Environment:
Single Site
Two FreeIPA Idm Servers (1 Trust-Controller 1 Trust-Agent)
We ran into an issue were our Trust-Controller was offline and Kerberos authentication
began failing for AD users. We do not allow interactive password auth. via sshd_config on
IPA clients, only Pubkey or GSSAPI. From the clients we could resolve AD users without
issue but AD user Kerberos authentication was failing with error regarding KDC not
reachable.
Once we got the Trust-Controller back online, all was well and working again. Clearly our
Trust-Controller was handling the KDC role in this use-case.
Example of klist output after Trust-Controller was back online. Hostnames/Users changed to
protect the innocent of course.
Client: aduser @
AD-DOMAIN.COM
Server:
host/ipaclient.freeipadomain.com @
FREEIPADOMAIN.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a90000 -> forwardable renewable pre_authent name_canonicalize 0x80000
Start Time: 4/29/2019 6:35:26 (local)
End Time: 4/29/2019 16:06:39 (local)
Renew Time: 5/6/2019 6:06:39 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:
freeipa-trust-controller.freeipadomain.com
My question is this; since we are only doing Kerberos auth for AD users, is it necessary
we add the Trust-Agent to some/all MSDCS SRV records within FreeIPA DNS for this to work,
in the event Trust-Controller is offline? It's been awhile since needing to dig into
FreeIPA, so perhaps I am missing something.
Thanks
-Dave