You are welcome, perhaps this is something that we need to make easier
to discover with a tool or something.
We can't necessarily automatically add random domains, but definitely
make it easy for the admin to find out via some diagnostics.
One thing came to mind after we solved this. You may be able to solve
this alternatively by adding _kerberos TXT entries to each subdomain
pointing to IPA.EXAMPLE.COM ...
Simo.
On Fri, 2017-05-26 at 12:41 -0400, Jake wrote:
> Thank you very much for taking the time on IRC to learn me. Part of
> the issue is I did not include all the necessary information to
> diagnose the issue.
>
> I have multiple subdomains that are joined to ipa.example.com, which
> are under example.com (ad realm)
>
> This requires me to add a custom routes file for subdomain handling
> (I've already done this on the AD Servers with the trusts)
>
> created a file called
> /var/lib/sss/pubconf/krb5.include.d/custom_ipa_example_com
>
> and added each domain that is part of the IPA.EXAMPLE.COM realm.
>
> this included
>
> [domain_realm]
> sub1.example.com = IPA.EXAMPLE.COM
> .sub1.example.com = IPA.EXAMPLE.COM
> sub2.example.com = IPA.EXAMPLE.COM
> .sub2.example.com = IPA.EXAMPLE.COM
> sub3.example.com = IPA.EXAMPLE.COM
> .sub3.example.com = IPA.EXAMPLE.COM
> sub4.example.com = IPA.EXAMPLE.COM
> .sub4.example.com = IPA.EXAMPLE.COM
>
> the reason this was working for systems in the same subdomain is the
> /etc/krb5.conf config is modified with the (2) domains
>
> [domain_realm]
> ipa.example.com = IPA.EXAMPLE.COM
> .ipa.example.com = IPA.EXAMPLE.COM
> sub1.example.com = IPA.EXAMPLE.COM
> .sub1.example.com = IPA.EXAMPLE.COM
>
> kerberos ticket requests for sub1 from sub2 would go to the
> example.com AD realm, and not the IPA realm.
>
> Thanks again!
> - Jake
>
> ----- Original Message -----
> From: "Simo Sorce" <simo(a)redhat.com>
> To: "Jake" <email(a)ml.jacobdevans.com>, "freeipa-users" <freeipa-users@lists.fedorahosted.org>
> Sent: Friday, May 26, 2017 11:45:38 AM
> Subject: Re: [Freeipa-users] Illegal cross-realm ticket
>
> On Thu, 2017-05-25 at 16:55 -0400, Jake via FreeIPA-users wrote:
> > Hey Guys,
> >
> > Centos7.3
> > FreeIPA 4.4.0
> >
> >
> > I'm having a strange issue with cross-realm tickets that I'm having a
> > hard time troubleshooting. it looks similar to an issue posted back
> > in 2014. https://www.redhat.com/archives/freeipa-users/2014-October/msg00207.html
> > but this routes file seems to exist.
> >
> > My Setup.
> >
> > example.org = legacy (all users exist here) (transitive trust with example.com)
> > example.com = forest root (transitive trust with example.com)
> > ipa.example.com = ipa domain (one-way trust with example.com & example.org) with route filters.
> > ad.example.com = domain in forest for servers/users
> >
> > If I get a kerberos ticket on a non-ipa joined client with kinit as
> > a user @ legacy, I can use kerberos to authenticate.
> >
> > If I log into an ipa-joined server on ipa.example.com as a user @
> > legacy and attempt to use kerberos auth to another server, I
> > received this error:
> >
> > debug3: authmethod_lookup gssapi-keyex
> > debug3: remaining preferred: gssapi-with-mic,keyboard-interactive
> > debug3: authmethod_is_enabled gssapi-keyex
> > debug1: Next authentication method: gssapi-keyex
> > debug1: No valid Key exchange context
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup gssapi-with-mic
> > debug3: remaining preferred: keyboard-interactive
> > debug3: authmethod_is_enabled gssapi-with-mic
> > debug1: Next authentication method: gssapi-with-mic
> > debug2: we sent a gssapi-with-mic packet, wait for reply
> > debug1: Delegating credentials
> > debug1: Delegating credentials
> > debug1: Unspecified GSS failure. Minor code may provide more
> > information
> > Illegal cross-realm ticket
> >
> >
> > Any help would be appreciated, I checked capaths and it looks
> > correct.
>
> In which domain are the services you want to get tickets for ?
>
> > cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com
> > [domain_realm]
> > .EXAMPLE.COM = EXAMPLE.COM
> > EXAMPLE.COM = EXAMPLE.COM
> > .AD.EXAMPLE.COM = AD.EXAMPLE.COM
> > AD.EXAMPLE.COM = AD.EXAMPLE.COM
> > .EXAMPLE.ORG = EXAMPLE.ORG
> > EXAMPLE.ORG = EXAMPLE.ORG
> > [capaths]
> > EXAMPLE.COM = {
> >   IPA.EXAMPLE.COM = EXAMPLE.COM
> > }
> > AD.EXAMPLE.COM = {
> >   IPA.EXAMPLE.COM = EXAMPLE.COM
> > }
> > EXAMPLE.ORG = {
> >   IPA.EXAMPLE.COM = EXAMPLE.ORG
> > }
> > IPA.EXAMPLE.COM = {
> >   EXAMPLE.COM = EXAMPLE.COM
> >   AD.EXAMPLE.COM = EXAMPLE.COM
> >   EXAMPLE.ORG = EXAMPLE.ORG
> > }
>
> Aren't you missing EXAMPLE.ORG -> EXAMPLE.COM here?
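As an added illustration (not code from the thread or from FreeIPA/sssd): a small Python model of the [domain_realm] lookup, exact hostname first and then each parent domain with a leading dot, run over the two configurations quoted above to show why a host in sub2.example.com was sent to the AD realm until the custom include file was added. The matching rule is a simplified re-implementation of libkrb5's longest-suffix walk (treated here as case-insensitive), and the combined configurations are constructed from the files Jake quoted.

```python
"""Which realm does a hostname map to under [domain_realm] rules?
Simplified model of libkrb5's lookup; not libkrb5 itself."""


def parse_domain_realm(conf_text):
    """Collect 'host-or-domain = REALM' pairs from the [domain_realm]
    stanza of krb5.conf-style text. Keys are lowercased because this
    example treats matching as case-insensitive (an assumption)."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = (line == "[domain_realm]")
            continue
        if in_section and "=" in line:
            key, _, realm = line.partition("=")
            mapping[key.strip().lower()] = realm.strip()
    return mapping


def realm_for_host(hostname, domain_realm):
    """Exact hostname first, then parent domains with a leading dot
    (.sub2.example.com, .example.com, .com), longest suffix first."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return None  # no static mapping: libkrb5 would fall back to DNS/referrals


# Constructed: sssd's generated include plus Jake's /etc/krb5.conf entries.
BEFORE = parse_domain_realm("""
[domain_realm]
 .EXAMPLE.COM = EXAMPLE.COM
 EXAMPLE.COM = EXAMPLE.COM
 .AD.EXAMPLE.COM = AD.EXAMPLE.COM
 .EXAMPLE.ORG = EXAMPLE.ORG
 ipa.example.com = IPA.EXAMPLE.COM
 .ipa.example.com = IPA.EXAMPLE.COM
 .sub1.example.com = IPA.EXAMPLE.COM
""")
# Constructed: the same plus the custom_ipa_example_com include.
AFTER = dict(BEFORE, **parse_domain_realm("""
[domain_realm]
 .sub2.example.com = IPA.EXAMPLE.COM
 .sub3.example.com = IPA.EXAMPLE.COM
 .sub4.example.com = IPA.EXAMPLE.COM
"""))
```

Running `realm_for_host("web.sub2.example.com", BEFORE)` gives EXAMPLE.COM, the AD realm, while the same host under `AFTER` resolves to IPA.EXAMPLE.COM; a sub1 host resolves to the IPA realm in both, which matches the "works within sub1 only" symptom.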