[Freeipa-users] Cross Domain Trust

Zoske, Fabian f.zoske at euroimmun.de
Thu Jan 28 09:22:40 UTC 2016


Thank you Jakub, this solves the issue.

Best regards,
Fabian

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
Sent: Monday, 18 January 2016 18:46
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Cross Domain Trust

On Mon, Jan 18, 2016 at 06:02:43PM +0100, Lukas Slebodnik wrote:
> On (12/01/16 11:11), Lukas Slebodnik wrote:
> >On (12/01/16 08:25), Zoske, Fabian wrote:
> >>We recently upgraded our IPA-Server from CentOS 7.1 to CentOS 7.2. So far no differences.
> >>
> >Then please provide sssd logfiles (1.13.3) from client and also log 
> >files from sssd on freeipa server (sssd on freeipa server is used 
> >indirectly by extop plugin in 389-ds)
> >
> >Please provide log files from the same time when you reproduced an issue.
> >
> Thank you very much for log files.
> 
> Authentication on client failed due to the following error:
> (Thu Jan 14 12:58:36 2016) [[sssd[krb5_child[992]]]] [sss_child_krb5_trace_cb] (0x4000): [992] 1452772716.736098: Sending request (173 bytes) to EUROIMMUN.TEST (master)
> 
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [get_and_save_tgt] (0x0020): 1232: [-1765328230][Cannot find KDC for realm "EUROIMMUN.TEST"]
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [map_krb5_error] (0x0020): 1301: [-1765328230][Cannot find KDC for realm "EUROIMMUN.TEST"]
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [k5c_send_data] (0x0200): Received error code 1432158209
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [pack_response_packet] (0x2000): response packet size: [4]
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [k5c_send_data] (0x4000): Response sent.
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [main] (0x0400): krb5_child completed successfully
> 
> 
> Have you defined the realm "EUROIMMUN.TEST" in your krb5.conf?
> 
> It is possible that sssd wrote a snippet to the directory 
> /var/lib/sss/pubconf/krb5.include.d/
> but this directory is not included in krb5.conf.
> 
> $ grep includedir /etc/krb5.conf
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> BTW you can test the same operation as sssd did from command line.
> 
> KRB5_TRACE=/dev/stderr kinit f.zoske at EUROIMMUN.TEST
> 
> or is this principal name an enterprise name?

IIRC this came up in a private conversation, too. In short, enterprise principals are not supported in an IPA-AD trust scenario, but one can work around that by using:
    subdomain_inherit = ldap_user_principal
    ldap_user_principal = nosuchattr
and thus tricking sssd into 'deriving' the UPN from the domain name.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
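The check Lukas describes above (is the realm defined in the effective krb5.conf, and is the sssd snippet directory actually pulled in by an `includedir` line?) can be scripted. The following is an added example, not code from this thread, from sssd or from FreeIPA. It builds the thread's situation in a scratch directory: a snippet for EUROIMMUN.TEST exists under a krb5.include.d directory, but one krb5.conf lacks the `includedir` line and a second one has it. The snippet content, the realm names and the hostnames are constructed for the demonstration (the real file sssd writes looks different); the script never reads /etc/krb5.conf. It applies the file-name rule libkrb5 used at the time of the thread (krb5 1.13): only files whose names consist of alphanumerics, `-` and `_` are included, so a stray `.bak` copy is ignored.

```shell
#!/bin/sh
# Added example, not code from the thread or from sssd/FreeIPA.
# A realm counts as defined if it has a [realms] stanza in krb5.conf itself
# or in a file loaded through an `includedir` line. libkrb5 1.13 only loads
# includedir entries whose names consist of alphanumerics, '-' and '_'
# (krb5 1.17 and later additionally accept names ending in .conf).
# Everything below lives in a scratch directory; /etc/krb5.conf is not read.

# included_files CONF: print the files an `includedir DIR` line in CONF
# would load, applying libkrb5's file-name rule.
included_files() {
    awk '$1 == "includedir" { print $2 }' "$1" | while read -r dir; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            case "${f##*/}" in
                *[!A-Za-z0-9_-]*) continue ;;   # e.g. "foo.bak": skipped by libkrb5 too
            esac
            printf '%s\n' "$f"
        done
    done
}

# realm_defined CONF REALM: exit 0 if REALM has a [realms] stanza in CONF
# or in any file CONF includes, else 1.
realm_defined() {
    conf="$1"; realm="$2"
    for f in "$conf" $(included_files "$conf"); do
        if awk -v realm="$realm" '
            /^[ \t]*\[/ { section = $0; gsub(/[^A-Za-z0-9_]/, "", section); next }
            section == "realms" {
                line = $0; sub(/^[ \t]+/, "", line)
                # stanza header looks like:  REALM = {   (or REALM={)
                if (index(line, realm) == 1 &&
                    substr(line, length(realm) + 1) ~ /^[ \t]*=/) found = 1
            }
            END { exit !found }' "$f"; then
            return 0
        fi
    done
    return 1
}

# setup_scenario: build the situation from the thread in a scratch directory
# and print its path. Snippet content, realms and hosts are constructed for
# this example; the real file sssd writes under krb5.include.d differs.
setup_scenario() {
    scratch=$(mktemp -d)
    mkdir "$scratch/krb5.include.d"
    cat >"$scratch/krb5.include.d/domain_realm_euroimmun_test" <<'EOF'
[realms]
 EUROIMMUN.TEST = {
  kdc = dc1.euroimmun.test
 }
EOF
    # A backup copy an editor might leave behind: libkrb5 never reads it.
    cp "$scratch/krb5.include.d/domain_realm_euroimmun_test" \
       "$scratch/krb5.include.d/domain_realm_euroimmun_test.bak"
    # Broken: the IPA realm is defined, the include directory is not referenced.
    cat >"$scratch/krb5.conf.broken" <<'EOF'
[libdefaults]
 default_realm = IPA.TEST
[realms]
 IPA.TEST = {
  kdc = ipa1.ipa.test
 }
EOF
    # Fixed: the same file plus the includedir line Lukas asked to grep for.
    {
        printf 'includedir %s/krb5.include.d/\n' "$scratch"
        cat "$scratch/krb5.conf.broken"
    } >"$scratch/krb5.conf.fixed"
    printf '%s\n' "$scratch"
}

# Demonstration run: the thread's failure versus the fixed configuration.
scratch=$(setup_scenario)
for conf in krb5.conf.broken krb5.conf.fixed; do
    if realm_defined "$scratch/$conf" EUROIMMUN.TEST; then
        echo "$conf: EUROIMMUN.TEST is defined"
    else
        echo "$conf: EUROIMMUN.TEST is NOT defined (check includedir)"
    fi
done
rm -rf "$scratch"
```

To run it against a live client, call `realm_defined /etc/krb5.conf EUROIMMUN.TEST` instead of the scratch files; a realm that is missing here, while `KRB5_TRACE=/dev/stderr kinit` reports "Cannot find KDC for realm", points at exactly the missing `includedir` (or a snippet with a file name libkrb5 refuses to load).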