[Freeipa-users] IPA Trust AD and Illegal cross-realm ticket

crony leszek.mis at gmail.com
Wed Oct 15 14:31:55 UTC 2014

thank you. Now it works, but not completely:


[leszek at ipa1 ~]$ ssh ipatst03.linux.acme.example.com -l
user1 at acme.example.com
Last login: Wed Oct 15 16:11:27 2014

-sh-4.1$ id
uid=127283727(user1 at acme.example.com) gid=127283727(user1 at acme.example.com)
grupy=127283727(user1 at acme.example.com),127292838(
linuxgroup at acme.example.com)

I can't see all my groups. User1 is a member of 15 different groups at AD
side, not one as above: linuxgroup at acme.example.com

Could it be related?  I can see all these membership groups at IPA Server
(id user1 at acme.example.com)

2. After login ssh ipatst03.linux.acme.example.com -l user1 at acme.example.com

-sh-4.1$ klist
klist: Included profile file could not be read while initializing krb5

Even kinit not works:

-sh-4.1$ kinit user1 at acme.example.com
kinit: Included profile file could not be read while initializing Kerberos
5 library

What about that? I didn't see this error before. Related?

I have another, but related question, If you don't mind:  What if I would
like to connect RHEL5 IPA client to my IPA Server AD Trust Setup? Do you
think it is real and could it work?

Thank you in advanced

2014-10-15 15:50 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:

> On Wed, 15 Oct 2014, crony wrote:
>> Hi,
>> I've been following the AD integration guide for IPAv3:
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>> My setup is:
>> • 5 domain controllers with Windows 2008 R2 AD DC -> example.com as
>> Forest
>> Root Domain and acme.example.com as transitive child domain
>> • RHEL7 as IPA server with domain: linux.acme.example.com
>> • RHEL6.5 as IPA client server ipatst03.linux.acme.example.com
>> Everything works correctly around IPA Server, but the problem is within
>> IPA
>> Client.
>> I can not login by SSH or by su -:
>> [leszek at ipatst03 ~]$ su - user1 at acme.example.com
>> Password:
>> su: incorrect password
>> I found this error in /var/log/sssd/krb5_child.log :
>> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [validate_tgt]
>> (0x0020): TGT failed verification using key for [host/
>> ipatst03.linux.acme.example.com at LINUX.ACME.EXAMPLE.COM].
>> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [get_and_save_tgt]
>> (0x0020): 988: [-1765328341][Illegal cross-realm ticket]
>> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [map_krb5_error]
>> (0x0020): 1043: [-1765328341][Illegal cross-realm ticket]
>> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data]
>> (0x0200): Received error code 1432158209
>> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]]
>> [pack_response_packet] (0x2000): response packet size: [20]
>> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data]
>> (0x4000): Response sent.
>> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [main] (0x0400):
>> krb5_child completed successfully
> Yes, this is known issue for transitive trusts. MIT Kerberos requires
> for non-hierarchical trusts that [capaths] section contains proper map
> of relationships between the realms. We've got an API to manage this map
> from IPA KDC driver and we also write it down on the IPA masters with
> the help of SSSD for KDC to use but on IPA clients it is not generated
> as we hoped that receiving referrals from KDC would be enough.
> You can see that this is the issue by copying
> /var/lib/sss/pubconf/krb5conf.d/domain_realm_linux_acme_example_com to
> your client and placing it as
> /var/lib/sss/pubconf/krb5conf.d/domain_realm_linux_acme_
> example_com_capaths
> On next authentication attempt things will work.
> --
> / Alexander Bokovoy

Pozdrawiam Leszek Miś
www: http://cronylab.pl
www: http://emerge.pl
Nothing is secure, paranoia is your friend.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141015/01ceaccc/attachment.htm>

More information about the Freeipa-users mailing list