I am having some strange issues after upgrade from FreeIPA 4.1.2 to 4.1.3/4.1.4 on CentOS 7.
Here is my setup:

    FreeIPA domain    : ipadomain.net
    Trusted AD domain : sub.addomain.net

In my AD domain, we have our UPN set to addomain.net so users typically login as [email protected] instead of [email protected].

In my /etc/sssd/sssd.conf on the ipa dc I have the following values set:

    use_fully_qualified_names = True

    [sssd]
    default_domain_suffix = sub.addomain.net

This is what I see in the logs when I attempt to login as 'username' (with no domain):

    May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]: Cannot find KDC for realm "ADDOMAIN.NET"
    May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]: Cannot find KDC for realm "ADDOMAIN.NET"
    May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
    May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth): received for user username: 4 (System error)
    May 05 15:36:53 ipadc1.ipadomain.net sshd[4373]: Failed password for username from 10.5.5.57 port 53118 ssh2

However, if in AD I switch the UPN on 'username' to the default of 'sub.addomain.net' I get a successful login:

    May 04 23:10:57 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
    May 04 23:10:58 ipadc1.ipadomain.net sshd[2293]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
    May 04 23:11:01 ipadc1.ipadomain.net sshd[2293]: Accepted password for username from 10.5.5.57 port 46077 ssh2
    May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting user-1539201103.slice.
    May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Created slice user-1539201103.slice.
    May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Starting Session 3 of user [email protected].
    May 04 23:11:01 ipadc1.ipadomain.net systemd[1]: Started Session 3 of user [email protected].
    May 04 23:11:01 ipadc1.ipadomain.net systemd-logind[716]: New session 3 of user [email protected].
    May 04 23:11:02 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:session): session opened for user username by (uid=0)

As a temporary workaround I set dns_lookup_kdc = false in my /etc/krb5.conf file and that worked to allow me to login with just 'username', but even after a successful login I was seeing those 'cannot find KDC for realm' messages in the log.

Is there a proper way to allow people from a trusted AD domain to login with their alternative UPNs?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
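An added example (mine, not from the post, SSSD or FreeIPA) for reading journals like the ones quoted above: it pairs each pam_sss verdict for an sshd login attempt with any "Cannot find KDC for realm" messages krb5_child logged just before it, so an admin can see per attempt which realm the KDC lookup failed for. It assumes the year-less syslog/journal timestamp format shown in the post; the sample lines are the post's own, embedded as constructed input.

```python
import re
from datetime import datetime

# Constructed sample input: the journal lines quoted in the post, in time order.
SAMPLE_LOG = """\
May 04 23:10:57 ipadc1.ipadomain.net sshd[2293]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
May 04 23:10:58 ipadc1.ipadomain.net sshd[2293]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
May 04 23:11:01 ipadc1.ipadomain.net sshd[2293]: Accepted password for username from 10.5.5.57 port 46077 ssh2
May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]: Cannot find KDC for realm "ADDOMAIN.NET"
May 05 15:36:51 ipadc1.ipadomain.net [sssd[krb5_child[4376]]][4376]: Cannot find KDC for realm "ADDOMAIN.NET"
May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.5.57 user=username
May 05 15:36:51 ipadc1.ipadomain.net sshd[4373]: pam_sss(sshd:auth): received for user username: 4 (System error)
May 05 15:36:53 ipadc1.ipadomain.net sshd[4373]: Failed password for username from 10.5.5.57 port 53118 ssh2
"""

TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>.*)$")
KDC_RE = re.compile(r'krb5_child.*Cannot find KDC for realm "(?P<realm>[^"]+)"')
PAM_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): authentication "
                    r"(?P<result>failure|success);.* rhost=(?P<rhost>\S*) user=(?P<user>\S+)")
ERR_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): received for user \S+: "
                    r"(?P<code>\d+) \((?P<text>[^)]*)\)")

def summarize(log_text, window_seconds=5):
    """One record per sshd login attempt (keyed by sshd pid): the pam_sss verdict,
    its error string, and the realms krb5_child could not find a KDC for within
    window_seconds before the verdict. krb5_child runs under its own pid, so the
    two are correlated by time, not pid. pam_unix lines are ignored on purpose:
    pam_unix failing for a non-local user is normal before pam_sss answers."""
    pending_kdc = []   # (timestamp, realm) not yet attributed to an attempt
    attempts = {}
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        msg = m.group("msg")
        kdc, pam, err = KDC_RE.search(msg), PAM_RE.search(msg), ERR_RE.search(msg)
        if kdc:
            pending_kdc.append((ts, kdc.group("realm")))
        elif pam:
            recent = {r for t, r in pending_kdc if 0 <= (ts - t).total_seconds() <= window_seconds}
            attempts[pam.group("pid")] = {"user": pam.group("user"), "rhost": pam.group("rhost"),
                                          "result": pam.group("result"), "pam_error": None,
                                          "missing_kdc_realms": sorted(recent)}
            pending_kdc = []   # attributed, or too old to attribute to anything
        elif err and err.group("pid") in attempts:
            attempts[err.group("pid")]["pam_error"] = f'{err.group("code")} ({err.group("text")})'
    return attempts

if __name__ == "__main__":
    for pid, rec in summarize(SAMPLE_LOG).items():
        print(pid, rec)
```

Feed it `journalctl -u sshd -u sssd --no-pager` output (or /var/log/secure plus /var/log/messages) for a wider window; a non-empty `missing_kdc_realms` on a failed attempt points at the realm whose KDC discovery needs fixing.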
