[Freeipa-users] Cross domain trust

Steve Dainard sdainard at miovision.com
Thu Feb 6 18:28:51 UTC 2014


On Thu, Feb 6, 2014 at 12:42 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:

> On Thu, 06 Feb 2014, Steve Dainard wrote:
>
>>>    In newer versions (FreeIPA 3.3+, SSSD 1.11+) this is done on IPA master
>>>    automatically by setting ipa_master_mode = True
>>>
>>>    On RHEL 6.x one needs to add the parameters manually.
>>>
>>> 2. /etc/krb5.conf has to contain auth_to_local rules that map AD
>>>    principals to lower-cased versions because some applications (SSH)
>>>    are very picky about user/principal name mapping. This has to be done
>>>    on both IPA masters and IPA clients.
>>>
>>>
>> This was done on the IPA server, but the RHEL 6.5 client doesn't have this
>> file.
>>
>> On the IPA server:
>>
>> [realms]
>> MIOLINUX.CORP = {
>>  kdc = ipa1.miolinux.corp:88
>>  master_kdc = ipa1.miolinux.corp:88
>>  admin_server = ipa1.miolinux.corp:749
>>  default_domain = miolinux.corp
>>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>> auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION$)s/@MIOVISION/@miovision/
>> auth_to_local = DEFAULT
>>
>> [root at ipa1 ~]# kinit sdainard at miovision.corp
>> Password for sdainard at miovision.corp:
>> kinit: KDC reply did not match expectations while getting initial
>> credentials
>>
> MIT Kerberos is case-sensitive for the realm, so it should always be
>  kinit sdainard at MIOVISION.CORP
>
> make also sure that your rule above has proper realm. If your realm is
> MIOVISION.CORP, then auth_to_local rule is
>
> auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION.CORP$)s/@MIOVISION.CORP/@miovision.corp/
>

OK that makes sense. I wasn't sure if it was NETBIOS or not. Changed.

>
> In MIT Kerberos 1.13 we'll have an interface that will allow SSSD to
> automatically generate (and supply) these rules. Prior to that we have
> to have explicit configuration on all clients and servers.


Excellent, do you work with whomever is maintaining the Ubuntu PPA on this
as well? One of our dev teams is exclusively on Ubuntu 12.04 and I've had
some serious issues with joining clients from the distro.

>
>
>> A CentOS 6.5 client has this file. The docs didn't mention the manual
>> client config, I just assumed the IPA server would proxy the request.
>> After adding, no change.
>>
> A request to IPA server needs to come from a client and a client needs
> to know about that. We changed SSSD 1.11+ to discover IPA capabilities
> and self-configure but for older clients (1.9..1.10) you need to perform
> it through explicit config.
>
>
>>>    With these changes SSSD on IPA client will recognize AD users and
>>>    request IPA master to perform name/SID/etc resolution, and also will
>>>    make an attempt to parse special part of the Kerberos ticket
>>>    generated by AD DC (MS-PAC) that contains signed cached copy of group
>>>    ownership for AD users.
>>>
>>> SSSD needs restart after each config change.
>>>
>>> You can do checks step by step to see whether things are working:
>>>
>>> 1. Ensure that SSSD on IPA master resolves AD user properly:
>>>
>>>    getent passwd user at ad.domain
>>>
>>>    Should return non-empty entry.
>>>
>>>
>> Returns no values.
>>
>> [root at ipa1 ~]# getent passwd sdainard at miovision.corp
>> [root at ipa1 ~]#
>>
> Can you add debug_level=9 to [domain/...] section in
> /etc/sssd/sssd.conf, restart sssd and try again?
>
> In /var/log/sssd/sssd_<domain>.log there will be a lot of debug
> information that I'd like to see (send it privately).
>
> If sssd properly tries to talk to winbindd to resolve id, I'd like to
> see winbind logs then:
>
> # smbcontrol all debug 100
> # getent passwd sdainard at miovision.corp
> # smbcontrol all debug 1
>
> and send me logs from /var/log/samba.
>
>
>
Done, sending logs outside of list.

There are some communications errors. I dropped the firewall on the IPA
server to test the last couple runs at 'getent passwd
sdainard at MIOVISION.CORP'.



>
>>> 2. Ensure that SSSD on IPA client resolves AD user properly:
>>>
>>>    getent passwd user at ad.domain
>>>
>>>    Should return non-empty entry.
>>>
>>>
>> [root at snapshot-test ~]# getent passwd sdainard at miovision.corp
>> [root at snapshot-test ~]#
>>
> Once we solve it for IPA master, we can continue with this part.
>
>>> 3. Ensure that Kerberos infrastructure works:
>>>
>>>    kinit user at ad.domain
>>>    kvno -S host ipa.client.domain
>>>
>>>
>> [root at ipa1 ~]# kinit sdainard at miovision.corp
>> Password for sdainard at miovision.corp:
>> kinit: KDC reply did not match expectations while getting initial
>> credentials
>>
> Expected (realm is case-sensitive).
>
>> [root at ipa1 ~]# kinit sdainard at MIOVISION.CORP
>> Password for sdainard at MIOVISION.CORP:
>>
>> [root at ipa1 ~]# kvno cifs/dc1.miovision.corp at MIOVISION.CORP
>> cifs/dc1.miovision.corp at MIOVISION.CORP: kvno = 41
>>
>> [root at ipa1 ~]# kvno -S host ipa1.miolinux.corp
>> host/ipa1.miolinux.corp at MIOLINUX.CORP: kvno = 2
>>
>> [root at ipa1 ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: sdainard at MIOVISION.CORP
>>
>> Valid starting     Expires            Service principal
>> 02/06/14 11:54:55  02/06/14 21:54:57  krbtgt/MIOVISION.CORP@MIOVISION.CORP
>>         renew until 02/07/14 11:54:55
>> 02/06/14 11:55:38  02/06/14 21:54:57  cifs/dc1.miovision.corp@MIOVISION.CORP
>>         renew until 02/07/14 11:54:55
>> 02/06/14 11:56:50  02/06/14 21:54:57  krbtgt/MIOLINUX.CORP@MIOVISION.CORP
>>         renew until 02/07/14 11:54:55
>> 02/06/14 11:57:05  02/06/14 21:54:57  host/ipa1.miolinux.corp@MIOLINUX.CORP
>>         renew until 02/07/14 11:54:55
>>
> Kerberos infrastructure works fine.
>
>
> --
> / Alexander Bokovoy
>
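The exchange above turns on two details of MIT Kerberos name mapping: the realm in a principal is case-sensitive, and an auth_to_local RULE only fires when its regexp matches the whole selection string built from $0 (realm) and $1 (first component). The following rule evaluator is an added example, written for this archive page; it is not code from the thread, from MIT Kerberos or from FreeIPA. It mimics the RULE:[n:string](regexp)s/pattern/replacement/[g] processing and DEFAULT handling closely enough to check a krb5.conf rule set offline before it is pushed to every IPA master and client. The two rules are the ones quoted in the thread; DEFAULT_REALM and the sample principals are assumptions chosen to match the realms discussed.

```python
import re

# Rules as they appear in the thread: the first is the one configured on the
# IPA server (anchored on the NetBIOS-style "@MIOVISION"), the second is the
# corrected one anchored on the full realm "@MIOVISION.CORP".
RULE_NETBIOS = "RULE:[1:$1@$0](^.*@MIOVISION$)s/@MIOVISION/@miovision/"
RULE_REALM = "RULE:[1:$1@$0](^.*@MIOVISION.CORP$)s/@MIOVISION.CORP/@miovision.corp/"

# Assumption for this example: the IPA realm is the default_realm of the host.
DEFAULT_REALM = "MIOLINUX.CORP"

_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*?)\)(.*)$")
_SUBST_RE = re.compile(r"^s/((?:\\/|[^/])*)/((?:\\/|[^/])*)/(g?)")


def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Apply one RULE: entry; return the mapped name, or None if it does not select."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unparseable auth_to_local rule: %r" % rule)
    ncomp, fmt, selector, substs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    components, realm = split_principal(principal)
    # [n:...] only applies to principals with exactly n components.
    if len(components) != ncomp:
        return None

    def expand(var):
        # $0 expands to the realm, $1..$n to the principal components.
        idx = int(var.group(1))
        if idx == 0:
            return realm
        if idx > ncomp:
            raise ValueError("rule references $%d but declares %d components" % (idx, ncomp))
        return components[idx - 1]

    selstring = re.sub(r"\$(\d+)", expand, fmt)
    # The selector regexp has to match the entire selection string, and it is
    # case-sensitive: a lower-cased realm never matches an upper-case pattern.
    sel = re.match(selector, selstring)
    if sel is None or sel.end() != len(selstring):
        return None
    # Apply the s/pattern/replacement/[g] substitutions from left to right.
    result = selstring
    while substs:
        sm = _SUBST_RE.match(substs)
        if not sm:
            raise ValueError("bad substitution in rule: %r" % substs)
        pattern, replacement, flag = sm.groups()
        result = re.sub(pattern, replacement.replace("\\/", "/"), result,
                        count=0 if flag else 1)
        substs = substs[sm.end():]
    return result


def map_principal(rules, principal, default_realm=DEFAULT_REALM):
    """Walk an auth_to_local list in order; return the first mapping or None."""
    components, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps single-component principals in the default realm.
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        mapped = apply_rule(rule, principal)
        if mapped is not None:
            return mapped
    return None


if __name__ == "__main__":
    # Constructed sample principals: the AD user with the realm spelled both ways,
    # plus a user of the IPA realm itself.
    samples = ("sdainard@MIOVISION.CORP", "sdainard@miovision.corp", "admin@MIOLINUX.CORP")
    for rules in ([RULE_NETBIOS, "DEFAULT"], [RULE_REALM, "DEFAULT"]):
        for princ in samples:
            print("%-72s %-26s -> %s" % (rules[0], princ, map_principal(rules, princ)))
```

Run as a script it prints the mapping each rule set produces for the sample principals: the "@MIOVISION" rule selects nothing for sdainard@MIOVISION.CORP and DEFAULT refuses a foreign realm, so the AD user ends up with no local name, while the "@MIOVISION.CORP" rule yields sdainard@miovision.corp. Feeding it the rules from a client's krb5.conf is a cheap way to confirm every client carries the same mapping as the masters before chasing SSSD or winbind logs.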