attempted to set this up by adding the AD domain to my
configuration and it still isn't working.
I just want to confirm what I'm trying to accomplish here before I list
what I've done to troubleshoot this.

We have an AD domain called corp.addomain.net.  We have UPNs set so AD
users login to the AD domain as adusern...@addomain.net when they login to
windows machines.

The linux clients in our network are currently just using straight up
kerberos authentication against the domain and can currently login as
'username' without entering any suffix.

Because this means we can't control sudo policies centrally by our current
direct kerberos connection, we want to switch to logging in through
FreeIPA.
I need to be clear that we want to maintain the current logins of just
'username' on Linux servers.

To accomplish this, I added the following line to the sssd.conf file:
default_domain_suffix = corp.addomain.net

I am not by any means a specialist here, but shouldn't it be the actual suffix that is appended to the user name, i.e.

default_domain_suffix = addomain.net

I have tried 3 different combinations of kerberos config to try to get the
logins to work, but am running into errors in each case.  I have tried to
follow the suggestions given earlier in this thread.  Here are the 3
krb.conf configurations I tried and the errors given on each try.

-------------- configuration 1 -------------------

[realms]
  IPADOMAIN.NET = {
   kdc = dc1.ipadomain.net:88
   master_kdc = dc1.ipadomain.net:88
   admin_server = dc1.ipadomain.net:749
   default_domain = ipadomain.net
   pkinit_anchors = FILE:/etc/ipa/ca.crt
   auth_to_local =
RULE:[1:$1@$0](^.*@CORP.ADDOMAIN.NET$)s/@CORP.ADDOMAIN.NET/@corp.addomain.net/
   auth_to_local = DEFAULT
}
CORP.ADDOMAIN.NET = {
   kdc = dc3.corp.addomain.net:88
   master_kdc = dc3.corp.addomain.net:88
}

[domain_realm]
  .ipadomain.net = IPADOMAIN.NET
  ipadomain.net = IPADOMAIN.NET
  .corp.addomain.net = CORP.ADDOMAIN.NET
  corp.addomain.net = CORP.ADDOMAIN.NET


May 06 16:43:53 dc1.ipadomain.net [sssd[krb5_child[7512]]][7512]: Cannot
find KDC for realm "ADDOMAIN.NET"
May 06 16:43:53 dc1.ipadomain.net [sssd[krb5_child[7512]]][7512]: Cannot
find KDC for realm "ADDOMAIN.NET"
May 06 16:43:53 dc1.ipadomain.net sshd[7508]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.5.5.57 user=adusername
May 06 16:43:53 dc1.ipadomain.net sshd[7508]: pam_sss(sshd:auth): received
for user adusername: 4 (System error)
May 06 16:43:55 dc1.ipadomain.net sshd[7508]: Failed password for
adusername from 10.5.5.57 port 1832 ssh2

----------- configuration 2 ----------------

Notes : since the above error seemed to imply that I needed to add the
'UPN realm' to the [realms] section I tried to add it.

[realms]
  IPADOMAIN.NET = {
   kdc = dc1.ipadomain.net:88
   master_kdc = dc1.ipadomain.net:88
   admin_server = dc1.ipadomain.net:749
   default_domain = ipadomain.net
   pkinit_anchors = FILE:/etc/ipa/ca.crt
   auth_to_local =
RULE:[1:$1@$0](^.*@CORP.ADDOMAIN.NET$)s/@CORP.ADDOMAIN.NET/@corp.addomain.net/
   auth_to_local = DEFAULT

}
  ADDOMAIN.NET = {
   kdc = dc3.corp.addomain.net:88
   master_kdc = dc3.corp.addomain.net:88
}

[domain_realm]
  .ipadomain.net = IPADOMAIN.NET
  ipadomain.net = IPADOMAIN.NET
  addomain.net = ADDOMAIN.NET
  .addomain.net = ADDOMAIN.NET

May 06 16:48:32 dc1.ipadomain.net [sssd[krb5_child[7546]]][7546]: Realm
not local to KDC
May 06 16:48:32 dc1.ipadomain.net [sssd[krb5_child[7546]]][7546]: Realm
not local to KDC
May 06 16:48:32 dc1.ipadomain.net sshd[7542]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.5.5.57 user=adusername
May 06 16:48:32 dc1.ipadomain.net sshd[7542]: pam_sss(sshd:auth): received
for user adusername: 4 (System error)
May 06 16:48:34 dc1.ipadomain.net sshd[7542]: Failed password for
adusername from 10.5.5.57 port 1870 ssh2

---- configuration 3 -----
Notes : Since the error message given in the second try indicated that the
realm wasn't local, I thought it might need both variations to recognize
it as local.

[realms]
  IPADOMAIN.NET = {
   kdc = dc1.ipadomain.net:88
   master_kdc = dc1.ipadomain.net:88
   admin_server = dc1.ipadomain.net:749
   default_domain = ipadomain.net
   pkinit_anchors = FILE:/etc/ipa/ca.crt
}
  ADDOMAIN.NET = {
   kdc = dc3.corp.addomain.net:88
   master_kdc = dc3.corp.addomain.net:88
}

  CORP.ADDOMAIN.NET = {
   kdc = dc3.corp.addomain.net:88
   master_kdc = dc3.corp.addomain.net:88
}

[domain_realm]
  .ipadomain.net = IPADOMAIN.NET
  ipadomain.net = IPADOMAIN.NET
  addomain.net = ADDOMAIN.NET
  .addomain.net = ADDOMAIN.NET
  corp.addomain.net = CORP.ADDOMAIN.NET
  .corp.addomain.net = CORP.ADDOMAIN.NET

May 06 16:56:25 dc1.ipadomain.net [sssd[krb5_child[7664]]][7664]: Realm
not local to KDC
May 06 16:56:25 dc1.ipadomain.net [sssd[krb5_child[7664]]][7664]: Realm
not local to KDC
May 06 16:56:25 dc1.ipadomain.net sshd[7660]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.5.5.57 user=adusername
May 06 16:56:25 dc1.ipadomain.net sshd[7660]: pam_sss(sshd:auth): received
for user adusername: 4 (System error)
May 06 16:56:28 dc1.ipadomain.net sshd[7660]: Failed password for
adusername from 10.5.5.57 port 1964 ssh2



If you want to look up user data like e.g. the UID or the home
directory, the IPA client will talk to the IPA server exclusively; if the
server does not know about the requested AD user it will try to get this
information from an AD DC.

For authentication this is different, because only the AD DC should know
the password of the user. Hence authentication and password changes as
well are done directly with the AD DC.

Also this page here :
https://www.freeipa.org/page/Active_Directory_trust_setup

does not list having to add the AD domain in the krb5.conf.  Is that not
necessary in the example because they are not using a different UPN for
their users like we are?
Yes, it is because of the UPN in your case. As I said before, this
special entry in krb5.conf would not be needed anymore if the IPA KDC
supported Kerberos client referrals for the trusted domains. Adding
the entry to krb5.conf is only a work-around here.

bye,
Sumit




--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
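An added example to make the two krb5.conf mechanisms the three configurations above exercise concrete. This is not code from the thread, FreeIPA or MIT Kerberos; it is a small Python model of (a) the static [realms] KDC lookup and (b) evaluation of auth_to_local RULE/DEFAULT entries, run over a constructed copy of "configuration 1" (the mail-wrapped auth_to_local line rejoined onto one line). It assumes no DNS SRV fallback for KDC discovery, so a realm missing from [realms] yields no KDC, which is the situation behind the "Cannot find KDC for realm "ADDOMAIN.NET"" error when the UPN realm is not configured.

```python
"""Model of krb5.conf [realms] lookup and auth_to_local mapping.

Added example for the thread, not code from FreeIPA or MIT krb5.
The rule semantics follow the MIT description: RULE:[n:fmt](sel)s/p/r/g
selects principals with n components, formats fmt with $0 = realm and
$1..$n = components, requires sel to match the whole string, then applies
the sed-style substitution. DEFAULT strips the realm only for local users.
"""
import re

# Constructed sample: the [realms] section of "configuration 1" from the
# thread, with the wrapped auth_to_local line rejoined.
KRB5_CONF = """
[realms]
  IPADOMAIN.NET = {
   kdc = dc1.ipadomain.net:88
   master_kdc = dc1.ipadomain.net:88
   admin_server = dc1.ipadomain.net:749
   default_domain = ipadomain.net
   auth_to_local = RULE:[1:$1@$0](^.*@CORP.ADDOMAIN.NET$)s/@CORP.ADDOMAIN.NET/@corp.addomain.net/
   auth_to_local = DEFAULT
  }
  CORP.ADDOMAIN.NET = {
   kdc = dc3.corp.addomain.net:88
   master_kdc = dc3.corp.addomain.net:88
  }
"""


def parse_realms(text):
    """Return {realm: {key: [values]}} for the [realms] section.

    Minimal parser: one 'key = value' per line, braces delimit a realm,
    repeated keys (auth_to_local) are kept in order.
    """
    realms, current, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        if line.startswith('['):
            in_section = line == '[realms]'
            continue
        if not in_section:
            continue
        if line.endswith('{'):
            current = line.split('=', 1)[0].strip()
            realms[current] = {}
        elif line == '}':
            current = None
        elif current and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            realms[current].setdefault(key, []).append(value)
    return realms


def find_kdc(realms, realm):
    """Static KDC lookup. None models 'Cannot find KDC for realm' when
    the realm is absent and no DNS SRV fallback exists (assumption)."""
    entry = realms.get(realm)
    return entry['kdc'][0] if entry and 'kdc' in entry else None


# RULE:[n:fmt](selector)s/pattern/replacement/g  (selector and s/// optional)
RULE_RE = re.compile(
    r'RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/(.*?)/(.*?)/(g?))?$')


def apply_auth_to_local(rules, principal, local_realm):
    """Evaluate auth_to_local values in order; first match wins.
    Returns the local name, or None when no rule maps the principal."""
    name, realm = principal.rsplit('@', 1)
    components = name.split('/')
    for rule in rules:
        if rule == 'DEFAULT':
            if realm == local_realm:
                return name
            continue
        m = RULE_RE.fullmatch(rule)
        if not m:
            raise ValueError('unparsable auth_to_local rule: ' + rule)
        n, fmt, selector, pat, rep, flag = m.groups()
        if int(n) != len(components):
            continue
        s = fmt.replace('$0', realm)
        for i, comp in enumerate(components, 1):
            s = s.replace('$%d' % i, comp)
        if selector is not None and not re.fullmatch(selector, s):
            continue
        if pat is not None:
            s = re.sub(pat, rep, s, count=0 if flag else 1)
        return s
    return None


if __name__ == '__main__':
    realms = parse_realms(KRB5_CONF)
    rules = realms['IPADOMAIN.NET']['auth_to_local']
    for r in ('CORP.ADDOMAIN.NET', 'ADDOMAIN.NET'):
        print('KDC for %s: %s' % (r, find_kdc(realms, r)))
    for p in ('adusername@CORP.ADDOMAIN.NET', 'adusername@ADDOMAIN.NET',
              'admin@IPADOMAIN.NET'):
        print('%s -> %s' % (p, apply_auth_to_local(rules, p, 'IPADOMAIN.NET')))
```

Running it shows that the posted RULE only rewrites principals whose realm is CORP.ADDOMAIN.NET, that a principal carrying the UPN realm ADDOMAIN.NET matches neither the RULE nor DEFAULT, and that configuration 1 has no KDC entry for ADDOMAIN.NET at all, which is why adding the UPN realm to [realms] and [domain_realm] was the next thing tried.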

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project