[Freeipa-users] IPA Trust AD and Illegal cross-realm ticket

Sumit Bose sbose at redhat.com
Wed Oct 15 15:43:32 UTC 2014


On Wed, Oct 15, 2014 at 04:31:55PM +0200, crony wrote:
> Alex,
> thank you. Now it works, but not completely:
> 
> 1.
> 
> [leszek@ipa1 ~]$ ssh ipatst03.linux.acme.example.com -l user1@acme.example.com
> Password:
> Last login: Wed Oct 15 16:11:27 2014
> 
> -sh-4.1$ id
> uid=127283727(user1@acme.example.com) gid=127283727(user1@acme.example.com) groups=127283727(user1@acme.example.com),127292838(linuxgroup@acme.example.com)
> 
> I can't see all my groups. User1 is a member of 15 different groups on the AD
> side, not just the one above: linuxgroup@acme.example.com

What type/scope do the AD groups have? If they are 'Domain Local' groups
they will not be available in the IPA domain.

HTH

bye,
Sumit

> 
> Could it be related? I can see all these group memberships on the IPA server
> (id user1@acme.example.com)
> 
> 2. After logging in with ssh ipatst03.linux.acme.example.com -l user1@acme.example.com:
> 
> -sh-4.1$ klist
> klist: Included profile file could not be read while initializing krb5
> 
> Even kinit does not work:
> 
> -sh-4.1$ kinit user1@acme.example.com
> kinit: Included profile file could not be read while initializing Kerberos 5 library
> 
> What about that? I didn't see this error before. Related?
> 
> I have another, related question, if you don't mind: what if I would like
> to connect a RHEL5 IPA client to my IPA server AD trust setup? Do you think
> it is realistic and could it work?
> 
> Thank you in advance
> 
> 
> 
> 2014-10-15 15:50 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:
> 
> > On Wed, 15 Oct 2014, crony wrote:
> >
> >> Hi,
> >> I've been following the AD integration guide for IPAv3:
> >> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
> >>
> >> My setup is:
> >> • 5 domain controllers with Windows 2008 R2 AD DC -> example.com as Forest
> >> Root Domain and acme.example.com as transitive child domain
> >> • RHEL7 as IPA server with domain: linux.acme.example.com
> >> • RHEL6.5 as IPA client server ipatst03.linux.acme.example.com
> >>
> >> Everything works correctly on the IPA server, but the problem is with the
> >> IPA client.
> >>
> >> I cannot log in via SSH or su -:
> >>
> >> [leszek@ipatst03 ~]$ su - user1@acme.example.com
> >> Password:
> >> su: incorrect password
> >>
> >> I found this error in /var/log/sssd/krb5_child.log :
> >>
> >> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/ipatst03.linux.acme.example.com@LINUX.ACME.EXAMPLE.COM].
> >> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [get_and_save_tgt] (0x0020): 988: [-1765328341][Illegal cross-realm ticket]
> >> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [map_krb5_error] (0x0020): 1043: [-1765328341][Illegal cross-realm ticket]
> >> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data] (0x0200): Received error code 1432158209
> >> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [pack_response_packet] (0x2000): response packet size: [20]
> >> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data] (0x4000): Response sent.
> >> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [main] (0x0400): krb5_child completed successfully
> >>
> > Yes, this is a known issue for transitive trusts. MIT Kerberos requires,
> > for non-hierarchical trusts, that the [capaths] section contains a proper
> > map of the relationships between the realms. We've got an API to manage
> > this map from the IPA KDC driver, and we also write it down on the IPA
> > masters with the help of SSSD for the KDC to use, but on IPA clients it is
> > not generated, as we hoped that receiving referrals from the KDC would be
> > enough.
> >
> > You can see that this is the issue by copying
> > /var/lib/sss/pubconf/krb5conf.d/domain_realm_linux_acme_example_com to
> > your client and placing it as
> > /var/lib/sss/pubconf/krb5conf.d/domain_realm_linux_acme_example_com_capaths
> >
> > On next authentication attempt things will work.
> >
> > --
> > / Alexander Bokovoy
> >
> 
> 
> 
> -- 
> Pozdrawiam Leszek Miś
> www: http://cronylab.pl
> www: http://emerge.pl
> Nothing is secure, paranoia is your friend.

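The [capaths] point Alexander makes above, worked through as an added example. This is not code from the thread, from FreeIPA, SSSD or MIT Kerberos: it is a small model of the decision an acceptor makes when it validates a cross-realm ticket (the check behind "Illegal cross-realm ticket"), plus a generator for the krb5.conf [capaths] stanza that makes the path in this thread legal. The realm names are the thread's; the assumption that the ticket transited EXAMPLE.COM follows from the described topology (the IPA realm trusts the forest root, acme.example.com is a child) and is constructed here; the hierarchical walk reproduces the order of MIT's default realm-tree walk as understood by the editor, not MIT's code; and the rendered stanza is a plain krb5.conf [capaths] section, not a reproduction of the file IPA writes.

```python
# Added example (not code from the thread, FreeIPA, SSSD or MIT Kerberos):
# model of the cross-realm "transited" check and of the [capaths] stanza that
# makes the thread's forest-root trust path acceptable.
from typing import Dict, List, Optional

# client realm -> server realm -> ordered intermediate realms ("." = direct)
Capaths = Dict[str, Dict[str, List[str]]]


def hierarchical_path(client_realm: str, server_realm: str) -> List[str]:
    """Intermediate realms the default hierarchical walk assumes when no
    [capaths] entry exists: strip one leading label at a time from the client
    realm until the common suffix is reached, then add the server's labels back
    one at a time.  Endpoints are not returned.  (Model of MIT's realm-tree
    walk as understood here; with no shared suffix it goes via the top labels.)"""
    c = client_realm.upper().split(".")
    s = server_realm.upper().split(".")
    shared = 0
    while shared < min(len(c), len(s)) and c[-1 - shared] == s[-1 - shared]:
        shared += 1
    chain: List[str] = []
    # Walk up: CLIENT, then ever shorter suffixes, ending at the common suffix
    # (or at the top label when nothing is shared).
    last_up = len(c) - shared if shared else len(c) - 1
    for i in range(0, last_up + 1):
        chain.append(".".join(c[i:]))
    # Walk down: ever longer suffixes of SERVER, ending at SERVER itself.
    first_down = len(s) - shared - 1 if shared else len(s) - 1
    for i in range(first_down, -1, -1):
        realm = ".".join(s[i:])
        if realm != chain[-1]:
            chain.append(realm)
    return chain[1:-1]


def allowed_intermediates(capaths: Capaths, client_realm: str,
                          server_realm: str) -> List[str]:
    """A [capaths] entry wins when present ('.' means a direct trust);
    otherwise fall back to the hierarchical default."""
    entry = capaths.get(client_realm, {}).get(server_realm)
    if entry is not None:
        return [r for r in entry if r != "."]
    return hierarchical_path(client_realm, server_realm)


def check_transited(capaths: Capaths, client_realm: str, server_realm: str,
                    transited: List[str]) -> Optional[str]:
    """None when every realm in the ticket's transited field lies on the
    allowed path, otherwise the first realm that does not.  A non-None result
    is the case MIT reports as KRB5KRB_AP_ERR_ILL_CR_TKT, 'Illegal cross-realm
    ticket'."""
    allowed = set(allowed_intermediates(capaths, client_realm, server_realm))
    for realm in transited:
        if realm.upper() not in allowed:
            return realm
    return None


def capaths_for_forest_trust(ipa_realm: str, forest_root: str,
                             child_realms: List[str]) -> Capaths:
    """[capaths] for an IPA realm trusting an AD forest root: each trusted
    child realm is reached through the root, in both directions.  Mirrors the
    thread's topology; not a copy of the file IPA itself writes."""
    cap: Capaths = {ipa_realm: {forest_root: ["."]}}
    for child in child_realms:
        cap[ipa_realm][child] = [forest_root]
        cap.setdefault(child, {})[ipa_realm] = [forest_root]
    return cap


def render_capaths(capaths: Capaths) -> str:
    """Render a krb5.conf [capaths] stanza.  A multi-hop path is written as the
    same key repeated once per hop, which is krb5.conf's convention."""
    lines = ["[capaths]"]
    for client, targets in capaths.items():
        lines.append(f" {client} = {{")
        for server, hops in targets.items():
            for hop in hops:
                lines.append(f"  {server} = {hop}")
        lines.append(" }")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed scenario matching the thread: user1@ACME.EXAMPLE.COM presents a
    # ticket for host/ipatst03@LINUX.ACME.EXAMPLE.COM.  The trust runs through
    # the forest root, so the ticket transited EXAMPLE.COM (assumed here).
    client, server, transited = "ACME.EXAMPLE.COM", "LINUX.ACME.EXAMPLE.COM", ["EXAMPLE.COM"]
    print("no capaths  ->", check_transited({}, client, server, transited))   # EXAMPLE.COM (rejected)
    cap = capaths_for_forest_trust("LINUX.ACME.EXAMPLE.COM", "EXAMPLE.COM", ["ACME.EXAMPLE.COM"])
    print("with capaths ->", check_transited(cap, client, server, transited))  # None (accepted)
    print(render_capaths(cap))
```

Without an entry, the hierarchical default treats ACME.EXAMPLE.COM as the direct parent of LINUX.ACME.EXAMPLE.COM and expects no intermediate realm at all, so a ticket that transited EXAMPLE.COM is refused; with the stanza in place, EXAMPLE.COM is the one allowed hop. On IPA clients /etc/krb5.conf normally carries an includedir for /var/lib/sss/pubconf/krb5conf.d/, which is why dropping a file there, as Alexander suggests, takes effect on the next authentication.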