On 21/06/2019 09:23, Sumit Bose via FreeIPA-users wrote:
> On Thu, Jun 20, 2019 at 04:50:48PM +0100, lejeczek via FreeIPA-users wrote:
>> On 20/06/2019 14:40, Sumit Bose wrote:
>>>> Ok, then maybe to make it more bizarre, I've had it:
>>>>
>>>> includedir /etc/krb5.conf.d/
>>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>>
>>>> [libdefaults]
>>>> default_realm = MINE.PRIVATE
>>>> dns_lookup_realm = true
>>>> dns_lookup_kdc = true
>>>> rdns = false
>>>> dns_canonicalize_hostname = false
>>>> ticket_lifetime = 24h
>>>> forwardable = true
>>>> udp_preference_limit = 0
>>>> default_ccache_name = KEYRING:persistent:%{uid}
>>>>
>>>>
>>>> [realms]
>>>> MINE.PRIVATE= {
>>> Is this ^^^ the realm that is mentioned in the 'Cannot find KDC for
>>> realm ...' error message in krb5_child.log?
>> no, it is for:
>>
>> (Thu Jun 20 12:16:13 2019) [[sssd[krb5_child[956]]]] [map_krb5_error]
>> (0x0020): 1808: [-1765328230][Cannot find KDC for realm "PRIVATE"]
>>
>> it's AD's realm
>>
>>> Can you try if kinit from the command line works for the principal shown
>>> in the 'Getting initial credentials for ...' debug message in
>>> krb5_child.log?
>> but this is a machine:
>>
>> (Thu Jun 20 09:21:28 2019) [[sssd[ldap_child[515]]]]
>> [sss_child_krb5_trace_cb] (0x4000): [515] 1561022488.21748: Getting
>> initial credentials for host/halfspeed-r.mine.private@MINE.PRIVATE
> You are looking at ldap_child.log, I meant krb5_child.log.
>> How can I kinit a host/machine?
> You did this below with 'kinit -k ...'.
Is it not just a bug I've stumbled upon? And not just in configuration?
My setup would be easy to replicate: CentOS 7.6 IPA <= Win2016, incoming
to IPA one-way trust; regarding DNS, ipa is IPA.AD.DOM and win is AD.COM.
Everything seems to work very well except for those IPA clients for AD
users with passwords.
>>> Additionally does 'kinit -k' work from the command line with the
>>> principal from the 'Fast principal is set to ...' debug message?
>> That is the same machine/host:
>>
>> (Thu Jun 20 12:16:13 2019) [[sssd[krb5_child[956]]]] [k5c_setup_fast]
>> (0x0100): Fast principal is set to
>> [host/halfspeed-r.mine.private@MINE.PRIVATE]
>>
>> $ kinit -k host/halfspeed-r.mine.private@MINE.PRIVAT && echo Y
>>
>> $ Y
>>
>> many thanks, L.
>>
>>> bye,
>>> Sumit
>>>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
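As an added diagnostic example (not part of this thread, and not SSSD's or FreeIPA's own code): the script below cross-references the realm named in a krb5_child.log "Cannot find KDC for realm" error with the [realms] stanzas and the dns_lookup_kdc setting of a krb5.conf, which is the check Sumit's questions are driving at. The sample config and log lines are constructed from the ones quoted above; the `kdc =` value is an assumption, the thread never shows it.

```python
import re
# Constructed sample modelled on the thread's krb5.conf fragment; the
# "kdc =" line is an assumption, the thread does not show it.
KRB5_CONF = """\
[libdefaults]
default_realm = MINE.PRIVATE
dns_lookup_kdc = true

[realms]
MINE.PRIVATE= {
  kdc = ipa.mine.private
}
"""

# Constructed sample of the two krb5_child.log lines quoted in the thread.
KRB5_CHILD_LOG = """\
(Thu Jun 20 12:16:13 2019) [[sssd[krb5_child[956]]]] [k5c_setup_fast] (0x0100): Fast principal is set to [host/halfspeed-r.mine.private@MINE.PRIVATE]
(Thu Jun 20 12:16:13 2019) [[sssd[krb5_child[956]]]] [map_krb5_error] (0x0020): 1808: [-1765328230][Cannot find KDC for realm "PRIVATE"]
"""

def configured_realms(conf):
    """Realm names that have their own stanza in the [realms] section."""
    realms, section = set(), None
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "realms":
            m = re.match(r"([A-Za-z0-9.\-]+)\s*=\s*\{", line)
            if m:
                realms.add(m.group(1))
    return realms

def dns_lookup_kdc(conf):
    """True when [libdefaults] lets libkrb5 locate KDCs via DNS SRV records."""
    m = re.search(r"^\s*dns_lookup_kdc\s*=\s*(\S+)", conf, re.M)
    return bool(m) and m.group(1).lower() == "true"

def principal_realms(log):
    """Realms of bracketed principals in the log, e.g. the FAST armor principal."""
    return re.findall(r"\[[^\[\]]*@([A-Z0-9.\-]+)\]", log)

def diagnose(conf, log):
    """Per 'Cannot find KDC' error: static kdc= stanza present, or DNS SRV only?"""
    realms, dns = configured_realms(conf), dns_lookup_kdc(conf)
    report = {}
    for realm in re.findall(r'Cannot find KDC for realm "([^"]+)"', log):
        report[realm] = {"in_realms_section": realm in realms,
                         "dns_lookup_kdc": dns,
                         "is_principal_realm": realm in principal_realms(log)}
    return report
```

With the thread's values it reports that realm PRIVATE has no [realms] stanza and is not the realm of the FAST principal, so libkrb5 can only locate its KDC through DNS SRV lookup; whether the `_kerberos._tcp` SRV records for that realm resolve from the client is the next thing to check.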