Hello all,
In an IdM + AD trust setup, has anyone ever had the need to restrict IPA client logins to a specific Active Directory server when using their AD credentials?
The problem I am having is that one of my clients has an AD cluster and some of the KDC servers in that cluster have clocks that are not synchronized. Whenever someone tries to log in using their AD account, if they hit an unsynchronized server they get the "kinit: clock skew too great ..." error.
Since we don't control the AD server and since they refused to fix their time sync issues, I have been trying to restrict AD logins to a specific KDC server, but have been unable to do it. I have tried to edit the sssd.conf and krb5.conf configuration files, but nothing seems to work.
Any suggestions?
Thanks, Jean Figarella
Jean Figarella via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
> Hello all,
> In an IdM + AD trust setup, has anyone ever had the need to restrict IPA client logins to a specific Active Directory server when using their AD credentials?
> The problem I am having is that one of my clients has an AD cluster and some of the KDC servers in that cluster have clocks that are not synchronized. Whenever someone tries to log in using their AD account, if they hit an unsynchronized server they get the "kinit: clock skew too great ..." error.
> Since we don't control the AD server and since they refused to fix their time sync issues, I have been trying to restrict AD logins to a specific KDC server, but have been unable to do it. I have tried to edit the sssd.conf and krb5.conf configuration files, but nothing seems to work.
What do the Windows-AD users do? Same problem?
One possibility might be to edit the `clockskew` variable in libdefaults of krb5.conf. I usually recommend against this because it makes things more confusing, but it may help.
In this case, I believe SSSD is providing the AD addresses, which will be used in preference to any `kdc = ...` lines in krb5.conf. Perhaps one of the SSSD folk can comment on the problem you're having?
Thanks, --Robbie
On Tue, 02 Jul 2019, Robbie Harwood via FreeIPA-users wrote:
> What do the Windows-AD users do? Same problem?
> One possibility might be to edit the `clockskew` variable in libdefaults of krb5.conf. I usually recommend against this because it makes things more confusing, but it may help.
> In this case, I believe SSSD is providing the AD addresses, which will be used in preference to any `kdc = ...` lines in krb5.conf. Perhaps one of the SSSD folk can comment on the problem you're having?
Site/server pinning can be used for this purpose. See https://docs.pagure.org/SSSD.sssd/design_pages/subdomain_configuration.html for more details. The drawback is that these settings have to be applied on every client, because authentication happens directly against the AD DCs.
An alternative would be to change the configuration on the clients so that the AD realm is overridden in krb5.conf to point to a KDCProxy running on the IPA masters, and then use a special configuration on the IPA masters for the AD realm so that it only talks to KDCs that you trust.
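The two approaches above, written out as configuration fragments. This is an added illustration, not configuration posted in the thread; the domain, realm, host names and the kdcproxy.conf realm section are placeholders and assumptions.

```ini
# Option 1: pin the trusted AD subdomain to a chosen DC (or site) in
# /etc/sssd/sssd.conf on each IPA client. The section name is
# [domain/<IPA domain>/<AD domain>]; both names below are placeholders.
[domain/ipa.example.test/ad.example.test]
ad_server = dc1.ad.example.test
# Alternatively, pin a whole AD site whose DCs are known to keep good time:
# ad_site = TrustedSite

# Option 2: on each IPA client, override the AD realm in /etc/krb5.conf so that
# Kerberos traffic for it goes through the KDC proxy on an IPA master
# (MIT krb5 accepts https:// KDC URIs for the MS-KKDCP proxy protocol).
[realms]
 AD.EXAMPLE.TEST = {
  kdc = https://ipa1.ipa.example.test/KdcProxy
 }

# Then restrict, on the IPA master, which AD KDCs the proxy forwards to.
# Assumed location and layout: a per-realm section in
# /etc/ipa/kdcproxy/kdcproxy.conf as read by python-kdcproxy.
[AD.EXAMPLE.TEST]
kerberos = kerberos://dc1.ad.example.test:88
```

With option 2, verify on a client which KDC actually answers, since the SSSD Kerberos locator plugin hands out AD DC addresses ahead of the `kdc =` line (as noted earlier in the thread); the sssd_krb5_locator_plugin man page describes how to disable it.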