<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Verdana","sans-serif";
        color:#262626;
        font-weight:normal;
        font-style:normal;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-CA" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">I have created a trust between my FreeIPA domain and an Active Directory domain.  I can get a Kerberos ticket properly from the other domain at the command line on the IPA server.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">I have also created sudo and HBAC rules to allow my AD users to log on to the IPA domain controller using the recommended nested external group setup.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">However, I cannot actually log in to the machines.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">I should note that our AD domain is office.mydomain.net, but we use alternative UPN suffixes so the usernames are user@mydomain.net.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">I read the patch notes and apparently support for client referrals that will allow alternate UPN suffixes in trusted domains was added in FreeIPA 4.2.1.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Is there anything special I need to do to configure it beyond the creation of the original trust?  Do I need to set special options in krb5.conf or sssd.conf
 to get it to work?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">==============Kinit works==========================<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">[root@dc1-ipa-dev-nvan log]# kinit nathan.peters@OFFICE.MYDOMAIN.NET<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Password for nathan.peters@OFFICE.MYDOMAIN.NET:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">[root@dc1-ipa-dev-nvan log]# klist<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Ticket cache: KEYRING:persistent:0:krb_ccache_V7hjacL<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Default principal: nathan.peters@OFFICE.MYDOMAIN.NET<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Valid starting     Expires            Service principal<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">16/02/16 14:05:33  17/02/16 14:05:30  krbtgt/OFFICE.MYDOMAIN.NET@OFFICE.MYDOMAIN.NET<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">============/var/log/messages during login failure===============<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:10:14 dc1-ipa-dev-nvan audit: CRYPTO_SESSION pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes256-ctr ksize=256
 mac=hmac-sha2-256 pfs=diffie-hellman-group14-sha1 spid=2020 suid=74 rport=9577 laddr=10.178.0.99 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:10:20 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=gssapi acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd"
 hostname=? addr=10.8.134.154 terminal=ssh res=failed'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="nathan.peters@mydomain.net"
 exe="/usr/sbin/sshd" hostname=10.8.134.154 addr=10.8.134.154 terminal=ssh res=failed'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd"
 hostname=? addr=10.8.134.154 terminal=ssh res=failed'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:28:cf:eb:e1:3f:61:00:c5:ff:62:da:54:cc:bb:62:7c:e5:07:d1:3a:62:9e:7c:c0:3b:bc:8e:08:90:9a:9b:83
 direction=? spid=2020 suid=74  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=2020
 suid=74 rport=9577 laddr=10.178.0.99 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:f2:5c:54:6f:2a:0e:38:19:8c:e4:94:ef:53:2e:9b:ce:07:7f:bb:af:e0:65:7d:11:82:30:cf:03:0d:35:1b:ca
 direction=? spid=2019 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:4b:0e:be:22:b5:28:65:28:72:90:5b:81:70:99:ff:47:5d:3c:90:a8:81:12:d1:1f:a0:e7:a3:d0:29:d1:25:1e
 direction=? spid=2019 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:28:cf:eb:e1:3f:61:00:c5:ff:62:da:54:cc:bb:62:7c:e5:07:d1:3a:62:9e:7c:c0:3b:bc:8e:08:90:9a:9b:83
 direction=? spid=2019 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:10:25 dc1-ipa-dev-nvan audit: USER_LOGIN pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd"
 hostname=? addr=10.8.134.154 terminal=ssh res=failed'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">===================/var/log/secure during login failure=======================<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Registered Authentication Agent for unix-process:1968:182654681 (system bus name :1.222 [/usr/bin/pkttyagent
 --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Unregistered Authentication Agent for unix-process:1968:182654681 (system bus name :1.222, object path /org/freedesktop/PolicyKit1/AuthenticationAgent,
 locale en_CA.UTF-8) (disconnected from bus)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Registered Authentication Agent for unix-process:1979:182654684 (system bus name :1.223 [/usr/bin/pkttyagent
 --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Unregistered Authentication Agent for unix-process:1979:182654684 (system bus name :1.223, object path /org/freedesktop/PolicyKit1/AuthenticationAgent,
 locale en_CA.UTF-8) (disconnected from bus)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:10:02 dc1-ipa-dev-nvan sshd[2006]: Connection closed by 10.21.2.100 [preauth]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.134.154 user=nathan.peters@mydomain.net<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): received for user nathan.peters@mydomain.net: 4 (System error)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: Failed password for nathan.peters@mydomain.net from 10.8.134.154 port 9577 ssh2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:10:25 dc1-ipa-dev-nvan sshd[2019]: error: Received disconnect from 10.8.134.154: 13: Unable to authenticate [preauth]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626">Feb 16 14:10:25 dc1-ipa-dev-nvan sshd[2019]: Disconnected from 10.8.134.154 [preauth]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:#262626"><o:p> </o:p></span></p>
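Added triage example (not part of the original post): it correlates the audit USER_AUTH/USER_LOGIN records and the pam_sss line from the logs above by sshd pid, and separates an SSSD backend failure (PAM return code 4, PAM_SYSTEM_ERR in Linux-PAM) from a plain bad-password rejection (7, PAM_AUTH_ERR). The sample lines are a constructed copy of the post's own log excerpts, trimmed to the fields used.

```python
import re
from collections import defaultdict

# Constructed sample: the relevant records from the failed login above.
AUDIT_LINES = """\
Feb 16 14:10:20 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 msg='op=gssapi acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 msg='op=PAM:authentication grantors=? acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd" hostname=10.8.134.154 addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 msg='op=password acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: USER_LOGIN pid=2019 uid=0 msg='op=login acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
"""
SECURE_LINES = """\
Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.134.154 user=nathan.peters@mydomain.net
Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): received for user nathan.peters@mydomain.net: 4 (System error)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
AUDIT_RE = re.compile(r"audit: (\w+) (.*?) msg='(.*)'$")
PAM_RE = re.compile(r"sshd\[(\d+)\]: pam_sss\(sshd:auth\): received for user (\S+): (\d+) \((.*)\)")

def parse_audit(line):
    """Flatten one audit record (outer fields plus the msg='...' payload) into a dict."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = {"type": m.group(1)}
    for key, val in KV_RE.findall(m.group(2) + " " + m.group(3)):
        rec[key] = val.strip('"')
    return rec

def triage(audit_text, secure_text):
    """Group auth attempts by sshd pid: account, peer, op/result sequence, pam_sss return code."""
    sessions = defaultdict(lambda: {"acct": None, "addr": None, "ops": [], "pam_rc": None})
    for line in audit_text.splitlines():
        rec = parse_audit(line)
        if rec and rec["type"] in ("USER_AUTH", "USER_LOGIN"):
            s = sessions[rec["pid"]]
            s["acct"], s["addr"] = rec.get("acct"), rec.get("addr")
            s["ops"].append((rec["op"], rec["res"]))
    for line in secure_text.splitlines():
        m = PAM_RE.search(line)
        if m:
            sessions[m.group(1)]["pam_rc"] = (int(m.group(3)), m.group(4))
    return dict(sessions)

def classify(session):
    """4 = PAM_SYSTEM_ERR: SSSD could not complete the lookup/auth, so look at the
    trust, UPN and sssd configuration; 7 = PAM_AUTH_ERR: credentials were rejected."""
    rc = session["pam_rc"]
    if rc and rc[0] == 4:
        return "backend-error"
    if rc and rc[0] == 7:
        return "bad-credentials"
    return "unknown"

if __name__ == "__main__":
    for pid, s in triage(AUDIT_LINES, SECURE_LINES).items():
        print(pid, s["acct"], s["addr"], [op for op, _ in s["ops"]], s["pam_rc"], classify(s))
```

For the post's logs this reports every method (gssapi, PAM, password) as failed with pam_sss returning 4, i.e. a backend error rather than a wrong password.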
</div>
</body>
</html>