[Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

nathan at nathanpeters.com
Tue May 5 16:09:51 UTC 2015


I am having some strange issues after upgrading from FreeIPA 4.1.2 to
4.1.3/4.1.4 on CentOS 7.

Here is my setup:
FreeIPA domain : ipadomain.net
Trusted AD domain : sub.addomain.net

In my AD domain, we have our UPN set to addomain.net so users typically
log in as username@addomain.net instead of username@sub.addomain.net.

In my /etc/sssd/sssd.conf on the ipa dc I have the following values set:
use_fully_qualified_names = True
[sssd]
default_domain_suffix = sub.addomain.net


This is what I see in the logs when I attempt to login as 'username' (with
no domain):

May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]: Cannot find KDC for realm "ADDOMAIN.NET"
May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]: Cannot find KDC for realm "ADDOMAIN.NET"
May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth): received for user username: 4 (System error)
May 05 15:36:53 ipadc1.ipadomain.net sshd[4373]: Failed password for username from 10.5.5.57 port 53118 ssh2

However, if in AD I switch the UPN on 'username' to the default of
'sub.addomain.net' I get a successful login:

May 04 23:10:57 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57  user=username
May 04 23:10:58 ipadc1.ipadomain.net sshd[2293]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
May 04 23:11:01 ipadc1.ipadomain.net sshd[2293]: Accepted password for username from 10.5.5.57 port 46077 ssh2
May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting user-1539201103.slice.
May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Created slice user-1539201103.slice.
May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting Session 3 of user username@sub.addomain.net.
May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Started Session 3 of user username@sub.addomain.net.
May 04 23:11:01 ipadc1.ipadomain.net systemd-logind[716]: New session 3 of user username@sub.addomain.net.
May 04 23:11:02 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:session): session opened for user username by (uid=0)

As a temporary workaround I set dns_lookup_kdc = false in my
/etc/krb5.conf file and that worked to allow me to login with just
'username', but even after a successful login I was seeing those 'cannot
find KDC for realm' messages in the log.

Is there a proper way to allow people from a trusted AD domain to login
with their alternative UPNs?
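An added triage script, not from the poster or the FreeIPA project, that reads journal lines like the ones quoted above, pairs each "Cannot find KDC for realm" failure with the pam_sss authentication failure that follows it, and flags realms that are neither the IPA realm nor the configured trusted AD realm (so an alternate UPN suffix such as ADDOMAIN.NET stands out). The sample log and the set of expected realms are constructed from this post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the journal excerpt quoted in the post above.
SAMPLE_LOG = """\
May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]: Cannot find KDC for realm "ADDOMAIN.NET"
May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]: Cannot find KDC for realm "ADDOMAIN.NET"
May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth): received for user username: 4 (System error)
May 04 23:10:58 ipadc1.ipadomain.net sshd[2293]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
"""

TS_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<rest>.*)$")
KDC_RE = re.compile(r'Cannot find KDC for realm "(?P<realm>[^"]+)"')
PAM_RE = re.compile(r"pam_sss\(sshd:auth\): authentication failure;.*rhost=(?P<rhost>\S*) user=(?P<user>\S+)")

def parse_ts(text):
    # The journal short format carries no year; good enough for ordering within one excerpt.
    return datetime.strptime(text, "%b %d %H:%M:%S")

def triage(log_text, known_realms, window=timedelta(seconds=5)):
    """Return (unexpected_realms, correlated_failures).

    unexpected_realms: realms a KDC lookup failed for that are not in known_realms
    (the IPA realm plus the trusted AD realm named in sssd.conf).
    correlated_failures: pam_sss auth failures preceded within `window` by a KDC
    lookup failure, tagged with the most recent realm that failed.
    """
    kdc_events = []  # (timestamp, realm) in log order
    failures = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, rest = parse_ts(m["ts"]), m["rest"]
        if k := KDC_RE.search(rest):
            kdc_events.append((ts, k["realm"]))
            continue
        if p := PAM_RE.search(rest):
            realm = next((r for t, r in reversed(kdc_events) if timedelta(0) <= ts - t <= window), None)
            if realm:
                failures.append({"time": m["ts"], "user": p["user"], "rhost": p["rhost"], "realm": realm})
    expected = {r.upper() for r in known_realms}
    unexpected = {r for _, r in kdc_events if r.upper() not in expected}
    return unexpected, failures

if __name__ == "__main__":
    unexpected, failures = triage(SAMPLE_LOG, {"IPADOMAIN.NET", "SUB.ADDOMAIN.NET"})
    print("realms with no reachable KDC:", sorted(unexpected))
    for f in failures:
        print(f"{f['time']} user={f['user']} from {f['rhost']} failed after KDC lookup for {f['realm']}")
```

On a live host, feed it `journalctl -u sshd -u sssd --no-pager` output instead of SAMPLE_LOG; a realm in the unexpected set is a UPN suffix the KDC discovery on this box cannot resolve.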
