[Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

[nathan at nathanpeters.com]

> On 05/06/2015 02:15 PM, nathan at nathanpeters.com wrote:
>> Ok, I have attempted to set this up by adding the AD domain to my
>> configuration and it still isn't working.
>> I just want to confirm what I'm trying to accomplish here before I list
>> what I've done to troubleshoot this.
>>
>> We have an AD domain called corp.addomain.net.  We have UPNs set so AD
>> users login to the AD domain as adusername at addomain.net when they login
>> to
>> windows machines.
>>
>> The linux clients in our network are currently just using straight up
>> kerberos authentication against the domain and can currently login as
>> 'username' without entering any suffix.
>>
>> Because this means we can't control sudo policies centrally by our
>> current
>> direct kerberos connection, we want to switch to logging in through
>> FreeIPA.
>> I need to be clear that we want to maintain the current logins of just
>> 'username' on Linux servers.
>>
>> To accomplish this, I added the following line to the sssd.conf file:
>> default_domain_suffix = corp.addomain.net
>
> I am not by any mean a specialist here but shouldn't it be the actual
> suffix that is appended to the user name, i.e.
>
> default_domain_suffix = addomain.net

I don't think so.  I think it is technically supposed to be the actual
domain, since the upn is just an alias at the username level. When I try
with addomain.net instead of the actual domain corp.addomain.net it
doesnt' even recognize the username or try to contact any kdc.  Here is
the log entry:

May 07 04:38:24 dc1.ipadomain.net sshd[9893]: Invalid user adusername from
10.5.5.57
May 07 04:38:24 dc1.ipadomain.net sshd[9893]: input_userauth_request:
invalid user adusername [preauth]
May 07 04:38:27 dc1.ipadomain.net sshd[9893]: pam_unix(sshd:auth): check
pass; user unknown
May 07 04:38:27 dc1.ipadomain.net sshd[9893]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.5.5.57
May 07 04:38:28 dc1.ipadomain.net sshd[9893]: Failed password for invalid
user adusername from 10.5.5.57 port 10921 ssh2



>
>
>
>>
>> I have tried 3 different combinations of kerberos config to try to get
>> the
>> logins to work, but am running into errors in each case.  I have tried
>> to
>> follow the suggestions given earlier in this thread.  Here are the 3
>> krb.conf configurations I tried and the errors given on each try.
>>
>> -------------- configuration 1 -------------------
>>
>> [realms]
>>   IPADOMAIN.NET = {
>>    kdc = dc1.ipadomain.net:88
>>    master_kdc = dc1.ipadomain.net:88
>>    admin_server = dc1.ipadomain.net:749
>>    default_domain = ipadomain.net
>>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>>    auth_to_local =
>> RULE:[1:$1@$0](^.*@CORP.ADDOMAIN.NET$)s/@CORP.ADDOMAIN.NET/@corp.addomain.net/
>>    auth_to_local = DEFAULT
>> }
>> CORP.ADDOMAIN.NET = {
>>    kdc = dc3.corp.addomain.net:88
>>    master_kdc = dc3.corp.addomain.net:88
>> }
>>
>> [domain_realm]
>>   .ipadomain.net = IPADOMAIN.NET
>>   ipadomain.net = IPADOMAIN.NET
>>   .corp.addomain.net = CORP.ADDOMAIN.NET
>>   corp.addomain.net = CORP.ADDOMAIN.NET
>>
>>
>> May 06 16:43:53 dc1.ipadomain.net [sssd[krb5_child[7512]]][7512]: Cannot
>> find KDC for realm "ADDOMAIN.NET"
>> May 06 16:43:53 dc1.ipadomain.net [sssd[krb5_child[7512]]][7512]: Cannot
>> find KDC for realm "ADDOMAIN.NET"
>> May 06 16:43:53 dc1.ipadomain.net sshd[7508]: pam_sss(sshd:auth):
>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=10.5.5.57 user=adusername
>> May 06 16:43:53 dc1.ipadomain.net sshd[7508]: pam_sss(sshd:auth):
>> received
>> for user adusername: 4 (System error)
>> May 06 16:43:55 dc1.ipadomain.net sshd[7508]: Failed password for
>> adusername from 10.5.5.57 port 1832 ssh2
>>
>> ----------- configuration 2 ----------------
>>
>> Notes : since the above error seemed to imply that I needed to add the
>> 'UPN realm' to the [realms] section I tried to add it.
>>
>> [realms]
>>   IPADOMAIN.NET = {
>>    kdc = dc1.ipadomain.net:88
>>    master_kdc = dc1.ipadomain.net:88
>>    admin_server = dc1.ipadomain.net:749
>>    default_domain = ipadomain.net
>>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>>    auth_to_local =
>> RULE:[1:$1@$0](^.*@CORP.ADDOMAIN.NET$)s/@CORP.ADDOMAIN.NET/@corp.addomain.net/
>>    auth_to_local = DEFAULT
>>
>> }
>>   ADDOMAIN.NET = {
>>    kdc = dc3.corp.addomain.net:88
>>    master_kdc = dc3.corp.addomain.net:88
>> }
>>
>> [domain_realm]
>>   .ipadomain.net = IPADOMAIN.NET
>>   ipadomain.net = IPADOMAIN.NET
>>   addomain.net = ADDOMAIN.NET
>>   .addomain.net = ADDOMAIN.NET
>>
>> May 06 16:48:32 dc1.ipadomain.net [sssd[krb5_child[7546]]][7546]: Realm
>> not local to KDC
>> May 06 16:48:32 dc1.ipadomain.net [sssd[krb5_child[7546]]][7546]: Realm
>> not local to KDC
>> May 06 16:48:32 dc1.ipadomain.net sshd[7542]: pam_sss(sshd:auth):
>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=10.5.5.57 user=adusername
>> May 06 16:48:32 dc1.ipadomain.net sshd[7542]: pam_sss(sshd:auth):
>> received
>> for user adusername: 4 (System error)
>> May 06 16:48:34 dc1.ipadomain.net sshd[7542]: Failed password for
>> adusername from 10.5.5.57 port 1870 ssh2
>>
>> ---- configuration 3 -----
>> Notes : Since the eror message given in the second try indicated that
>> the
>> realm wasn't local, I thought it might need both variations to recognize
>> it as local.
>>
>> [realms]
>>   IPADOMAIN.NET = {
>>    kdc = dc1.ipadomain.net:88
>>    master_kdc = dc1.ipadomain.net:88
>>    admin_server = dc1.ipadomain.net:749
>>    default_domain = ipadomain.net
>>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>> }
>>   ADDOMAIN.NET = {
>>    kdc = dc3.corp.addomain.net:88
>>    master_kdc = dc3.corp.addomain.net:88
>> }
>>
>>   CORP.ADDOMAIN.NET = {
>>    kdc = dc3.corp.addomain.net:88
>>    master_kdc = dc3.corp.addomain.net:88
>> }
>>
>> [domain_realm]
>>   .ipadomain.net = IPADOMAIN.NET
>>   ipadomain.net = IPADOMAIN.NET
>>   addomain.net = ADDOMAIN.NET
>>   .addomain.net = ADDOMAIN.NET
>>   corp.addomain.net = CORP.ADDOMAIN.NET
>>   .corp.addomain.net = CORP.ADDOMAIN.NET
>>
>> May 06 16:56:25 dc1.ipadomain.net [sssd[krb5_child[7664]]][7664]: Realm
>> not local to KDC
>> May 06 16:56:25 dc1.ipadomain.net [sssd[krb5_child[7664]]][7664]: Realm
>> not local to KDC
>> May 06 16:56:25 dc1.ipadomain.net sshd[7660]: pam_sss(sshd:auth):
>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=10.5.5.57 user=adusername
>> May 06 16:56:25 dc1.ipadomain.net sshd[7660]: pam_sss(sshd:auth):
>> received
>> for user adusername: 4 (System error)
>> May 06 16:56:28 dc1.ipadomain.net sshd[7660]: Failed password for
>> adusername from 10.5.5.57 port 1964 ssh2
>>
>>
>>
>>> If you want to look up user data like e.g. the UID  or the home
>>> directory the IPA client will talk to the IPA server exclusively, if
>>> the
>>> server does not know about the requested AD user it will try to get
>>> this
>>> information from a AD DC.
>>>
>>> For authentication this is different, because only the AD DC should
>>> know
>>> the password of the user. Hence authentication ans password changes as
>>> well are done directly with the AD DC.
>>>
>>>> Also this page here :
>>>> https://www.freeipa.org/page/Active_Directory_trust_setup
>>>>
>>>> does not list having to add the AD domain in the krb5.conf.  Is that
>>>> not
>>>> necessary in the example because they are not using a different UPN
>>>> for
>>>> their users like we are?
>>> yes, it is because of the UPN in your case. As I said before this
>>> special entry in krb5.conf would not be needed anymore if the IPA KDC
>>> supports the Kerberos client referrals for the trusted domains. Adding
>>> the entry to krb5.conf in only a work-around here.
>>>
>>> bye,
>>> Sumit
>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Director of Engineering for IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>