On Wed, 15 Mar 2023, None via FreeIPA-users wrote:
Hi!
I am experiencing strange behaviour with a host which is added to an
IPA instance. The IPA instance is working as it should and I can't see
any problems there. There is a Trust established to an AD domain.
The AD domain is in the form of example.com whereas the IPA domain is
ipa.example.com. However, the domain names of the hosts are
host-ipa.example.com and client-ipa.example.com (and not
host-ipa.ipa.example.com). As already said this works fine for the IPA
server itself but for the client I am experiencing weird behaviour.
This is not supported and will never be supported. Please understand
that this breaks fundamental requirements Active Directory-compatible
implementations have with regards to Kerberos setup with dynamic DNS
discovery.
I can add the client to the IPA domain by joining via the ipaclient-install
script and logging on works during the first minutes, but after some
time a login via ssh public key is not possible anymore. When I look
into the log files I can see that a connection to the directory server
fails with the error message "Extended failure message: [SASL(-1):
generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (Server krbtgt/EXAMPLE.COM@IPA.EXAMPLE.COM not
found in Kerberos database)]" which seems to be the root cause of my
problem as it should be krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM to my
knowledge.
Yep. Do not run IPA servers as a part of the example.com DNS domain.
I already tried a hint from this thread
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
which says to check the domain_realm mapping in /etc/krb5.conf (due to
includes, the [domain_realm] section resides in
/var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_example_com) and
indeed the mapping looks wrong to me:
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[capaths]
EXAMPLE.COM = {
IPA.EXAMPLE.COM = EXAMPLE.COM
}
IPA.EXAMPLE.COM = {
EXAMPLE.COM = EXAMPLE.COM
}
I believe this should look like:
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[capaths]
EXAMPLE.COM = {
IPA.EXAMPLE.COM = IPA.EXAMPLE.COM
}
IPA.EXAMPLE.COM = {
EXAMPLE.COM = EXAMPLE.COM
}
But changing the file does not help as after restarting sssd the file
is overwritten again with the former version.
Any hints are greatly appreciated!
https://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
describes all the technical details.
Move IPA servers out of the example.com DNS domain into their own
ipa.example.com DNS domain, then use the suggested configuration from the
page to configure your clients. The rest is not supported.
(the domain names are redacted to protect the innocent ;-) )
Best regards,
Thomas
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
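An added example, not code from the thread nor from FreeIPA or SSSD, that models the [domain_realm] lookup behind the symptom Thomas describes: with the rules quoted above, a client requesting a service ticket for host-ipa.example.com resolves the realm to EXAMPLE.COM (the AD realm), whereas an explicit per-host entry (hypothetical, constructed here) resolves it to IPA.EXAMPLE.COM. The lookup order is a simplified model of MIT krb5 behaviour (no DNS TXT lookup, no realm_try_domains), and both configs are constructed samples.

```python
# Constructed sample: the [domain_realm] rules quoted in the thread.
THREAD_RULES = """
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""

# Same rules plus hypothetical explicit per-host entries for the IPA hosts.
EXPLICIT_RULES = THREAD_RULES + """
 host-ipa.example.com = IPA.EXAMPLE.COM
 client-ipa.example.com = IPA.EXAMPLE.COM
"""

def parse_domain_realm(text):
    """Return {name: REALM} from the [domain_realm] section of krb5.conf-like text."""
    rules, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == "[domain_realm]"
        elif in_section and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            rules[name.lower()] = realm.upper()
    return rules

def host_realm(hostname, rules):
    """Most-specific rule wins (simplified MIT krb5 order, no DNS lookup): exact
    host, then each parent domain with and without a leading dot.
    Fallback is the upper-cased parent domain with rule None."""
    labels = hostname.lower().split(".")
    candidates = [hostname.lower()]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        candidates += ["." + parent, parent]
    for cand in candidates:
        if cand in rules:
            return rules[cand], cand
    return ".".join(labels[1:]).upper(), None

def service_principal(service, hostname, rules):
    """Principal the client would request a ticket for, e.g. ldap/host@REALM."""
    return f"{service}/{hostname}@{host_realm(hostname, rules)[0]}"

if __name__ == "__main__":
    for label, text in (("thread", THREAD_RULES), ("explicit", EXPLICIT_RULES)):
        rules = parse_domain_realm(text)
        for host in ("host-ipa.example.com", "client-ipa.example.com"):
            print(label, service_principal("ldap", host, rules), host_realm(host, rules)[1])
```

Running it shows the "thread" rules sending the LDAP ticket request for host-ipa.example.com to EXAMPLE.COM, which is the kind of mismatch to look for in the generated domain_realm include file before touching [capaths].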