[Freeipa-users] This again :) - ssh authentication for users in complex AD forest - where am I going wrong?

Sumit Bose sbose at redhat.com
Wed Nov 23 11:07:12 UTC 2016


On Tue, Nov 22, 2016 at 11:17:37AM -0500, Chris Dagdigian wrote:
> 
> 
> Sumit Bose wrote:
> > Please send the full krb5_child.log with debug_level=10 in the
> > [domain/...] section of sssd.conf. My current guess is the ticket
> > validation fails. Which version of SSSD are you using?
> > 
> > bye,
> > Sumit
> 
> 
> This is a CentOS 7 client running SSSD-1.13
> 
> Thank you. Lots of interesting info in this log. I've sanitized hostnames,
> username and IP but that was it:
> 
> ### log data below ####
> 
> 
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [main] (0x0400):
> krb5_child started.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [unpack_buffer]
> (0x1000): total buffer size: [158]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [1843770609] gid [1843770609] validate [true]
> enterprise principal [false] offline [false] UPN [username at COMPANY.ORG]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [unpack_buffer]
> (0x0100): ccname: [KEYRING:persistent:1843770609] old_ccname:
> [KEYRING:persistent:1843770609] keytab: [/etc/krb5.keytab]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [switch_creds]
> (0x0200): Switch user to [1843770609][1843770609].
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]]
> [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [switch_creds]
> (0x0200): Switch user to [0][0].
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [k5c_check_old_ccache]
> (0x4000): Ccache_file is [KEYRING:persistent:1843770609] and is not active
> and TGT is  valid.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [k5c_precreate_ccache]
> (0x4000): Recreating ccache
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
> [host/usaeilvdip001.company-aws.org at company-idm.org]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]]
> [find_principal_in_keytab] (0x4000): Trying to find principal
> host/usaeilvdip001.company-aws.org at company-idm.org in keytab.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [match_principal]
> (0x1000): Principal matched to the sample
> (host/usaeilvdip001.company-aws.org at company-idm.org).
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [check_fast_ccache]
> (0x0200): FAST TGT is still valid.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [become_user]
> (0x0200): Trying to become user [1843770609][1843770609].
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [main] (0x2000):
> Running as [1843770609][1843770609].
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [k5c_setup] (0x2000):
> Running as [1843770609][1843770609].
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [set_lifetime_options]
> (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [set_lifetime_options]
> (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]]
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [main] (0x0400): Will
> perform online auth
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [tgt_req_child]
> (0x1000): Attempting to get a TGT
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]] [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [COMPANY.ORG]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.899271: Getting
> initial credentials for username at COMPANY.ORG
> 
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.899337: FAST armor
> ccache: MEMORY:/var/lib/sss/db/fast_ccache_company-idm.org
> 
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.899368: Retrieving
> host/usaeilvdip001.company-aws.org at company-idm.org -> krb5_ccache_conf_data/fast_avail/krbtgt\/COMPANY.ORG\@COMPANY.ORG at X-CACHECONF:
> from MEMORY:/var/lib/sss/db/fast_ccache_company-idm.org with result:
> -1765328243/Matching credential not found
> 
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.899415: Sending
> request (169 bytes) to COMPANY.ORG
> 
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.899575: Resolving
> hostname COMPANY.ORG
> 
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.900935: Initiating TCP
> connection to stream 192.141.1.15:88
> 
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.987925: Sending TCP
> request to stream 192.141.1.15:88
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.75357: Received answer
> (118 bytes) from stream 192.141.1.15:88
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.75404: Terminating TCP
> connection to stream 192.141.1.15:88
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.75502: Response was
> from master KDC
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.75529: Received error
> from KDC: -1765328316/Realm not local to KDC
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.75544: Following
> referral to realm NAFTA.COMPANY.ORG
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.75559: FAST armor
> ccache: MEMORY:/var/lib/sss/db/fast_ccache_company-idm.org
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.75586: Retrieving
> host/usaeilvdip001.company-aws.org at company-idm.org -> krb5_ccache_conf_data/fast_avail/krbtgt\/NAFTA.COMPANY.ORG\@NAFTA.COMPANY.ORG at X-CACHECONF:
> from MEMORY:/var/lib/sss/db/fast_ccache_company-idm.org with result:
> -1765328243/Matching credential not found
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.75621: Sending request
> (181 bytes) to NAFTA.COMPANY.ORG
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.81119: Resolving
> hostname usetwadsfsmo03.nafta.COMPANY.ORG.
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.81947: Sending initial
> UDP request to dgram 192.189.131.30:88
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.99200: Received answer
> (205 bytes) from dgram 192.189.131.30:88
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.100064: Response was
> not from master KDC
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.100103: Received error
> from KDC: -1765328359/Additional pre-authentication required
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.100136: Processing
> preauth types: 16, 15, 19, 2
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.100155: Selected etype
> info: etype aes256-cts, salt "NAFTA.COMPANY.ORGusername", params ""
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.108691: AS key
> obtained for encrypted timestamp: aes256-cts/3D3B
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.108766: Encrypted
> timestamp (for 1479830568.478875): plain
> 301AA011180F32303136313132323136303234385AA1050203074E9B, encrypted 133359586FCB362BF70E6CC90D509C68D6B19903CE0113AD37826E22256090F77B2B7F0BE410C1D7E72F890C437A77FE4BE1DA21848F6209
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.108787: Preauth module
> encrypted_timestamp (2) (real) returned: 0/Success
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.108794: Produced
> preauth for next request: 2
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.108829: Sending
> request (260 bytes) to NAFTA.COMPANY.ORG
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.114751: Resolving
> hostname usetwadsfsmo03.nafta.COMPANY.ORG.
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.115601: Sending
> initial UDP request to dgram 192.189.131.30:88
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.133353: Received
> answer (108 bytes) from dgram 192.189.131.30:88
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.134326: Response was
> not from master KDC
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.134360: Received error
> from KDC: -1765328332/Response too big for UDP, retry with TCP
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.134370: Request or
> response is too big for UDP; retrying with TCP
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.134379: Sending
> request (260 bytes) to NAFTA.COMPANY.ORG (tcp only)
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.137246: Resolving
> hostname friawadsgc12.nafta.COMPANY.ORG.
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.138084: Initiating TCP
> connection to stream 192.141.1.52:88
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.224054: Sending TCP
> request to stream 192.141.1.52:88
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.311440: Received
> answer (2178 bytes) from stream 192.141.1.52:88
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.311483: Terminating
> TCP connection to stream 192.141.1.52:88
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312325: Response was
> not from master KDC
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312369: Processing
> preauth types: 19
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312381: Selected etype
> info: etype aes256-cts, salt "NAFTA.COMPANY.ORGusername", params ""
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312390: Produced
> preauth for next request: (empty)
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312401: AS key
> determined by preauth: aes256-cts/3D3B
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312459: Decrypted AS
> reply; session key is: aes256-cts/43A1
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312498: FAST
> negotiation: unavailable
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_krb5_expire_callback_func] (0x2000): exp_time: [3966060]
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [validate_tgt]
> (0x2000): Keytab entry with the realm of the credential not found in keytab.
> Using the last entry.
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312579: Retrieving
> host/usaeilvdip001.company-aws.org at company-idm.org from
> MEMORY:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312588: Resolving
> unique ccache of type MEMORY
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312602: Initializing
> MEMORY:Fnv4hCg with default princ username at NAFTA.COMPANY.ORG
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312621: Storing
> username at NAFTA.COMPANY.ORG -> krbtgt/NAFTA.COMPANY.ORG at NAFTA.COMPANY.ORG in
> MEMORY:Fnv4hCg
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312642: Getting
> credentials username at NAFTA.COMPANY.ORG ->
> host/usaeilvdip001.company-aws.org at company-idm.org using ccache
> MEMORY:Fnv4hCg
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312668: Retrieving
> username at NAFTA.COMPANY.ORG ->
> host/usaeilvdip001.company-aws.org at company-idm.org from MEMORY:Fnv4hCg with
> result: -1765328243/Matching credential not found
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312683: Retrieving
> username at NAFTA.COMPANY.ORG -> krbtgt/company-idm.org at company-idm.org from
> MEMORY:Fnv4hCg with result: -1765328243/Matching credential not found
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312698: Retrieving
> username at NAFTA.COMPANY.ORG -> krbtgt/NAFTA.COMPANY.ORG at NAFTA.COMPANY.ORG
> from MEMORY:Fnv4hCg with result: 0/Success
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312706: Starting with
> TGT for client realm: username at NAFTA.COMPANY.ORG ->
> krbtgt/NAFTA.COMPANY.ORG at NAFTA.COMPANY.ORG
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312721: Retrieving
> username at NAFTA.COMPANY.ORG -> krbtgt/company-idm.org at company-idm.org from
> MEMORY:Fnv4hCg with result: -1765328243/Matching credential not found
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312729: Requesting TGT
> krbtgt/company-idm.org at NAFTA.COMPANY.ORG using TGT
> krbtgt/NAFTA.COMPANY.ORG at NAFTA.COMPANY.ORG
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312747: Generated
> subkey for TGS request: aes256-cts/57A1
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312787: etypes
> requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac,
> camellia128-cts, camellia256-cts
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312840: Encoding
> request body and padata into FAST request
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.312894: Sending
> request (2313 bytes) to NAFTA.COMPANY.ORG
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.318783: Resolving
> hostname friawadsgc02.nafta.COMPANY.ORG.
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.319777: Sending
> initial UDP request to dgram 192.141.1.11:88
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.406882: Received
> answer (105 bytes) from dgram 192.141.1.11:88
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.407810: Response was
> not from master KDC
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.407847: TGS request
> result: -1765328377/Server not found in Kerberos database
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830568.407869: Destroying
> ccache MEMORY:Fnv4hCg
> 
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [validate_tgt]
> (0x0020): TGT failed verification using key for
> [host/usaeilvdip001.company-aws.org at company-idm.org].

OK, it is the ticket validation which fails. You can get around this for
testing by setting 'krb5_validate = false' in the [domain/...] section
of sssd.conf. But please use this only for testing, because this error
indicates that there are issues in your setup/configuration.

But your host principal
host/usaeilvdip001.company-aws.org@company-idm.org looks odd as well.
Why is the host in the AD DNS domain? This calls for trouble.
Additionally, I wonder why the realm part '@company-idm.org' was created
in lower-case; while joining IPA this should be created in upper-case.
Or is this all due to sanitation?

> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [get_and_save_tgt]
> (0x0020): 1242: [-1765328377][Server not found in Kerberos database]
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [map_krb5_error]
> (0x0020): 1303: [-1765328377][Server not found in Kerberos database]
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [k5c_send_data]
> (0x0200): Received error code 1432158209
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [pack_response_packet]
> (0x2000): response packet size: [20]
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [k5c_send_data]
> (0x4000): Response sent.
> (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]]] [main] (0x0400):
> krb5_child completed successfully
> [root at usaeilvdip001 sssd]#
> 
> 

The logs indicate that the user actually comes from the member domain in
the forest: username@NAFTA.COMPANY.ORG. But the [capaths] section you
added to krb5.conf only contains the forest root.

> COMPANY-AWS.ORG = {
>   COMPANY-IDM.ORG = COMPANY-AWS.ORG
> }
>
> COMPANY-IDM.ORG = {
>   COMPANY-AWS.ORG = COMPANY-AWS.ORG
> }

Please try to add the member domain as well. The result might look like
this: (assuming COMPANY-AWS is the forest root, NAFTA is the member
domain and COMPANY-IDM is the IPA domain)

COMPANY-AWS.ORG = {
  COMPANY-IDM.ORG = COMPANY-AWS.ORG
}

COMPANY-IDM.ORG = {
  COMPANY-AWS.ORG = COMPANY-AWS.ORG
  NAFTA.COMPANY.ORG = COMPANY-AWS.ORG
}

NAFTA.COMPANY.ORG = {
  COMPANY-IDM.ORG = COMPANY-AWS.ORG
}

You can test the configuration independent of SSSD by calling

kdestroy -A
kinit username@NAFTA.COMPANY.ORG
kvno host/usaeilvdip001.company-aws.org@COMPANY-IDM.ORG

If kvno returns an error, please rerun as

KRB5_TRACE=/dev/stdout kvno host/usaeilvdip001.company-aws.org@COMPANY-IDM.ORG

and send the output.

HTH

bye,
Sumit
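Added example (not part of Sumit's reply or of the FreeIPA/SSSD code): a small model of how a krb5 client turns the [capaths] section into the chain of cross-realm TGTs it has to request, run over the original capaths from the thread and over the suggested one. It shows that with the original section a user from NAFTA.COMPANY.ORG can only ask NAFTA's KDC directly for krbtgt/COMPANY-IDM.ORG@NAFTA.COMPANY.ORG (the request that fails with "Server not found in Kerberos database" in the posted log), while the suggested section routes the request through the forest root. The realm names, principals and both config snippets are the ones from the thread; the parser and chain logic are simplifications and assumptions of mine: only [capaths] is read, '.' means a direct trust, a hop from a realm to itself is skipped, and a realm without a capaths entry is modelled as falling back to the direct cross-realm request only (MIT's hierarchical fallback is not modelled). The case check at the end reflects Sumit's remark about the lower-case '@company-idm.org' realm, assuming that realm should be COMPANY-IDM.ORG.

```python
"""Model of [capaths] resolution for the thread's realms (added example)."""
import re

# Constructed from the thread: the poster's original [capaths] section.
ORIGINAL = """
[capaths]
COMPANY-AWS.ORG = {
  COMPANY-IDM.ORG = COMPANY-AWS.ORG
}
COMPANY-IDM.ORG = {
  COMPANY-AWS.ORG = COMPANY-AWS.ORG
}
"""

# Constructed from the thread: the section Sumit suggests, with the member
# domain NAFTA.COMPANY.ORG added in both directions.
SUGGESTED = """
[capaths]
COMPANY-AWS.ORG = {
  COMPANY-IDM.ORG = COMPANY-AWS.ORG
}
COMPANY-IDM.ORG = {
  COMPANY-AWS.ORG = COMPANY-AWS.ORG
  NAFTA.COMPANY.ORG = COMPANY-AWS.ORG
}
NAFTA.COMPANY.ORG = {
  COMPANY-IDM.ORG = COMPANY-AWS.ORG
}
"""


def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate realms]}} from the
    [capaths] section of a krb5.conf-style string (other sections ignored)."""
    paths, section, client = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, client = m.group(1), None
            continue
        if section != 'capaths':
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:
            client = m.group(1)
            paths.setdefault(client, {})
            continue
        if line == '}':
            client = None
            continue
        m = re.match(r'^(\S+)\s*=\s*(\S+)$', line)
        if m and client is not None:
            server, via = m.groups()
            # '.' means a direct trust with no intermediate realm; repeated
            # "SERVER = X" lines extend the ordered list of intermediates.
            hops = [] if via == '.' else [via]
            paths[client].setdefault(server, []).extend(hops)
    return paths


def tgt_chain(paths, client, server):
    """Cross-realm TGT principals the client requests, in order, to reach a
    service in `server` starting from its TGT for `client`."""
    if client == server:
        return []
    via = paths.get(client, {}).get(server)
    if via is None:
        # Assumption: with no capaths entry the client only tries the direct
        # cross-realm TGT, as seen in the posted krb5_child.log.
        return ['krbtgt/%s@%s' % (server, client)]
    realms = [client]
    for r in via + [server]:
        if r != realms[-1]:  # a realm "reached" from itself is the TGT already held
            realms.append(r)
    return ['krbtgt/%s@%s' % (nxt, cur) for cur, nxt in zip(realms, realms[1:])]


def realm_case_mismatch(paths, principal):
    """Kerberos realm names are case-sensitive: return the capaths realm that
    matches the principal's realm only when case is ignored, else None."""
    realm = principal.rsplit('@', 1)[1]
    known = set(paths) | {s for m in paths.values() for s in m}
    if realm in known:
        return None
    for k in known:
        if k.lower() == realm.lower():
            return k
    return None


if __name__ == '__main__':
    for label, cfg in (('original', ORIGINAL), ('suggested', SUGGESTED)):
        print('%s: %s' % (label, ' -> '.join(
            tgt_chain(parse_capaths(cfg), 'NAFTA.COMPANY.ORG', 'COMPANY-IDM.ORG'))))
    print(realm_case_mismatch(parse_capaths(SUGGESTED),
                              'host/usaeilvdip001.company-aws.org@company-idm.org'))
```

With the original section the script prints a single hop, krbtgt/COMPANY-IDM.ORG@NAFTA.COMPANY.ORG, which is exactly the TGS request the log shows failing; with the suggested section it prints krbtgt/COMPANY-AWS.ORG@NAFTA.COMPANY.ORG followed by krbtgt/COMPANY-IDM.ORG@COMPANY-AWS.ORG, i.e. member domain to forest root to IPA. Each hop still has to exist as a cross-realm krbtgt principal on the KDC in question; capaths only tells the client which KDC to ask.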
