I have created a trust between my FreeIPA domain and an Active Directory domain. I can get a Kerberos ticket properly from the other domain at the command line on the IPA server. I have also created sudo and HBAC rules to allow my AD users to log on to the IPA domain controller using the recommended nested external group setup. However, I cannot actually log in to the machines.
I should note that our AD domain is office.mydomain.net, but we use alternative UPN suffixes so the usernames are u...@mydomain.net. I read the patch notes and apparently support for client referrals that will allow alternate UPN suffixes in trusted domains was added in FreeIPA 4.2.1. Is there anything special I need to do to configure it beyond the creation of the original trust? Do I need to set special options in krb5.conf or sssd.conf to get it to work?

==============Kinit works==========================

[root@dc1-ipa-dev-nvan log]# kinit nathan.pet...@office.mydomain.net
Password for nathan.pet...@office.mydomain.net:
[root@dc1-ipa-dev-nvan log]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_V7hjacL
Default principal: nathan.pet...@office.mydomain.net

Valid starting       Expires              Service principal
16/02/16 14:05:33    17/02/16 14:05:30    krbtgt/office.mydomain....@office.mydomain.net

============/var/log/messages during login failure===============

Feb 16 14:10:14 dc1-ipa-dev-nvan audit: CRYPTO_SESSION pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 mac=hmac-sha2-256 pfs=diffie-hellman-group14-sha1 spid=2020 suid=74 rport=9577 laddr=10.178.0.99 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:20 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=gssapi acct="nathan.pet...@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="nathan.pet...@mydomain.net" exe="/usr/sbin/sshd" hostname=10.8.134.154 addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="nathan.pet...@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:28:cf:eb:e1:3f:61:00:c5:ff:62:da:54:cc:bb:62:7c:e5:07:d1:3a:62:9e:7c:c0:3b:bc:8e:08:90:9a:9b:83 direction=? spid=2020 suid=74 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=2020 suid=74 rport=9577 laddr=10.178.0.99 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:f2:5c:54:6f:2a:0e:38:19:8c:e4:94:ef:53:2e:9b:ce:07:7f:bb:af:e0:65:7d:11:82:30:cf:03:0d:35:1b:ca direction=? spid=2019 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:4b:0e:be:22:b5:28:65:28:72:90:5b:81:70:99:ff:47:5d:3c:90:a8:81:12:d1:1f:a0:e7:a3:d0:29:d1:25:1e direction=? spid=2019 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:28:cf:eb:e1:3f:61:00:c5:ff:62:da:54:cc:bb:62:7c:e5:07:d1:3a:62:9e:7c:c0:3b:bc:8e:08:90:9a:9b:83 direction=? spid=2019 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: USER_LOGIN pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="nathan.pet...@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'

===================/var/log/secure during login failure=======================

Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Registered Authentication Agent for unix-process:1968:182654681 (system bus name :1.222 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8)
Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Unregistered Authentication Agent for unix-process:1968:182654681 (system bus name :1.222, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8) (disconnected from bus)
Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Registered Authentication Agent for unix-process:1979:182654684 (system bus name :1.223 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8)
Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Unregistered Authentication Agent for unix-process:1979:182654684 (system bus name :1.223, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8) (disconnected from bus)
Feb 16 14:10:02 dc1-ipa-dev-nvan sshd[2006]: Connection closed by 10.21.2.100 [preauth]
Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.134.154 user=nathan.pet...@mydomain.net
Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): received for user nathan.pet...@mydomain.net: 4 (System error)
Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: Failed password for nathan.pet...@mydomain.net from 10.8.134.154 port 9577 ssh2
Feb 16 14:10:25 dc1-ipa-dev-nvan sshd[2019]: error: Received disconnect from 10.8.134.154: 13: Unable to authenticate [preauth]
Feb 16 14:10:25 dc1-ipa-dev-nvan sshd[2019]: Disconnected from 10.8.134.154 [preauth]
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
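The audit records above show the same sshd session (pid 2019) failing gssapi, PAM and password authentication in turn for an account whose suffix (mydomain.net) differs from the Kerberos realm that kinit succeeded against (office.mydomain.net). The following triage helper, added here as an example and not code from the post or from FreeIPA, parses such audit lines, groups USER_AUTH/USER_LOGIN records per sshd pid, and flags sessions where the login name's suffix is not one of the trusted realms. The sample lines, the user jdoe and the realm list are constructed.

```python
import re
from collections import defaultdict

# Constructed audit records modelled on the post's /var/log/messages output
# (not the original log): one failing session using the alternate UPN suffix,
# and one succeeding session using the real Kerberos realm.
SAMPLE_LOG = """\
Feb 16 14:10:20 dc1 audit: USER_AUTH pid=2019 uid=0 msg='op=gssapi acct="jdoe@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:23 dc1 audit: USER_AUTH pid=2019 uid=0 msg='op=PAM:authentication grantors=? acct="jdoe@mydomain.net" exe="/usr/sbin/sshd" hostname=10.8.134.154 addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:23 dc1 audit: USER_AUTH pid=2019 uid=0 msg='op=password acct="jdoe@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:25 dc1 audit: USER_LOGIN pid=2019 uid=0 msg='op=login acct="jdoe@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:11:02 dc1 audit: USER_AUTH pid=2044 uid=0 msg='op=gssapi acct="jdoe@office.mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=success'
"""

# key=value pairs inside msg='...'; values may be double-quoted (acct, exe)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# record type, sshd pid and the quoted msg payload
TYPE_RE = re.compile(r"audit: (\w+) pid=(\d+) .*msg='(.*)'$")

def parse_audit_line(line):
    """Return a dict of fields for one audit record, or None if not one."""
    m = TYPE_RE.search(line)
    if not m:
        return None
    rec = {'type': m.group(1), 'pid': int(m.group(2))}
    for key, value in KV_RE.findall(m.group(3)):
        rec[key] = value.strip('"')
    return rec

def summarize(log_text, trusted_realms):
    """Group auth records per sshd pid and flag accounts whose @suffix is
    not a trusted Kerberos realm (i.e. an alternate UPN suffix)."""
    realms = {r.lower() for r in trusted_realms}
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec['type'] in ('USER_AUTH', 'USER_LOGIN'):
            sessions[rec['pid']].append(rec)
    report = {}
    for pid, recs in sessions.items():
        acct = recs[0].get('acct', '')
        suffix = acct.rsplit('@', 1)[1].lower() if '@' in acct else ''
        report[pid] = {
            'acct': acct,
            'ops': [(r['op'], r['res']) for r in recs],
            'all_failed': all(r['res'] == 'failed' for r in recs),
            'suffix_is_trusted_realm': suffix in realms,
        }
    return report
```

A session that is `all_failed` with `suffix_is_trusted_realm` false is the pattern in the post: the name reached sshd with the UPN suffix, while the only realm the host can obtain tickets for is office.mydomain.net.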