On (07/08/17 11:08), Supratik Goswami via FreeIPA-users wrote:
>Hi
>
>I am using trust between AD and IPA
>
>AD domain: ad.corp.example.com
>IPA domain: ipa.corp.example.com
>
>I am able to log in using SSH to the IPA server using the AD user, but when I am
>trying to log in using SSH to the Linux client, which is a member of the IPA
>domain, it does not work.
>
>Please find my /etc/krb5.conf in the client machine below
>
>[libdefaults]
> #default_realm = IPA.CORP.EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> udp_preference_limit = 0
># default_ccache_name = KEYRING:persistent:%{uid}
>
>
>[realms]
> IPA.CORP.EXAMPLE.COM = {
> kdc = ipa01.ipa.corp.example.com:88
> master_kdc = ipa01.ipa.corp.example.com:88
> admin_server = ipa01.ipa.corp.example.com:749
> #default_domain = ipa.corp.example.com
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> auth_to_local = RULE:[1:$1@$0](^.*@AD.CORP.EXAMPLE.COM$)s/@AD.CORP.EXAMPLE.COM/@ad.corp.example.com/
> auth_to_local = DEFAULT
>
> }
>
> AD.CORP.EXAMPLE.COM = {
> kdc = ad01.ad.corp.example.com:88
> master_kdc = ad01.ad.corp.example.com:88
> }
>
>[domain_realm]
> .ipa.corp.example.com = IPA.CORP.EXAMPLE.COM
> ipa.corp.example.com = IPA.CORP.EXAMPLE.COM
> .ad.corp.example.com = AD.CORP.EXAMPLE.COM
> ad.corp.example.com = AD.CORP.EXAMPLE.COM
>
>
>Please find my SSSD config below
>
>[sssd]
>config_file_version = 2
>services = nss, sudo, pam, ssh
>domains = ipa.corp.exampl.com
>
>[nss]
>homedir_substring = /home
>
>[domain/ipa.corp.example.com]
>debug_level = 9
>krb5_store_password_if_offline = True
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = ipa.corp.example.com
>ipa_hostname = host01.ipa.corp.example.com
>ipa_server = _srv_, ipa01.ipa.corp.example.com
>chpass_provider = ipa
>ldap_tls_cacert = /etc/ipa/ca.crt
>dns_discovery_domain = ipa.corp.example.com
>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>[ifp]
>
>
>Please find the krb5_child.log attached.
>
Which version of sssd do you use?
BTW here might be a reason:
(Mon Aug 7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [main] (0x0400): Will perform online auth
(Mon Aug 7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Mon Aug 7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [AD.CORP.EXAMPLE.COM]
(Mon Aug 7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711333: Getting initial credentials for [email protected]
(Mon Aug 7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711406: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_IPA.CORP.EXAMPLE.COM
(Mon Aug 7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711468: Retrieving host/[email protected] -> krb5_ccache_conf_data/fast_avail/krbtgt\/AD.CORP.EXAMPLE.COM\@AD.CORP.EXAMPLE.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_IPA.CORP.EXAMPLE.COM with result: -1765328243/Matching credential not found
(Mon Aug 7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711534: Sending request (192 bytes) to AD.CORP.EXAMPLE.COM
(Mon Aug 7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711658: Resolving hostname ad01.ad.corp.example.com
(Mon Aug 7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328228][Cannot contact any KDC for realm 'AD.CORP.EXAMPLE.COM']
(Mon Aug 7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [map_krb5_error] (0x0020): 1303: [-1765328228][Cannot contact any KDC for realm 'AD.CORP.EXAMPLE.COM']
(Mon Aug 7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [k5c_send_data] (0x0200): Received error code 1432158222
"Cannot contact any KDC for realm 'AD.CORP.EXAMPLE.COM'" is the main problem.
Failures with permission denied were when sssd was in offline mode.
I would also recommend following the instructions on the following page:
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
LS
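The triage Lukas does by hand above (find the KDC-unreachable error in krb5_child.log, then look at which realm and which host libkrb5 was trying to reach, and compare that with the [realms] section of krb5.conf) can be scripted. The following is an added example, not code from the thread or from SSSD: it parses a constructed krb5_child.log excerpt modelled on the one posted (the user principal is a placeholder, since the original is redacted) together with a trimmed copy of the posted krb5.conf, and lists what a defender should check next on the client (static KDC list vs. DNS SRV discovery, name resolution, reachability of port 88). The two error numbers in the table are MIT krb5 com_err codes; everything else is an assumption of this example.

```python
import re

# krb5_child.log lines modelled on the excerpt in this thread (constructed sample;
# "someuser" is a placeholder because the real principal is redacted).
SAMPLE_LOG = """\
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [AD.CORP.EXAMPLE.COM]
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711333: Getting initial credentials for someuser@AD.CORP.EXAMPLE.COM
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711534: Sending request (192 bytes) to AD.CORP.EXAMPLE.COM
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [sss_child_krb5_trace_cb] (0x4000): [26785] 1502083811.711658: Resolving hostname ad01.ad.corp.example.com
(Mon Aug  7 05:30:11 2017) [[sssd[krb5_child[26785]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328228][Cannot contact any KDC for realm 'AD.CORP.EXAMPLE.COM']
"""

# Trimmed copy of the krb5.conf posted in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 udp_preference_limit = 0

[realms]
 IPA.CORP.EXAMPLE.COM = {
  kdc = ipa01.ipa.corp.example.com:88
  master_kdc = ipa01.ipa.corp.example.com:88
  admin_server = ipa01.ipa.corp.example.com:749
 }
 AD.CORP.EXAMPLE.COM = {
  kdc = ad01.ad.corp.example.com:88
  master_kdc = ad01.ad.corp.example.com:88
 }

[domain_realm]
 .ad.corp.example.com = AD.CORP.EXAMPLE.COM
"""

# Error numbers from MIT krb5's com_err table, as they appear in krb5_child.log.
KRB5_ERRORS = {
    -1765328228: "KRB5_KDC_UNREACH (cannot contact any KDC for realm)",
    -1765328243: "KRB5_CC_NOTFOUND (no matching credential in ccache; usually benign)",
}

RE_SECTION = re.compile(r"^\[(\w+)\]$")
RE_REALM_OPEN = re.compile(r"^(\S+)\s*=\s*\{$")
RE_RESOLVE = re.compile(r"Resolving hostname (\S+)")
RE_ERROR = re.compile(r"\[(-?\d+)\]\[([^\]]+)\]")
RE_KDC_FAIL = re.compile(r"Cannot contact any KDC for realm '([^']+)'")


def parse_krb5_conf(text):
    """Return (libdefaults, realms); realms maps REALM -> unique kdc/master_kdc values."""
    libdefaults, realms = {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = RE_SECTION.match(line)
        if m:
            section, realm = m.group(1), None
            continue
        if section == "libdefaults":
            key, _, val = line.partition("=")
            libdefaults[key.strip()] = val.strip()
        elif section == "realms":
            m = RE_REALM_OPEN.match(line)
            if m:
                realm = m.group(1)
                realms.setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm is not None:
                key, _, val = line.partition("=")
                if key.strip() in ("kdc", "master_kdc") and val.strip() not in realms[realm]:
                    realms[realm].append(val.strip())
    return libdefaults, realms


def triage(log_text, conf_text):
    """Correlate a krb5_child.log excerpt with krb5.conf and list what to check next."""
    libdefaults, realms = parse_krb5_conf(conf_text)
    report = {"hosts_resolved": [], "errors": [], "failed_realm": None,
              "configured_kdcs": [], "findings": []}
    for line in log_text.splitlines():
        m = RE_RESOLVE.search(line)
        if m:
            report["hosts_resolved"].append(m.group(1))
        m = RE_ERROR.search(line)
        if m:
            code = int(m.group(1))
            report["errors"].append((code, KRB5_ERRORS.get(code, m.group(2))))
        m = RE_KDC_FAIL.search(line)
        if m:
            report["failed_realm"] = m.group(1)
    realm = report["failed_realm"]
    if realm is None:
        report["findings"].append("no KDC-unreachable error in this excerpt")
        return report
    kdcs = realms.get(realm, [])
    report["configured_kdcs"] = kdcs
    dns_kdc = libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    if not kdcs and not dns_kdc:
        report["findings"].append(f"{realm}: no kdc entries in [realms] and dns_lookup_kdc is off, "
                                  "so libkrb5 cannot locate any KDC")
    elif not kdcs:
        report["findings"].append(f"{realm}: KDC location depends on DNS SRV records "
                                  f"(_kerberos._tcp/_udp.{realm.lower()}); check them from this client")
    else:
        report["findings"].append(f"{realm}: static KDCs {', '.join(kdcs)}; check DNS resolution "
                                  "and TCP/UDP port 88 reachability from this client")
    for host in report["hosts_resolved"]:
        report["findings"].append(f"libkrb5 tried to resolve {host} just before failing: confirm it "
                                  "resolves here and that port 88 is not filtered")
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, SAMPLE_KRB5_CONF)["findings"]:
        print(finding)
```

On the posted configuration the script reports that AD.CORP.EXAMPLE.COM has a static KDC (ad01.ad.corp.example.com:88) and that dns_lookup_kdc is off, so the remaining suspects are name resolution of ad01 on the client and the network path to port 88; the same script on a krb5.conf without the AD realm block reports instead that the client has no way to locate a KDC at all, which is the other common cause of this error on an IPA client in a trust setup.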
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]