Hi!
I am experiencing strange behaviour with a host which is added to an IPA instance. The IPA instance is working as it should and I can't see any problems there. There is a Trust established to an AD domain.
The AD domain is in the form of example.com whereas the IPA domain is ipa.example.com. However, the domain names of the hosts are host-ipa.example.com and client-ipa.example.com (and not host-ipa.ipa.example.com). As already said, this works fine for the IPA server itself, but for the client I am experiencing weird behaviour.
I can add the client to the IPA domain by joining via the ipa-client-install script, and logon works during the first minutes, but after some time a login via ssh public key is not possible anymore. When I look into the log files I can see that a connection to the directory server fails with the error message "Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/EXAMPLE.COM@IPA.EXAMPLE.COM not found in Kerberos database)]", which seems to be the root cause of my problem, as it should be krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM to my knowledge.
I already tried a hint from this thread https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost... which says to check the domain_realm mapping in /etc/krb5.conf (due to includes, the [domain_realm] section resides in /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com), and indeed the mapping looks wrong to me:
    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM
    [capaths]
     EXAMPLE.COM = {
      IPA.EXAMPLE.COM = EXAMPLE.COM
     }
     IPA.EXAMPLE.COM = {
      EXAMPLE.COM = EXAMPLE.COM
     }
I believe this should look like:
    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM
    [capaths]
     EXAMPLE.COM = {
      IPA.EXAMPLE.COM = IPA.EXAMPLE.COM
     }
     IPA.EXAMPLE.COM = {
      EXAMPLE.COM = EXAMPLE.COM
     }
But changing the file does not help, as after restarting sssd the file is overwritten again with the former version.
Any hints are greatly appreciated!
(the domain names are redacted to protect the innocent ;-) )
Best regards,
Thomas
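The post turns on how a client host name is translated to a Kerberos realm through [domain_realm]. The following is an added worked example (not part of Thomas's message or of the FreeIPA/sssd code) that re-implements the MIT krb5 lookup order for that section: the exact host name is tried first, then each parent domain with a leading dot, most specific first. It parses the sssd-generated fragment as quoted above (realm names as redacted in the post, so constructed sample data) and shows which realm the hosts named in the post resolve to. The second, "explicit" mapping with per-host entries is an assumption introduced here purely to demonstrate the precedence rule; it is not a claim about what fixes the krbtgt error described.

```python
# Added example: emulate MIT krb5's [domain_realm] host-to-realm lookup.

# Constructed sample, modelled on the sssd-generated fragment quoted in the post.
GENERATED = """
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
[capaths]
 EXAMPLE.COM = {
  IPA.EXAMPLE.COM = EXAMPLE.COM
 }
"""

# Assumed variant with explicit per-host entries (illustrative only, not from the post).
EXPLICIT = """
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 host-ipa.example.com = IPA.EXAMPLE.COM
 client-ipa.example.com = IPA.EXAMPLE.COM
"""

# Hosts named in the post and the realm the post says they belong to.
IPA_HOSTS = ["host-ipa.example.com", "client-ipa.example.com"]
IPA_REALM = "IPA.EXAMPLE.COM"


def parse_domain_realm(text):
    """Return the [domain_realm] section as a dict of domain/host -> realm.

    Only the simple 'key = value' lines that section uses are handled;
    other sections (such as [capaths]) are skipped.
    """
    mapping = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_section = (line == "[domain_realm]")
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def realm_for_host(hostname, mapping):
    """Resolve a host name the way krb5 walks [domain_realm].

    Order: exact (lower-cased) host name, then '.parent.domain' entries
    from most to least specific. Returns None when nothing matches, which
    is where krb5 would fall back to DNS or the default realm.
    """
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def mismatched_hosts(hosts, expected_realm, mapping):
    """Return {host: resolved_realm} for hosts that do not land in expected_realm."""
    result = {}
    for h in hosts:
        realm = realm_for_host(h, mapping)
        if realm != expected_realm:
            result[h] = realm
    return result


if __name__ == "__main__":
    for label, text in (("generated", GENERATED), ("explicit", EXPLICIT)):
        m = parse_domain_realm(text)
        print(label, "->", mismatched_hosts(IPA_HOSTS, IPA_REALM, m) or "all hosts map to " + IPA_REALM)
```

Run against the generated fragment, both IPA-joined hosts fall under the `.example.com` rule and resolve to EXAMPLE.COM, so any service principal built for them carries the AD realm; with explicit host entries, the exact-name match wins before the suffix rule is consulted. The same parser can be pointed at a real `/etc/krb5.conf` include to audit which hosts a given suffix rule captures.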