[Freeipa-users] FreeIPA 4.3.0 Kerberos client referrals not working?

Alexander Bokovoy abokovoy at redhat.com
Wed Feb 17 07:07:38 UTC 2016


On Tue, 16 Feb 2016, Nathan Peters wrote:
>I have created a trust between my FreeIPA domain and an active
>directory domain.  I can get a kerberos ticket properly from the other
>domain at the command line on the IPA server.  I have also created sudo
>and HBAC rules to allow my AD users to logon to the IPA domain
>controller using the recommended nested external group setup.
>However, I can not actually login to the machines.
>
>I should note that our AD domain is office.mydomain.net, but we use
>alternative UPN suffixes so the usernames are user at mydomain.net.
>
>I read the patch notes and apparently support for client referrals that
>will allow alternate UPN suffixes in trusted domains was added in
>FreeIPA 4.2.1.
>
>Is there anything special I need to do to configure it beyond the
>creation of the original trust?  Do I need to set special options in
>krb5.conf or sssd.conf to get it to work?
Not sure what you are trying to achieve. In the output of your 'kinit'
call you are not talking to the IPA KDC. Instead, you are talking directly
to your AD DCs.  You can verify it by setting KRB5_TRACE=/dev/stderr in
the environment where you would run 'kinit user at AD'. How is the IPA KDC
involved?

>Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.134.154 user=nathan.peters at mydomain.net
>Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): received for user nathan.peters at mydomain.net: 4 (System error)
>Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: Failed password for nathan.peters at mydomain.net from 10.8.134.154 port 9577 ssh2
>Feb 16 14:10:25 dc1-ipa-dev-nvan sshd[2019]: error: Received disconnect from 10.8.134.154: 13: Unable to authenticate [preauth]
>Feb 16 14:10:25 dc1-ipa-dev-nvan sshd[2019]: Disconnected from 10.8.134.154 [preauth]
Use https://fedorahosted.org/sssd/wiki/Troubleshooting to produce sssd
logs that can be analyzed. The logs above are mostly useless; they don't
tell anything.

-- 
/ Alexander Bokovoy
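The check Alexander suggests (run `KRB5_TRACE=/dev/stderr kinit user@REALM 2> trace.log` and read which KDC actually answered) can be automated. The following is an added example, not code from the thread or from the FreeIPA or SSSD projects: it parses the MIT krb5 trace format (`[pid] time: message` lines) and reports, per realm requested, which `host:port` endpoints were contacted and which answered, so you can tell at a glance whether the IPA KDC was ever involved or whether the client went straight to the AD domain controllers. The trace text, realm names and addresses embedded below are constructed for the example and are not from the original post.

```python
import re
from collections import defaultdict

# Constructed sample of KRB5_TRACE output (not from the thread). The line
# shapes follow MIT krb5's trace messages; addresses and realm are made up.
SAMPLE_TRACE = """\
[2019] 1455606623.100001: Getting initial credentials for user@AD.EXAMPLE.TEST
[2019] 1455606623.100002: Sending unauthenticated request
[2019] 1455606623.100003: Sending request (180 bytes) to AD.EXAMPLE.TEST
[2019] 1455606623.100004: Resolving hostname dc01.ad.example.test
[2019] 1455606623.100005: Sending initial UDP request to dgram 192.0.2.10:88
[2019] 1455606623.100006: Received answer (250 bytes) from dgram 192.0.2.10:88
[2019] 1455606623.100007: Received error from KDC: -1765328359/Additional pre-authentication required
[2019] 1455606623.100008: Sending request (300 bytes) to AD.EXAMPLE.TEST
[2019] 1455606623.100009: Initiating TCP connection to stream 192.0.2.10:88
[2019] 1455606623.100010: Received answer (1400 bytes) from stream 192.0.2.10:88
"""

# One trace line: "[pid] seconds.micros: message"
LINE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
# Which realm the next requests are aimed at
REQ_REALM_RE = re.compile(r"Sending request \(\d+ bytes\) to (\S+)")
# An attempt to reach a KDC endpoint over UDP or TCP
CONTACT_RE = re.compile(
    r"(?:Sending initial UDP request to dgram|Initiating TCP connection to stream) (\S+)"
)
# A KDC that actually replied
ANSWER_RE = re.compile(r"Received answer \(\d+ bytes\) from (?:dgram|stream) (\S+)")


def summarize_kdc_contacts(trace):
    """Map each requested realm to the endpoints contacted and the ones that answered."""
    contacted = defaultdict(set)
    answered = defaultdict(set)
    realm = None  # realm named by the most recent "Sending request ... to REALM"
    for raw in trace.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a trace line (e.g. kinit's own prompt output)
        msg = m.group(3)
        r = REQ_REALM_RE.search(msg)
        if r:
            realm = r.group(1)
            continue
        c = CONTACT_RE.search(msg)
        if c and realm:
            contacted[realm].add(c.group(1))
            continue
        a = ANSWER_RE.search(msg)
        if a and realm:
            answered[realm].add(a.group(1))
    return {"contacted": dict(contacted), "answered": dict(answered)}


def kdc_involved(trace, kdc_endpoints):
    """Return the subset of kdc_endpoints ("host:port") that answered in the trace.

    An empty set means none of those KDCs (for instance the IPA KDC) was ever
    part of the exchange, which is the situation described in the reply above.
    """
    summary = summarize_kdc_contacts(trace)
    hits = set()
    for endpoints in summary["answered"].values():
        hits |= endpoints & set(kdc_endpoints)
    return hits


if __name__ == "__main__":
    report = summarize_kdc_contacts(SAMPLE_TRACE)
    for realm, eps in report["answered"].items():
        print(f"realm {realm}: answered by {sorted(eps)}")
    # Hypothetical IPA KDC address; replace with your own server's host:port.
    ipa = {"198.51.100.5:88"}
    print("IPA KDC answered:", bool(kdc_involved(SAMPLE_TRACE, ipa)))
```

Feed it the file written by `2> trace.log`; if the realm reported is the AD realm and the only answering endpoints are AD domain controllers, the IPA KDC never saw the request, so no amount of IPA-side referral configuration will change the result of that particular `kinit`.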
