On Thu, Jun 08, 2023 at 03:37:12PM -0000, James Osbourn via
FreeIPA-users wrote:
> Thanks I will take a look at the link.
>
> The krb5.conf file looks as follows
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = IPA.AD1.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = true
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> IPA.AD1.COM = {
> kdc = ipa-3.ipa.ad1.com:88
> master_kdc = ipa-3.ipa.ad1.com:88
> kpasswd_server = ipa-3.ipa.ad1.com:464
> admin_server = ipa-3.ipa.ad1.com:749
> default_domain = ipa.ad1.com
> pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
> pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
> }
>
> [domain_realm]
> .ipa.ad1.com = IPA.AD1.COM
> ipa.ad1.com = IPA.AD1.COM
> ipa-3.ipa.ad1.com = IPA.AD1.COM
Hi,
assuming that auth.ssdis.loc is the domain with issues can you try if
adding
.auth.ssdis.loc = AUTH.SSDIS.LOC
auth.ssdis.loc = AUTH.SSDIS.LOC
to the [domain_realm] of /etc/krb5.conf makes it more reliable?
bye,
Sumit
>
> [dbmodules]
> IPA.AD1.COM = {
> db_library = ipadb.so
> }
>
> [plugins]
> certauth = {
> module = ipakdb:kdb/ipadb.so
> enable_only = ipakdb
> }
>
> Under the /var/lib/sss/pubconf/krb5.include.d/ directory the files and
> contents are as follows
> ::::::::::::::
> /var/lib/sss/pubconf/krb5.include.d/domain_realm_auth_ssdis_loc
> ::::::::::::::
> [domain_realm]
> .ssdis.loc = SSDIS.LOC
> ssdis.loc = SSDIS.LOC
> .ROOT.TES = ROOT.TES
> ROOT.TES = ROOT.TES
> .INTERNAL.ROOT.TES = INTERNAL.ROOT.TES
> INTERNAL.ROOT.TES = INTERNAL.ROOT.TES
> [capaths]
> SSDIS.LOC = {
> AUTH.SSDIS.LOC = SSDIS.LOC
> }
> ROOT.TES = {
> AUTH.SSDIS.LOC = ROOT.TES
> }
> INTERNAL.ROOT.TES = {
> AUTH.SSDIS.LOC = ROOT.TES
> }
> AUTH.SSDIS.LOC = {
> SSDIS.LOC = SSDIS.LOC
> ROOT.TES = ROOT.TES
> INTERNAL.ROOT.TES = ROOT.TES
> }
> ::::::::::::::
> /var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
> ::::::::::::::
> [libdefaults]
> canonicalize = true
> ::::::::::::::
> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> ::::::::::::::
> [plugins]
> localauth = {
> module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
> }
>
> I am still looking into my problem, a reboot of an IPA server seems to allow
> authentication and AD group authorisation to work for a period of time and
> then it stops. Authentication will continue to work if the user is cached in
> the SSSD cache, but trying to use sudo fails as it can no longer get the
> membership details.
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
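Added example, not code from the thread or from the krb5/SSSD projects: it replays libkrb5's [domain_realm] lookup order (exact hostname, then each parent domain with a leading dot, longest suffix first) over the entries quoted above, so you can see that a host under auth.ssdis.loc resolves to SSDIS.LOC through the `.ssdis.loc` entry until the two entries Sumit suggests are present. The config strings and the hostnames checked are constructed from the thread.

```python
# Added example, not from the thread: replay libkrb5's [domain_realm]
# lookup order over the quoted entries to see what adding the
# .auth.ssdis.loc / auth.ssdis.loc entries changes.

# Constructed from the thread: /etc/krb5.conf entries, then the SSSD include file.
QUOTED_CONFIG = """
[domain_realm]
.ipa.ad1.com = IPA.AD1.COM
[domain_realm]
.ssdis.loc = SSDIS.LOC
.ROOT.TES = ROOT.TES
"""

# The two entries Sumit suggested adding to /etc/krb5.conf.
SUGGESTED_ENTRIES = """
[domain_realm]
.auth.ssdis.loc = AUTH.SSDIS.LOC
auth.ssdis.loc = AUTH.SSDIS.LOC
"""

def parse_domain_realm(text):
    """Collect `name = REALM` pairs from every [domain_realm] section; other
    sections are skipped. Keys are lower-cased here so the upper-case entries
    SSSD writes still match lower-case hostnames. First definition wins."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "domain_realm" and "=" in line:
            key, _, realm = line.partition("=")
            mapping.setdefault(key.strip().lower(), realm.strip())
    return mapping

def host_realm(hostname, mapping):
    """Mirror libkrb5's order: exact hostname first, then each parent domain
    with a leading dot, longest suffix first ("a.b.c" -> ".b.c" -> ".c").
    None means no [domain_realm] entry applies (libkrb5 falls back elsewhere)."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    return None
```

Run `host_realm("dc1.auth.ssdis.loc", parse_domain_realm(QUOTED_CONFIG))` against the same call with `QUOTED_CONFIG + SUGGESTED_ENTRIES` to compare the two mappings; in the first case the `.ssdis.loc` entry wins because nothing longer matches.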