[Freeipa-users] Debugging SSH password-based authentication when IPA client is in a different DNS domain

Alexander Bokovoy abokovoy at redhat.com
Wed Oct 5 18:53:24 UTC 2016


On Wed, 05 Oct 2016, Chris Dagdigian wrote:
>Hello again,
>
>Following up on an early query about configuring IPA clients that are 
>in different DNS domains than the IPA server domain & realm
>
>This is our setup:
>
>AD Servers & IPA:
>------------------------
>AD Forest #1:   company-test.org
>AD Forest #2:   company-aws.org
>IPA Server    :   company-ipa.org
>
>I don't really need Kerberos or Kerberized SSO -- I really just want 
>to get SSH logins via passwords working before moving on to SSH keys - 
>my understanding of the way I'm configuring things basically breaks 
>Kerberos but should allow other user and authentication services to 
>work.
>
>Client Machine:
>------------------
>Hostname: client.company-aws.org
>
>I was able to configure a client in the domain 'company-aws.org' by 
>abusing the ipa-client-install command:
>
>$ client.company-aws.org>  # ipa-client-install --server ipa.company-ipa.org --domain company-ipa.org
>
>Barring the usual warnings about losing autodiscover based failover 
>the above command actually worked and took me pretty far. I can launch 
>an AWS host and give it the standard "company-aws.org" hostname but 
>still bind it explicitly to an IPA server running in a different DNS 
>domain and realm.
>
>The nice thing is that it appears that everything but SSH w/ passwords 
>is working on the client machine with the different DNS domain name.
>
> # id user@company-test.org works
> # id user@company-aws.org works
> # id <local IPA user> works
> # getent passwd user@company-test.org works
> # getent passwd user@company-aws.org works
> # getent passwd <local IPA user> works
> # su - user@company-test.org works
> # su - user@company-aws.org works
> # su - <local IPA user> works
>
>
>What fails are things like:
>
> $ ssh localhost -l user@company-aws.org
>
>The client sees a standard "Permission Denied, please try again" error
>
>On the client host I mainly see this in /var/log/messages:
>
>  client.company-aws.org: [sssd[krb5_child[2311]]]: Cannot find KDC 
>for realm "COMPANY-AWS.ORG"
>
>I'm hesitant to make significant changes for fear of breaking the fact 
>that my client can actually resolve users and passwords! I'm 
>incredibly happy to even have the basic identities being recognized.
As http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
explains, you need to have proper mapping of domains to realms and have
proper definitions for those realms.

We don't see your krb5.conf, so if it deviates from what the wiki
describes, you need to be explicit in your details.

-- 
/ Alexander Bokovoy
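An added illustration of the domain-to-realm mapping the reply refers to (this is not code from the thread, from FreeIPA, SSSD or MIT krb5). It models the hostname-to-realm lookup order documented in krb5.conf(5): an exact hostname entry in [domain_realm], then each parent domain with a leading dot, then, when nothing matches, the uppercased DNS domain of the host. That last step is why a client in company-aws.org with no mapping ends up asking for a KDC for "COMPANY-AWS.ORG". The embedded krb5.conf is a constructed sample using the thread's hostnames and realm; real libkrb5 also consults DNS and KDC referrals, which the model leaves out, and `realm_is_defined` is a simplified check, not the library's own logic.

```python
"""Model of how libkrb5 maps a hostname to a realm via [domain_realm].

Added example for this thread, not code from FreeIPA, SSSD or MIT krb5.
Lookup order follows krb5.conf(5): exact hostname, then parent domains
with a leading dot, then the uppercased DNS domain as a last resort.
"""
import re
from collections import defaultdict

# Constructed sample: a client whose DNS domain (company-aws.org) differs
# from the IPA realm (COMPANY-IPA.ORG), with the mapping made explicit.
KRB5_CONF = """
[libdefaults]
  default_realm = COMPANY-IPA.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  COMPANY-IPA.ORG = {
    kdc = ipa.company-ipa.org:88
    admin_server = ipa.company-ipa.org:749
  }

[domain_realm]
  .company-ipa.org = COMPANY-IPA.ORG
  company-ipa.org = COMPANY-IPA.ORG
  client.company-aws.org = COMPANY-IPA.ORG
  .company-aws.org = COMPANY-IPA.ORG
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: sections of key = value, plus one level of
    'NAME = { ... }' blocks as used in [realms]. Comments (#) are ignored."""
    conf = defaultdict(dict)
    section, block = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = m.group(1), None
            continue
        if line == "}":
            block = None
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*\{", line)
        if m:
            block = m.group(1)
            conf[section][block] = {}
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if block is not None:
            # Keys such as kdc may repeat inside a realm block.
            conf[section][block].setdefault(key, []).append(value)
        else:
            conf[section][key] = value
    return conf


def host_realm(conf, hostname):
    """Return (realm, how) for a hostname: 'exact' or 'suffix' when a
    [domain_realm] entry matched, 'fallback' when the library must guess."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host], "exact"
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix], "suffix"
    # No entry matched: fall back to the uppercased DNS domain, which is
    # how an unmapped client.company-aws.org yields "COMPANY-AWS.ORG".
    return ".".join(labels[1:]).upper(), "fallback"


def realm_is_defined(conf, realm):
    """Simplified check (assumption, not libkrb5 logic): a realm is usable
    if [realms] lists a kdc for it, or dns_lookup_kdc lets DNS SRV find one."""
    defined = conf.get("realms", {}).get(realm, {})
    if defined.get("kdc"):
        return True
    return conf.get("libdefaults", {}).get("dns_lookup_kdc", "").lower() == "true"


if __name__ == "__main__":
    full = parse_krb5_conf(KRB5_CONF)
    bare = parse_krb5_conf(KRB5_CONF.split("[domain_realm]")[0])
    for cfg, label in ((bare, "no [domain_realm]"), (full, "with mapping")):
        realm, how = host_realm(cfg, "client.company-aws.org")
        print(f"{label}: realm={realm} via {how}, defined={realm_is_defined(cfg, realm)}")
```

Running the block prints the two cases side by side: without the mapping the client falls back to COMPANY-AWS.ORG, which has no [realms] stanza and no DNS KDC lookup enabled, matching the "Cannot find KDC" symptom; with the mapping it lands in COMPANY-IPA.ORG, which is defined. Both conditions, the mapping and the realm definition, are the two things the reply asks for.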
