[Freeipa-users] IPA Trust AD and Illegal cross-realm ticket

Alexander Bokovoy abokovoy at redhat.com
Wed Oct 15 13:50:59 UTC 2014


On Wed, 15 Oct 2014, crony wrote:
>Hi,
>I've been following the AD integration guide for IPAv3:
>http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>
>My setup is:
>• 5 domain controllers with Windows 2008 R2 AD DC -> example.com as Forest
>Root Domain and acme.example.com as transitive child domain
>• RHEL7 as IPA server with domain: linux.acme.example.com
>• RHEL6.5 as IPA client server ipatst03.linux.acme.example.com
>
>Everything works correctly around IPA Server, but the problem is within IPA
>Client.
>
>I can not login by SSH or by su -:
>
>[leszek at ipatst03 ~]$ su - user1 at acme.example.com
>Password:
>su: incorrect password
>
>I found this error in /var/log/sssd/krb5_child.log :
>
>(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [validate_tgt]
>(0x0020): TGT failed verification using key for [host/
>ipatst03.linux.acme.example.com at LINUX.ACME.EXAMPLE.COM].
>(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [get_and_save_tgt]
>(0x0020): 988: [-1765328341][Illegal cross-realm ticket]
>(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [map_krb5_error]
>(0x0020): 1043: [-1765328341][Illegal cross-realm ticket]
>(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data]
>(0x0200): Received error code 1432158209
>(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]]
>[pack_response_packet] (0x2000): response packet size: [20]
>(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data]
>(0x4000): Response sent.
>(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [main] (0x0400):
>krb5_child completed successfully
Yes, this is a known issue for transitive trusts. MIT Kerberos requires,
for non-hierarchical trusts, that the [capaths] section contains a proper map
of relationships between the realms. We've got an API to manage this map
from the IPA KDC driver, and we also write it down on the IPA masters with
the help of SSSD for the KDC to use, but on IPA clients it is not generated,
as we hoped that receiving referrals from the KDC would be enough.

You can see that this is the issue by copying
/var/lib/sss/pubconf/krb5conf.d/domain_realm_linux_acme_example_com to
your client and placing it as
/var/lib/sss/pubconf/krb5conf.d/domain_realm_linux_acme_example_com_capaths

On next authentication attempt things will work.

-- 
/ Alexander Bokovoy
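As an added illustration (not part of this reply, nor FreeIPA or SSSD code), the Python script below builds the [capaths] stanza an IPA client needs for the topology in the thread and models why the TGT validation above fails without it. The realm names come from the thread; the transit check is a simplified model of MIT krb5's transited-realm validation, not the library's own logic.

```python
# Added example, not FreeIPA or SSSD code. Realm names come from the thread;
# the transit check is a simplified model of MIT krb5's transited-realm
# validation, not the library's actual logic.
IPA_REALM = "LINUX.ACME.EXAMPLE.COM"
FOREST_ROOT = "EXAMPLE.COM"          # AD realm IPA trusts directly
AD_CHILDREN = ["ACME.EXAMPLE.COM"]   # reached transitively via the forest root

def capaths_map(ipa_realm, forest_root, children):
    """Return {client_realm: {server_realm: [intermediates]}}; '.' means direct."""
    m = {ipa_realm: {forest_root: ["."]}, forest_root: {ipa_realm: ["."]}}
    for child in children:
        m[ipa_realm][child] = [forest_root]
        m.setdefault(child, {})[ipa_realm] = [forest_root]
    return m

def render_capaths(m):
    """Render the map in krb5.conf [capaths] syntax."""
    lines = ["[capaths]"]
    for client, targets in m.items():
        lines.append(f" {client} = {{")
        for server, hops in targets.items():
            lines.extend(f"  {server} = {hop}" for hop in hops)
        lines.append(" }")
    return "\n".join(lines) + "\n"

def hierarchical_path(client, server):
    """Default path when [capaths] has no entry: walk up from the client realm
    to the longest common suffix, then down to the server realm."""
    c, s = client.split("."), server.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    up = [".".join(c[i:]) for i in range(len(c) - common + 1)]
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, -1, -1)]
    return [r for r in up + down if r not in (client, server, "")]

def transit_allowed(m, client_realm, server_realm, transited):
    """Every realm the ticket actually crossed must lie on the permitted path."""
    hops = m.get(client_realm, {}).get(server_realm)
    allowed = ([h for h in hops if h != "."] if hops
               else hierarchical_path(client_realm, server_realm))
    return all(r in allowed for r in transited)

if __name__ == "__main__":
    # user1's TGT from ACME.EXAMPLE.COM, checked against ipatst03's host key
    # in LINUX.ACME.EXAMPLE.COM, crossed EXAMPLE.COM on the way.
    m = capaths_map(IPA_REALM, FOREST_ROOT, AD_CHILDREN)
    print(render_capaths(m))
    for cfg in ({}, m):   # without capaths: False (illegal); with: True
        print(transit_allowed(cfg, "ACME.EXAMPLE.COM", IPA_REALM, ["EXAMPLE.COM"]))
```

Without an entry, the default hierarchical path from ACME.EXAMPLE.COM to LINUX.ACME.EXAMPLE.COM has no intermediate realms, so a ticket whose transited field names EXAMPLE.COM is rejected as an illegal cross-realm ticket.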
