[Freeipa-users] Unable to enumerate IPA users from AD side of 2-way trust due to kerberos error

John Meyers john+freeipa at themeyers.us
Tue May 17 16:21:58 UTC 2016


All,

I have established a 2-way forest trust between FreeIPA (4.2.4-1.fc23)
and AD (Windows 2012R2).  The IPA side works perfectly and AD users can
authenticate against IPA resources.  However, when one tries to add an
IPA user or group to a Windows permission set (e.g. an NTFS ACL or user
right), Windows successfully obtains a Kerberos ticket for the IPA user
but then fails when trying to obtain the LDAP principal of the IPA
server.  KDC logs follow:

krb5kdc[19373](info): AS_REQ (6 etypes {18 17 23 24 -135 3})
adserver.addomain NEEDED_PREAUTH: admin at IPADOMAIN for
krbtgt/IPADOMAIN at IPADOMAIN, Additional pre-authentication required
krb5kdc[19373](info): closing down fd 12
krb5kdc[19373](info): AS_REQ (6 etypes {18 17 23 24 -135 3})
adserver.addomain: ISSUE: authtime 1463500682, etypes {rep=18 tkt=18
ses=18}, admin at IPADOMAIN for krbtgt/IPADOMAIN at IPADOMAIN
----> Great!  We've successfully authenticated as our IPA admin user
from Windows.  But now the wheels come off the wagon.

krb5kdc[19373](info): closing down fd 12
krb5kdc[19373](info): TGS_REQ (5 etypes {18 17 23 24 -135})
adserver.addomain: LOOKING_UP_SERVER: authtime 0,  admin at IPADOMAIN for
ldap/ipaserver.ipadomain/ipadomain at IPADOMAIN, Server not found in
Kerberos database
krb5kdc[19373](info): closing down fd 12
--->  Oh oh!  For some odd reason Windows is appending the lowercase
'/ipadomain' to the Kerberos request.  ldap/ipaserver.ipadomain at IPADOMAIN
exists as a principal, ldap/ipaserver.ipadomain/ipadomain at IPADOMAIN does
not.  Since we can't authenticate to LDAP, we can't resolve a user.

Help would be appreciated.

John
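Added example (not from the poster or the FreeIPA project): a small parser for krb5kdc log lines of the shape shown above, plus a check that flags a "Server not found in Kerberos database" TGS_REQ whose requested principal differs from a registered one only by extra trailing components. The sample log and the set of registered principals are constructed here; the principals are written with a literal "@" where the mail archive shows " at ", and the client address field carries the same placeholder hostname the post uses. Kerberos principal lookup is exact on every component, so the check simply reports which component the requested name has that the registered name lacks; it does not guess why the client asked for it.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample krb5kdc output modelled on the lines in the post.
# Hostnames and realm are placeholders, not real systems.
SAMPLE_LOG = """\
krb5kdc[19373](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) adserver.addomain: NEEDED_PREAUTH: admin@IPADOMAIN for krbtgt/IPADOMAIN@IPADOMAIN, Additional pre-authentication required
krb5kdc[19373](info): closing down fd 12
krb5kdc[19373](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) adserver.addomain: ISSUE: authtime 1463500682, etypes {rep=18 tkt=18 ses=18}, admin@IPADOMAIN for krbtgt/IPADOMAIN@IPADOMAIN
krb5kdc[19373](info): closing down fd 12
krb5kdc[19373](info): TGS_REQ (5 etypes {18 17 23 24 -135}) adserver.addomain: LOOKING_UP_SERVER: authtime 0,  admin@IPADOMAIN for ldap/ipaserver.ipadomain/ipadomain@IPADOMAIN, Server not found in Kerberos database
krb5kdc[19373](info): closing down fd 12
"""

# Principals known to the IPA KDC (constructed for the example; on a real
# server this would come from `ipa service-find` or a keytab listing).
REGISTERED_PRINCIPALS = {
    "krbtgt/IPADOMAIN@IPADOMAIN",
    "ldap/ipaserver.ipadomain@IPADOMAIN",
}

# Matches AS_REQ / TGS_REQ lines only; "closing down fd" lines are skipped.
LINE_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) "      # "(6 etypes {...})"
    r"(?P<client_addr>\S+): "                  # client address / host
    r"(?P<status>[A-Z_]+): "                   # NEEDED_PREAUTH, ISSUE, ...
    r".*?(?P<client>[^\s,]+) for (?P<server>[^,\s]+)"
    r"(?:, (?P<message>.*))?$"
)


def parse_kdc_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the named fields of one AS_REQ/TGS_REQ line, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def split_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'svc/host/extra@REALM' into (['svc', 'host', 'extra'], 'REALM')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def find_spn_mismatch(entry: Dict[str, Optional[str]], registered) -> Optional[dict]:
    """For a failed server lookup, find a registered principal that is a
    strict prefix (same realm, same leading components) of the requested one."""
    if entry["status"] != "LOOKING_UP_SERVER":
        return None
    if "Server not found" not in (entry["message"] or ""):
        return None
    comps, realm = split_principal(entry["server"])
    for reg in sorted(registered):
        reg_comps, reg_realm = split_principal(reg)
        if (reg_realm == realm
                and len(comps) > len(reg_comps)
                and comps[:len(reg_comps)] == reg_comps):
            return {
                "client": entry["client"],
                "requested": entry["server"],
                "registered": reg,
                "extra_components": comps[len(reg_comps):],
            }
    return None


def analyse_log(text: str, registered) -> List[dict]:
    """Run the mismatch check over every parseable line of a krb5kdc log."""
    findings = []
    for line in text.splitlines():
        entry = parse_kdc_line(line)
        if entry is None:
            continue
        hit = find_spn_mismatch(entry, registered)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG, REGISTERED_PRINCIPALS):
        print(f"{f['client']} requested {f['requested']}; registered name is "
              f"{f['registered']}; extra component(s): {'/'.join(f['extra_components'])}")
```

Run against a real /var/log/krb5kdc.log, the script prints one line per failed lookup that has a registered near-match, which narrows a "Server not found" error down to the exact component the client added before anyone touches service principals.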