On Wed, 14 Dec 2022, Carlos Mogas da Silva via FreeIPA-users wrote:
On 2022-12-14 14:48, Alexander Bokovoy via FreeIPA-users wrote:
On Wed, 14 Dec 2022, Carlos Mogas da Silva wrote:
# egrep -v "^\s*#|^$" /var/lib/sss/pubconf/krb5.include.d/*
/var/lib/sss/pubconf/krb5.include.d/domain_realm_int_r3pek_org:[domain_realm]
/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults:[libdefaults]
/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults: canonicalize = true
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin:[plugins]
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin: localauth = {
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin:  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin: }
While also testing some stuff out, if I force the IP address of the mail01.r3pek.org server to be the internal one, the auth works. Am I missing something, or is this normal?
You have canonicalization set to true, which is the default configuration in IPA, so krb5 will do the 'mail01.int.r3pek.org' -> IP address -> hostname transformation. This means whatever hostname is obtained afterwards is then used. If it is mail01.r3pek.org, then the Kerberos realm of the r3pek.org domain would be used. Is it R3PEK.ORG or INT.R3PEK.ORG? It can be changed via a _kerberos TXT record.
Well, the external domain is mail01.r3pek.org, which has the public IPs. The REALM and the internal domains are INT.R3PEK.ORG. Email domains are @r3pek.org
The external domain is r3pek.org, you mean. Just add
_kerberos.r3pek.org TXT "INT.R3PEK.ORG"
TXT record to your public domain. You would also need to add {smtp,imap}/mail01.r3pek.org as a principal alias to {smtp,imap}/mail01.int.r3pek.org to make it use the same Kerberos principal entry.
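To make the lookup chain Alexander describes concrete, here is a small Python model of it. This is an added illustration, not code from the thread, from SSSD or from FreeIPA: the resolver is faked with constructed A/PTR/TXT data (the IP addresses 203.0.113.10 and 10.0.0.10 are made up), the contents of the SSSD domain_realm include are assumed to map int.r3pek.org to INT.R3PEK.ORG, and the realm selection is a simplification of MIT krb5's order ([domain_realm] first, then _kerberos TXT records walked up the name, then the upper-cased parent domain as a fallback). It runs the three situations from the thread: the public name without a TXT record, the public name after the TXT record is added, and the "force the IP to the internal one" experiment.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class FakeDNS:
    """Constructed stand-in for the resolver: A, PTR and TXT records."""
    a: dict[str, str] = field(default_factory=dict)    # name -> IPv4
    ptr: dict[str, str] = field(default_factory=dict)  # IPv4 -> name
    txt: dict[str, str] = field(default_factory=dict)  # owner name -> TXT value


def canonical_host(dns: FakeDNS, host: str, canonicalize: bool = True) -> str:
    """With canonicalize = true the library does host -> IP -> PTR name and
    builds the service principal from whatever name comes back."""
    host = host.lower().rstrip(".")
    if not canonicalize:
        return host
    ip = dns.a.get(host)
    if ip is None:
        return host
    return dns.ptr.get(ip, host).lower().rstrip(".")


def host_realm(dns: FakeDNS, host: str, domain_realm: dict[str, str]) -> str:
    """Simplified krb5_get_host_realm: [domain_realm] (exact host, then each
    parent domain written with a leading dot), then _kerberos TXT records
    walked up the name, then the upper-cased parent domain as fallback."""
    host = host.lower()
    labels = host.split(".")
    if host in domain_realm:
        return domain_realm[host]
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    for i in range(len(labels)):
        owner = "_kerberos." + ".".join(labels[i:])
        if owner in dns.txt:
            return dns.txt[owner]
    return ".".join(labels[1:]).upper()


def service_principal(dns: FakeDNS, svc: str, host: str,
                      domain_realm: dict[str, str], canonicalize: bool = True) -> str:
    """Principal name a client would request for svc on host."""
    canon = canonical_host(dns, host, canonicalize)
    return f"{svc}/{canon}@{host_realm(dns, canon, domain_realm)}"


def scenario() -> dict[str, str]:
    """The three situations from the thread, with constructed addresses."""
    # Assumed contents of SSSD's domain_realm include for the IPA domain.
    domain_realm = {"int.r3pek.org": "INT.R3PEK.ORG", ".int.r3pek.org": "INT.R3PEK.ORG"}
    public = FakeDNS(
        a={"mail01.r3pek.org": "203.0.113.10", "mail01.int.r3pek.org": "10.0.0.10"},
        ptr={"203.0.113.10": "mail01.r3pek.org", "10.0.0.10": "mail01.int.r3pek.org"},
    )
    results = {}
    # 1. Public name, no _kerberos TXT: the canonical name stays mail01.r3pek.org
    #    and the realm guess is the upper-cased parent domain, which IPA does not serve.
    results["public_no_txt"] = service_principal(public, "imap", "mail01.r3pek.org", domain_realm)
    # 2. Same name after adding the TXT record suggested in the thread: the realm is
    #    now right, but the host part is still the public name, hence the alias.
    public.txt["_kerberos.r3pek.org"] = "INT.R3PEK.ORG"
    results["public_with_txt"] = service_principal(public, "imap", "mail01.r3pek.org", domain_realm)
    # 3. The "force the IP to the internal one" experiment: the PTR of the internal
    #    address yields the internal name, so realm and principal line up by accident.
    forced = FakeDNS(a={"mail01.r3pek.org": "10.0.0.10"}, ptr=public.ptr)
    results["forced_internal_ip"] = service_principal(forced, "imap", "mail01.r3pek.org", domain_realm)
    return results


if __name__ == "__main__":
    for case, princ in scenario().items():
        print(f"{case:20s} {princ}")
```

The second case is why the TXT record alone is not enough: the client ends up asking for imap/mail01.r3pek.org@INT.R3PEK.ORG, and the KDC only knows imap/mail01.int.r3pek.org@INT.R3PEK.ORG until that name is registered as an alias. On the IPA side the command I would use for that is `ipa service-add-principal imap/mail01.int.r3pek.org imap/mail01.r3pek.org` (and the same for smtp); `dig +short TXT _kerberos.r3pek.org` is a quick check that the public zone change is actually visible to the clients.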