[Freeipa-users] dns_lookup_kdc question

Aly Khimji aly.khimji at gmail.com
Wed Sep 23 19:38:39 UTC 2015


Hey guys,

Quick question. Just running through a poc and ran into a question.

I have a simple AD DC (win2k8r2 box) with a trust set up to our IPA server.
The trust and all is set up properly: I can see users on the client/IPA
server, and on the IPA server I can ssh into it with the AD user.

I am finding that users are unable to log into the "client nodes" and are
getting a "4: System Error" failure in the ssh log. When I dig into
sssd in debug mode I can see it's failing to find the KDC for the "realm". Makes
sense so far. So I enable dns_lookup_kdc = true and now it is able to find
the realm and login is successful.

My question is, is "dns_lookup_kdc = true" required in any setup with an
AD/IPA trust + ssh into an IPA client with AD users?

I am wondering, as there may be a use case where the AD server is in another
network and IPA clients won't have direct access to AD. I was wondering if
there is any model in which the client only ever talks to the IPA server and
all the AD/Kerberos communication is handled via the IPA server, and if so, how
is this done?
I have read a bit and it looks as though what I am doing here is a
"legacy" setup. Just wondering if this is different in sssd 1.9 or if kdc =
True is always required.

I am not doing anything extra on the client other than the ipa-client
install.
No manual adjustment of sssd.conf or krb5.conf. If I am missing something,
please advise.

Thanks guys

Aly


SW info:

Server
ipa-admintools-4.1.0-18.el7.centos.4.x86_64
ipa-python-4.1.0-18.el7.centos.4.x86_64
ipa-client-4.1.0-18.el7.centos.4.x86_64
ipa-server-trust-ad-4.1.0-18.el7.centos.4.x86_64
ipa-server-4.1.0-18.el7.centos.4.x86_64


el7 Client
sssd-client-1.12.2-58.el7_1.17.x86_64
sssd-common-1.12.2-58.el7_1.17.x86_64
sssd-ad-1.12.2-58.el7_1.17.x86_64
sssd-proxy-1.12.2-58.el7_1.17.x86_64
sssd-krb5-1.12.2-58.el7_1.17.x86_64
ipa-python-4.1.0-18.el7.centos.4.x86_64
sssd-krb5-common-1.12.2-58.el7_1.17.x86_64
sssd-common-pac-1.12.2-58.el7_1.17.x86_64
sssd-ipa-1.12.2-58.el7_1.17.x86_64
sssd-ldap-1.12.2-58.el7_1.17.x86_64
sssd-1.12.2-58.el7_1.17.x86_64
ipa-client-4.1.0-18.el7.centos.4.x86_64

el6 client
sssd-common-1.12.4-47.el6.x86_64
sssd-proxy-1.12.4-47.el6.x86_64
sssd-krb5-common-1.12.4-47.el6.x86_64
sssd-ad-1.12.4-47.el6.x86_64
sssd-1.12.4-47.el6.x86_64
ipa-python-3.0.0-47.el6.centos.x86_64
sssd-client-1.12.4-47.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
sssd-krb5-1.12.4-47.el6.x86_64
ipa-client-3.0.0-47.el6.centos.x86_64
sssd-common-pac-1.12.4-47.el6.x86_64
sssd-ldap-1.12.4-47.el6.x86_64
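The question above turns on how libkrb5 on the client locates a KDC for a realm that is not its own. MIT krb5 consults the [realms] section of krb5.conf first; dns_lookup_kdc only controls whether it falls back to DNS SRV records (_kerberos._udp.<realm> and _kerberos._tcp.<realm>) when no kdc entry exists. The script below is an added example, not code from the original post or from FreeIPA/SSSD: it parses a constructed krb5.conf in the shape an IPA client carries, reports which of the two mechanisms would serve a given realm (or neither, which is the "cannot find KDC" case the post describes), shows the static alternative of pinning the trusted AD realm's KDC in [realms], and orders SRV answers the way a client should try them. All realm names, hostnames and the SRV answer are constructed for illustration; the live lookup helper assumes dig from bind-utils is installed and is not needed for the offline part.

```python
"""Added example: how libkrb5 would locate the KDC of a realm from krb5.conf.
Not from the original post or from FreeIPA/SSSD; all names are constructed."""

import subprocess


def parse_krb5_conf(text):
    """Minimal parser for the krb5.conf subset that matters here:
    [libdefaults] key = value lines and [realms] REALM = { ... } blocks.
    Repeated keys inside a block (several kdc lines) are kept in order."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
            block = None
        elif section is None:
            continue
        elif line.endswith("{"):  # e.g. "AD.EXAMPLE.COM = {"
            block = line[:-1].rstrip().rstrip("=").strip()
            conf[section].setdefault(block, {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if block is None:
                conf[section][key.lower()] = value
            else:
                conf[section][block].setdefault(key.lower(), []).append(value)
    return conf


def kdc_lookup_plan(conf, realm):
    """('static', [kdc, ...]) when [realms] pins KDCs for the realm,
    ('dns', [srv names]) when libkrb5 would fall back to DNS SRV discovery
    (dns_lookup_kdc defaults to true when absent), ('none', []) otherwise."""
    pinned = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if pinned:
        return "static", list(pinned)
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", "true").lower()
    if flag in ("true", "yes", "on", "1", "t", "y"):
        name = realm.lower()
        return "dns", ["_kerberos._udp." + name, "_kerberos._tcp." + name]
    return "none", []


def parse_dig_short(output):
    """Parse `dig +short NAME SRV` lines: 'priority weight port target.'."""
    records = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 4:
            records.append((int(fields[0]), int(fields[1]), int(fields[2]), fields[3]))
    return records


def rank_srv(records):
    """Order SRV answers as a client should try them: lowest priority first,
    then highest weight (weighted-random tie breaking omitted for clarity)."""
    ordered = sorted(records, key=lambda r: (r[0], -r[1]))
    return ["%s:%d" % (target.rstrip("."), port) for _, _, port, target in ordered]


def live_srv(name):
    """Live check from a client shell (assumes dig is installed; not run offline)."""
    out = subprocess.run(["dig", "+short", name, "SRV"], capture_output=True, text=True)
    return rank_srv(parse_dig_short(out.stdout))


def check(conf_text, realm):
    return kdc_lookup_plan(parse_krb5_conf(conf_text), realm)


# Constructed krb5.conf in the shape an IPA client carries: IPA realm pinned,
# DNS discovery switched off, nothing about the trusted AD realm.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = IPA.EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false

[realms]
  IPA.EXAMPLE.COM = {
    kdc = ipa1.ipa.example.com:88
    master_kdc = ipa1.ipa.example.com:88
    admin_server = ipa1.ipa.example.com:749
    default_domain = ipa.example.com
  }
"""

# Constructed [realms] entry pinning the AD realm's KDC; append inside [realms].
AD_REALM_BLOCK = """\
  AD.EXAMPLE.COM = {
    kdc = dc1.ad.example.com:88
  }
"""

# Constructed `dig +short _kerberos._tcp.ad.example.com SRV` answer.
SAMPLE_SRV = """\
0 100 88 dc1.ad.example.com.
0 50 88 dc2.ad.example.com.
10 100 88 dc-dr.ad.example.com.
"""

if __name__ == "__main__":
    for realm in ("IPA.EXAMPLE.COM", "AD.EXAMPLE.COM"):
        print(realm, check(SAMPLE_KRB5_CONF, realm))
    enabled = SAMPLE_KRB5_CONF.replace("dns_lookup_kdc = false", "dns_lookup_kdc = true")
    print("dns_lookup_kdc = true:", check(enabled, "AD.EXAMPLE.COM"))
    print("pinned AD KDC:", check(SAMPLE_KRB5_CONF + AD_REALM_BLOCK, "AD.EXAMPLE.COM"))
    print("SRV order:", rank_srv(parse_dig_short(SAMPLE_SRV)))
```

Either branch gets the client a KDC address for the AD realm; both require that the client can then reach that address on port 88. Run `live_srv("_kerberos._tcp.<ad domain>")` from a client to confirm the resolver it actually uses returns the AD DCs before flipping dns_lookup_kdc.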