[Freeipa-users] Debugging SSH password-based authentication when IPA client is in a different DNS domain
Chris Dagdigian
dag at sonsorol.org
Wed Oct 5 20:12:51 UTC 2016
Alexander Bokovoy wrote:
> you don't have an explicit definition for the AD realms and you don't allow
> Kerberos to discover either realms or their KDCs via DNS SRV records.
>
> The latter happened because you have used --server option when
> configuring the client -- man page for ipa-client-install has a section
> explaining discovery and influence of options on it.
>
> That's your problem. It also reveals that your reading of the wiki was
> cursory, but that's another problem. :)
>
>
Huge thanks to Alexander Bokovoy for his patient guidance.
Following up to close out this thread with a solution that worked for
our multi-AD-forest setup, where the client DNS name is different from the
IDM/IPA domain/realm.
There were 2 changes needed to /etc/krb5.conf to get password login via
SSH working along with everything else ...
Change #1 was simplifying the [domain_realm] settings down to a very
tightly scoped config that would allow additional things to be
auto-discovered via DNS.
Change #2 was setting "dns_lookup_realm = true" and "dns_lookup_kdc =
true" in [libdefaults] -- this was the main thing I missed because the
wiki page at
http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
displays an example config with these values already set to true. These
settings were actually false on my client's krb5.conf file due to the
way I ran the ipa-client-install command. It was my mistake to not
carefully compare the full file contents.
So wrapping it all up, this is the /etc/krb5.conf file that enabled
password logins via SSH - the other change in the file below is that I
commented out the includedir file and put those settings into the
/etc/krb5.conf file so I could have everything in one place for
troubleshooting.
To recap our setup, we have 2 AD forests and an IDM/IPA server running on
its own domain name rather than a subdomain.
AD Servers & IPA:
------------------------
AD Forest #1: company-test.org
AD Forest #2: company-aws.org
IPA Server: company-ipa.org (successful 1-way trusts to
company-test.org and company-aws.org)
IPA Client:
Client test hostname: client.company-aws.org
-Chris
####-----------------
#File modified by ipa-client-install
#includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = COMPANY-IDM.ORG
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  COMPANY-IDM.ORG = {
    kdc = usaeilidmp001.COMPANY-IDM.org:88
    master_kdc = usaeilidmp001.COMPANY-IDM.org:88
    admin_server = usaeilidmp001.COMPANY-IDM.org:749
    default_domain = COMPANY-IDM.org
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  client.company-aws.org = COMPANY-IDM.ORG

[capaths]
  company-aws.org = {
    COMPANY-IDM.ORG = company-aws.org
  }
  COMPANY-IDM.ORG = {
    company-aws.org = company-aws.org
  }
  company-test.org = {
    COMPANY-IDM.ORG = company-test.org
  }
  COMPANY-IDM.ORG = {
    company-test.org = company-test.org
  }
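Added example, not code from the post or from the FreeIPA project: a small Python checker that parses a krb5.conf and flags the two problems Chris describes (dns_lookup_realm / dns_lookup_kdc not enabled, and a [domain_realm] that maps more than the client itself to the IPA realm), and lists the DNS names libkrb5 would query once discovery is switched on. The BEFORE text is my assumed reconstruction of the broken client file, not a copy of it; AFTER is a trimmed copy of the working config above. The parser is minimal (it drops '#' comments and merges repeated section or block names) and is meant for auditing, not as a replacement for libkrb5's own profile parser.

```python
"""Offline check for the krb5.conf problems from the thread: DNS realm/KDC
discovery off, and an over-broad [domain_realm]. Constructed example."""
import re

TRUE_VALUES = {"true", "yes", "on", "1"}


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value | {nested block}}}.
    '#' comments are dropped; repeated section/block names are merged."""
    conf = {}
    stack = []  # nesting of dicts currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([A-Za-z_]+)\]$", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            continue  # data before any [section]: ignore
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        if line.endswith("{"):  # e.g. "COMPANY-IDM.ORG = {"
            name = line[:-1].split("=", 1)[0].strip()
            stack.append(stack[-1].setdefault(name, {}))
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
    return conf


def realm_txt_candidates(fqdn):
    """TXT names libkrb5 queries (dns_lookup_realm = true) to map a host to
    a realm: _kerberos.<host>, then each parent domain in turn."""
    labels = fqdn.rstrip(".").split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]


def kdc_srv_names(realm):
    """SRV names queried for a realm's KDCs when dns_lookup_kdc = true."""
    return [f"_kerberos._udp.{realm.lower()}", f"_kerberos._tcp.{realm.lower()}"]


def check_dns_discovery(conf, client_fqdn, ipa_realm):
    """Return findings; an empty list means the file matches the working
    layout from the thread (DNS discovery on, tightly scoped domain_realm)."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    for key in ("dns_lookup_realm", "dns_lookup_kdc"):
        if libdefaults.get(key, "false").lower() not in TRUE_VALUES:
            findings.append(f"{key} is off: trusted AD realms/KDCs cannot be "
                            "discovered via DNS TXT/SRV records")
    domain_realm = conf.get("domain_realm", {})
    if domain_realm.get(client_fqdn) != ipa_realm:
        findings.append(f"{client_fqdn} is not mapped to {ipa_realm}")
    # An explicit [domain_realm] entry wins over DNS lookup, so mapping the
    # whole AD DNS domain to the IPA realm sends AD hosts to the wrong KDC.
    ad_domain = client_fqdn.split(".", 1)[1]
    for name in (ad_domain, "." + ad_domain):
        if domain_realm.get(name) == ipa_realm:
            findings.append(f"over-broad mapping {name} = {ipa_realm}")
    return findings


# Assumed reconstruction of the broken client file (constructed sample).
BEFORE = """
[libdefaults]
  default_realm = COMPANY-IDM.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = false
[domain_realm]
  .company-aws.org = COMPANY-IDM.ORG
  company-aws.org = COMPANY-IDM.ORG
  client.company-aws.org = COMPANY-IDM.ORG
"""

# Trimmed copy of the working file from the post (capaths omitted).
AFTER = """
#includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
  default_realm = COMPANY-IDM.ORG
  dns_lookup_realm = true
  dns_lookup_kdc = true
[realms]
  COMPANY-IDM.ORG = {
    kdc = usaeilidmp001.COMPANY-IDM.org:88
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
[domain_realm]
  client.company-aws.org = COMPANY-IDM.ORG
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        conf = parse_krb5_conf(text)
        print(label, check_dns_discovery(conf, "client.company-aws.org", "COMPANY-IDM.ORG"))
    print(realm_txt_candidates("client.company-aws.org"))
    print(kdc_srv_names("COMPANY-AWS.ORG"))
```

To audit a real client, read /etc/krb5.conf into `parse_krb5_conf` and pass the host's FQDN and the IPA realm; the names returned by `realm_txt_candidates` and `kdc_srv_names` are the ones to query with dig when discovery still fails after the flags are set.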