[Freeipa-users] FreeIPA 4.3.0 Kerberos client referrals not working?

Sumit Bose sbose at redhat.com
Wed Feb 17 08:13:00 UTC 2016


On Tue, Feb 16, 2016 at 10:23:30PM +0000, Nathan Peters wrote:
> I have created a trust between my FreeIPA domain and an Active Directory domain.  I can get a Kerberos ticket properly from the other domain at the command line on the IPA server.
> I have also created sudo and HBAC rules to allow my AD users to log on to the IPA domain controller using the recommended nested external group setup.
> However, I cannot actually log in to the machines.
> 
> I should note that our AD domain is office.mydomain.net, but we use alternative UPN suffixes so the usernames are user@mydomain.net.
> 
> I read the patch notes and apparently support for client referrals that will allow alternate UPN suffixes in trusted domains was added in FreeIPA 4.2.1.

While client referrals with the realm derived from the domain name
already work, the UPN support is currently WIP
(https://fedorahosted.org/freeipa/ticket/5354).

HTH

bye,
Sumit

> 
> Is there anything special I need to do to configure it beyond the creation of the original trust?  Do I need to set special options in krb5.conf or sssd.conf to get it to work?
> 
> ==============Kinit works==========================
> [root@dc1-ipa-dev-nvan log]# kinit nathan.peters@OFFICE.MYDOMAIN.NET
> Password for nathan.peters@OFFICE.MYDOMAIN.NET:
> [root@dc1-ipa-dev-nvan log]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_V7hjacL
> Default principal: nathan.peters@OFFICE.MYDOMAIN.NET
> 
> Valid starting     Expires            Service principal
> 16/02/16 14:05:33  17/02/16 14:05:30  krbtgt/OFFICE.MYDOMAIN.NET@OFFICE.MYDOMAIN.NET
> 
> ============/var/log/messages during login failure===============
> Feb 16 14:10:14 dc1-ipa-dev-nvan audit: CRYPTO_SESSION pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 mac=hmac-sha2-256 pfs=diffie-hellman-group14-sha1 spid=2020 suid=74 rport=9577 laddr=10.178.0.99 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:20 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=gssapi acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
> Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd" hostname=10.8.134.154 addr=10.8.134.154 terminal=ssh res=failed'
> Feb 16 14:10:23 dc1-ipa-dev-nvan audit: USER_AUTH pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:28:cf:eb:e1:3f:61:00:c5:ff:62:da:54:cc:bb:62:7c:e5:07:d1:3a:62:9e:7c:c0:3b:bc:8e:08:90:9a:9b:83 direction=? spid=2020 suid=74  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=2020 suid=74 rport=9577 laddr=10.178.0.99 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:f2:5c:54:6f:2a:0e:38:19:8c:e4:94:ef:53:2e:9b:ce:07:7f:bb:af:e0:65:7d:11:82:30:cf:03:0d:35:1b:ca direction=? spid=2019 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:4b:0e:be:22:b5:28:65:28:72:90:5b:81:70:99:ff:47:5d:3c:90:a8:81:12:d1:1f:a0:e7:a3:d0:29:d1:25:1e direction=? spid=2019 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: CRYPTO_KEY_USER pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:28:cf:eb:e1:3f:61:00:c5:ff:62:da:54:cc:bb:62:7c:e5:07:d1:3a:62:9e:7c:c0:3b:bc:8e:08:90:9a:9b:83 direction=? spid=2019 suid=0  exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=? res=success'
> Feb 16 14:10:25 dc1-ipa-dev-nvan audit: USER_LOGIN pid=2019 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd" hostname=? addr=10.8.134.154 terminal=ssh res=failed'
> 
> ===================/var/log/secure during login failure=======================
> Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Registered Authentication Agent for unix-process:1968:182654681 (system bus name :1.222 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8)
> Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Unregistered Authentication Agent for unix-process:1968:182654681 (system bus name :1.222, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8) (disconnected from bus)
> Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Registered Authentication Agent for unix-process:1979:182654684 (system bus name :1.223 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8)
> Feb 16 14:09:56 dc1-ipa-dev-nvan polkitd[604]: Unregistered Authentication Agent for unix-process:1979:182654684 (system bus name :1.223, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8) (disconnected from bus)
> Feb 16 14:10:02 dc1-ipa-dev-nvan sshd[2006]: Connection closed by 10.21.2.100 [preauth]
> Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.134.154 user=nathan.peters@mydomain.net
> Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): received for user nathan.peters@mydomain.net: 4 (System error)
> Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: Failed password for nathan.peters@mydomain.net from 10.8.134.154 port 9577 ssh2
> Feb 16 14:10:25 dc1-ipa-dev-nvan sshd[2019]: error: Received disconnect from 10.8.134.154: 13: Unable to authenticate [preauth]
> Feb 16 14:10:25 dc1-ipa-dev-nvan sshd[2019]: Disconnected from 10.8.134.154 [preauth]
> 

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
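The two resolution paths Sumit's reply distinguishes, modelled in code. This is an added example and not FreeIPA, SSSD or MIT krb5 code; the trust table, the UPN-suffix table and the audit line in it are constructed to match the thread (trusted AD domain office.mydomain.net, users presenting themselves as user@mydomain.net). It shows why `kinit nathan.peters@OFFICE.MYDOMAIN.NET` succeeds (explicit realm), why a name whose domain part is the trusted domain can be referred by deriving the realm from the DNS name, and why an alternative UPN suffix such as mydomain.net is never reached by that derivation, so a KDC without a UPN-suffix table (the 4.3.0 situation described in the reply) has no realm to refer the client to:

```python
"""Model of Kerberos client-referral realm resolution for trusted AD users.

Added example; not FreeIPA, SSSD or MIT krb5 code. The trust table, the
UPN-suffix table and the audit line below are constructed to match the thread
(trusted AD domain office.mydomain.net, users logging in as user@mydomain.net).
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed: trusted AD domains as seen from the IPA side (DNS name -> realm).
TRUSTED_DOMAINS: Dict[str, str] = {
    "office.mydomain.net": "OFFICE.MYDOMAIN.NET",
}

# Constructed: alternative UPN suffixes registered in that forest. The reply
# says this lookup is not implemented yet in 4.3.0, so pass None to model that
# release and pass this table to model a KDC that does consult UPN suffixes.
UPN_SUFFIXES: Dict[str, str] = {
    "mydomain.net": "OFFICE.MYDOMAIN.NET",
}

AUDIT_ACCT = re.compile(r'acct="([^"]+)"')


@dataclass(frozen=True)
class Resolution:
    name: str               # login name as presented by the client
    realm: Optional[str]    # realm the KDC would refer the client to, or None
    how: str                # which rule produced the answer


def realm_from_domain(domain: str, trusted: Dict[str, str]) -> Optional[str]:
    """DNS-derived mapping: walk up the name (a.b.c -> b.c -> c) and take the
    first label suffix that is a trusted domain. The walk only goes upward, so
    a suffix that is a *parent* of the trusted domain never matches."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        realm = trusted.get(".".join(labels[i:]))
        if realm is not None:
            return realm
    return None


def resolve_client_realm(name: str,
                         trusted: Dict[str, str] = TRUSTED_DOMAINS,
                         upn_suffixes: Optional[Dict[str, str]] = None) -> Resolution:
    """Resolve the realm for a login name in the order a KDC would try:
    1. the part after '@' is already a known realm (case-sensitive);
    2. treat it as a DNS domain and derive the realm from it;
    3. treat it as an alternative UPN suffix, if a suffix table is available.
    """
    if "@" not in name:
        return Resolution(name, None, "no realm or domain part; nothing to refer")
    _, suffix = name.rsplit("@", 1)

    if suffix in trusted.values():
        return Resolution(name, suffix, "explicit realm")

    realm = realm_from_domain(suffix, trusted)
    if realm is not None:
        return Resolution(name, realm, "realm derived from domain name")

    if upn_suffixes:
        realm = upn_suffixes.get(suffix.lower())
        if realm is not None:
            return Resolution(name, realm, "alternative UPN suffix lookup")

    return Resolution(name, None, "unknown client principal (no referral possible)")


def account_from_audit_line(line: str) -> Optional[str]:
    """Pull acct="..." out of a USER_AUTH audit record. Mailing-list archives
    rewrite '@' as ' at ', so that form is accepted too."""
    m = AUDIT_ACCT.search(line)
    return m.group(1).replace(" at ", "@") if m else None


def diagnose(line: str, upn_suffixes: Optional[Dict[str, str]] = None) -> Resolution:
    """Explain a failed login from its audit line."""
    acct = account_from_audit_line(line)
    if acct is None:
        raise ValueError("no acct= field in audit line")
    return resolve_client_realm(acct, upn_suffixes=upn_suffixes)


# Constructed audit line, shaped like the USER_AUTH record in the thread.
SAMPLE_AUDIT = ("audit: USER_AUTH pid=2019 uid=0 msg='op=gssapi "
                'acct="nathan.peters@mydomain.net" exe="/usr/sbin/sshd" '
                "terminal=ssh res=failed'")

if __name__ == "__main__":
    for n in ("nathan.peters@OFFICE.MYDOMAIN.NET",
              "nathan.peters@office.mydomain.net",
              "nathan.peters@mydomain.net"):
        print(resolve_client_realm(n))
    print(diagnose(SAMPLE_AUDIT))                # without UPN-suffix support: no realm
    print(diagnose(SAMPLE_AUDIT, UPN_SUFFIXES))  # with it: OFFICE.MYDOMAIN.NET
```

Running the script walks the three name forms and then the audit line twice, once without and once with the suffix table; the only case that changes is the alternative-suffix login, which is the one failing in the logs above. The model deliberately stops at realm resolution: it says nothing about the later `pam_sss ... 4 (System error)` step, which the thread does not explain.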



