Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-07-10 Thread Jakub Hrozek
On Thu, Jul 09, 2015 at 08:59:11PM -0700, Angelo Pantano wrote: > I have the exact same problem, have a Windows AD that trusts IPA server and > an IPA client that connects to the IPA server via sssd. If I try to ssh on > the IPA client using an AD user it fails authentication. The same happens > if I

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-07-10 Thread Angelo Pantano
I have the exact same problem, have a Windows AD that trusts IPA server and an IPA client that connects to the IPA server via sssd. If I try to ssh on the IPA client using an AD user it fails authentication. The same happens if I try to su - ADuser. Basically IPA server is not correctly proxying the

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-07 Thread nathan
> On Wed, May 06, 2015 at 11:15:15AM -0700, nat...@nathanpeters.com wrote: >> Ok, I have attempted to set this up by adding the AD domain to my >> configuration and it still isn't working. >> I just want to confirm what I'm trying to accomplish here before I list >> what I've done to troubleshoot t

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-07 Thread Sumit Bose
On Wed, May 06, 2015 at 11:15:15AM -0700, nat...@nathanpeters.com wrote: > Ok, I have attempted to set this up by adding the AD domain to my > configuration and it still isn't working. > I just want to confirm what I'm trying to accomplish here before I list > what I've done to troubleshoot this. >

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-07 Thread nathan
> On 05/06/2015 12:14 AM, Nathan Peters wrote: >>> From this link : >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html#comp-trust-krb >> >> >> The diagram in that section shows the client communicating with >> Free

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-06 Thread nathan
> On 05/06/2015 02:15 PM, nat...@nathanpeters.com wrote: >> Ok, I have attempted to set this up by adding the AD domain to my >> configuration and it still isn't working. >> I just want to confirm what I'm trying to accomplish here before I list >> what I've done to troubleshoot this. >> >> We have

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-06 Thread Dmitri Pal
On 05/06/2015 02:15 PM, nat...@nathanpeters.com wrote: Ok, I have attempted to set this up by adding the AD domain to my configuration and it still isn't working. I just want to confirm what I'm trying to accomplish here before I list what I've done to troubleshoot this. We have an AD domain cal

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-06 Thread Dmitri Pal
Subject: Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues On Tue, May 05, 2015 at 02:21:40PM -0700, nat...@nathanpeters.com wrote: I'm a little confused by that. If I add the AD dc, will my client try to contact AD directly to get a ticket?

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-06 Thread nathan
Ok, I have attempted to set this up by adding the AD domain to my configuration and it still isn't working. I just want to confirm what I'm trying to accomplish here before I list what I've done to troubleshoot this. We have an AD domain called corp.addomain.net. We have UPNs set so AD users logi

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-05 Thread Sumit Bose
y, May 05, 2015 8:43 PM > To: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD > trust and UPN issues > > On Tue, May 05, 2015 at 02:21:40PM -0700, nat...@nathanpeters.com wrote: > >I'm a little confused by tha

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-05 Thread Nathan Peters
-Original Message- From: Jakub Hrozek Sent: Tuesday, May 05, 2015 8:43 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues On Tue, May 05, 2015 at 02:21:40PM -0700, nat...@nathanpeters.com wrote: I'

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-05 Thread Jakub Hrozek
On Tue, May 05, 2015 at 02:21:40PM -0700, nat...@nathanpeters.com wrote: > I'm a little confused by that. > > If I add the AD dc, will my client try to contact AD directly to get a > ticket? > > Doesn't it have to get the ticket through FreeIPA by proxy somehow? No, authentication is always p

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-05 Thread nathan
I'm a little confused by that. If I add the AD dc, will my client try to contact AD directly to get a ticket? Doesn't it have to get the ticket through FreeIPA by proxy somehow? And to confirm what you meant by add the AD dc and realm, it would be like this? SUB.ADDOMAIN.NET = { kdc = dc1.

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-05 Thread Sumit Bose
On Tue, May 05, 2015 at 09:53:38AM -0700, nat...@nathanpeters.com wrote: > Hmm, so if this is the [realms] section of my /etc/krb5.conf what do I > have to do ? > > [realms] > IPADOMAIN.NET = { > kdc = dc1.ipadomain.net:88 > master_kdc = dc1.ipadomain.net:88 > admin_server = dc1.ipadomain.n

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-05 Thread nathan
FYI, this is what I get when I added another realm section to my /etc/krb5.conf May 05 18:00:26 dc1.ipadomain.net [sssd[krb5_child[2792]]][2792]: Looping detected inside krb5_get_in_tkt May 05 18:00:26 dc1.ipadomain.net [sssd[krb5_child[2792]]][2792]: Looping detected inside krb5_get_in_tkt May 05

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-05 Thread nathan
Hmm, so if this is the [realms] section of my /etc/krb5.conf what do I have to do ? [realms] IPADOMAIN.NET = { kdc = dc1.ipadomain.net:88 master_kdc = dc1.ipadomain.net:88 admin_server = dc1.ipadomain.net:749 default_domain = ipadomain.net pkinit_anchors = FILE:/etc/ipa/ca.crt auth_to

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-05 Thread Sumit Bose
On Tue, May 05, 2015 at 09:09:51AM -0700, nat...@nathanpeters.com wrote: > I am having some strange issues after upgrade from FreeIPA 4.1.2 to > 4.1.3/4.1.4 on CentOS 7. > > Here is my setup: > FreeIPA domain : ipadomain.net > Trusted AD domain : sub.addomain.net > > In my AD domain, we have our

[Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-05 Thread nathan
I am having some strange issues after upgrade from FreeIPA 4.1.2 to 4.1.3/4.1.4 on CentOS 7. Here is my setup: FreeIPA domain : ipadomain.net Trusted AD domain : sub.addomain.net In my AD domain, we have our UPN set to addomain.net so users typically login as usern...@addomain.net instead of user