[Freeipa-users] FreeIPA 4.3.0 Kerberos client referrals not working?

Nathan Peters Nathan.Peters at globalrelay.net
Tue Feb 16 22:23:30 UTC 2016


I have created a trust between my FreeIPA domain and an Active Directory domain. I can get a Kerberos ticket properly from the other domain at the command line on the IPA server.
I have also created sudo and HBAC rules to allow my AD users to log on to the IPA domain controller using the recommended nested external group setup.
However, I cannot actually log in to the machines.

I should note that our AD domain is office.mydomain.net, but we use alternative UPN suffixes so the usernames are user@mydomain.net.

I read the patch notes and apparently support for client referrals that will allow alternate UPN suffixes in trusted domains was added in FreeIPA 4.2.1.

Is there anything special I need to do to configure it beyond the creation of the original trust?  Do I need to set special options in krb5.conf or sssd.conf to get it to work?

==============Kinit works==========================
[root@dc1-ipa-dev-nvan log]# kinit nathan.peters@OFFICE.MYDOMAIN.NET
Password for nathan.peters@OFFICE.MYDOMAIN.NET:
[root@dc1-ipa-dev-nvan log]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_V7hjacL
Default principal: nathan.peters@OFFICE.MYDOMAIN.NET

Valid starting     Expires            Service principal
16/02/16 14:05:33  17/02/16 14:05:30  krbtgt/OFFICE.MYDOMAIN.NET@OFFICE.MYDOMAIN.NET

============/var/log/messages during login failure===============
Feb 16 14:10:14 dc1-ipa-dev-nvan audit: CRYPTO_SESSION pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 mac=hmac-sha2-256 pfs=diffie-hellman-group14-sha1 spid=2020 suid=74 rport=9577 laddr=10.178.0.99 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:20 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=gssapi acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd" hostname=10.8.134.154 addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:28:cf:eb:e1:3f:61:00:c5:ff:62:da:54:cc:bb:62:7c:e5:07:d1:3a:62:9e:7c:c0:3b:bc:8e:08:90:9a:9b:83 direction=? spid=2020 suid=74  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=2020 suid=74 rport=9577 laddr=10.178.0.99 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:f2:5c:54:6f:2a:0e:38:19:8c:e4:94:ef:53:2e:9b:ce:07:7f:bb:af:e0:65:7d:11:82:30:cf:03:0d:35:1b:ca direction=? spid=2019 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:4b:0e:be:22:b5:28:65:28:72:90:5b:81:70:99:ff:47:5d:3c:90:a8:81:12:d1:1f:a0:e7:a3:d0:29:d1:25:1e direction=? spid=2019 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:28:cf:eb:e1:3f:61:00:c5:ff:62:da:54:cc:bb:62:7c:e5:07:d1:3a:62:9e:7c:c0:3b:bc:8e:08:90:9a:9b:83 direction=? spid=2019 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: USER_LOGIN pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'

===================/var/log/secure during login failure=======================
Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Registered Authentication Agent for unix-process:1968:182654681 (system bus name :1.222 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8)
Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Unregistered Authentication Agent for unix-process:1968:182654681 (system bus name :1.222, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8) (disconnected from bus)
Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Registered Authentication Agent for unix-process:1979:182654684 (system bus name :1.223 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8)
Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Unregistered Authentication Agent for unix-process:1979:182654684 (system bus name :1.223, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8) (disconnected from bus)
Feb 16 14:10:02 dc1-ipa-dev-nvan sshd[2006]: Connection closed by 10.21.2.100 [preauth]
Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.134.154 user=nathan.peters@mydomain.net
Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): received for user nathan.peters@mydomain.net: 4 (System error)
Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: Failed password for nathan.peters@mydomain.net from 10.8.134.154 port 9577 ssh2
Feb 16 14:10:25 dc1-ipa-dev-nvan sshd[2019]: error: Received disconnect from 10.8.134.154: 13: Unable to authenticate [preauth]
Feb 16 14:10:25 dc1-ipa-dev-nvan sshd[2019]: Disconnected from 10.8.134.154 [preauth]
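The audit trail above is the one piece of hard evidence in the post: for a single sshd process (pid=2019) GSSAPI, PAM and password authentication all fail in turn and the session ends in a failed USER_LOGIN, while the account name carries the alternate UPN suffix (mydomain.net) rather than the realm the TGT was issued for (OFFICE.MYDOMAIN.NET). The following is an added example, not code from the post or from the FreeIPA project: a small parser for auditd USER_AUTH/USER_LOGIN records as they appear in /var/log/messages, which groups them per sshd process, reports which methods were tried and whether any succeeded, and flags the suffix-versus-realm difference the post describes. The sample records are constructed (modelled on the lines in the post, with a second, successful login added for contrast); grouping by pid and the suffix check are the example's own assumptions, and a suffix mismatch is a thing to look at, not a diagnosis.

```python
"""Summarise sshd authentication attempts from auditd records in syslog.

Added example; the records below are constructed to mirror the post's log
lines (plus one successful login) and are not a verbatim copy.
"""
import re

# Constructed sample records, same shape auditd writes via syslog.
SAMPLE_LOG = """\
Feb 16 14:10:14 dc1-ipa-dev-nvan audit: CRYPTO_SESSION pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 mac=hmac-sha2-256 pfs=diffie-hellman-group14-sha1 spid=2020 suid=74 rport=9577 laddr=10.178.0.99 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
Feb 16 14:10:20 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=gssapi acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd" hostname=10.8.134.154 addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:10:25 dc1-ipa-dev-nvan audit: USER_LOGIN pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
Feb 16 14:12:01 dc1-ipa-dev-nvan audit: USER_AUTH pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_sss acct="admin" exe="/usr/sbin/sshd" hostname=10.8.134.154 addr=10.8.134.154 terminal=ssh res=success'
Feb 16 14:12:01 dc1-ipa-dev-nvan audit: USER_LOGIN pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=success'
"""

# "audit: <TYPE> pid=<n> ... msg='<key=value ...>'"; the msg body may itself
# contain double quotes, so it is captured greedily up to the closing quote.
AUDIT_RE = re.compile(r"audit: (?P<type>[A-Z_]+) pid=(?P<pid>\d+) .*?msg='(?P<msg>.*)'$")
# key=value pairs inside msg; values are either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Return a dict of the record's fields (plus type and pid), or None."""
    m = AUDIT_RE.search(line.rstrip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("msg"))}
    rec["type"] = m.group("type")
    rec["pid"] = int(m.group("pid"))
    return rec


def summarize_ssh_attempts(lines):
    """Group sshd USER_AUTH/USER_LOGIN records by the sshd pid.

    Assumption of this example: one sshd child pid corresponds to one client
    session, so its records form one login attempt.
    Returns {pid: {"acct", "addr", "methods": [(op, res), ...], "login": res}}.
    """
    attempts = {}
    for line in lines:
        rec = parse_audit_record(line)
        if rec is None or rec.get("exe") != "/usr/sbin/sshd":
            continue
        if rec["type"] not in ("USER_AUTH", "USER_LOGIN"):
            continue
        a = attempts.setdefault(rec["pid"], {
            "acct": rec.get("acct"), "addr": rec.get("addr"),
            "methods": [], "login": None})
        if rec["type"] == "USER_AUTH":
            a["methods"].append((rec.get("op"), rec.get("res")))
        else:
            a["login"] = rec.get("res")
    return attempts


def exhausted_failures(attempts):
    """Pids where every offered method failed and the login itself failed."""
    return sorted(pid for pid, a in attempts.items()
                  if a["login"] == "failed" and a["methods"]
                  and all(res == "failed" for _, res in a["methods"]))


def upn_suffix_mismatch(login_name, ticket_principal):
    """True when the suffix typed at the ssh prompt differs from the realm of
    the TGT the user holds (the alternate-UPN-suffix case in the post).
    Realm comparison is case-insensitive; a bare login name has no suffix."""
    if "@" not in login_name:
        return False
    if "@" not in ticket_principal:
        raise ValueError("ticket principal must carry a realm: " + ticket_principal)
    suffix = login_name.rsplit("@", 1)[1].lower()
    realm = ticket_principal.rsplit("@", 1)[1].lower()
    return suffix != realm


if __name__ == "__main__":
    attempts = summarize_ssh_attempts(SAMPLE_LOG.splitlines())
    for pid, a in sorted(attempts.items()):
        tried = ", ".join(f"{op}={res}" for op, res in a["methods"])
        print(f"sshd[{pid}] {a['acct']} from {a['addr']}: {tried}; login={a['login']}")
    for pid in exhausted_failures(attempts):
        acct = attempts[pid]["acct"]
        if upn_suffix_mismatch(acct, "nathan.peters@OFFICE.MYDOMAIN.NET"):
            print(f"sshd[{pid}]: login suffix of {acct} differs from the TGT realm")
```

Run against a real /var/log/messages by replacing SAMPLE_LOG with the file's lines; the ticket principal passed to upn_suffix_mismatch is whatever klist shows as the default principal.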
