[Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

Dmitri Pal dpal at redhat.com
Thu May 7 00:16:38 UTC 2015


On 05/06/2015 02:15 PM, nathan at nathanpeters.com wrote:
> Ok, I have attempted to set this up by adding the AD domain to my
> configuration and it still isn't working.
> I just want to confirm what I'm trying to accomplish here before I list
> what I've done to troubleshoot this.
>
> We have an AD domain called corp.addomain.net.  We have UPNs set so AD
> users login to the AD domain as adusername@addomain.net when they login to
> windows machines.
>
> The linux clients in our network are currently just using straight up
> kerberos authentication against the domain and can currently login as
> 'username' without entering any suffix.
>
> Because this means we can't control sudo policies centrally by our current
> direct kerberos connection, we want to switch to logging in through
> FreeIPA.
> I need to be clear that we want to maintain the current logins of just
> 'username' on Linux servers.
>
> To accomplish this, I added the following line to the sssd.conf file:
> default_domain_suffix = corp.addomain.net

I am not by any means a specialist here, but shouldn't it be the actual 
suffix that is appended to the user name, i.e.

default_domain_suffix = addomain.net



>
> I have tried 3 different combinations of kerberos config to try to get the
> logins to work, but am running into errors in each case.  I have tried to
> follow the suggestions given earlier in this thread.  Here are the 3
> krb.conf configurations I tried and the errors given on each try.
>
> -------------- configuration 1 -------------------
>
> [realms]
>   IPADOMAIN.NET = {
>    kdc = dc1.ipadomain.net:88
>    master_kdc = dc1.ipadomain.net:88
>    admin_server = dc1.ipadomain.net:749
>    default_domain = ipadomain.net
>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>    auth_to_local = RULE:[1:$1@$0](^.*@CORP.ADDOMAIN.NET$)s/@CORP.ADDOMAIN.NET/@corp.addomain.net/
>    auth_to_local = DEFAULT
> }
> CORP.ADDOMAIN.NET = {
>    kdc = dc3.corp.addomain.net:88
>    master_kdc = dc3.corp.addomain.net:88
> }
>
> [domain_realm]
>   .ipadomain.net = IPADOMAIN.NET
>   ipadomain.net = IPADOMAIN.NET
>   .corp.addomain.net = CORP.ADDOMAIN.NET
>   corp.addomain.net = CORP.ADDOMAIN.NET
>
>
> May 06 16:43:53 dc1.ipadomain.net [sssd[krb5_child[7512]]][7512]: Cannot
> find KDC for realm "ADDOMAIN.NET"
> May 06 16:43:53 dc1.ipadomain.net [sssd[krb5_child[7512]]][7512]: Cannot
> find KDC for realm "ADDOMAIN.NET"
> May 06 16:43:53 dc1.ipadomain.net sshd[7508]: pam_sss(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.5.5.57 user=adusername
> May 06 16:43:53 dc1.ipadomain.net sshd[7508]: pam_sss(sshd:auth): received
> for user adusername: 4 (System error)
> May 06 16:43:55 dc1.ipadomain.net sshd[7508]: Failed password for
> adusername from 10.5.5.57 port 1832 ssh2
>
> ----------- configuration 2 ----------------
>
> Notes : since the above error seemed to imply that I needed to add the
> 'UPN realm' to the [realms] section I tried to add it.
>
> [realms]
>   IPADOMAIN.NET = {
>    kdc = dc1.ipadomain.net:88
>    master_kdc = dc1.ipadomain.net:88
>    admin_server = dc1.ipadomain.net:749
>    default_domain = ipadomain.net
>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>    auth_to_local = RULE:[1:$1@$0](^.*@CORP.ADDOMAIN.NET$)s/@CORP.ADDOMAIN.NET/@corp.addomain.net/
>    auth_to_local = DEFAULT
>
> }
>   ADDOMAIN.NET = {
>    kdc = dc3.corp.addomain.net:88
>    master_kdc = dc3.corp.addomain.net:88
> }
>
> [domain_realm]
>   .ipadomain.net = IPADOMAIN.NET
>   ipadomain.net = IPADOMAIN.NET
>   addomain.net = ADDOMAIN.NET
>   .addomain.net = ADDOMAIN.NET
>
> May 06 16:48:32 dc1.ipadomain.net [sssd[krb5_child[7546]]][7546]: Realm
> not local to KDC
> May 06 16:48:32 dc1.ipadomain.net [sssd[krb5_child[7546]]][7546]: Realm
> not local to KDC
> May 06 16:48:32 dc1.ipadomain.net sshd[7542]: pam_sss(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.5.5.57 user=adusername
> May 06 16:48:32 dc1.ipadomain.net sshd[7542]: pam_sss(sshd:auth): received
> for user adusername: 4 (System error)
> May 06 16:48:34 dc1.ipadomain.net sshd[7542]: Failed password for
> adusername from 10.5.5.57 port 1870 ssh2
>
> ---- configuration 3 -----
> Notes : Since the error message given in the second try indicated that the
> realm wasn't local, I thought it might need both variations to recognize
> it as local.
>
> [realms]
>   IPADOMAIN.NET = {
>    kdc = dc1.ipadomain.net:88
>    master_kdc = dc1.ipadomain.net:88
>    admin_server = dc1.ipadomain.net:749
>    default_domain = ipadomain.net
>    pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>   ADDOMAIN.NET = {
>    kdc = dc3.corp.addomain.net:88
>    master_kdc = dc3.corp.addomain.net:88
> }
>
>   CORP.ADDOMAIN.NET = {
>    kdc = dc3.corp.addomain.net:88
>    master_kdc = dc3.corp.addomain.net:88
> }
>
> [domain_realm]
>   .ipadomain.net = IPADOMAIN.NET
>   ipadomain.net = IPADOMAIN.NET
>   addomain.net = ADDOMAIN.NET
>   .addomain.net = ADDOMAIN.NET
>   corp.addomain.net = CORP.ADDOMAIN.NET
>   .corp.addomain.net = CORP.ADDOMAIN.NET
>
> May 06 16:56:25 dc1.ipadomain.net [sssd[krb5_child[7664]]][7664]: Realm
> not local to KDC
> May 06 16:56:25 dc1.ipadomain.net [sssd[krb5_child[7664]]][7664]: Realm
> not local to KDC
> May 06 16:56:25 dc1.ipadomain.net sshd[7660]: pam_sss(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.5.5.57 user=adusername
> May 06 16:56:25 dc1.ipadomain.net sshd[7660]: pam_sss(sshd:auth): received
> for user adusername: 4 (System error)
> May 06 16:56:28 dc1.ipadomain.net sshd[7660]: Failed password for
> adusername from 10.5.5.57 port 1964 ssh2
>
>
>
>> If you want to look up user data like e.g. the UID  or the home
>> directory the IPA client will talk to the IPA server exclusively, if the
>> server does not know about the requested AD user it will try to get this
>> information from an AD DC.
>>
>> For authentication this is different, because only the AD DC should know
>> the password of the user. Hence authentication and password changes as
>> well are done directly with the AD DC.
>>
>>> Also this page here :
>>> https://www.freeipa.org/page/Active_Directory_trust_setup
>>>
>>> does not list having to add the AD domain in the krb5.conf.  Is that not
>>> necessary in the example because they are not using a different UPN for
>>> their users like we are?
>> yes, it is because of the UPN in your case. As I said before this
>> special entry in krb5.conf would not be needed anymore if the IPA KDC
>> supports the Kerberos client referrals for the trusted domains. Adding
>> the entry to krb5.conf is only a work-around here.
>>
>> bye,
>> Sumit
>
>


-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
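The two errors in the quoted logs come from two different stages of the Kerberos client's realm lookup, and the following script models that lookup against condensed copies of the poster's configuration 1 and configuration 2. It is an added example written for this page, not code from the thread or from FreeIPA/SSSD. It assumes (as constructed input, not taken from a real system) that the UPN suffix addomain.net is sent as the realm ADDOMAIN.NET, which is what the krb5_child lines show, and that dc3.corp.addomain.net serves only the realm CORP.ADDOMAIN.NET; the `KDC_SERVES` table stands in for the answer a real KDC gives when asked for a realm it does not hold.

```python
"""Model how a Kerberos client resolves a login principal against krb5.conf.

Added example for the thread above (not FreeIPA/SSSD code). Inputs below are
constructed: condensed copies of the poster's configuration 1 and 2, plus a
table of which realm each KDC host really serves.
"""
import re

# Constructed stand-in for the KDC's own answer: a KDC asked for a realm it
# does not hold replies with a wrong-realm error ("Realm not local to KDC").
KDC_SERVES = {
    "dc1.ipadomain.net": "IPADOMAIN.NET",
    "dc3.corp.addomain.net": "CORP.ADDOMAIN.NET",
}

# Poster's configuration 1, reduced to the kdc lines.
CONFIG_1 = """
[realms]
  IPADOMAIN.NET = {
    kdc = dc1.ipadomain.net:88
  }
  CORP.ADDOMAIN.NET = {
    kdc = dc3.corp.addomain.net:88
  }
[domain_realm]
  .ipadomain.net = IPADOMAIN.NET
  .corp.addomain.net = CORP.ADDOMAIN.NET
"""

# Poster's configuration 2: the UPN realm is declared, but pointed at the
# same DC, which serves CORP.ADDOMAIN.NET.
CONFIG_2 = """
[realms]
  IPADOMAIN.NET = {
    kdc = dc1.ipadomain.net:88
  }
  ADDOMAIN.NET = {
    kdc = dc3.corp.addomain.net:88
  }
[domain_realm]
  .ipadomain.net = IPADOMAIN.NET
  .addomain.net = ADDOMAIN.NET
"""


def parse_realms(text):
    """Parse the [realms] section of a krb5.conf into {REALM: {key: [values]}}.

    Only the brace syntax used in the thread is handled; other sections are
    skipped. Comments (# ...) and blank lines are ignored.
    """
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current = header.group(1), None
            continue
        if section != "realms":
            continue
        opener = re.fullmatch(r"([\w.\-]+)\s*=\s*\{", line)
        if opener:
            current = opener.group(1)
            realms.setdefault(current, {})
        elif line == "}":
            current = None
        elif current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            realms[current].setdefault(key, []).append(value)
    return realms


def principal_realm(principal):
    """Realm the client puts in the AS-REQ for 'user@suffix'.

    Assumption: the suffix is upper-cased to a realm name, matching the
    "ADDOMAIN.NET" the poster's krb5_child log reports.
    """
    return principal.rsplit("@", 1)[1].upper()


def diagnose(conf_text, principal, kdc_serves=KDC_SERVES):
    """Return the error the client would log for this principal, or 'OK'."""
    realm = principal_realm(principal)
    entry = parse_realms(conf_text).get(realm)
    if entry is None or not entry.get("kdc"):
        # Stage 1: no [realms] entry (and no DNS SRV fallback modelled here),
        # so there is nowhere to send the AS-REQ.
        return f'Cannot find KDC for realm "{realm}"'
    for kdc in entry["kdc"]:
        host = kdc.split(":", 1)[0].lower()
        served = kdc_serves.get(host)
        if served is None:
            return f"KDC {host} unreachable"
        if served != realm:
            # Stage 2: the KDC answers, but for a realm it does not hold.
            return f"Realm not local to KDC ({host} serves {served}, asked for {realm})"
    return "OK"


if __name__ == "__main__":
    for name, conf in (("configuration 1", CONFIG_1), ("configuration 2", CONFIG_2)):
        print(name, "->", diagnose(conf, "adusername@addomain.net"))
    # The same DC answers once it is asked for the realm it actually serves.
    print("AD realm        ->", diagnose(CONFIG_1, "adusername@corp.addomain.net"))
```

The script reproduces the thread's progression: configuration 1 fails before any network traffic because ADDOMAIN.NET has no [realms] entry, and configuration 2 (and 3, which adds nothing the lookup uses) gets as far as the DC, which rejects a realm it does not serve. Adding realm names to krb5.conf cannot change which realm the DC holds; the principal sent to dc3 has to carry CORP.ADDOMAIN.NET, or the name has to be sent in a form the KDC resolves itself (MIT Kerberos's enterprise-principal form, `kinit -E adusername@addomain.net`, is the manual way to test that against a real DC; the script only models the plain lookup the logs show).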



