[Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

Sumit Bose sbose at redhat.com
Tue May 5 16:39:59 UTC 2015


On Tue, May 05, 2015 at 09:09:51AM -0700, nathan at nathanpeters.com wrote:
> I am having some strange issues after upgrade from FreeIPA 4.1.2 to
> 4.1.3/4.1.4 on CentOS 7.
> 
> Here is my setup:
> FreeIPA domain : ipadomain.net
> Trusted AD domain : sub.addomain.net
> 
> In my AD domain, we have our UPN set to addomain.net so users typically
> login as username at addomain.net instead of username at sub.addomain.net.
> 
> In my /etc/sssd/sssd.conf on the ipa dc I have the following values set:
> use_fully_qualified_names = True
> [sssd]
> default_domain_suffix = sub.addomain.net
> 
> 
> This is what I see in the logs when I attempt to login as 'username' (with
> no domain):
> 
> May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]:
> Cannot find KDC for realm "ADDOMAIN.NET"
> May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]:
> Cannot find KDC for realm "ADDOMAIN.NET"
> May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.5.5.57 user=username
> May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth):
> received for user username: 4 (System error)
> May 05 15:36:53 ipadc1.ipadomain.net sshd[4373]: Failed password for
> username from 10.5.5.57 port 53118 ssh2
> 
> However, if in AD I switch the UPN on 'username' to the default of
> 'sub.addomain.net' I get a successful login:
> 
> May 04 23:10:57 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.5.5.57  user=username
> May 04 23:10:58 ipadc1.ipadomain.net sshd[2293]: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.5.5.57 user=username
> May 04 23:11:01 ipadc1.ipadomain.net sshd[2293]: Accepted password for
> username from 10.5.5.57 port 46077 ssh2
> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting
> user-1539201103.slice.
> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Created slice
> user-1539201103.slice.
> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting Session 3 of
> user username at sub.addomain.net.
> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Started Session 3 of user
> username at sub.addomain.net.
> May 04 23:11:01 ipadc1.ipadomain.net systemd-logind[716]: New session 3 of
> user username at sub.addomain.net.
> May 04 23:11:02 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:session):
> session opened for user username by (uid=0)
> 
> As a temporary workaround I set dns_lookup_kdc = false in my
> /etc/krb5.conf file and that worked to allow me to login with just
> 'username' but even after a successful login, I was seeing those 'cannot
> find KDC for realm' message in the log.
> 
> Is there a proper way to allow people from a trusted AD domain to login
> with their alternative UPNs?

I'm afraid currently the only way of doing this is by adding an ADDOMAIN.NET
section to the [realms] section of /etc/krb5.conf on all IPA clients and
servers.

Although SSSD as a client in an AD domain can handle those UPNs, there is
a missing part on the FreeIPA server side which is needed to make it
work. The item is tracked in
https://fedorahosted.org/freeipa/ticket/3559 .

Since the UPN suffix can be freely chosen, i.e. it does not have to be a
DNS domain, the client will ask its local KDC with a special so-called
enterprise principal if it knows about this UPN suffix and, if the KDC
knows about it, it will tell the client where to ask for it. If ticket
#3559 gets implemented, the entry in /etc/krb5.conf would not be needed
anymore.

HTH

bye,
Sumit
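The workaround above is to give every IPA client and server a [realms] stanza for the UPN suffix that DNS cannot resolve to a KDC. The script below is an added example, not code from the thread or from FreeIPA/SSSD: it reads the "Cannot find KDC for realm" lines that krb5_child logs, checks which of those realms have no stanza in krb5.conf, and renders a stanza for each gap so the same fix can be applied consistently across a fleet. The journal lines and krb5.conf content are constructed samples modelled on the ones quoted in the thread, and the KDC hostname dc1.sub.addomain.net is a placeholder assumption; substitute a domain controller that can answer for the UPN suffix in your own forest.

```python
"""Find Kerberos realms that SSSD's krb5_child could not locate a KDC for
and have no [realms] stanza in krb5.conf; render the missing stanza.

Added example, not part of the original thread. Sample inputs are
constructed; the KDC hostname used below is an assumption."""
import re

# Constructed journal excerpt, modelled on the lines quoted in the thread.
SAMPLE_JOURNAL = """\
May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]: Cannot find KDC for realm "ADDOMAIN.NET"
May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]: Cannot find KDC for realm "ADDOMAIN.NET"
May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth): received for user username: 4 (System error)
"""

# Constructed krb5.conf: the IPA realm is configured, the AD UPN suffix is not.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = IPADOMAIN.NET
 dns_lookup_kdc = true

[realms]
 IPADOMAIN.NET = {
  kdc = ipadc1.ipadomain.net:88
  admin_server = ipadc1.ipadomain.net:749
 }

[domain_realm]
 .ipadomain.net = IPADOMAIN.NET
 ipadomain.net = IPADOMAIN.NET
"""

KDC_ERR = re.compile(r'Cannot find KDC for realm "([^"]+)"')


def failing_realms(journal_text):
    """Realms named in 'Cannot find KDC' messages, deduplicated, first-seen order."""
    seen = []
    for m in KDC_ERR.finditer(journal_text):
        realm = m.group(1)
        if realm not in seen:
            seen.append(realm)
    return seen


def configured_realms(krb5_conf_text):
    """Realm names that have a 'REALM = { ... }' stanza inside [realms].

    Brace depth is tracked so that only top-level stanzas count and a
    section header is only recognised outside any stanza.
    """
    realms = set()
    in_realms = False
    depth = 0
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            in_realms = line[1:-1].strip().lower() == "realms"
            continue
        if in_realms:
            m = re.match(r"([^=\s]+)\s*=\s*\{", line)
            if m and depth == 0:
                realms.add(m.group(1))
        depth += line.count("{") - line.count("}")
    return realms


def missing_realms(journal_text, krb5_conf_text):
    """Realms krb5_child failed on that krb5.conf does not define."""
    present = configured_realms(krb5_conf_text)
    return [r for r in failing_realms(journal_text) if r not in present]


def realm_stanza(realm, kdcs):
    """Render a [realms] stanza; hostnames are caller-supplied assumptions."""
    body = "".join(f"  kdc = {host}\n" for host in kdcs)
    return f" {realm} = {{\n{body} }}\n"


if __name__ == "__main__":
    for realm in missing_realms(SAMPLE_JOURNAL, SAMPLE_KRB5_CONF):
        print(f"# no [realms] stanza for {realm}; add under [realms]:")
        # Placeholder DC hostname: an assumption, not from the thread.
        print(realm_stanza(realm, ["dc1.sub.addomain.net"]))
```

To verify the stanza on a client after adding it, request a ticket with the UPN as an enterprise principal using the standard MIT Kerberos client, `kinit -E 'username@addomain.net'`, and run it with `KRB5_TRACE=/dev/stderr` set to see which KDC the library actually contacts for the referral.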
