[Freeipa-users] Debugging SSH password-based authentication when IPA client is in a different DNS domain

Chris Dagdigian dag at sonsorol.org
Wed Oct 5 20:12:51 UTC 2016


Alexander Bokovoy wrote:
> you don't have explicit definition for the AD realms and you don't allow
> Kerberos to discover either realms or their KDCs via DNS SRV records.
>
> The latter happened because you have used --server option when
> configuring the client -- man page for ipa-client-install has a section
> explaining discovery and influence of options on it.
>
> That's your problem. It also reveals that your reading of the wiki was
> cursory, but that's another problem. :)
>
>
Huge thanks to Alexander Bokovoy for his patient guidance.

Following up to close out this thread with a solution that worked for 
our multi-AD-forest setup, where the client DNS name is different from 
the IDM/IPA domain/realm.

There were 2 changes needed to /etc/krb5.conf to get password login via 
SSH working along with everything else ...

Change #1 was simplifying the [domain_realm] settings down to a very 
tightly scoped config that would allow additional things to be 
auto-discovered via DNS.

Change #2 was setting "dns_lookup_realm = true" and "dns_lookup_kdc = 
true" in [libdefaults] -- this was the main thing I missed because the 
wiki page at 
http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain 
displays example config with these values already set to true. These 
settings were actually false on my client's krb5.conf file due to the 
way I ran the ipa-client-install command. It was my mistake to not 
carefully compare the full file contents.

So wrapping it all up, this is the /etc/krb5.conf file that enabled 
password logins via SSH. The other change in the file below is that I 
commented out the includedir directive and put those settings into the 
/etc/krb5.conf file so I could have everything in one place for 
troubleshooting.


To recap our setup: we have 2 AD forests and an IDM/IPA server running on 
its own domain name rather than a subdomain.

AD Servers & IPA:
------------------------
AD Forest #1:  company-test.org
AD Forest #2:  company-aws.org
IPA Server   :  company-ipa.org  (successful 1-way trusts to 
company-test.org and company-aws.org)

IPA Client:
Client test hostname:  client.company-aws.org



-Chris


####-----------------


#File modified by ipa-client-install
#includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = COMPANY-IDM.ORG
# Change #2: both must be true so that realms and KDCs not listed in
# [realms] below are discovered via DNS (TXT and SRV records).
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
COMPANY-IDM.ORG = {
kdc = usaeilidmp001.COMPANY-IDM.org:88
master_kdc = usaeilidmp001.COMPANY-IDM.org:88
admin_server = usaeilidmp001.COMPANY-IDM.org:749
default_domain = COMPANY-IDM.org
pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
# Change #1: only the client's own name is pinned to the IPA realm;
# everything else is left to DNS discovery.
client.company-aws.org = COMPANY-IDM.ORG

[capaths]
company-aws.org = {
   COMPANY-IDM.ORG = company-aws.org
}
company-test.org = {
   COMPANY-IDM.ORG = company-test.org
}
# The two COMPANY-IDM.ORG subsections from the original file are merged
# into one; the profile library reads duplicate subsections the same way.
COMPANY-IDM.ORG = {
   company-aws.org = company-aws.org
   company-test.org = company-test.org
}




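The diagnosis in this thread boils down to two checks on the client's krb5.conf: every realm that [capaths] or [domain_realm] refers to must either have its own [realms] entry or be discoverable via DNS SRV (dns_lookup_kdc), and any host that is not pinned in [domain_realm] can only be mapped to a realm via DNS TXT when dns_lookup_realm is on. The script below, an added example that is not part of the post and not FreeIPA or MIT krb5 code, parses a krb5.conf in a simplified model of the libkrb5 profile format, audits those two conditions, and shows which DNS names the library would have to resolve. The embedded config is copied from the post; the "broken" variant with both lookups set to false reproduces the state the poster describes ipa-client-install --server left the client in. The fallback behaviour modelled in realm_for_host (no [domain_realm] match and no DNS realm lookup falls back to default_realm) is a simplification of what libkrb5 does and is an assumption of this example.

```python
"""Audit a krb5.conf for the discovery problem discussed in the thread.
Added example (not the post's or FreeIPA's code); parsing is a simplified
model of the libkrb5 profile format, not a full reimplementation."""
import re

# Constructed sample: the working krb5.conf from the post, realm names as posted.
WORKING_KRB5_CONF = """\
[libdefaults]
default_realm = COMPANY-IDM.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
COMPANY-IDM.ORG = {
kdc = usaeilidmp001.COMPANY-IDM.org:88
admin_server = usaeilidmp001.COMPANY-IDM.org:749
}

[domain_realm]
client.company-aws.org = COMPANY-IDM.ORG

[capaths]
company-aws.org = {
   COMPANY-IDM.ORG = company-aws.org
}
COMPANY-IDM.ORG = {
   company-aws.org = company-aws.org
}
company-test.org = {
COMPANY-IDM.ORG = company-test.org
}
COMPANY-IDM.ORG = {
company-test.org = company-test.org
}
"""
# Constructed: the state the post says ipa-client-install --server produced.
BROKEN_KRB5_CONF = (WORKING_KRB5_CONF
                    .replace("dns_lookup_realm = true", "dns_lookup_realm = false")
                    .replace("dns_lookup_kdc = true", "dns_lookup_kdc = false"))


def parse_krb5_conf(text):
    """Return {section: {key: value | {subkey: value}}}. Duplicate subsections
    (the two COMPANY-IDM.ORG capaths blocks) are merged into one dict."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("include"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        m = re.match(r"^([^=]+?)\s*=\s*\{$", line)
        if m:                       # subsection open; values like %{uid} don't match
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        m = re.match(r"^([^=]+?)\s*=\s*(.*)$", line)
        if m:
            stack[-1][m.group(1)] = m.group(2)
    return sections


def truthy(value):
    return str(value).strip().lower() in ("true", "yes", "on", "1")


def dns_discovery(conf):
    """libkrb5 defaults: dns_lookup_realm off, dns_lookup_kdc on."""
    ld = conf.get("libdefaults", {})
    return {"dns_lookup_realm": truthy(ld.get("dns_lookup_realm", "false")),
            "dns_lookup_kdc": truthy(ld.get("dns_lookup_kdc", "true"))}


def realm_for_host(conf, hostname):
    """Static [domain_realm] lookup: exact host, then '.parent' entries, most
    specific first. Returns (realm, txt_names): txt_names lists the DNS TXT
    records a realm lookup would consult when the static map has no answer.
    Assumption: without DNS realm lookup we fall back to default_realm."""
    lower = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = hostname.lower().split(".")
    if hostname.lower() in lower:
        return lower[hostname.lower()], []
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in lower:
            return lower[key], []
    if dns_discovery(conf)["dns_lookup_realm"]:
        return None, ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]
    return conf.get("libdefaults", {}).get("default_realm"), []


def realms_needing_dns(conf):
    """Realms referenced by [domain_realm]/[capaths] with no [realms] entry."""
    declared = set(conf.get("realms", {}))
    referenced = set(conf.get("domain_realm", {}).values())
    for client, paths in conf.get("capaths", {}).items():
        referenced.update([client, *paths.keys(), *paths.values()])
    return sorted(r for r in referenced if r not in declared)


def srv_names(realm):
    """SRV records libkrb5 queries for a realm when dns_lookup_kdc is on."""
    d = realm.lower()
    return [f"_kerberos._udp.{d}", f"_kerberos._tcp.{d}", f"_kerberos-master._udp.{d}",
            f"_kerberos-master._tcp.{d}", f"_kpasswd._udp.{d}", f"_kpasswd._tcp.{d}"]


def audit(conf_text):
    conf = parse_krb5_conf(conf_text)
    flags, missing, problems = dns_discovery(conf), realms_needing_dns(conf), []
    if missing and not flags["dns_lookup_kdc"]:
        problems.append("dns_lookup_kdc is off but these realms have no [realms] "
                        "entry: " + ", ".join(missing))
    if not flags["dns_lookup_realm"]:
        problems.append("dns_lookup_realm is off: hosts not in [domain_realm] "
                        "cannot be mapped to a realm via DNS TXT")
    return {"flags": flags, "undiscoverable_realms": missing, "problems": problems}


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_KRB5_CONF), ("working", WORKING_KRB5_CONF)):
        print(name, audit(text))
    for realm in realms_needing_dns(parse_krb5_conf(WORKING_KRB5_CONF)):
        print(realm, "needs", srv_names(realm)[:2], "...")
```

Run it against a real client with `python3 audit.py` after pasting the contents of /etc/krb5.conf (and anything under the includedir) into the sample string; for each realm it reports as undiscoverable, confirm with `dig SRV` that the `_kerberos._tcp.<domain>` names it prints actually resolve from that host, since enabling dns_lookup_kdc only helps when the AD DNS zones are reachable from the client.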