Yes, as long as AD is not a sub-domain of IPA in terms of AD domain +
DNS domain, that would work. You'd need to re-establish trust,
obviously.
On Mon, Aug 14, 2017 at 2:24 PM, Alexander Bokovoy <abokovoy(a)redhat.com>
wrote:
> On Mon, 14 Aug 2017, Steve Weeks wrote:
>
>> It is example.com and ad.example.com, but all DNS is handled by an
>> external server so I assumed neither was a subdomain. I don't understand
>> DNS much and it seems to work just fine with Fedora 25 ipa clients and ad
>> users.
>>
> Which DNS server handles DNS zones is irrelevant. It is not about DNS
> zones, it is an issue with how Active Directory treats its own domains (AD
> domain != DNS domain). You can check
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/76P2HI7JYH6QXAQGAEEF5G7KFHMVO3E7/
> for more details.
>
> However, your specific arrangement of example.com for IPA and
> ad.example.com for AD is known to not work, as I said earlier.
>
>
>
>
>> On Mon, Aug 14, 2017 at 1:36 PM, Alexander Bokovoy <abokovoy(a)redhat.com>
>> wrote:
>>
>>> On Mon, 14 Aug 2017, Steve Weeks wrote:
>>>
>>>> No, the IPA and AD domains are separate, but do have a cross-trust.
>>>>
>>>> We are running IPA 4.4. This all works fine on Fedora 25 systems.
>>>>
>>> Can you be more specific? In your logs below you choose ad.example.com
>>> and example.com. This is known to not work. If this is not your
>>> configuration then why did you choose it to obfuscate? Details matter.
>>>
>>>
>>>> On Mon, Aug 14, 2017 at 12:14 PM, Alexander Bokovoy <abokovoy(a)redhat.com>
>>>> wrote:
>>>>
>>>>> On Mon, 14 Aug 2017, Steve Weeks via FreeIPA-users wrote:
>>>>>
>>>>>> I'm having trouble logging in via the gui console to an Ubuntu 16
>>>>>> Desktop host that is affiliated with a FreeIPA server, which in turn is
>>>>>> affiliated with an Active Directory server.
>>>>>>
>>>>>> When I try to log in with debugging turned up on the SSSD I see an
>>>>>> underlying error in the krb5_child log file: Cannot find KDC for
>>>>>> realm "EXAMPLE.COM" while getting credentials for
>>>>>> host/myhost.example.com(a)EXAMPLE.COM
>>>>>>
>>>>>> Following an example from the freeipa-users mailing list, I am just
>>>>>> working with kinit and kvno to identify the underlying problem. I get
>>>>>> the same error, which I suppose is good. But I don't know how to
>>>>>> resolve it from here. The transcript is below. On the first try at
>>>>>> kvno, I get the same error. On the second try, it works. Any idea why?
>>>>>> I suspect the failure on the first try is the real problem with
>>>>>> authentication from the console.
>>>>>>
>>>>>> Any hints what to try next?
>>>>>>
>>>>>>
>>>>> Do you really have AD as a subdomain of IPA?
>>>>>
>>>>> I suspect you hit https://bugzilla.redhat.com/show_bug.cgi?id=1421869
>>>>> There is currently no resolution for this. If you'd use different
>>>>> domain trees (example.com v example.org) it would work. It would work
>>>>> also for AD owning example.com and IPA being in ipa.example.com.
>>>>>
>>>>>
>>>>> Thanks
>>>>>
>>>>>>
>>>>>> ----- /etc/krb5.conf -----
>>>>>> #File modified by ipa-client-install
>>>>>>
>>>>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>>>>
>>>>>>
>>>>>> [libdefaults]
>>>>>>   default_realm = EXAMPLE.COM
>>>>>>   dns_lookup_realm = true
>>>>>>   dns_lookup_kdc = true
>>>>>>   rdns = false
>>>>>>   ticket_lifetime = 24h
>>>>>>   forwardable = true
>>>>>>   udp_preference_limit = 0
>>>>>>   default_ccache_name = KEYRING:persistent:%{uid}
>>>>>>
>>>>>>
>>>>>> [realms]
>>>>>>   EXAMPLE.COM = {
>>>>>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>>>   }
>>>>>>
>>>>>>
>>>>>> [domain_realm]
>>>>>>   .example.com = EXAMPLE.COM
>>>>>>   example.com = EXAMPLE.COM
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----- Transcript -----
>>>>>>
>>>>>>
>>>>>> $ kdestroy -A
>>>>>>
>>>>>>
>>>>>> $ kinit aduser(a)AD.EXAMPLE.COM
>>>>>> Password for aduser(a)AD.EXAMPLE.COM:
>>>>>>
>>>>>>
>>>>>> $ klist
>>>>>> Ticket cache: KEYRING:persistent:1000:1000
>>>>>> Default principal: aduser(a)AD.EXAMPLE.COM
>>>>>>
>>>>>> Valid starting       Expires              Service principal
>>>>>> 08/14/2017 09:59:22  08/14/2017 19:59:22  krbtgt/AD.EXAMPLE.COM(a)AD.EXAMPLE.COM
>>>>>>         renew until 08/15/2017 09:59:17
>>>>>>
>>>>>>
>>>>>> $ KRB5_TRACE=/dev/stdout kvno host/myhost.example.com(a)EXAMPLE.COM
>>>>>> [1994] 1502719211.714019: Getting credentials aduser(a)AD.EXAMPLE.COM -> host/myhost.example.com(a)EXAMPLE.COM using ccache KEYRING:persistent:1000:1000
>>>>>> [1994] 1502719211.714237: Retrieving aduser(a)AD.EXAMPLE.COM -> host/myhost.example.com(a)EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: -1765328243/Matching credential not found
>>>>>> [1994] 1502719211.714318: Retrieving aduser(a)AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM(a)EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: -1765328243/Matching credential not found
>>>>>> [1994] 1502719211.714376: Retrieving aduser(a)AD.EXAMPLE.COM -> krbtgt/AD.EXAMPLE.COM(a)AD.EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: 0/Success
>>>>>> [1994] 1502719211.714395: Starting with TGT for client realm: aduser(a)AD.EXAMPLE.COM -> krbtgt/AD.EXAMPLE.COM(a)AD.EXAMPLE.COM
>>>>>> [1994] 1502719211.714439: Retrieving aduser(a)AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM(a)EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: -1765328243/Matching credential not found
>>>>>> [1994] 1502719211.714456: Requesting TGT krbtgt/EXAMPLE.COM(a)AD.EXAMPLE.COM using TGT krbtgt/AD.EXAMPLE.COM(a)AD.EXAMPLE.COM
>>>>>> [1994] 1502719211.714486: Generated subkey for TGS request: aes256-cts/020C
>>>>>> [1994] 1502719211.714525: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>>>>>> [1994] 1502719211.714605: Encoding request body and padata into FAST request
>>>>>> [1994] 1502719211.714662: Sending request (1686 bytes) to AD.EXAMPLE.COM
>>>>>> [1994] 1502719211.717532: Resolving hostname ad-host.ad.example.com.
>>>>>> [1994] 1502719211.719053: Sending initial UDP request to dgram 192.168.1.2:88
>>>>>> [1994] 1502719211.742171: Received answer (309 bytes) from dgram 192.168.1.2:88
>>>>>> [1994] 1502719211.743066: Response was not from master KDC
>>>>>> [1994] 1502719211.743082: Decoding FAST response
>>>>>> [1994] 1502719211.743109: Request or response is too big for UDP; retrying with TCP
>>>>>> [1994] 1502719211.743113: Sending request (1686 bytes) to AD.EXAMPLE.COM (tcp only)
>>>>>> [1994] 1502719211.743971: Resolving hostname ad-host.ad.example.com.
>>>>>> [1994] 1502719211.744908: Initiating TCP connection to stream 192.168.1.2:88
>>>>>> [1994] 1502719211.764062: Sending TCP request to stream 192.168.1.2:88
>>>>>> [1994] 1502719211.805666: Received answer (1643 bytes) from stream 192.168.1.2:88
>>>>>> [1994] 1502719211.805678: Terminating TCP connection to stream 192.168.1.2:88
>>>>>> [1994] 1502719211.806709: Response was not from master KDC
>>>>>> [1994] 1502719211.806735: Decoding FAST response
>>>>>> [1994] 1502719211.806789: FAST reply key: aes256-cts/820C
>>>>>> [1994] 1502719211.806808: TGS reply is for aduser(a)AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM(a)AD.EXAMPLE.COM with session key aes256-cts/B56C
>>>>>> [1994] 1502719211.806822: TGS request result: 0/Success
>>>>>> [1994] 1502719211.806826: Storing aduser(a)AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM(a)AD.EXAMPLE.COM in KEYRING:persistent:1000:1000
>>>>>> [1994] 1502719211.806912: Received TGT for service realm: krbtgt/EXAMPLE.COM(a)AD.EXAMPLE.COM
>>>>>> [1994] 1502719211.806915: Requesting tickets for host/myhost.example.com(a)EXAMPLE.COM, referrals on
>>>>>> [1994] 1502719211.806924: Generated subkey for TGS request: aes256-cts/D365
>>>>>> [1994] 1502719211.806940: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>>>>>> [1994] 1502719211.806968: Encoding request body and padata into FAST request
>>>>>> [1994] 1502719211.806994: Sending request (1676 bytes) to EXAMPLE.COM (tcp only)
>>>>>> kvno: Cannot find KDC for realm "EXAMPLE.COM" while getting credentials for host/myhost.example.com(a)EXAMPLE.COM
>>>>>>
>>>>>>
>>>>>> $ KRB5_TRACE=/dev/stdout kvno host/myhost.example.com(a)EXAMPLE.COM
>>>>>> [1995] 1502719219.601419: Getting credentials aduser(a)AD.EXAMPLE.COM -> host/myhost.example.com(a)EXAMPLE.COM using ccache KEYRING:persistent:1000:1000
>>>>>> [1995] 1502719219.601516: Retrieving aduser(a)AD.EXAMPLE.COM -> host/myhost.example.com(a)EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: -1765328243/Matching credential not found
>>>>>> [1995] 1502719219.601556: Retrieving aduser(a)AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM(a)EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: 0/Success
>>>>>> [1995] 1502719219.601559: Found cached TGT for service realm: aduser(a)AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM(a)AD.EXAMPLE.COM
>>>>>> [1995] 1502719219.601561: Requesting tickets for host/myhost.example.com(a)EXAMPLE.COM, referrals on
>>>>>> [1995] 1502719219.601573: Generated subkey for TGS request: aes256-cts/5EC1
>>>>>> [1995] 1502719219.601592: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>>>>>> [1995] 1502719219.601639: Encoding request body and padata into FAST request
>>>>>> [1995] 1502719219.601666: Sending request (1676 bytes) to EXAMPLE.COM
>>>>>> [1995] 1502719219.603587: Resolving hostname idsg-test16.example.com.
>>>>>> [1995] 1502719219.604856: Sending initial UDP request to dgram 192.168.1.1:88
>>>>>> [1995] 1502719219.621855: Received answer (1680 bytes) from dgram 192.168.1.1:88
>>>>>> [1995] 1502719219.622767: Response was not from master KDC
>>>>>> [1995] 1502719219.622783: Decoding FAST response
>>>>>> [1995] 1502719219.622834: FAST reply key: aes256-cts/14A3
>>>>>> [1995] 1502719219.622852: TGS reply is for aduser(a)AD.EXAMPLE.COM -> host/myhost.example.com(a)EXAMPLE.COM with session key aes256-cts/B41C
>>>>>> [1995] 1502719219.622866: TGS request result: 0/Success
>>>>>> [1995] 1502719219.622868: Received creds for desired service host/myhost.example.com(a)EXAMPLE.COM
>>>>>> [1995] 1502719219.622871: Storing aduser(a)AD.EXAMPLE.COM -> host/myhost.example.com(a)EXAMPLE.COM in KEYRING:persistent:1000:1000
>>>>>> host/myhost.example.com@EXAMPLE.COM: kvno = 7
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>>>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>>>>>
>>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>>
> --
> / Alexander Bokovoy
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
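A small diagnostic, added here as an example and not part of the thread or of FreeIPA, that parses KRB5_TRACE output like the transcript above to list the cross-realm hops the client took and the realm whose KDC it could not find, and that flags the layout Alexander describes as unsupported (the AD DNS domain being a child of the IPA DNS domain). The sample trace is a constructed, shortened copy of the first kvno attempt; the function names are the example's own.

```python
"""Summarise a cross-realm Kerberos failure from KRB5_TRACE output and
check the AD/IPA domain layout. Added example, not code from the thread."""
import re

# Constructed sample: the key lines of the failing kvno attempt in the thread.
SAMPLE_TRACE = """\
[1994] 1502719211.714456: Requesting TGT krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM using TGT krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
[1994] 1502719211.714662: Sending request (1686 bytes) to AD.EXAMPLE.COM
[1994] 1502719211.806912: Received TGT for service realm: krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM
[1994] 1502719211.806994: Sending request (1676 bytes) to EXAMPLE.COM (tcp only)
kvno: Cannot find KDC for realm "EXAMPLE.COM" while getting credentials for host/myhost.example.com@EXAMPLE.COM
"""

# A cross-realm hop: the client asks realm B for krbtgt/A@B using its TGT for B.
HOP_RE = re.compile(r"Requesting TGT krbtgt/([^@\s]+)@(\S+) using TGT")
# Each realm the client actually sent a request to.
SEND_RE = re.compile(r"Sending request \(\d+ bytes\) to ([A-Za-z0-9.\-]+)")
# The final error kvno printed in the thread.
ERR_RE = re.compile(r'Cannot find KDC for realm "([^"]+)"')


def realm_path(trace: str) -> dict:
    """Return cross-realm hops as (issuing realm, target realm), the realms
    the client sent requests to, and the realm whose KDC could not be found."""
    hops, contacted, failed = [], [], None
    for line in trace.splitlines():
        if m := HOP_RE.search(line):
            hops.append((m.group(2), m.group(1)))
        if m := SEND_RE.search(line):
            contacted.append(m.group(1))
        if m := ERR_RE.search(line):
            failed = m.group(1)
    return {"hops": hops, "contacted": contacted, "failed_realm": failed}


def ad_is_child_of_ipa(ipa_domain: str, ad_domain: str) -> bool:
    """True for the layout the thread says does not work (bug 1421869):
    the AD DNS domain is a subdomain of the IPA DNS domain."""
    ipa = ipa_domain.lower().rstrip(".")
    ad = ad_domain.lower().rstrip(".")
    return ad != ipa and ad.endswith("." + ipa)


if __name__ == "__main__":
    path = realm_path(SAMPLE_TRACE)
    print("hops:", path["hops"], "contacted:", path["contacted"])
    if path["failed_realm"]:
        print("no KDC found for realm", path["failed_realm"])
    print("ad.example.com under example.com:",
          ad_is_child_of_ipa("example.com", "ad.example.com"))
```

Run it against a real `KRB5_TRACE=/dev/stdout kvno ...` capture to see which realm the client was trying to reach when it gave up, which is the realm whose KDC discovery (DNS SRV records or an explicit `kdc =` entry) needs checking.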