[Freeipa-users] Debugging SSH password-based authentication when IPA client is in a different DNS domain
Chris Dagdigian
dag at sonsorol.org
Wed Oct 5 19:14:14 UTC 2016
Alexander Bokovoy wrote:
> As
> http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
> explains, you need to have proper mapping of domains to realms and have
> proper definitions for those realms.
>
> We don't see your krb5.conf, so if it deviates from what the wiki
> describes, you need to be explicit in your details.
Much appreciated. Here is the krb5.conf file -- I commented out the
Include line for /var/lib/sss/pubconf/krb5.include.d/ and brought that
data into the /etc/krb5.conf file so I only had a single file and set of
settings to look at:
Regards,
Chris
#File modified by ipa-client-install
#includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = COMPANY-IDM.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  COMPANY-IDM.ORG = {
    kdc = usaeilidmp001.COMPANY-IDM.org:88
    master_kdc = usaeilidmp001.COMPANY-IDM.org:88
    admin_server = usaeilidmp001.COMPANY-IDM.org:749
    default_domain = COMPANY-IDM.org
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .COMPANY-IDM.org = COMPANY-IDM.ORG
  COMPANY-IDM.org = COMPANY-IDM.ORG
  .company-aws.org = COMPANY-IDM.ORG
  company-aws.org = COMPANY-IDM.ORG
  .company-test.org = COMPANY-IDM.ORG
  company-test.org = COMPANY-IDM.ORG

[capaths]
  company-aws.org = {
    COMPANY-IDM.ORG = company-aws.org
  }
  COMPANY-IDM.ORG = {
    company-aws.org = company-aws.org
  }
  company-test.org = {
    COMPANY-IDM.ORG = company-test.org
  }
  COMPANY-IDM.ORG = {
    company-test.org = company-test.org
  }
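An added sanity check, not part of the thread or of FreeIPA: it parses a krb5.conf and reports [domain_realm] and [capaths] entries that name a realm with no [realms] stanza, which matters here because dns_lookup_kdc = false leaves no other way for the client to locate a KDC. Against the file above it would flag the [capaths] stanzas, which name company-aws.org and company-test.org as realms while [realms] defines only COMPANY-IDM.ORG; SAMPLE is a constructed excerpt of that file.

```python
# Added example (not from the thread): flags [domain_realm]/[capaths] entries
# naming a realm with no [realms] stanza (names are case-sensitive, so
# "company-aws.org" is not "COMPANY-IDM.ORG"). SAMPLE is a constructed excerpt.
SAMPLE = """\
[realms]
 COMPANY-IDM.ORG = {
  kdc = usaeilidmp001.COMPANY-IDM.org:88
 }
[domain_realm]
 .company-aws.org = COMPANY-IDM.ORG
[capaths]
 company-aws.org = {
  COMPANY-IDM.ORG = company-aws.org
 }
 COMPANY-IDM.ORG = {
  company-aws.org = company-aws.org
 }
"""

def parse_krb5(text):
    """Return {section: {key: value or nested dict}} for krb5.conf text."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]   # new section
        elif line == "}":
            stack.pop()                   # close a { ... } subsection
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = val
    return conf

def check_mappings(conf):
    """List domain_realm/capaths references to realms missing from [realms]."""
    realms = set(conf.get("realms", {}))
    problems = set()
    for dom, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.add(f"domain_realm {dom} -> undefined realm {realm}")
    for client, hops in conf.get("capaths", {}).items():
        for server, via in hops.items():
            for r in (client, server, via):
                if r not in realms and r != ".":
                    problems.add(f"capaths {client}->{server} names undefined realm {r}")
    return sorted(problems)
```

Run it against the full /etc/krb5.conf with `check_mappings(parse_krb5(open("/etc/krb5.conf").read()))`; an empty list means every mapped realm has a stanza.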