On Thu, Jun 08, 2023 at 03:37:12PM -0000, James Osbourn via FreeIPA-users wrote:
Thanks I will take a look at the link.
The krb5.conf file looks as follows:

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPA.AD1.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 IPA.AD1.COM = {
  kdc = ipa-3.ipa.ad1.com:88
  master_kdc = ipa-3.ipa.ad1.com:88
  kpasswd_server = ipa-3.ipa.ad1.com:464
  admin_server = ipa-3.ipa.ad1.com:749
  default_domain = ipa.ad1.com
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
 }

[domain_realm]
 .ipa.ad1.com = IPA.AD1.COM
 ipa.ad1.com = IPA.AD1.COM
 ipa-3.ipa.ad1.com = IPA.AD1.COM
Hi,
Assuming that auth.ssdis.loc is the domain with issues, can you try whether adding

 .auth.ssdis.loc = AUTH.SSDIS.LOC
 auth.ssdis.loc = AUTH.SSDIS.LOC

to the [domain_realm] section of /etc/krb5.conf makes it more reliable?
bye, Sumit
[dbmodules]
 IPA.AD1.COM = {
  db_library = ipadb.so
 }

[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }

Under the /var/lib/sss/pubconf/krb5.include.d/ directory the files and contents are as follows:

::::::::::::::
/var/lib/sss/pubconf/krb5.include.d/domain_realm_auth_ssdis_loc
::::::::::::::
[domain_realm]
 .ssdis.loc = SSDIS.LOC
 ssdis.loc = SSDIS.LOC
 .ROOT.TES = ROOT.TES
 ROOT.TES = ROOT.TES
 .INTERNAL.ROOT.TES = INTERNAL.ROOT.TES
 INTERNAL.ROOT.TES = INTERNAL.ROOT.TES

[capaths]
 SSDIS.LOC = {
  AUTH.SSDIS.LOC = SSDIS.LOC
 }
 ROOT.TES = {
  AUTH.SSDIS.LOC = ROOT.TES
 }
 INTERNAL.ROOT.TES = {
  AUTH.SSDIS.LOC = ROOT.TES
 }
 AUTH.SSDIS.LOC = {
  SSDIS.LOC = SSDIS.LOC
  ROOT.TES = ROOT.TES
  INTERNAL.ROOT.TES = ROOT.TES
 }

::::::::::::::
/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
::::::::::::::
[libdefaults]
 canonicalize = true

::::::::::::::
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin
::::::::::::::
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
I am still looking into my problem. A reboot of an IPA server seems to allow authentication and AD group authorisation to work for a period of time and then it stops. Authentication will continue to work if the user is cached in the SSSD cache, but trying to use sudo fails as it can no longer get the membership details.
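To see why the suggested [domain_realm] lines matter, here is an added example (not code from the thread or from SSSD/FreeIPA) that merges the [domain_realm] fragments quoted above and resolves hostnames the way libkrb5 does: exact hostname first, then each parent domain with a leading dot. The config text is copied from the thread; the parser is a deliberately minimal one of my own and reads only flat key = value lines.

```python
import re

# [domain_realm] fragments as posted in the thread: the main /etc/krb5.conf,
# the SSSD-generated include file, and the two lines Sumit suggests adding.
KRB5_CONF = """[domain_realm]
 .ipa.ad1.com = IPA.AD1.COM
 ipa.ad1.com = IPA.AD1.COM
"""
SSSD_INCLUDE = """[domain_realm]
 .ssdis.loc = SSDIS.LOC
 ssdis.loc = SSDIS.LOC
"""
SUGGESTED = """[domain_realm]
 .auth.ssdis.loc = AUTH.SSDIS.LOC
 auth.ssdis.loc = AUTH.SSDIS.LOC
"""

def parse_domain_realm(*configs):
    """Merge the flat 'name = REALM' lines of every [domain_realm] section;
    other sections are ignored and keys are treated case-insensitively."""
    mapping = {}
    for text in configs:
        section = None
        for line in text.splitlines():
            line = line.strip()
            m = re.match(r"\[(\w+)\]$", line)
            if m:
                section = m.group(1)
            elif section == "domain_realm" and "=" in line:
                key, realm = (p.strip() for p in line.split("=", 1))
                mapping[key.lower()] = realm
    return mapping

def host_realm(hostname, mapping):
    """libkrb5 order: the exact hostname, then each parent domain with a leading dot."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None  # unmapped: libkrb5 falls back to KDC referrals / uppercased domain

if __name__ == "__main__":
    before = parse_domain_realm(KRB5_CONF, SSSD_INCLUDE)
    after = parse_domain_realm(KRB5_CONF, SSSD_INCLUDE, SUGGESTED)
    for h in ("dc1.auth.ssdis.loc", "auth.ssdis.loc", "ipa-3.ipa.ad1.com"):
        print(f"{h}: {host_realm(h, before)} -> {host_realm(h, after)}")
```

Without the two extra lines, a host under auth.ssdis.loc falls through to the .ssdis.loc entry and is placed in SSDIS.LOC, so the client asks the wrong KDC for its service tickets; with them it is mapped to AUTH.SSDIS.LOC directly.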