No, the IPA and AD domains are separate, but do have a cross-trust.
We are running IPA 4.4. This all works fine on Fedora 25 systems.
On Mon, Aug 14, 2017 at 12:14 PM, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
On Mon, 14 Aug 2017, Steve Weeks via FreeIPA-users wrote:
> I'm having trouble logging in via the gui console to an Ubuntu 16 Desktop
> host that is affiliated with a FreeIPA server, which in turn is affiliated
> with an Active Directory server.
>
> When I try to log in with debugging turned up on the SSSD I see an
> underlying error in the krb5_child log file: Cannot find KDC for realm "
> EXAMPLE.COM" while getting credentials for host/
> myhost.example.com(a)EXAMPLE.COM
>
> Following an example from the freeipa-users mailing list, I am just
> working
> with kinit and kvno to identify the underlying problem. I get the same
> error, which I suppose is good. But I don't know how to resolve it from
> here. The transcript is below. On the first try at kvno, I get the same
> error. On the second try, it works. Any idea why? I suspect the failure on
> the first try is the real problem with authentication from the console.
>
> Any hints what to try next?
>
Do you really have AD as a subdomain of IPA?
I suspect you hit
https://bugzilla.redhat.com/show_bug.cgi?id=1421869
There is currently no resolution for this. If you'd use different
domain trees (example.com vs example.org) it would work. It would work
also for AD owning example.com and IPA being in ipa.example.com.
> Thanks
>
> ----- /etc/krb5.conf -----
> #File modified by ipa-client-install
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = true
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> EXAMPLE.COM = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .example.com = EXAMPLE.COM
> example.com = EXAMPLE.COM
>
>
> ----- Transcript -----
>
>
> $ kdestroy -A
>
>
> $ kinit aduser(a)AD.EXAMPLE.COM
> Password for aduser(a)AD.EXAMPLE.COM:
>
>
> $ klist
> Ticket cache: KEYRING:persistent:1000:1000
> Default principal: aduser(a)AD.EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 08/14/2017 09:59:22  08/14/2017 19:59:22  krbtgt/AD.EXAMPLE.COM(a)AD.EXAMPLE.COM
> renew until 08/15/2017 09:59:17
>
>
> $ KRB5_TRACE=/dev/stdout kvno host/myhost.example.com(a)EXAMPLE.COM
> [1994] 1502719211.714019: Getting credentials aduser(a)AD.EXAMPLE.COM ->
> host/myhost.example.com(a)EXAMPLE.COM using ccache
> KEYRING:persistent:1000:1000
> [1994] 1502719211.714237: Retrieving aduser(a)AD.EXAMPLE.COM ->
> host/myhost.example.com(a)EXAMPLE.COM from KEYRING:persistent:1000:1000
> with result: -1765328243/Matching credential not found
> [1994] 1502719211.714318: Retrieving aduser(a)AD.EXAMPLE.COM ->
> krbtgt/EXAMPLE.COM(a)EXAMPLE.COM from KEYRING:persistent:1000:1000 with
> result: -1765328243/Matching credential not found
> [1994] 1502719211.714376: Retrieving aduser(a)AD.EXAMPLE.COM ->
> krbtgt/AD.EXAMPLE.COM(a)AD.EXAMPLE.COM from KEYRING:persistent:1000:1000
> with result: 0/Success
> [1994] 1502719211.714395: Starting with TGT for client realm:
> aduser(a)AD.EXAMPLE.COM -> krbtgt/AD.EXAMPLE.COM(a)AD.EXAMPLE.COM
> [1994] 1502719211.714439: Retrieving aduser(a)AD.EXAMPLE.COM ->
> krbtgt/EXAMPLE.COM(a)EXAMPLE.COM from KEYRING:persistent:1000:1000 with
> result: -1765328243/Matching credential not found
> [1994] 1502719211.714456: Requesting TGT
> krbtgt/EXAMPLE.COM(a)AD.EXAMPLE.COM using TGT
> krbtgt/AD.EXAMPLE.COM(a)AD.EXAMPLE.COM
> [1994] 1502719211.714486: Generated subkey for TGS request:
> aes256-cts/020C
> [1994] 1502719211.714525: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
> [1994] 1502719211.714605: Encoding request body and padata into FAST
> request
> [1994] 1502719211.714662: Sending request (1686 bytes) to AD.EXAMPLE.COM
> [1994] 1502719211.717532: Resolving hostname ad-host.ad.example.com.
> [1994] 1502719211.719053: Sending initial UDP request to dgram
> 192.168.1.2:88
> [1994] 1502719211.742171: Received answer (309 bytes) from dgram
> 192.168.1.2:88
> [1994] 1502719211.743066: Response was not from master KDC
> [1994] 1502719211.743082: Decoding FAST response
> [1994] 1502719211.743109: Request or response is too big for UDP;
> retrying with TCP
> [1994] 1502719211.743113: Sending request (1686 bytes) to AD.EXAMPLE.COM (tcp only)
> [1994] 1502719211.743971: Resolving hostname ad-host.ad.example.com.
> [1994] 1502719211.744908: Initiating TCP connection to stream
> 192.168.1.2:88
> [1994] 1502719211.764062: Sending TCP request to stream 192.168.1.2:88
> [1994] 1502719211.805666: Received answer (1643 bytes) from stream
> 192.168.1.2:88
> [1994] 1502719211.805678: Terminating TCP connection to stream
> 192.168.1.2:88
> [1994] 1502719211.806709: Response was not from master KDC
> [1994] 1502719211.806735: Decoding FAST response
> [1994] 1502719211.806789: FAST reply key: aes256-cts/820C
> [1994] 1502719211.806808: TGS reply is for aduser(a)AD.EXAMPLE.COM ->
> krbtgt/EXAMPLE.COM(a)AD.EXAMPLE.COM with session key aes256-cts/B56C
> [1994] 1502719211.806822: TGS request result: 0/Success
> [1994] 1502719211.806826: Storing aduser(a)AD.EXAMPLE.COM ->
> krbtgt/EXAMPLE.COM(a)AD.EXAMPLE.COM in KEYRING:persistent:1000:1000
> [1994] 1502719211.806912: Received TGT for service realm:
> krbtgt/EXAMPLE.COM(a)AD.EXAMPLE.COM
> [1994] 1502719211.806915: Requesting tickets for
> host/myhost.example.com(a)EXAMPLE.COM, referrals on
> [1994] 1502719211.806924: Generated subkey for TGS request:
> aes256-cts/D365
> [1994] 1502719211.806940: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
> [1994] 1502719211.806968: Encoding request body and padata into FAST
> request
> [1994] 1502719211.806994: Sending request (1676 bytes) to EXAMPLE.COM (tcp only)
> kvno: Cannot find KDC for realm "EXAMPLE.COM" while getting
> credentials for host/myhost.example.com(a)EXAMPLE.COM
>
>
> $ KRB5_TRACE=/dev/stdout kvno host/myhost.example.com(a)EXAMPLE.COM
> [1995] 1502719219.601419: Getting credentials aduser(a)AD.EXAMPLE.COM ->
> host/myhost.example.com(a)EXAMPLE.COM using ccache
> KEYRING:persistent:1000:1000
> [1995] 1502719219.601516: Retrieving aduser(a)AD.EXAMPLE.COM ->
> host/myhost.example.com(a)EXAMPLE.COM from KEYRING:persistent:1000:1000
> with result: -1765328243/Matching credential not found
> [1995] 1502719219.601556: Retrieving aduser(a)AD.EXAMPLE.COM ->
> krbtgt/EXAMPLE.COM(a)EXAMPLE.COM from KEYRING:persistent:1000:1000 with
> result: 0/Success
> [1995] 1502719219.601559: Found cached TGT for service realm:
> aduser(a)AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM(a)AD.EXAMPLE.COM
> [1995] 1502719219.601561: Requesting tickets for
> host/myhost.example.com(a)EXAMPLE.COM, referrals on
> [1995] 1502719219.601573: Generated subkey for TGS request:
> aes256-cts/5EC1
> [1995] 1502719219.601592: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
> [1995] 1502719219.601639: Encoding request body and padata into FAST
> request
> [1995] 1502719219.601666: Sending request (1676 bytes) to EXAMPLE.COM
> [1995] 1502719219.603587: Resolving hostname idsg-test16.example.com.
> [1995] 1502719219.604856: Sending initial UDP request to dgram
> 192.168.1.1:88
> [1995] 1502719219.621855: Received answer (1680 bytes) from dgram
> 192.168.1.1:88
> [1995] 1502719219.622767: Response was not from master KDC
> [1995] 1502719219.622783: Decoding FAST response
> [1995] 1502719219.622834: FAST reply key: aes256-cts/14A3
> [1995] 1502719219.622852: TGS reply is for aduser(a)AD.EXAMPLE.COM ->
> host/myhost.example.com(a)EXAMPLE.COM with session key aes256-cts/B41C
> [1995] 1502719219.622866: TGS request result: 0/Success
> [1995] 1502719219.622868: Received creds for desired service
> host/myhost.example.com(a)EXAMPLE.COM
> [1995] 1502719219.622871: Storing aduser(a)AD.EXAMPLE.COM ->
> host/myhost.example.com(a)EXAMPLE.COM in KEYRING:persistent:1000:1000
> host/myhost.example.com@EXAMPLE.COM: kvno = 7
>
--
/ Alexander Bokovoy
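The thread turns on two things: reading a KRB5_TRACE transcript to see which realm the client failed to locate a KDC for, and Alexander's observation that the AD DNS domain being nested under the IPA DNS domain is the layout that triggers the referenced bug. The following Python is an added example, not code from the thread or from FreeIPA/MIT krb5. It constructs a short trace modelled on the quoted output (with "@" in place of the archive's "(a)"), summarises the cross-realm path and the failing realm, applies a simplified model of how [domain_realm] maps a hostname to a realm (exact entry first, then the longest dotted parent; dns_lookup_realm and the SSSD includedir are not modelled), and flags the nested-domain layout. All function names and the sample data are this example's own assumptions.

```python
import re

# Constructed excerpt modelled on the KRB5_TRACE lines quoted in the thread;
# "(a)" in the archive stands for "@" and is written as "@" here.
SAMPLE_TRACE = """\
[1994] 1502719211.714395: Starting with TGT for client realm: aduser@AD.EXAMPLE.COM -> krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
[1994] 1502719211.714456: Requesting TGT krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM using TGT krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
[1994] 1502719211.714662: Sending request (1686 bytes) to AD.EXAMPLE.COM
[1994] 1502719211.806912: Received TGT for service realm: krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM
[1994] 1502719211.806915: Requesting tickets for host/myhost.example.com@EXAMPLE.COM, referrals on
[1994] 1502719211.806994: Sending request (1676 bytes) to EXAMPLE.COM (tcp only)
kvno: Cannot find KDC for realm "EXAMPLE.COM" while getting credentials for host/myhost.example.com@EXAMPLE.COM
"""

# [domain_realm] section as quoted in the thread's krb5.conf
SAMPLE_DOMAIN_REALM = {".example.com": "EXAMPLE.COM", "example.com": "EXAMPLE.COM"}

RE_XREALM = re.compile(r"Requesting TGT (\S+) using TGT (\S+)")
RE_SEND = re.compile(r"Sending request \(\d+ bytes\) to (\S+)")
RE_NOKDC = re.compile(r'Cannot find KDC for realm "([^"]+)"')


def summarize_trace(trace):
    """Reduce a KRB5_TRACE transcript to the cross-realm path it walked:
    realms contacted (in order, de-duplicated), cross-realm TGTs requested,
    and the realm for which no KDC could be located, if any."""
    realms, xrealm_tgts, no_kdc = [], [], None
    for line in trace.splitlines():
        m = RE_XREALM.search(line)
        if m:
            xrealm_tgts.append(m.group(1))
        m = RE_SEND.search(line)
        if m and m.group(1) not in realms:
            realms.append(m.group(1))
        m = RE_NOKDC.search(line)
        if m:
            no_kdc = m.group(1)
    return {"realms_contacted": realms,
            "cross_realm_tgts": xrealm_tgts,
            "kdc_lookup_failed_for": no_kdc}


def realm_for_host(hostname, domain_realm, default_realm=None):
    """Simplified model of how libkrb5 applies [domain_realm]: an exact
    hostname entry wins, otherwise the longest parent domain written with a
    leading dot. DNS-based realm lookup is deliberately not modelled."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return default_realm


def is_subdomain(child, parent):
    """True when child equals parent or lies beneath it in DNS."""
    c, p = child.lower().rstrip("."), parent.lower().rstrip(".")
    return c == p or c.endswith("." + p)


def trust_layout_warning(ipa_domain, ad_domain):
    """Flag the layout the reply points at: the trusted AD DNS domain nested
    under (or equal to) the IPA DNS domain. The reply says separate trees
    and the reverse nesting (AD owning example.com, IPA in ipa.example.com)
    work, so those return None."""
    if is_subdomain(ad_domain, ipa_domain):
        return ("AD domain %s is a DNS subdomain of IPA domain %s; "
                "see the bug referenced in the thread" % (ad_domain, ipa_domain))
    return None


if __name__ == "__main__":
    print(summarize_trace(SAMPLE_TRACE))
    print(realm_for_host("myhost.example.com", SAMPLE_DOMAIN_REALM))
    print(realm_for_host("ad-host.ad.example.com", SAMPLE_DOMAIN_REALM))
    print(trust_layout_warning("example.com", "ad.example.com"))
```

Run against the constructed trace, the summary shows the client obtaining krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM from the AD KDC and then failing to locate a KDC for EXAMPLE.COM, which is the point at which the first kvno in the transcript stops. The realm-mapping model also makes visible that with only the two quoted [domain_realm] entries, a host under ad.example.com would be mapped to EXAMPLE.COM by static configuration alone; in the real setup that is qualified by dns_lookup_realm = true and the SSSD-generated include file, which this example does not cover.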