[Freeipa-users] Debugging SSH password-based authentication when IPA client is in a different DNS domain
Alexander Bokovoy
abokovoy at redhat.com
Wed Oct 5 19:30:32 UTC 2016
On Wed, 05 Oct 2016, Chris Dagdigian wrote:
>
>Alexander Bokovoy wrote:
>>As http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
>>explains, you need to have proper mapping of domains to realms and have
>>proper definitions for those realms.
>>
>>We don't see your krb5.conf, so if it deviates from what the wiki
>>describes, you need to be explicit in your details.
>Much appreciated. Here is the krb5.conf file -- I commented out the
>Include line for /var/lib/sss/pubconf/krb5.include.d/ and brought that
>data into the /etc/krb5.conf file so I only had a single file and set
>of settings to look at:
You don't have an explicit definition for the AD realms, and you don't allow
Kerberos to discover either the realms or their KDCs via DNS SRV records.
The latter happened because you used the --server option when
configuring the client -- the man page for ipa-client-install has a section
explaining discovery and the influence of options on it.
That's your problem. It also reveals that your reading of the wiki was
cursory, but that's another problem. :)
--
/ Alexander Bokovoy
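For readers following the thread, the fragment below is an added illustration (it is not the poster's krb5.conf and not taken from the FreeIPA wiki) of the two points the reply makes: the trusted AD realm needs to be defined (or discoverable), and DNS discovery of realms and KDCs has to be allowed. Realm names, DNS domains and hostnames are placeholders you must substitute; the client-hostname mapping at the end is the case the linked wiki page addresses, an IPA-enrolled host whose own name sits in the AD DNS domain.

```ini
# Added example, not the poster's configuration. IPA.EXAMPLE.COM, AD.EXAMPLE.COM
# and all hostnames are placeholders.
[libdefaults]
  default_realm = IPA.EXAMPLE.COM
  # Let libkrb5 discover realms (_kerberos TXT) and KDCs (_kerberos._tcp SRV)
  # from DNS. Enrolling with ipa-client-install --server turns this off, so
  # either re-enable it here or define every realm you need in [realms].
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true

[realms]
  # The IPA realm: explicit KDC entries as written by ipa-client-install.
  IPA.EXAMPLE.COM = {
    kdc = ipa-server.ipa.example.com:88
    master_kdc = ipa-server.ipa.example.com:88
    admin_server = ipa-server.ipa.example.com:749
    default_domain = ipa.example.com
  }
  # The trusted AD realm. With dns_lookup_kdc = false this block is mandatory;
  # with DNS discovery enabled it can be omitted or kept as a fallback.
  AD.EXAMPLE.COM = {
    kdc = dc1.ad.example.com:88
    admin_server = dc1.ad.example.com:749
  }

[domain_realm]
  # DNS domain -> realm mapping used when no explicit entry matches.
  .ipa.example.com = IPA.EXAMPLE.COM
  ipa.example.com = IPA.EXAMPLE.COM
  .ad.example.com = AD.EXAMPLE.COM
  ad.example.com = AD.EXAMPLE.COM
  # The client is named in the AD DNS domain but enrolled in IPA, so its own
  # host principal must be pinned to the IPA realm; otherwise the wildcard
  # above sends host/client.ad.example.com to AD and sshd cannot use its keytab.
  client.ad.example.com = IPA.EXAMPLE.COM
```

Once the file is in place, `kinit user@AD.EXAMPLE.COM` and `kvno host/client.ad.example.com@IPA.EXAMPLE.COM` are the usual checks: the first proves the AD realm can be located, the second that the client's own principal resolves to the IPA realm rather than the AD one.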