Thanks I will take a look at the link.

The krb5.conf file looks as follows
# Drop-in directories; everything in them is merged with this file.
# The second one is the SSSD public-config directory (its current contents are
# listed further down in this message), so presumably those files are
# regenerated by SSSD rather than edited by hand -- TODO confirm.
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

# Log destinations. `default` is used by libkrb5 itself; `kdc` and
# `admin_server` are only consulted by krb5kdc and kadmind, i.e. on the IPA
# server, not on a plain client.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPA.AD1.COM
 # Realm for a host comes from [domain_realm], not from (unauthenticated) DNS
 # TXT records; KDCs themselves are still located via DNS SRV records.
 dns_lookup_realm = false
 dns_lookup_kdc = true
 # Do not canonicalise a target hostname through reverse DNS before building
 # the service principal; a spoofed PTR record could otherwise steer a ticket
 # request at the wrong principal.
 rdns = false
 ticket_lifetime = 24h
 # Every TGT obtained with this config is forwardable: any client that forwards
 # credentials (e.g. ssh with GSSAPI delegation) hands a usable TGT to the
 # remote host. Keep this in mind when reviewing delegation exposure.
 forwardable = true
 # 0 = try TCP first for every KDC request instead of starting with UDP.
 udp_preference_limit = 0
 # Per-uid kernel keyring cache instead of a file under /tmp. %{uid} is
 # expanded by libkrb5 at runtime; it is not INI-style interpolation.
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 # A single KDC is pinned here; any other replicas are only reachable through
 # DNS SRV discovery (dns_lookup_kdc = true). If ipa-3 is down and the SRV
 # lookup fails there is no fallback in this file.
 IPA.AD1.COM = {
  kdc = ipa-3.ipa.ad1.com:88
  master_kdc = ipa-3.ipa.ad1.com:88
  kpasswd_server = ipa-3.ipa.ad1.com:464
  admin_server = ipa-3.ipa.ad1.com:749
  default_domain = ipa.ad1.com
  # PKINIT trust: `pkinit_anchors` are the CAs trusted to have issued the KDC
  # certificate, `pkinit_pool` holds extra certificates for chain building.
  # These bundles define who may impersonate the KDC to PKINIT clients, so
  # they must stay root-owned and not world-writable.
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}

# Hostname/domain -> realm map; this is authoritative because
# dns_lookup_realm = false. The explicit ipa-3 entry is already covered by the
# .ipa.ad1.com wildcard and is harmless. Hosts in the trusted AD domains are
# mapped by the SSSD-generated include file, not here.
[domain_realm]
 .ipa.ad1.com = IPA.AD1.COM
 ipa.ad1.com = IPA.AD1.COM
 ipa-3.ipa.ad1.com = IPA.AD1.COM

# KDC-side setting: krb5kdc/kadmind load the IPA KDB backend for this realm.
# Ignored by libkrb5 clients; its presence shows this is an IPA server's file.
[dbmodules]
  IPA.AD1.COM = {
    db_library = ipadb.so
  }

# KDC-side certauth (certificate -> principal mapping for PKINIT).
# `enable_only = ipakdb` means only IPA's own module decides which certificate
# may authenticate as which principal; the built-in pkinit_san/pkinit_eku
# checks are not used as an alternative mapping.
[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }

Under the /var/lib/sss/pubconf/krb5.include.d/ directory the files and contents 
are as follows
::::::::::::::
/var/lib/sss/pubconf/krb5.include.d/domain_realm_auth_ssdis_loc
::::::::::::::
# SSSD-generated mappings for the trusted AD forests.
# NOTE(review): the realm these paths converge on (AUTH.SSDIS.LOC) is not the
# default_realm of the main file (IPA.AD1.COM), and no [domain_realm] entry for
# auth.ssdis.loc exists in either file. Confirm whether that is just uneven
# redaction in this post or a real mismatch between SSSD's view of the IPA
# domain and krb5.conf.
# NOTE(review): the .ROOT.TES / .INTERNAL.ROOT.TES keys are upper-case while
# the .ssdis.loc ones are lower-case; libkrb5 lowercases the hostname before
# the [domain_realm] lookup, so confirm these keys actually match -- TODO.
[domain_realm]
.ssdis.loc = SSDIS.LOC
ssdis.loc = SSDIS.LOC
.ROOT.TES = ROOT.TES
ROOT.TES = ROOT.TES
.INTERNAL.ROOT.TES = INTERNAL.ROOT.TES
INTERNAL.ROOT.TES = INTERNAL.ROOT.TES
# Cross-realm trust paths: CLIENT_REALM = { SERVER_REALM = INTERMEDIATE }.
# SSDIS.LOC and ROOT.TES are reached directly from AUTH.SSDIS.LOC;
# INTERNAL.ROOT.TES is reached via its forest root ROOT.TES. These must match
# the trusts that actually exist on the AD side, or cross-realm TGS requests
# for those realms fail.
[capaths]
SSDIS.LOC = {
  AUTH.SSDIS.LOC = SSDIS.LOC
}
ROOT.TES = {
  AUTH.SSDIS.LOC = ROOT.TES
}
INTERNAL.ROOT.TES = {
  AUTH.SSDIS.LOC = ROOT.TES
}
AUTH.SSDIS.LOC = {
  SSDIS.LOC = SSDIS.LOC
  ROOT.TES = ROOT.TES
  INTERNAL.ROOT.TES = ROOT.TES
}
::::::::::::::
/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
::::::::::::::
# Ask the KDC to canonicalise the client principal in AS requests. Needed for
# enterprise-principal logins of users from the trusted AD realms, whose
# canonical principal lives in a realm other than default_realm.
[libdefaults]
 canonicalize = true
::::::::::::::
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin
::::::::::::::
# Principal -> local user name mapping is delegated to SSSD, presumably so that
# principals from the trusted AD realms resolve to the user names SSSD serves.
# No `enable_only` here, so the built-in localauth modules remain active as
# well -- TODO confirm that is intended.
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }

I am still looking into my problem. A reboot of an IPA server seems to let
authentication and AD group authorisation work for a period of time, after
which it stops. Authentication continues to work for users already in the SSSD
cache, but sudo fails because the group-membership details can no longer be
retrieved.