Hi!
I have a problem I could use help on resolving:
We have a working IPA cluster and I'm trying to join it with an Ubuntu 16.04 freeipa-client. Everything seems to go smoothly; it creates config files that look just right. However, when I try to log in with SSH using credentials from the AD I've joined the IPA with, I can't log in and auth.log gives me an error:
--
Sep 5 15:46:29 testcomputer2 sshd[1907]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<ip> user=<user>@<ad.domain>
Sep 5 15:46:29 testcomputer2 sshd[1907]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<ip> user=<user>@<ad.domain>
Sep 5 15:46:29 testcomputer2 sshd[1907]: pam_sss(sshd:auth): received for user <user>@<ad.domain>: 4 (System error)
Sep 5 15:46:31 testcomputer2 sshd[1907]: Failed password for <user>@<ad.domain> from <ip> port 42416 ssh2
--
I couldn't find anything solid, but then I turned on debug levels and looked into krb5_child.log. Our IPA domain is ipa.company.domain, but for some reason it tries to look the username up in company.domain, and of course it can't find the username there.
--
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [<company.domain>]
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.927017: Getting initial credentials for <user>@<company.domain>
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.927076: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_<ipa.company.domain>
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.927109: Retrieving host/testcomputer2.<ipa.company.domain>@<ipa.company.domain> -> krb5_ccache_conf_data/fast_avail/krbtgt/<company.domain>@<company.domain>@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_<ipa.company.domain> with result: -1765328243/Matching credential not found
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.927151: Sending request (172 bytes) to <company.domain>
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938377: Retrying AS request with master KDC
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938418: Getting initial credentials for <user>@<company.domain>
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938442: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_<ipa.company.domain>
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938467: Retrieving host/testcomputer2.<ipa.company.domain>@<ipa.company.domain> -> krb5_ccache_conf_data/fast_avail/krbtgt/<company.domain>@<company.domain>@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_<ipa.company.domain> with result: -1765328243/Matching credential not found
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938511: Sending request (172 bytes) to <company.domain> (master)
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [get_and_save_tgt] (0x0020): 1232: [-1765328230][Cannot find KDC for realm "<company.domain>"]
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [map_krb5_error] (0x0020): 1301: [-1765328230][Cannot find KDC for realm "<company.domain>"]
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [k5c_send_data] (0x4000): Response sent.
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [main] (0x0400): krb5_child completed successfully
--
It seems like it converts ad.domain to company.domain and not to ipa.company.domain for some reason. But, like I said, the configuration in /var/lib/sss/pubconf/krb5.include.d seems legit.
--
[domain_realm]
.<ad.domain> = <AD.DOMAIN>
<ad.domain> = <AD.DOMAIN>

[capaths]
<AD.DOMAIN> = {
  <IPA.COMPANY.DOMAIN> = <AD.DOMAIN>
}
<IPA.COMPANY.DOMAIN> = {
  <AD.DOMAIN> = <AD.DOMAIN>
}
--
Any ideas why it's dropping the subdomain out?
Eemeli
On Thu, Sep 05, 2019 at 01:11:44PM +0000, Jokinen Eemeli via FreeIPA-users wrote:
I couldn't find anything solid, but then I turned on debug levels and looked into krb5_child.log. Our IPA domain is ipa.company.domain, but for some reason it tries to look the username up in company.domain, and of course it can't find the username there.
Hi,
which IPA version are you using on the server?
It looks like you have defined the user principal name of the user in AD as <user>@<company.domain>. Depending on the version of IPA there are two different solutions.
bye, Sumit
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hi!
In fact, we're using RHEL 7 with ipa-server 4.6.4.
Eemeli
-----Original Message-----
From: Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: Thursday, 5 September 2019 16.36
To: freeipa-users@lists.fedorahosted.org
Cc: Sumit Bose <sbose@redhat.com>
Subject: [Freeipa-users] Re: Problems joining an Ubuntu client to IPA server and using AD Credentials
On Thu, Sep 05, 2019 at 03:03:17PM +0000, Jokinen Eemeli wrote:
Hi!
In fact, we're using RHEL 7 with ipa-server 4.6.4.
Hi,
in this case please try to add
krb5_use_enterprise_principal = True
to the [domain/...] section of sssd.conf on the Ubuntu client.
HTH
bye, Sumit
Hi!
Nice! That seemed to do the trick after rebooting the client.
Is there a switch to set that up during "ipa-client-install" or should I use configuration management to deploy that when needed?
Eemeli
-----Original Message-----
From: Sumit Bose <sbose@redhat.com>
Sent: Thursday, 5 September 2019 19.03
To: Jokinen Eemeli <Eemeli.Jokinen@cinia.fi>
Cc: FreeIPA users list <freeipa-users@lists.fedorahosted.org>; Sumit Bose <sbose@redhat.com>
Subject: Re: [Freeipa-users] Re: Problems joining an Ubuntu client to IPA server and using AD Credentials
On Fri, Sep 06, 2019 at 05:20:03AM +0000, Jokinen Eemeli wrote:
Hi!
Nice! That seemed to do the trick after rebooting the client.
Is there a switch to set that up during "ipa-client-install" or should I use configuration management to deploy that when needed?
Hi,
Recent versions of SSSD should be able to determine automatically whether enterprise principals should be enabled or not. To investigate why this did not happen in your case, please let me know which version of SSSD you are using and send the output of
ipa trust-show trusted.ad.forest.root
As a next step I might ask you for the sssd_ipa.domain.log file, with debug_level=9 in the [domain/...] section of sssd.conf, covering the startup of SSSD.
bye, Sumit
Eemeli
-----Original Message----- From: Sumit Bose sbose@redhat.com Sent: torstai 5. syyskuuta 2019 19.03 To: Jokinen Eemeli Eemeli.Jokinen@cinia.fi Cc: FreeIPA users list freeipa-users@lists.fedorahosted.org; Sumit Bose sbose@redhat.com Subject: Re: [Freeipa-users] Re: Problems joining an Ubuntu client to IPA server and using AD Credentials
On Thu, Sep 05, 2019 at 03:03:17PM +0000, Jokinen Eemeli wrote:
Hi!
In the fact we're using RHEL 7 with ipa-server 4.6.4
Hi,
in this case please try to add
krb5_use_enterprise_principal = True
to the [domain/...] section of sssd.conf on the Ubuntu client.
HTH
bye, Sumit
Eemeli
-----Original Message----- From: Sumit Bose via FreeIPA-users freeipa-users@lists.fedorahosted.org Sent: torstai 5. syyskuuta 2019 16.36 To: freeipa-users@lists.fedorahosted.org Cc: Sumit Bose sbose@redhat.com Subject: [Freeipa-users] Re: Problems joining an Ubuntu client to IPA server and using AD Credentials
On Thu, Sep 05, 2019 at 01:11:44PM +0000, Jokinen Eemeli via FreeIPA-users wrote:
Hi!
I have a problem I could use help on resolving:
We have a working IPA Cluster and I try to join in with Ubuntu 16.04 freeipa-client. Everything seems to go smoothly, it creates config files that look just right. However when I try to login with SSH using AD Credentials I've joined the IPA with I can't login and auth.log gives me an error
-- Sep 5 15:46:29 testcomputer2 sshd[1907]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<ip> user=<user>@<ad.domain> Sep 5 15:46:29 testcomputer2 sshd[1907]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<ip> user=<user>@<ad.domain> Sep 5 15:46:29 testcomputer2 sshd[1907]: pam_sss(sshd:auth): received for user <user>@<ad.domain>: 4 (System error) Sep 5 15:46:31 testcomputer2 sshd[1907]: Failed password for <user>@<ad.domain> from <ip> port 42416 ssh2 --
Couldn't find anything solid but then I turned on debug levels and looked into krb5_child.log. Our ipadomain is ipa.company.domain but for some reason it tries to find the username from company.domain and of course it can't find the username there.
Hi,
which IPA version are you using on the server?
It looks like you have defined the user principal name of the user in AD as <user>@<company.domain>. Depending on the version of IPA there are two different solutions.
bye, Sumit
--
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [<company.domain>]
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.927017: Getting initial credentials for <user>@<company.domain>
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.927076: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_<ipa.company.domain>
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.927109: Retrieving host/testcomputer2.<ipa.company.domain>@<ipa.company.domain> -> krb5_ccache_conf_data/fast_avail/krbtgt/<company.domain>@<company.domain>@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_<ipa.company.domain> with result: -1765328243/Matching credential not found
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.927151: Sending request (172 bytes) to <company.domain>
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938377: Retrying AS request with master KDC
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938418: Getting initial credentials for <user>@<company.domain>
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938442: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_<ipa.company.domain>
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938467: Retrieving host/testcomputer2.<ipa.company.domain>@<ipa.company.domain> -> krb5_ccache_conf_data/fast_avail/krbtgt/<company.domain>@<company.domain>@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_<ipa.company.domain> with result: -1765328243/Matching credential not found
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938511: Sending request (172 bytes) to <company.domain> (master)
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [get_and_save_tgt] (0x0020): 1232: [-1765328230][Cannot find KDC for realm "<company.domain>"]
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [map_krb5_error] (0x0020): 1301: [-1765328230][Cannot find KDC for realm "<company.domain>"]
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [k5c_send_data] (0x4000): Response sent.
(Thu Sep 5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [main] (0x0400): krb5_child completed successfully
--
Seems like it converts ad.domain to company.domain and not to ipa.company.domain for some reason. But like I said the configuration on /var/lib/sss/pubconf/krb5.include.d seems legit.
--
[domain_realm]
.<ad.domain> = <AD.DOMAIN>
<ad.domain> = <AD.DOMAIN>
[capaths]
<AD.DOMAIN> = {
<IPA.COMPANY.DOMAIN> = <AD.DOMAIN>
}
<IPA.COMPANY.DOMAIN> = {
<AD.DOMAIN> = <AD.DOMAIN>
}
--
Any ideas why it's dropping the subdomain out?
Eemeli
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Hi!
Trust show
--
Realm name: <ad.domain>
Domain NetBIOS name: <ADNETBIOS>
Domain Security Identifier: S-1-5-21-1014394416-1363177490-1625040996
Trust direction: Trusting forest
Trust type: Active Directory domain
UPN suffixes: <company.domain>
--
I try to attach the log file here, not sure if it goes through...
Eemeli
-----Original Message-----
From: Sumit Bose sbose@redhat.com
Sent: Friday, 6 September 2019 9.14
To: Jokinen Eemeli Eemeli.Jokinen@cinia.fi
Cc: Sumit Bose sbose@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org
Subject: Re: [Freeipa-users] Re: Problems joining an Ubuntu client to IPA server and using AD Credentials
On Fri, Sep 06, 2019 at 05:20:03AM +0000, Jokinen Eemeli wrote:
Hi!
Nice! That seemed to do the trick after rebooting the client.
Is there a switch to set that up during "ipa-client-install" or should I use configuration management to deploy that when needed?
Hi,
Recent versions of SSSD should be able to determine automatically if enterprise principals should be enabled or not. To investigate why this did not happen in your case, please let me know which version of SSSD you are using and send the output of
ipa trust-show trusted.ad.forest.root
As a next step I might ask you for the sssd_ipa.domain.log file with debug_level=9 in the [domain/...] section of sssd.conf which covers the startup of SSSD.
bye, Sumit
Eemeli
-----Original Message-----
From: Sumit Bose sbose@redhat.com
Sent: Thursday, 5 September 2019 19.03
To: Jokinen Eemeli Eemeli.Jokinen@cinia.fi
Cc: FreeIPA users list freeipa-users@lists.fedorahosted.org; Sumit Bose sbose@redhat.com
Subject: Re: [Freeipa-users] Re: Problems joining an Ubuntu client to IPA server and using AD Credentials
On Thu, Sep 05, 2019 at 03:03:17PM +0000, Jokinen Eemeli wrote:
Hi!
In fact we're using RHEL 7 with ipa-server 4.6.4
Hi,
in this case please try to add
krb5_use_enterprise_principal = True
to the [domain/...] section of sssd.conf on the Ubuntu client.
HTH
bye, Sumit
Eemeli
-----Original Message-----
From: Sumit Bose via FreeIPA-users freeipa-users@lists.fedorahosted.org
Sent: Thursday, 5 September 2019 16.36
To: freeipa-users@lists.fedorahosted.org
Cc: Sumit Bose sbose@redhat.com
Subject: [Freeipa-users] Re: Problems joining an Ubuntu client to IPA server and using AD Credentials
On Thu, Sep 05, 2019 at 01:11:44PM +0000, Jokinen Eemeli via FreeIPA-users wrote:
Hi,
which IPA version are you using on the server?
On Fri, Sep 06, 2019 at 06:54:56AM +0000, Jokinen Eemeli wrote:
Hi,
...
(Fri Sep 6 09:22:12 2019) [sssd[be[<ipa.company.domain>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=<ipa>,dc=<company>,dc=<domain>].
(Fri Sep 6 09:22:12 2019) [sssd[be[<ipa.company.domain>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Sep 6 09:22:12 2019) [sssd[be[<ipa.company.domain>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
(Fri Sep 6 09:22:12 2019) [sssd[be[<ipa.company.domain>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
(Fri Sep 6 09:22:12 2019) [sssd[be[<ipa.company.domain>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustDirection]
(Fri Sep 6 09:22:12 2019) [sssd[be[<ipa.company.domain>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 6
...
This means you are using an older version of SSSD which cannot detect automatically if enterprise principals can be used; with newer versions you should see a '[ipaNTAdditionalSuffixes]' here as well. So you have to set the option manually.
'ipa-client-install' cannot set this; you have to use a configuration management tool.
HTH
bye, Sumit
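The following script is an added example, not code from the thread, SSSD or FreeIPA: it applies Sumit's diagnosis and fix in one place, checking a krb5_child.log against "ipa trust-show" output for a "Cannot find KDC" realm that is really an AD UPN suffix, and writing krb5_use_enterprise_principal = True into every [domain/...] section of sssd.conf the way a configuration management tool would. The log lines, trust-show output and sssd.conf it works on are constructed samples modelled on the ones quoted above, with the list's redaction placeholders used as literal names.

```python
import configparser
import re

# Constructed samples modelled on the output quoted in the thread; the list's
# redaction placeholders are used here as literal names (no angle brackets).
SAMPLE_KRB5_CHILD_LOG = """\
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [company.domain]
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [get_and_save_tgt] (0x0020): 1232: [-1765328230][Cannot find KDC for realm "company.domain"]
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [map_krb5_error] (0x0020): 1301: [-1765328230][Cannot find KDC for realm "company.domain"]
"""
SAMPLE_TRUST_SHOW = """\
  Realm name: ad.domain
  UPN suffixes: company.domain
"""
SAMPLE_SSSD_CONF = """\
[domain/ipa.company.domain]
id_provider = ipa
ipa_domain = ipa.company.domain
krb5_realm = IPA.COMPANY.DOMAIN
cache_credentials = True

[sssd]
services = nss, pam, ssh, sudo
domains = ipa.company.domain
"""
OPTION = "krb5_use_enterprise_principal"
KDC_FAIL_RE = re.compile(r'Cannot find KDC for realm "([^"]+)"')
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*([^=\s#;]+)\s*=")

def parse_trust_show(text):
    """Realm name and lower-cased UPN suffixes from `ipa trust-show` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    suffixes = fields.get("UPN suffixes", "").split(",")
    return {"realm": fields.get("Realm name", "").lower(),
            "upn_suffixes": [s.strip().lower() for s in suffixes if s.strip()]}

def kdc_failure_realms(log_text):
    """Realms krb5_child found no KDC for, de-duplicated in order of appearance
    (the same failure is logged by get_and_save_tgt and again by map_krb5_error)."""
    realms = []
    for match in KDC_FAIL_RE.finditer(log_text):
        realm = match.group(1).lower()
        if realm not in realms:
            realms.append(realm)
    return realms

def upn_suffix_kdc_failures(log_text, trust_text):
    """The thread's symptom: kinit was attempted against a name that is an AD UPN
    suffix rather than a Kerberos realm, so no KDC exists for it. With enterprise
    principals SSSD sends user@suffix to its own realm's KDC to be resolved."""
    suffixes = parse_trust_show(trust_text)["upn_suffixes"]
    return [realm for realm in kdc_failure_realms(log_text) if realm in suffixes]

def ensure_enterprise_principal(conf_text):
    """Return sssd.conf text with krb5_use_enterprise_principal = True in every
    [domain/...] section; line-based so comments survive, and idempotent."""
    out, section, seen = [], None, False

    def close_section():
        # Leaving a domain section that lacked the option: add it before the
        # blank lines that separate the section from the next one.
        if section is not None and section.startswith("domain/") and not seen:
            idx = len(out)
            while idx > 0 and out[idx - 1].strip() == "":
                idx -= 1
            out.insert(idx, f"{OPTION} = True")

    for line in conf_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            close_section()
            section, seen = header.group(1), False
            out.append(line)
            continue
        key = KEY_RE.match(line)
        if key and key.group(1).lower() == OPTION and (section or "").startswith("domain/"):
            out.append(f"{OPTION} = True")  # also overrides an explicit False
            seen = True
            continue
        out.append(line)
    close_section()
    return "\n".join(out) + "\n"

def option_value(conf_text, section, key):
    """Read one option back the way sssd would see it, via configparser."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(conf_text)
    return cfg.get(section, key, fallback=None)
```

Running upn_suffix_kdc_failures on a real krb5_child.log and the real trust-show output tells you whether this is the UPN-suffix case before you touch sssd.conf; ensure_enterprise_principal can then be fed the file contents and its result written back, and it leaves an already-fixed file unchanged.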
Hi!
It surely does. Thank you!
Eemeli
-----Original Message-----
From: Sumit Bose sbose@redhat.com
Sent: Friday, 6 September 2019 10.19
To: Jokinen Eemeli Eemeli.Jokinen@cinia.fi
Cc: Sumit Bose sbose@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org
Subject: Re: [Freeipa-users] Re: Problems joining an Ubuntu client to IPA server and using AD Credentials