9:56 a.m.
Hello all,
sorry if this question was already several times discussed, nevertheless, i am stuck with
setting up a trust between FreeIPA and AD.
To be more precise, the one way Trus is setup and i can log in into Freeipa server with AD
credentials.
I have also a bunch of servers with ipa-client configured and i am able to login to them
with Freeipa accounts, but not ADs.
1) Did i understood correctly, that clients should "somehow" authenticate to AD
via Freeipa? Or do they need to contact directly AD?
2) If the clients should be configured to talk to AD, which configurations are needed?
3) The way i am trying to login is as follows:
ssh -v -l ad_user@ad_domain hostname
4) In logs i have such errors during authentication:
sshd[11294]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh
ruser= rhost=10.45.33.1 user=ad_user@ad_domain
sshd[11294]: pam_sss(sshd:auth): received for user ad_user@ad_domain: 6 (Permission
denied)
sshd[11290]: error: PAM: Authentication failure for ad_user@ad_domain from 10.45.33.1
sshd[11290]: Connection closed by authenticating user user_ad@ad_domain 10.45.33.1 port
40108 [preauth]
Thanks in advance!
10:34 a.m.
On Tue, Nov 10, 2020 at 03:56:48PM -0000, kotelnikova9314--- via FreeIPA-users wrote:
Hello all,
sorry if this question was already several times discussed, nevertheless, i am stuck with
setting up a trust between FreeIPA and AD.
To be more precise, the one way Trus is setup and i can log in into Freeipa server with
AD credentials.
I have also a bunch of servers with ipa-client configured and i am able to login to them
with Freeipa accounts, but not ADs.
1) Did i understood correctly, that clients should "somehow" authenticate to AD
via Freeipa? Or do they need to contact directly AD?
The client will get user and group information from the FreeIPA server
but for authentication (Kerberos) they will talk with AD DCs directly.
2) If the clients should be configured to talk to AD, which configurations are needed?
For a start no specific configuration is needed, ipa-client-install
should set all needed options.
3) The way i am trying to login is as follows:
> ssh -v -l ad_user@ad_domain hostname
4) In logs i have such errors during authentication:
sshd[11294]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh
ruser= rhost=10.45.33.1 user=ad_user@ad_domain
sshd[11294]: pam_sss(sshd:auth): received for user ad_user@ad_domain: 6 (Permission
denied)
sshd[11290]: error: PAM: Authentication failure for ad_user@ad_domain from 10.45.33.1
sshd[11290]: Connection closed by authenticating user user_ad@ad_domain 10.45.33.1 port
40108 [preauth]
Please add 'debug_level = 9' to the [pam] and [domain/...] section in
sssd.conf, restart SSSD, try to authenticate again and send the logs.
bye,
Sumit
Thanks in advance!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
7:01 a.m.
Hi Sumit,
thank you for the comprehensive answer.
On Tue, Nov 10, 2020 at 03:56:48PM -0000, kotelnikova9314--- via
FreeIPA-users wrote:
The client will get user and group information from the FreeIPA server
but for authentication (Kerberos) they will talk with AD DCs directly.
Ok, i see, thank you for the explanation.
For a start no specific configuration is needed, ipa-client-install
should set all needed options.
Found my mistake. My clients were configured without trust, thus the krb5.conf had such
configurations in [realm] section.
kdc = ipaserver.ipadomain.com:88
master_kdc = ipaserver.ipadomain.com:88
admin_server = ipaserver.ipadomain.com:749
kpasswd_server = ipaserver.ipadomain.com:464
default_domain = ipadomain.com
After re-installing clients with ipa-client-install, when the trust was established, these
lines were removed and authentication for AD users succeeded.
Without reinstalling, the definition of AD trust domain in [realm] sections also helped:
AD.DOMAIN = {
kdc = ad-controlled.ad.domain:88
}
Please add 'debug_level = 9' to the [pam] and [domain/...]
section in
sssd.conf, restart SSSD, try to authenticate again and send the logs.
No need, i found already, that the problem was in SSSD cache, i had to wait a bit or
remove the cache in order to the updated HBAC rules were applied.
> bye,
> Sumit
7:18 a.m.
On Thu, Nov 19, 2020 at 01:01:41PM -0000, kotelnikova9314--- via FreeIPA-users wrote:
Hi Sumit,
thank you for the comprehensive answer.
Hi,
thanks for the feedback. I guess before running 'ipa-client-install' the
option 'dns_lookup_kdc = True' was not set in krb5.conf. With this
option libkrb5 would use DNS lookups to find suitable AD DCs.
bye,
Sumit
> On Tue, Nov 10, 2020 at 03:56:48PM -0000, kotelnikova9314--- via FreeIPA-users
wrote:
>
> The client will get user and group information from the FreeIPA server
> but for authentication (Kerberos) they will talk with AD DCs directly.
Ok, i see, thank you for the explanation.
> For a start no specific configuration is needed, ipa-client-install
> should set all needed options.
Found my mistake. My clients were configured without trust, thus the krb5.conf had such
configurations in [realm] section.
kdc = ipaserver.ipadomain.com:88
master_kdc = ipaserver.ipadomain.com:88
admin_server = ipaserver.ipadomain.com:749
kpasswd_server = ipaserver.ipadomain.com:464
default_domain = ipadomain.com
After re-installing clients with ipa-client-install, when the trust was established,
these lines were removed and authentication for AD users succeeded.
Without reinstalling, the definition of AD trust domain in [realm] sections also helped:
AD.DOMAIN = {
kdc = ad-controlled.ad.domain:88
}
> Please add 'debug_level = 9' to the [pam] and [domain/...] section in
> sssd.conf, restart SSSD, try to authenticate again and send the logs.
No need, i found already, that the problem was in SSSD cache, i had to wait a bit or
remove the cache in order to the updated HBAC rules were applied.
> bye,
> Sumit
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
7:32 a.m.
Hi Sumit,
i stacked also with authentication of AD users against IPA replica. The configuration in
krb5.conf is as follow:
```
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = IPA.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
[realms]
IPA.DOMAIN.COM = {
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.ipa.domain.com = IPA.DOMAIN.COM
ipa.domain.com = IPA.DOMAIN.COM
host-1.ipa.domain.com = IPA.DOMAIN.COM
```
1. So in case if the Freeipa server is unavailable it should fallback to another server,
which is in _kerberos._tcp.ipa.domain.com record. The authentication against local domain
via IPA replica with such configuration is successful. But the AD users can not be
authenticated.
The errors in journalctl:
```
pam_sss(sshd:auth): received for user user(a)ad.domain.com: 6 (Permission denied)
error: PAM: Authentication failure for user(a)ad.domain.com from 10.10.10.1
```
2. In /var/log/krb5kdc.log on IPA replica, there are no records regarding this
connection.
3. When i disable dns_lookup_kdc = false and explicitly set the configuration of both
domains in krb5.conf, the authentication is succeeded.
4. AD, IPA and IPA replica all have needed SRV records, but they all have the same weight
and priority, could it be problem in that?
5. Both IPA and IPA Replica are Trusted controllers and Trusted agents
Should krb5.conf or sssd.conf have any specific options in order to authenticate AD users
via IPA replica in case when IPA server is unavailible?
P.S. Should i open another thread for this question or we can discuss it here?
With best regards,
Nadiia
1254
days inactive
1264
days old
freeipa-users@lists.fedorahosted.org
5 comments
3 participants
participants (3)
-
kotelnikova9314@gmail.com -
Panna Cotta
-
Sumit Bose