Good morning,
I have recently set up an environment with FreeIPA 4.6.4-10 using CentOS 7 as the IPA Master. After setting it up, I joined the IPA master to the local AD and everything seemed to work fine.
The issue I'm facing is that after adding the external and POSIX groups I can authenticate to the IPA Master as an AD user, but the server with the IPA client doesn't appear to be able to authenticate AD users.
The client server is unable to run getent or kinit against any AD user and returns 'Cannot find KDC for realm "<ad domain>"...'
From the krb5kdc log I can see what looks to be an issue with the TGS request, and the errors TGS_REQ ISSUE: authtime as well as AS_REQ: NEEDED_PREAUTH additional preauth required.
I have enabled debug logs for SSSD but nothing except sigterms has been logged so far.
Please let me know if I can send any logs.
Kind regards, HP
On Thu, 18 Apr 2019, Henry Pelke via FreeIPA-users wrote:
Good morning,
I have recently set up an environment with FreeIPA 4.6.4-10 using CentOS 7 as the IPA Master. After setting it up, I joined the IPA master to the local AD and everything seemed to work fine.
The issue I'm facing is that after adding the external and POSIX groups I can authenticate to the IPA Master as an AD user, but the server with the IPA client doesn't appear to be able to authenticate AD users.
The client server is unable to run getent or kinit against any AD user and returns 'Cannot find KDC for realm "<ad domain>"...'
Make sure your clients have Kerberos configuration (in krb5.conf or /etc/krb5.conf.d/) that defines AD realms or allows to discover AD realms from DNS.
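As an added illustration of the advice above (not a file from the thread or from the FreeIPA project), this is what /etc/krb5.conf on an IPA-enrolled client can look like once the AD realm is either discoverable from DNS or defined explicitly. Realm names, host names and domains are placeholders; the includedir for /var/lib/sss/pubconf/krb5.include.d/ is the one ipa-client-install adds so that SSSD's generated mappings are picked up.

```ini
# Added example, not part of the original thread: krb5.conf on an IPA client
# extended so it can locate the KDCs of a trusted AD realm.
# IPA.EXAMPLE.COM / AD.EXAMPLE.COM and all host names are placeholders.

includedir /etc/krb5.conf.d/
# Added by ipa-client-install; SSSD writes domain_realm mappings for
# trusted AD domains into this directory once it knows about the trust.
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = IPA.EXAMPLE.COM
 dns_lookup_realm = false
 # Option 1: let libkrb5 find AD KDCs via DNS SRV records
 # (_kerberos._tcp.ad.example.com). This only works if the client can
 # resolve the AD domain, e.g. through a forward zone in IPA DNS.
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true

[realms]
 IPA.EXAMPLE.COM = {
  kdc = ipa.example.com:88
  master_kdc = ipa.example.com:88
  admin_server = ipa.example.com:749
  default_domain = example.com
 }
 # Option 2: define the AD realm explicitly when DNS discovery is not
 # available from this client. Without either option, kinit fails with
 # "Cannot find KDC for realm AD.EXAMPLE.COM".
 AD.EXAMPLE.COM = {
  kdc = dc1.ad.example.com:88
  kdc = dc2.ad.example.com:88
 }

[domain_realm]
 .example.com = IPA.EXAMPLE.COM
 example.com = IPA.EXAMPLE.COM
 .ad.example.com = AD.EXAMPLE.COM
 ad.example.com = AD.EXAMPLE.COM
```

To confirm the client's view, check that `dig SRV _kerberos._tcp.ad.example.com` returns the domain controllers before relying on option 1, then verify with `kinit user@AD.EXAMPLE.COM` followed by `klist` and `getent passwd user@ad.example.com`.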
FWIW on your EL7 ipa-server you can find the krb-ad stuff under /var/lib/sss/pubconf/ and /var/lib/sss/pubconf/krb5.include.d/.
Like Alexander says, this config should be reflected in the ipa client's krb config.
HTH D
------- Original Message -------
On Thursday, April 18, 2019 8:23 AM, Alexander Bokovoy via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
On Thu, 18 Apr 2019, Henry Pelke via FreeIPA-users wrote:
Good morning,
I have recently set up an environment with FreeIPA 4.6.4-10 using CentOS 7 as the IPA Master. After setting it up, I joined the IPA master to the local AD and everything seemed to work fine.
The issue I'm facing is that after adding the external and POSIX groups I can authenticate to the IPA Master as an AD user, but the server with the IPA client doesn't appear to be able to authenticate AD users.
The client server is unable to run getent or kinit against any AD user and returns 'Cannot find KDC for realm "<ad domain>"...'
Make sure your clients have Kerberos configuration (in krb5.conf or /etc/krb5.conf.d/) that defines AD realms or allows to discover AD realms from DNS.
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...