[Freeipa-users] IPA Trust AD and Illegal cross-realm ticket

crony leszek.mis at gmail.com
Wed Oct 15 12:47:05 UTC 2014


Hi,
I've been following the AD integration guide for IPAv3:
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

My setup is:
• 5 domain controllers with Windows 2008 R2 AD DC -> example.com as Forest
Root Domain and acme.example.com as transitive child domain
• RHEL7 as IPA server with domain: linux.acme.example.com
• RHEL6.5 as IPA client server ipatst03.linux.acme.example.com

Everything works correctly around IPA Server, but the problem is within IPA
Client.

I cannot log in by SSH or by su -:

[leszek@ipatst03 ~]$ su - user1@acme.example.com
Password:
su: incorrect password

I found this error in /var/log/sssd/krb5_child.log :

(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/ipatst03.linux.acme.example.com@LINUX.ACME.EXAMPLE.COM].
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [get_and_save_tgt] (0x0020): 988: [-1765328341][Illegal cross-realm ticket]
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [map_krb5_error] (0x0020): 1043: [-1765328341][Illegal cross-realm ticket]
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [pack_response_packet] (0x2000): response packet size: [20]
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data] (0x4000): Response sent.
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [main] (0x0400): krb5_child completed successfully


From that IPA client I can run:

[root@ipatst03 ~]$ getent passwd user1@acme.example.com
user1@acme.example.com:*:127283727:127283727:user1:/home/acme.example.com/user1:

Do you know what is wrong with my setup?

After adding krb5_validate = false to sssd.conf on IPA client ipatst03 I
can log in by su/ssh, but without Kerberos principals and without groups
assigned:

[leszek@ipatst03 ~]$ su - user1@acme.example.com
Password:
-sh-4.1$ id
uid=127283727(user1@acme.example.com) gid=127283727(user1@acme.example.com)
groups=127283727(user1@acme.example.com)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ klist
klist: No credentials cache found while retrieving principal name



Below you can find setup information from IPA Server where everything looks
good:

[root@ipa1 ~]# kinit admin
Password for admin@LINUX.ACME.EXAMPLE.COM:

[root@ipa1 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@LINUX.ACME.EXAMPLE.COM

Valid starting       Expires              Service principal
10/15/2014 14:02:29  10/16/2014 14:02:25  krbtgt/LINUX.ACME.EXAMPLE.COM@LINUX.ACME.EXAMPLE.COM

[root@ipa1 ~]# getent passwd user1@acme.example.com
user1@acme.example.com:*:127283727:127283727:user1:/home/acme.example.com/user1:

[root@ipa1 ~]# su - user1@acme.example.com
Last login: Wed Oct 15 13:05:11 CEST 2014 from 10.9.79.93 on pts/4
-sh-4.2$ id
uid=127283727(user1@acme.example.com) gid=127283727(user1@acme.example.com)
groups=127283727(user1@acme.example.com),127200513(domain users@acme.example.com)

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:127283727:krb_ccache_Aablt0q
Default principal: USER1@ACME.EXAMPLE.COM

Valid starting       Expires              Service principal
10/15/2014 13:05:22  10/15/2014 21:26:29  host/ipatst03.linux.acme.example.com@LINUX.ACME.EXAMPLE.COM
	renew until 10/16/2014 11:26:29
10/15/2014 13:05:20  10/15/2014 21:26:29  krbtgt/LINUX.ACME.EXAMPLE.COM@EXAMPLE.COM
	renew until 10/16/2014 11:26:29
10/15/2014 13:05:20  10/15/2014 21:26:29  krbtgt/EXAMPLE.COM@ACME.EXAMPLE.COM
	renew until 10/16/2014 11:26:29
10/15/2014 11:26:29  10/15/2014 21:26:29  krbtgt/ACME.EXAMPLE.COM@ACME.EXAMPLE.COM
	renew until 10/16/2014 11:26:29

[leszek@ipa1 ~]$ su - user1@acme.example.com
Password:
-sh-4.2$ klist
Ticket cache: KEYRING:persistent:127283727:krb_ccache_Aablt0q
Default principal: USER1@ACME.EXAMPLE.COM

Valid starting       Expires              Service principal
10/15/2014 14:43:00  10/16/2014 00:43:00  krbtgt/ACME.EXAMPLE.COM@ACME.EXAMPLE.COM
	renew until 10/16/2014 14:43:00



Everything looks good.

[root@ipa1 ~]# ipa trustdomain-find "example.com"
  Domain name: example.com
  Domain NetBIOS name: EXAMPLE
  Domain Security Identifier: S-1-5-21-827937240-19931235763-83952325
  Domain enabled: True

  Domain name: acme.example.com
  Domain NetBIOS name: ACME
  Domain Security Identifier: S-1-5-21-107454117-223899964-1235820382
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

Any suggestions for help?

Thanks.

--
http://cronylab.pl
http://emerge.pl
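Editor's note, with an added example that is not part of the post above nor SSSD/FreeIPA code. Two things in the post are worth checking mechanically before weakening the client config: the krb5 error number in krb5_child.log decodes to a specific RFC 4120 error (MIT krb5 error numbers are the com_err table base -1765328384 plus the protocol error code, so -1765328341 is code 43, KRB_AP_ERR_ILL_CR_TKT, exactly the "Illegal cross-realm ticket" text SSSD prints), and the klist output on a working host should show an unbroken krbtgt chain from the user's AD realm to the IPA realm. The script below does both on sample text constructed from the excerpts in the post; the function names, the realm-walking logic and the error-code subset are my own. Note that krb5_validate = false, the workaround in the post, turns off the check that the TGT can be decrypted with the host's own keytab, which is what protects the client from a spoofed KDC; a triage tool like this is meant to find the cause rather than to justify leaving validation off.

```python
"""Triage helpers for an SSSD krb5_child.log TGT-validation failure.

Added example, not code from the post or from SSSD/FreeIPA. Sample log and
klist text below are constructed from the excerpts in the post (line wraps
removed, '@' restored); the function names are hypothetical.
"""
import re

# MIT krb5 com_err table base: an MIT krb5 error number is this value plus
# the RFC 4120 section 7.5.9 protocol error code.
KRB5_ERROR_TABLE_BASE = -1765328384

# Subset of RFC 4120 error codes that show up around TGT validation.
RFC4120_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KDC_ERR_PREAUTH_FAILED",
    31: "KRB_AP_ERR_BAD_INTEGRITY",
    41: "KRB_AP_ERR_MODIFIED",
    43: "KRB_AP_ERR_ILL_CR_TKT",
    44: "KRB_AP_ERR_BADKEYVER",
}

# Constructed sample, modelled on the krb5_child.log lines in the post.
SAMPLE_LOG = """\
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/ipatst03.linux.acme.example.com@LINUX.ACME.EXAMPLE.COM].
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [get_and_save_tgt] (0x0020): 988: [-1765328341][Illegal cross-realm ticket]
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [map_krb5_error] (0x0020): 1043: [-1765328341][Illegal cross-realm ticket]
(Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data] (0x0200): Received error code 1432158209
"""

# Constructed sample, modelled on the working klist output from the IPA server.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:127283727:krb_ccache_Aablt0q
Default principal: USER1@ACME.EXAMPLE.COM

Valid starting       Expires              Service principal
10/15/2014 13:05:22  10/15/2014 21:26:29  host/ipatst03.linux.acme.example.com@LINUX.ACME.EXAMPLE.COM
	renew until 10/16/2014 11:26:29
10/15/2014 13:05:20  10/15/2014 21:26:29  krbtgt/LINUX.ACME.EXAMPLE.COM@EXAMPLE.COM
	renew until 10/16/2014 11:26:29
10/15/2014 13:05:20  10/15/2014 21:26:29  krbtgt/EXAMPLE.COM@ACME.EXAMPLE.COM
	renew until 10/16/2014 11:26:29
10/15/2014 11:26:29  10/15/2014 21:26:29  krbtgt/ACME.EXAMPLE.COM@ACME.EXAMPLE.COM
	renew until 10/16/2014 11:26:29
"""

LOG_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$"
)
KRB5_ERR = re.compile(r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]+)\]")
VALIDATE_KEY = re.compile(r"using key for \[(?P<princ>[^\]]+)\]")


def decode_krb5_error(code):
    """Map an MIT krb5 error number to (RFC 4120 code, symbolic name)."""
    proto = code - KRB5_ERROR_TABLE_BASE
    return proto, RFC4120_ERRORS.get(proto, "UNKNOWN")


def triage_krb5_child(log_text):
    """Extract which keytab principal validated the TGT and every krb5 error
    SSSD logged, decoded to its RFC 4120 name."""
    result = {"validation_principal": None, "errors": []}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "validate_tgt":
            k = VALIDATE_KEY.search(msg)
            if k:
                result["validation_principal"] = k.group("princ")
        for e in KRB5_ERR.finditer(msg):
            code = int(e.group("code"))
            proto, name = decode_krb5_error(code)
            result["errors"].append((func, code, proto, name, e.group("text")))
    return result


def cross_realm_path(klist_text, target_realm):
    """Walk the krbtgt/<dst>@<src> tickets from the default principal's realm
    to target_realm. Returns the ordered realm list, or None if the chain is
    incomplete (no local TGT, or a missing cross-realm hop)."""
    user_realm, hops = None, {}
    for line in klist_text.splitlines():
        if line.startswith("Default principal:"):
            user_realm = line.split("@", 1)[1].strip()
            continue
        parts = line.split()
        if len(parts) == 5 and parts[4].startswith("krbtgt/"):
            dst, src = parts[4][len("krbtgt/"):].split("@", 1)
            hops.setdefault(src, set()).add(dst)
    if user_realm is None or user_realm not in hops.get(user_realm, set()):
        return None
    path, current = [user_realm], user_realm
    while current != target_realm:
        nxt = sorted(r for r in hops.get(current, ()) if r not in path)
        if not nxt:
            return None
        current = target_realm if target_realm in nxt else nxt[0]
        path.append(current)
    return path


if __name__ == "__main__":
    print(triage_krb5_child(SAMPLE_LOG))
    print(cross_realm_path(SAMPLE_KLIST, "LINUX.ACME.EXAMPLE.COM"))
```

Run it against the real /var/log/sssd/krb5_child.log and the klist of a user on the failing client (with krb5_validate left on, SSSD discards the cache, so run kinit user1@ACME.EXAMPLE.COM by hand first): a chain that stops before LINUX.ACME.EXAMPLE.COM points at the trust path or capaths, while a complete chain plus a validation failure against host/ipatst03 points at the client's keytab or its view of the IPA KDC.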