Hi All,
I am setting up a one-way trust from a FreeIPA server to an AD domain with a pre-shared key.
It seems that it was set up successfully but I cannot verify the Kerberos configuration
when I follow the steps described here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/....
Although I successfully kinit with a username from the AD domain and obtain a ticket:
klist
Ticket cache: KEYRING:persistent:0:0
Default principal: testuser@DOMAIN.COM
Valid starting       Expires              Service principal
08/22/2017 09:47:41  08/22/2017 19:47:41  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 08/23/2017 09:47:34
I am not able to request service tickets for a service within IdM domain:
[root@idm1 ~]# KRB5_TRACE=/dev/stdout kvno -S host idm1.ipa.domain.com
[16119] 1503409696.153004: Getting credentials testuser@DOMAIN.COM -> host/idm1.ipa.domain.com@IPA.DOMAIN.COM using ccache KEYRING:persistent:0:0
[16119] 1503409696.153288: Retrieving testuser@DOMAIN.COM -> host/idm1.ipa.domain.com@IPA.DOMAIN.COM from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
[16119] 1503409696.153422: Retrieving testuser@DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
[16119] 1503409696.153520: Retrieving testuser@DOMAIN.COM -> krbtgt/DOMAIN.COM@DOMAIN.COM from KEYRING:persistent:0:0 with result: 0/Success
[16119] 1503409696.153536: Starting with TGT for client realm: testuser@DOMAIN.COM -> krbtgt/DOMAIN.COM@DOMAIN.COM
[16119] 1503409696.153600: Retrieving testuser@DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM from KEYRING:persistent:0:0 with result: -1765328243/Matching credential not found
[16119] 1503409696.153609: Requesting TGT krbtgt/IPA.DOMAIN.COM@DOMAIN.COM using TGT krbtgt/DOMAIN.COM@DOMAIN.COM
[16119] 1503409696.153663: Generated subkey for TGS request: aes256-cts/A13D
[16119] 1503409696.153718: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[16119] 1503409696.153875: Encoding request body and padata into FAST request
[16119] 1503409696.153942: Sending request (1851 bytes) to DOMAIN.COM
[16119] 1503409696.154236: Resolving hostname domain.com
[16119] 1503409696.290796: Initiating TCP connection to stream 10.10.10.10:88
[16119] 1503409696.398086: Sending TCP request to stream 10.10.10.10:88
[16119] 1503409696.836098: Received answer (1551 bytes) from stream 10.10.10.10:88
[16119] 1503409696.836121: Terminating TCP connection to stream 10.10.10.10:88
[16119] 1503409696.836212: Response was from master KDC
[16119] 1503409696.836258: Decoding FAST response
[16119] 1503409696.836423: TGS reply is for testuser@DOMAIN.COM -> krbtgt/ipa.domain.com@DOMAIN.COM with session key aes256-cts/C0B1
[16119] 1503409696.836454: TGS request result: 0/Success
[16119] 1503409696.836461: Received TGT for offpath realm ipa.domain.com
[16119] 1503409696.836468: Requesting TGT krbtgt/IPA.DOMAIN.COM@ipa.domain.com using TGT krbtgt/ipa.domain.com@DOMAIN.COM
[16119] 1503409696.836486: Generated subkey for TGS request: aes256-cts/743D
[16119] 1503409696.836523: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[16119] 1503409696.836579: Encoding request body and padata into FAST request
[16119] 1503409696.836648: Sending request (1854 bytes) to ipa.domain.com
[16119] 1503409696.904352: Resolving hostname idm1.ipa.domain.com.
[16119] 1503409696.938147: Sending initial UDP request to dgram 10.10.10.11:88
[16119] 1503409696.943465: Received answer (146 bytes) from dgram 10.10.10.11:88
[16119] 1503409696.977047: Response was from master KDC
[16119] 1503409696.977102: TGS request result: -1765328353/Decrypt integrity check failed
kvno: Decrypt integrity check failed while getting credentials for host/idm1.ipa.domain.com@IPA.DOMAIN.COM
Can you please advise me on how to resolve this issue?
Bart
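The trace above is easier to read once the cross-realm hops are pulled out of the noise: the client asks the AD KDC for krbtgt/IPA.DOMAIN.COM@DOMAIN.COM, gets back a referral TGT for krbtgt/ipa.domain.com@DOMAIN.COM (same realm, different letter case), follows it to the IPA KDC, and that second hop fails with "Decrypt integrity check failed". The script below is an added example, not part of the original post or of FreeIPA; it parses KRB5_TRACE output (re-joining lines that mail clients wrap), reconstructs the referral chain, and reports two things a practitioner would want flagged: any hop that fails, and any referral or realm name that differs from the requested one only in case (Kerberos realm names are case-sensitive, so such a mismatch is worth checking on both sides of the trust before anything else). The embedded sample trace is a constructed, shortened version of the one in the post with pids and timestamps replaced.

```python
"""Reconstruct the cross-realm referral chain from KRB5_TRACE output and flag anomalies."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on the trace in the post (pid/timestamps shortened,
# two entries deliberately left wrapped onto a second line as a mail client would).
SAMPLE_TRACE = """\
[1] 1.0: Getting credentials testuser@DOMAIN.COM -> host/idm1.ipa.domain.com@IPA.DOMAIN.COM using ccache KEYRING:persistent:0:0
[1] 1.1: Starting with TGT for client realm: testuser@DOMAIN.COM -> krbtgt/DOMAIN.COM@DOMAIN.COM
[1] 1.2: Requesting TGT krbtgt/IPA.DOMAIN.COM@DOMAIN.COM using TGT krbtgt/DOMAIN.COM@DOMAIN.COM
[1] 1.3: Sending request (1851 bytes) to
DOMAIN.COM
[1] 1.4: TGS reply is for testuser@DOMAIN.COM -> krbtgt/ipa.domain.com@DOMAIN.COM with session key aes256-cts/C0B1
[1] 1.5: TGS request result: 0/Success
[1] 1.6: Received TGT for offpath realm
ipa.domain.com
[1] 1.7: Requesting TGT krbtgt/IPA.DOMAIN.COM@ipa.domain.com using TGT krbtgt/ipa.domain.com@DOMAIN.COM
[1] 1.8: TGS request result: -1765328353/Decrypt integrity check failed
"""

ENTRY_RE = re.compile(r"^\[\d+\] [\d.]+: ")          # "[pid] seconds.micro: " prefix
GETCRED_RE = re.compile(r"Getting credentials (\S+) -> (\S+) using ccache")
REQ_RE = re.compile(r"Requesting TGT (\S+) using TGT (\S+)")
REPLY_RE = re.compile(r"TGS reply is for (\S+) -> (\S+) with session key")
RESULT_RE = re.compile(r"TGS request result: (-?\d+)/(.*)")


def unwrap(text: str) -> list[str]:
    """Join continuation lines (no '[pid] ts:' prefix) onto the preceding trace entry."""
    entries: list[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if ENTRY_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line.strip()
    return entries


def split_principal(princ: str) -> tuple[str, str]:
    """'krbtgt/REALM@OTHER' -> ('krbtgt/REALM', 'OTHER')."""
    name, _, realm = princ.rpartition("@")
    return name, realm


@dataclass
class Hop:
    requested: str                      # TGT the client asked for
    using: str                          # TGT it presented to get it
    reply_for: Optional[str] = None     # TGT the KDC actually returned (may be a referral)
    result: Optional[tuple[int, str]] = None


@dataclass
class Report:
    target: Optional[str] = None        # service principal the whole exchange is for
    hops: list[Hop] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)


def analyze(text: str) -> Report:
    """Walk the trace once, attach replies/results to the hop they belong to, then judge each hop."""
    report = Report()
    for entry in unwrap(text):
        m = GETCRED_RE.search(entry)
        if m:
            report.target = m.group(2)
            continue
        m = REQ_RE.search(entry)
        if m:
            report.hops.append(Hop(requested=m.group(1), using=m.group(2)))
            continue
        if not report.hops:
            continue                     # ccache lookups before the first TGS exchange
        hop = report.hops[-1]
        m = REPLY_RE.search(entry)
        if m:
            hop.reply_for = m.group(2)
            continue
        m = RESULT_RE.search(entry)
        if m:
            hop.result = (int(m.group(1)), m.group(2).strip())

    target_realm = split_principal(report.target)[1] if report.target else ""
    for i, hop in enumerate(report.hops):
        req_name, req_realm = split_principal(hop.requested)
        if hop.reply_for:
            got_name = split_principal(hop.reply_for)[0]
            # Realm names are case-sensitive in Kerberos; a case-only difference between what was
            # asked for and what came back means the two KDCs disagree on the realm's spelling.
            if got_name != req_name and got_name.lower() == req_name.lower():
                report.findings.append(
                    f"hop {i}: referral {hop.reply_for} differs from requested {hop.requested} only in case")
        if req_realm != target_realm and req_realm.lower() == target_realm.lower():
            report.findings.append(
                f"hop {i}: request sent to realm {req_realm!r}, but target realm is {target_realm!r}")
        if hop.result and hop.result[0] != 0:
            report.findings.append(f"hop {i}: {hop.requested} failed: {hop.result[1]} ({hop.result[0]})")
    return report


if __name__ == "__main__":
    rep = analyze(SAMPLE_TRACE)
    print("target:", rep.target)
    for i, h in enumerate(rep.hops):
        print(f"hop {i}: {h.requested} via {h.using} -> {h.reply_for} result={h.result}")
    for f in rep.findings:
        print("FINDING:", f)
```

Run it on a real capture with `KRB5_TRACE=/dev/stdout kvno -S host <fqdn> > trace.txt` and feed the file to `analyze()`; the findings list is what to compare against the realm spelling configured on each side of the trust.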