On Fri, Jun 28, 2019 at 11:07:00AM +0200, Natxo Asenjo via FreeIPA-users wrote:
hi,
I have successfully established a one way cross realm trust between AD and
IDM realms.
I can get info from AD users in the IDM hosts, and I created an external
group and added it to a posix group as indicated in the documentation of
the Windows integration guide.
So when I run this command I get users from AD resolved from the Linux hosts
joined to IDM:
$ getent group posixgroupname
posixgroupname:*:1111111111111:user1@ad.local,user2@ad.local,user3@ad.local,user4@ad.local
And I can resolve the AD users as well:
$ getent passwd user1@ad.local
user1@ad.local:*:333333333:33333333:User Name:/home/ad.local/user1:
So it seems like it's working. Now I added an HBAC rule to allow the members
of that external group to log in using ssh to a couple of hosts:
$ ipa hbacrule-show "bastion ssh hosts"
Rule name: bastion ssh hosts
Enabled: TRUE
User Groups: posixgroupname
Host Groups: bastionssh
Services: sshd
But when I try to log on it does not work:
$ ssh user1@ad.local@bastion1.sub.domain.tld
Password:
Password:
Password:
Jun 28 10:42:06 bastion1 [sssd[krb5_child[20000]]]: Cannot find KDC for realm "AD.LOCAL"
Jun 28 10:42:06 bastion1 [sssd[krb5_child[20001]]]: Cannot find KDC for realm "AD.LOCAL"
I am checking the firewall logs but cannot see any denied packets coming
from this host.
I can successfully find the KDCs using a DNS query:
$ dig -t srv _kerberos._udp.ad.local +short
0 100 88 dc01.ad.local.
0 100 88 dc02.ad.local.
So I am a bit at a loss right now what is going wrong.
Hi,
what does /etc/krb5.conf look like? Especially 'dns_lookup_kdc'?
bye,
Sumit
Is it only supposed to work if you have a working ticket from AD.LOCAL, or
can you try to log on interactively? I do not have a connection to
AD.LOCAL from my laptop or the bastion1 hosts, but the KDCs with the trust
do.
How can I debug this in sssd? I tried setting debug = 9 in the [domain/idm]
section of sssd.conf on the bastion host, but I could not spot the error in there.
Thanks in advance!
--
regards,
natxo
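A note added to this thread (it is not part of any of the posts above, and it is not FreeIPA or SSSD code): Sumit's question about dns_lookup_kdc goes to how libkrb5 locates a KDC. It first looks for a "kdc =" entry in the realm's block under [realms]; failing that, if dns_lookup_kdc is true (the built-in default when the key is absent) it queries the _kerberos._udp.<realm> SRV record. On an IPA client the SSSD KDC locator plugin can also hand libkrb5 an address it has cached in /var/lib/sss/pubconf/kdcinfo.<REALM>. "Cannot find KDC for realm" means none of these produced an address, which is a different failure from a KDC being unreachable (libkrb5 reports that as "Cannot contact any KDC"), so a successful dig from a laptop does not settle it: what matters is the lookup policy and resolver on bastion1 itself. Separately, for a password login of a trusted AD user, krb5_child on the client has to reach the AD KDCs over port 88 itself; the IPA servers do not perform that exchange on its behalf. The script below reads a krb5.conf and reports which of the two configured locator paths applies to a realm (it does not model the SSSD locator plugin or reachability). The realm IDM.EXAMPLE.TEST, the host idm01.idm.example.test and both sample files are constructed for the example; AD.LOCAL is the realm from the thread. Run report_realm against /etc/krb5.conf on the bastion to answer Sumit's question.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/SSSD.
# Models how libkrb5 picks a KDC from krb5.conf: a "kdc =" entry in the
# realm's [realms] block, else an SRV lookup when dns_lookup_kdc is true
# (libkrb5 defaults to true when the key is absent). Not modelled: the SSSD
# locator plugin (kdcinfo.<REALM> files) and network reachability.
# Realm/host names below are constructed for this example.

# Constructed sample: IPA-client style file that knows the IDM realm
# statically, has no block for the trusted AD realm, and has DNS KDC
# lookup switched off.
SAMPLE_KRB5_CONF=$(cat <<'EOF'
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = IDM.EXAMPLE.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 forwardable = true

[realms]
 IDM.EXAMPLE.TEST = {
  kdc = idm01.idm.example.test:88
  master_kdc = idm01.idm.example.test:88
  admin_server = idm01.idm.example.test:749
  default_domain = idm.example.test
 }

[domain_realm]
 .idm.example.test = IDM.EXAMPLE.TEST
 idm.example.test = IDM.EXAMPLE.TEST
EOF
)

# The same file with dns_lookup_kdc flipped to true (the corrected setting).
SAMPLE_FIXED_CONF=$(printf '%s\n' "$SAMPLE_KRB5_CONF" |
  sed 's/dns_lookup_kdc = false/dns_lookup_kdc = true/')

# krb5_dns_lookup_kdc CONFIG_TEXT
# Prints the [libdefaults] dns_lookup_kdc value, lower-cased; "true" if absent.
krb5_dns_lookup_kdc() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*\[/ { s = $0; gsub(/\[/, "", s); gsub(/\]/, "", s); gsub(/[ \t]/, "", s); section = s; next }
    section == "libdefaults" && /^[ \t]*dns_lookup_kdc[ \t]*=/ {
      v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v); print tolower(v); found = 1
    }
    END { if (!found) print "true" }'
}

# krb5_realm_kdcs CONFIG_TEXT REALM
# Prints each "kdc = ..." value inside the REALM block of [realms], one per
# line; prints nothing when there is no such block.
krb5_realm_kdcs() {
  printf '%s\n' "$1" | awk -v realm="$2" '
    /^[ \t]*\[/ { s = $0; gsub(/\[/, "", s); gsub(/\]/, "", s); gsub(/[ \t]/, "", s); section = s; inblock = 0; next }
    { l = $0; gsub(/[ \t]/, "", l) }
    section == "realms" && !inblock && l == (realm "={") { inblock = 1; next }
    inblock && l == "}" { inblock = 0; next }
    inblock && /^[ \t]*kdc[ \t]*=/ {
      v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v); print v
    }'
}

# kdc_locator_mode CONFIG_TEXT REALM
# Prints how libkrb5 would locate a KDC for REALM with this file:
#   static - explicit kdc entries exist for the realm
#   dns    - no entries, but SRV lookup is allowed
#   none   - neither: the combination that yields "Cannot find KDC for realm"
kdc_locator_mode() {
  if [ -n "$(krb5_realm_kdcs "$1" "$2")" ]; then
    echo static
  elif [ "$(krb5_dns_lookup_kdc "$1")" = true ]; then
    echo dns
  else
    echo none
  fi
}

# report_realm CONFIG_TEXT REALM
# Human-readable version of the above, naming the SRV record libkrb5 would
# ask for so it can be compared with `dig -t srv` run on the client itself.
report_realm() {
  srv="_kerberos._udp.$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
  case $(kdc_locator_mode "$1" "$2") in
    static) printf '%s: static KDC(s):\n' "$2"; krb5_realm_kdcs "$1" "$2" | sed 's/^/  /' ;;
    dns)    printf '%s: no [realms] entry, libkrb5 will query %s SRV\n' "$2" "$srv" ;;
    none)   printf '%s: no [realms] entry and dns_lookup_kdc=false, KDC cannot be located\n' "$2" ;;
  esac
}

# Usage: run as-is for the two sample files, or feed the real client file:
#   report_realm "$(cat /etc/krb5.conf)" AD.LOCAL
echo "--- sample krb5.conf (dns_lookup_kdc = false)"
report_realm "$SAMPLE_KRB5_CONF" IDM.EXAMPLE.TEST
report_realm "$SAMPLE_KRB5_CONF" AD.LOCAL
echo "--- after setting dns_lookup_kdc = true"
report_realm "$SAMPLE_FIXED_CONF" AD.LOCAL
```

With the constructed file the AD realm comes out as "none": no [realms] block and dns_lookup_kdc = false, which is exactly the state in which krb5_child cannot locate a KDC no matter what dig shows elsewhere. Flipping dns_lookup_kdc to true (or adding a kdc = line for AD.LOCAL) changes the answer to "dns" or "static"; after that, the next thing to verify from bastion1 is that the SRV names resolve there and that port 88 to the AD DCs is actually open.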
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...