[Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

Sumit Bose sbose at redhat.com
Tue May 5 18:28:40 UTC 2015


On Tue, May 05, 2015 at 09:53:38AM -0700, nathan at nathanpeters.com wrote:
> Hmm, so if this is the [realms] section of my /etc/krb5.conf what do I
> have to do ?
> 
> [realms]
>  IPADOMAIN.NET = {
>   kdc = dc1.ipadomain.net:88
>   master_kdc = dc1.ipadomain.net:88
>   admin_server = dc1.ipadomain.net:749
>   default_domain = ipadomain.net
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>   auth_to_local =
> RULE:[1:$1@$0](^.*@SUB.ADDOMAIN.NET$)s/@SUB.ADDOMAIN.NET/@sub.addomain.net/
>   auth_to_local = DEFAULT
> }
> 
> Would I just literally copy that section and change the names?
> eg:
> 
>  SUB.ADDOMAIN.NET = {
>   kdc = dc1.ipadomain.net:88
>   master_kdc = dc1.ipadomain.net:88
>   admin_server = dc1.ipadomain.net:749
>   default_domain = ipadomain.net

You should add the AD DC and AD realm here.

The following lines you can just drop.

HTH

bye,
Sumit

>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>   auth_to_local =
> RULE:[1:$1@$0](^.*@SUB.ADDOMAIN.NET$)s/@SUB.ADDOMAIN.NET/@sub.addomain.net/
>   auth_to_local = DEFAULT
> }
> 
> 
> > On Tue, May 05, 2015 at 09:09:51AM -0700, nathan at nathanpeters.com wrote:
> >> I am having some strange issues after upgrade from FreeIPA 4.1.2 to
> >> 4.1.3/4.1.4 on CentOS 7.
> >>
> >> Here is my setup:
> >> FreeIPA domain : ipadomain.net
> >> Trusted AD domain : sub.addomain.net
> >>
> >> In my AD domain, we have our UPN set to addomain.net so users typically
> >> login as username at addomain.net instead of username at sub.addomain.net.
> >>
> >> In my /etc/sssd/sssd.conf on the ipa dc I have the following values set:
> >> use_fully_qualified_names = True
> >> [sssd]
> >> default_domain_suffix = sub.addomain.net
> >>
> >>
> >> This is what I see in the logs when I attempt to login as 'username'
> >> (with no domain):
> >>
> >> May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]:
> >> Cannot find KDC for realm "ADDOMAIN.NET"
> >> May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]:
> >> Cannot find KDC for realm "ADDOMAIN.NET"
> >> May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth):
> >> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> >> rhost=10.5.5.57 user=username
> >> May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth):
> >> received for user username: 4 (System error)
> >> May 05 15:36:53 ipadc1.ipadomain.net sshd[4373]: Failed password for
> >> username from 10.5.5.57 port 53118 ssh2
> >>
> >> However, if in AD I switch the UPN on 'username' to the default of
> >> 'sub.addomain.net' I get a successful login:
> >>
> >> May 04 23:10:57 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:auth):
> >> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> >> rhost=10.5.5.57  user=username
> >> May 04 23:10:58 ipadc1.ipadomain.net sshd[2293]: pam_sss(sshd:auth):
> >> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> >> rhost=10.5.5.57 user=username
> >> May 04 23:11:01 ipadc1.ipadomain.net sshd[2293]: Accepted password for
> >> username from 10.5.5.57 port 46077 ssh2
> >> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting
> >> user-1539201103.slice.
> >> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Created slice
> >> user-1539201103.slice.
> >> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting Session 3 of
> >> user username at sub.addomain.net.
> >> May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Started Session 3 of
> >> user
> >> username at sub.addomain.net.
> >> May 04 23:11:01 ipadc1.ipadomain.net systemd-logind[716]: New session 3
> >> of
> >> user username at sub.addomain.net.
> >> May 04 23:11:02 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:session):
> >> session opened for user username by (uid=0)
> >>
> >> As a temporary workaround I set dns_lookup_kdc = false in my
> >> /etc/krb5.conf file and that worked to allow me to login with just
> >> 'username' but even after a successful login, I was seeing those 'cannot
> >> find KDC for realm' messages in the log.
> >>
> >> Is there a proper way to allow people from a trusted AD domain to login
> >> with their alternative UPNs?
> >
> > I'm afraid currently the only way of doing this is by adding an ADDOMAIN.NET
> > section to the realms section of /etc/krb5.conf on all IPA clients and
> > servers.
> >
> > Although SSSD as a client in an AD domain can handle those UPNs, there is
> > a missing part on the FreeIPA server side which is needed to make it
> > work. The item is tracked in
> > https://fedorahosted.org/freeipa/ticket/3559 .
> >
> > Since the UPN suffix can be freely chosen, i.e. it does not have to be a
> > DNS domain, the client will ask its local KDC with a special so-called
> > enterprise principal if it knows about this UPN suffix, and if the KDC
> > knows about it, it will tell the client where to ask for it. If ticket
> > #3559 gets implemented, the entry in /etc/krb5.conf would not be needed
> > anymore.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> >>
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go to http://freeipa.org for more info on the project
> >
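As an added example (not from this thread or from the FreeIPA project), a small Python checker that parses the [realms] section of a krb5.conf, reports UPN-suffix realms such as ADDOMAIN.NET that have no explicit kdc, and then inserts the extra realm stanza Sumit recommends. The sample config is constructed from the one quoted above; the AD domain controller name dc1.sub.addomain.net is a placeholder assumption.

```python
import re

# Constructed sample modelled on the krb5.conf quoted in this thread. The AD
# domain controller "dc1.sub.addomain.net" is a placeholder, not from the mail.
KRB5_CONF_BEFORE = """[libdefaults]
  default_realm = IPADOMAIN.NET
  dns_lookup_kdc = true

[realms]
  IPADOMAIN.NET = {
    kdc = dc1.ipadomain.net:88
    admin_server = dc1.ipadomain.net:749
  }
"""

def parse_realms(conf):
    """Return {REALM: {key: [values]}} for every stanza in [realms]."""
    realms, section, current = {}, None, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = re.match(r"^\[(\w+)\]$", line)
        if head:
            section, current = head.group(1), None
        elif section != "realms":
            continue
        elif (opener := re.match(r"^([A-Za-z0-9.\-]+)\s*=\s*\{$", line)):
            current = opener.group(1)
            realms[current] = {}
        elif line == "}":
            current = None
        elif current and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            realms[current].setdefault(key, []).append(val)
    return realms

def missing_kdcs(conf, needed):
    """Realms with no explicit kdc; with dns_lookup_kdc = true these would
    have to be found via _kerberos._tcp.<REALM> SRV records instead."""
    realms = parse_realms(conf)
    return sorted(r for r in needed if not realms.get(r, {}).get("kdc"))

def add_realm(conf, realm, kdc):
    """Insert a minimal stanza directly after the [realms] header."""
    lines = conf.splitlines()
    at = lines.index("[realms]") + 1
    stanza = [f"  {realm} = {{", f"    kdc = {kdc}", "  }"]
    return "\n".join(lines[:at] + stanza + lines[at:]) + "\n"
```

Run `missing_kdcs(KRB5_CONF_BEFORE, ["ADDOMAIN.NET"])` to reproduce the gap behind the "Cannot find KDC for realm" errors, then feed the output of `add_realm` back in to confirm it is closed.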