Hi, I've been following the AD integration guide for IPAv3: http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
My setup is:

  • 5 domain controllers with Windows 2008 R2 AD DC -> example.com as Forest Root Domain and acme.example.com as transitive child domain
  • RHEL7 as IPA server with domain: linux.acme.example.com
  • RHEL6.5 as IPA client server ipatst03.linux.acme.example.com

Everything works correctly around the IPA Server, but the problem is within the IPA Client. I cannot log in by SSH or by su -:

  [leszek@ipatst03 ~]$ su - [email protected]
  Password:
  su: incorrect password

I found this error in /var/log/sssd/krb5_child.log:

  (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/ [email protected]].
  (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [get_and_save_tgt] (0x0020): 988: [-1765328341][Illegal cross-realm ticket]
  (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [map_krb5_error] (0x0020): 1043: [-1765328341][Illegal cross-realm ticket]
  (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data] (0x0200): Received error code 1432158209
  (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [pack_response_packet] (0x2000): response packet size: [20]
  (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data] (0x4000): Response sent.
  (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [main] (0x0400): krb5_child completed successfully

From that IPA client I can run:

  [root@ipatst03 ~]$ getent passwd [email protected]
  [email protected]:*:127283727:127283727:user1:/home/ acme.example.com/user1:

Do you know what is wrong with my setup?
After adding krb5_validate = false to sssd.conf on the IPA client ipatst03 I can log in by su/ssh, but without Kerberos principals and without groups assigned:

  [leszek@ipatst03 ~]$ su - [email protected]
  Password:
  -sh-4.1$ id
  uid=127283727([email protected]) gid=127283727([email protected]) groups=127283727([email protected]) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
  -sh-4.1$ klist
  klist: No credentials cache found while retrieving principal name

Below you can find setup information from the IPA Server, where everything looks good:

  [root@ipa1 ~]# kinit admin
  Password for [email protected]:
  [root@ipa1 ~]# klist
  Ticket cache: KEYRING:persistent:0:0
  Default principal: [email protected]

  Valid starting       Expires              Service principal
  10/15/2014 14:02:29  10/16/2014 14:02:25  krbtgt/ [email protected]

  [root@ipa1 ~]# getent passwd [email protected]
  [email protected]:*:127283727:127283727:user1:/home/ acme.example.com/user1:
  [root@ipa1 ~]# su - [email protected]
  Last login: Wed Oct 15 13:05:11 CEST 2014 from 10.9.79.93 on pts/4
  -sh-4.2$ id
  uid=127283727([email protected]) gid=127283727([email protected]) groups=127283727([email protected]),127200513(domain [email protected])
  -sh-4.2$ klist
  Ticket cache: KEYRING:persistent:127283727:krb_ccache_Aablt0q
  Default principal: [email protected]

  Valid starting       Expires              Service principal
  10/15/2014 13:05:22  10/15/2014 21:26:29  host/ [email protected]
        renew until 10/16/2014 11:26:29
  10/15/2014 13:05:20  10/15/2014 21:26:29  krbtgt/ [email protected]
        renew until 10/16/2014 11:26:29
  10/15/2014 13:05:20  10/15/2014 21:26:29  krbtgt/ [email protected]
        renew until 10/16/2014 11:26:29
  10/15/2014 11:26:29  10/15/2014 21:26:29  krbtgt/ [email protected]
        renew until 10/16/2014 11:26:29

  [leszek@ipa1 ~]$ su - [email protected]
  Password:
  -sh-4.2$ klist
  Ticket cache: KEYRING:persistent:127283727:krb_ccache_Aablt0q
  Default principal: [email protected]

  Valid starting       Expires              Service principal
  10/15/2014 14:43:00  10/16/2014 00:43:00  krbtgt/ [email protected]
        renew until 10/16/2014 14:43:00

Everything looks good.

  [root@ipa1 ~]# ipa trustdomain-find "example.com"
    Domain name: example.com
    Domain NetBIOS name: EXAMPLE
    Domain Security Identifier: S-1-5-21-827937240-19931235763-83952325
    Domain enabled: True

    Domain name: acme.example.com
    Domain NetBIOS name: ACME
    Domain Security Identifier: S-1-5-21-107454117-223899964-1235820382
    Domain enabled: True
  ----------------------------
  Number of entries returned 2
  ----------------------------

Any suggestions for help? Thanks.

--
http://cronylab.pl
http://emerge.pl
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
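The krb5_child.log excerpt above is the kind of output a practitioner has to decode by hand: SSSD prints its debug level as a hex mask, and libkrb5 errors as a raw negative code next to the message. The script below is an added example, not code from the post or from SSSD or FreeIPA. It parses lines in the krb5_child.log format, names the debug-level bits (values as documented in sssd.conf(5); check them against your version's man page), maps the libkrb5 code back to its error-table name (codes are ERROR_TABLE_BASE_krb5 + index, so -1765328341 is index 43, KRB5KRB_AP_ERR_ILL_CR_TKT, exactly the "Illegal cross-realm ticket" in the post), and summarises where the first failure happened. The sample log is constructed to mirror the post, with the host principal host/ipatst03.linux.acme.example.com@LINUX.ACME.EXAMPLE.COM filled in as an assumption because the original is redacted. One caveat worth keeping in mind when reading the triage output: the failing function is validate_tgt, the step that checks the freshly obtained TGT against the host keytab to defeat a spoofed KDC, which is precisely the check that krb5_validate = false switches off.

```python
"""Decode SSSD krb5_child.log lines: debug-level mask and libkrb5 error codes.

Added example; not from the freeipa-users post, SSSD or FreeIPA.
"""
import re
from typing import Dict, List, Optional

# Debug-level bits as listed in sssd.conf(5). Verify against your version.
SSSDBG = {
    0x0010: "SSSDBG_FATAL_FAILURE",
    0x0020: "SSSDBG_CRIT_FAILURE",
    0x0040: "SSSDBG_OP_FAILURE",
    0x0080: "SSSDBG_MINOR_FAILURE",
    0x0100: "SSSDBG_CONF_SETTINGS",
    0x0200: "SSSDBG_FUNC_DATA",
    0x0400: "SSSDBG_TRACE_FUNC",
    0x1000: "SSSDBG_TRACE_LIBS",
    0x2000: "SSSDBG_TRACE_INTERNAL",
    0x4000: "SSSDBG_TRACE_ALL",
}
FAILURE_MASK = 0x00F0  # the four *_FAILURE levels

# libkrb5 codes are ERROR_TABLE_BASE_krb5 + index into the krb5 error table.
KRB5_ERROR_TABLE_BASE = -1765328384
KRB5_NAMES = {  # a few indices seen most often in krb5_child.log
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
    37: "KRB5KRB_AP_ERR_SKEW",
    43: "KRB5KRB_AP_ERR_ILL_CR_TKT",
    154: "KRB5_REALM_UNKNOWN",
    156: "KRB5_KDC_UNREACH",
}

# "(timestamp) [[sssd[krb5_child[PID]]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# SSSD prints krb5 failures as "[code][message]" with a negative code.
KRB5_ERR_RE = re.compile(r"\[(?P<code>-\d+)\]\[(?P<text>[^\]]*)\]")


def level_names(mask: int) -> List[str]:
    """Expand a debug-level mask into the SSSDBG_* names it contains."""
    return [name for bit, name in sorted(SSSDBG.items()) if mask & bit]


def krb5_error_name(code: int) -> str:
    """Map a libkrb5 error code to its symbolic name via the table base."""
    idx = code - KRB5_ERROR_TABLE_BASE
    if 0 <= idx < 256:
        return KRB5_NAMES.get(idx, f"krb5 error index {idx}")
    return "not a libkrb5 error-table code"


def parse_line(line: str) -> Optional[Dict]:
    """Return a record for one krb5_child.log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    rec["levels"] = level_names(rec["level"])
    rec["is_failure"] = bool(rec["level"] & FAILURE_MASK)
    err = KRB5_ERR_RE.search(rec["msg"])
    rec["krb5_code"] = int(err["code"]) if err else None
    rec["krb5_name"] = krb5_error_name(rec["krb5_code"]) if err else None
    return rec


def parse_log(text: str) -> List[Dict]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def triage(records: List[Dict]) -> Dict:
    """Summarise the first failure-level line and the first krb5 error code."""
    failures = [r for r in records if r["is_failure"]]
    if not failures:
        return {"status": "no failure-level lines"}
    coded = next((r for r in failures if r["krb5_code"] is not None), None)
    return {
        "status": "failure",
        "first_failure_func": failures[0]["func"],
        "first_failure_msg": failures[0]["msg"],
        "krb5_code": coded["krb5_code"] if coded else None,
        "krb5_name": coded["krb5_name"] if coded else None,
        "failure_count": len(failures),
    }


# Constructed sample mirroring the post; the host principal is an assumption.
SAMPLE_LOG = """\
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/ipatst03.linux.acme.example.com@LINUX.ACME.EXAMPLE.COM].
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [get_and_save_tgt] (0x0020): 988: [-1765328341][Illegal cross-realm ticket]
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [map_krb5_error] (0x0020): 1043: [-1765328341][Illegal cross-realm ticket]
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [pack_response_packet] (0x2000): response packet size: [20]
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data] (0x4000): Response sent.
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [main] (0x0400): krb5_child completed successfully
"""

if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage(parse_log(open("/var/log/sssd/krb5_child.log").read()))`; the `1432158209` in the k5c_send_data line is an SSSD-internal code rather than a libkrb5 one, so the script deliberately leaves it unmapped instead of guessing.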
