Hi!
I am experiencing strange behaviour with a host which is added to an IPA instance. The IPA instance is working as it should and I can't see any problems there. There is a Trust established to an AD domain.
The AD domain is in the form of example.com whereas the IPA domain is ipa.example.com. However, the domain names of the hosts are host-ipa.example.com and client-ipa.example.com (and not host-ipa.ipa.example.com). As already said, this works fine for the IPA server itself, but for the client I am experiencing weird behaviour.
I can add the client to the IPA domain by joining via the ipa-client-install script and logging on works during the first minutes, but after some time a login via ssh public key is not possible anymore. When I look into the log files I can see that a connection to the directory server fails with the error message "Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/EXAMPLE.COM@IPA.EXAMPLE.COM not found in Kerberos database)]", which seems to be the root cause of my problem as it should be krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM to my knowledge.
I already tried a hint from this thread https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost... which tells to check the domain_realm mapping in /etc/krb5.conf (due to includes, the [domain_realm] section resides in /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com), and indeed the mapping looks wrong to me:
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[capaths]
EXAMPLE.COM = {
  IPA.EXAMPLE.COM = EXAMPLE.COM
}
IPA.EXAMPLE.COM = {
  EXAMPLE.COM = EXAMPLE.COM
}
I believe this should look like:
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[capaths]
EXAMPLE.COM = {
  IPA.EXAMPLE.COM = IPA.EXAMPLE.COM
}
IPA.EXAMPLE.COM = {
  EXAMPLE.COM = EXAMPLE.COM
}
But changing the file does not help as after restarting sssd the file is overwritten again with the former version.
Any hints are greatly appreciated!
(the domain names are redacted to protect the innocent ;-) )
Best regards,
Thomas
On Wed, 15 Mar 2023, None via FreeIPA-users wrote:
> Hi!
> I am experiencing strange behaviour with a host which is added to an IPA instance. The IPA instance is working as it should and I can't see any problems there. There is a Trust established to an AD domain.
> The AD domain is in the form of example.com whereas the IPA domain is ipa.example.com. However, the domain names of the hosts are host-ipa.example.com and client-ipa.example.com (and not host-ipa.ipa.example.com). As already said, this works fine for the IPA server itself, but for the client I am experiencing weird behaviour.
This is not supported and will never be supported. Please understand that this breaks fundamental requirements Active Directory-compatible implementations have with regards to Kerberos setup with dynamic DNS discovery.
> I can add the client to the IPA domain by joining via the ipa-client-install script and logging on works during the first minutes, but after some time a login via ssh public key is not possible anymore. When I look into the log files I can see that a connection to the directory server fails with the error message "Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/EXAMPLE.COM@IPA.EXAMPLE.COM not found in Kerberos database)]", which seems to be the root cause of my problem as it should be krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM to my knowledge.
Yep. Do not run IPA servers as a part of example.com DNS domain.
> I already tried a hint from this thread https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost... which tells to check the domain_realm mapping in /etc/krb5.conf (due to includes, the [domain_realm] section resides in /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com), and indeed the mapping looks wrong to me:
>
> [domain_realm]
> .example.com = EXAMPLE.COM
> example.com = EXAMPLE.COM
>
> [capaths]
> EXAMPLE.COM = {
>   IPA.EXAMPLE.COM = EXAMPLE.COM
> }
> IPA.EXAMPLE.COM = {
>   EXAMPLE.COM = EXAMPLE.COM
> }
>
> I believe this should look like:
>
> [domain_realm]
> .example.com = EXAMPLE.COM
> example.com = EXAMPLE.COM
>
> [capaths]
> EXAMPLE.COM = {
>   IPA.EXAMPLE.COM = IPA.EXAMPLE.COM
> }
> IPA.EXAMPLE.COM = {
>   EXAMPLE.COM = EXAMPLE.COM
> }
>
> But changing the file does not help as after restarting sssd the file is overwritten again with the former version.
> Any hints are greatly appreciated!
https://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain describes all the technical details.
Move IPA servers out of example.com DNS domain into their own ipa.example.com DNS domain, then use suggested configuration from the page to configure your clients. The rest is not supported.
> (the domain names are redacted to protect the innocent ;-) )
> Best regards,
> Thomas
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
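To make the two lookups behind that error concrete, here is an added example (not code from this thread, from FreeIPA or from SSSD) that resolves a hostname through [domain_realm] and then walks [capaths] from the client's realm to the target realm, listing the krbtgt tickets the client has to fetch before it can bind to ldap/<host>. The first configuration is the poster's mapping, constructed inline; the second, which adds .ipa.example.com = IPA.EXAMPLE.COM, is an assumption about what the mapping looks like once the IPA servers live in their own DNS domain. The parsing and capaths rules are a simplified reading of krb5.conf(5), not libkrb5, and the fallback to the client's own realm when nothing matches is also an assumption.

```python
"""Resolve host -> realm and client realm -> server realm the way a krb5
client does before a GSSAPI bind. Simplified reading of krb5.conf(5)."""
import re

# Constructed: the mapping the poster found in
# /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com,
# with the braces unwrapped onto separate lines.
POSTER_CONF = """
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
[capaths]
 EXAMPLE.COM = {
  IPA.EXAMPLE.COM = EXAMPLE.COM
 }
 IPA.EXAMPLE.COM = {
  EXAMPLE.COM = EXAMPLE.COM
 }
"""

# Assumption: the extra [domain_realm] lines one expects once the IPA
# servers are in ipa.example.com rather than example.com.
FIXED_CONF = POSTER_CONF.replace(
    "[domain_realm]\n",
    "[domain_realm]\n .ipa.example.com = IPA.EXAMPLE.COM\n"
    " ipa.example.com = IPA.EXAMPLE.COM\n",
)


def parse_krb5(text):
    """Return ({domain: realm}, {client_realm: {server_realm: [hops]}})."""
    domain_realm, capaths = {}, {}
    section, block = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = m.group(1), None
            continue
        if line == "}":
            block = None
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*(\S+)", line)
        if not m:
            raise ValueError(f"cannot parse: {raw!r}")
        key, value = m.groups()
        if section == "domain_realm":
            domain_realm[key.lower()] = value
        elif section == "capaths":
            if value == "{":
                block = capaths.setdefault(key, {})
            elif block is not None:
                # a repeated key lists several intermediate realms in order
                block.setdefault(key, []).append(value)
    return domain_realm, capaths


def realm_for_host(host, domain_realm, default_realm):
    """Most specific [domain_realm] match: exact host first, then parent
    domains written with a leading dot; otherwise default_realm (assumed)."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return default_realm


def krbtgt_chain(client_realm, server_realm, capaths):
    """krbtgt principals requested, in order, to reach server_realm.
    A hop of '.' or of either endpoint realm is treated as a direct
    cross-realm ticket (simplification of the real capaths walk)."""
    if client_realm == server_realm:
        return []
    hops = capaths.get(client_realm, {}).get(server_realm, [])
    hops = [h for h in hops if h not in (".", client_realm, server_realm)]
    chain = [client_realm] + hops + [server_realm]
    return [f"krbtgt/{chain[i + 1]}@{chain[i]}" for i in range(len(chain) - 1)]


def ldap_bind_plan(ds_host, client_realm, conf_text):
    """Service principal and ticket chain a bind to ldap/<ds_host> needs."""
    domain_realm, capaths = parse_krb5(conf_text)
    server_realm = realm_for_host(ds_host, domain_realm, client_realm)
    return {
        "service": f"ldap/{ds_host}@{server_realm}",
        "tickets": krbtgt_chain(client_realm, server_realm, capaths),
    }


if __name__ == "__main__":
    for label, conf, host in (
        ("servers in example.com", POSTER_CONF, "host-ipa.example.com"),
        ("servers in ipa.example.com", FIXED_CONF, "host-ipa.ipa.example.com"),
    ):
        plan = ldap_bind_plan(host, "IPA.EXAMPLE.COM", conf)
        print(f"{label}: {plan['service']} via {plan['tickets'] or 'no cross-realm'}")
```

With the poster's mapping, a bind to host-ipa.example.com targets ldap/host-ipa.example.com@EXAMPLE.COM and the first ticket the client asks its own (IPA) KDC for is krbtgt/EXAMPLE.COM@IPA.EXAMPLE.COM, the exact principal the log reports as missing. With the servers under ipa.example.com and that domain mapped to IPA.EXAMPLE.COM, the service realm is the client's own and no cross-realm ticket is requested at all; note that merely renaming the host without the .ipa.example.com mapping still falls through to the .example.com entry.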
Dear Alexander,
thank you for your speedy reply and for clarifying this !
Best regards,
Thomas