On Wed, Jul 27, 2016 at 03:12:47PM +0000, Joakim Tjernlund wrote:
On Wed, 2016-07-27 at 16:16 +0200, Petr Spacek wrote:
> On 27.7.2016 15:55, Joakim Tjernlund wrote:
> > We are migrating to a new AD domain and I got cross domain trust problems (there is a bidirectional
> > cross trust between the two ADs; how can I test this works from Linux?). All users in domain A
> > have been copied to domain B (using the same UID/GID as in domain A).
> > I have managed to configure sssd for both domains (let's call the old domain A and the new B),
> > joined to both domains and I can login using any of the 2 domains.
> > But here is the problem:
> > If I use the new domain (B) as default login domain, I cannot ssh to another system still in domain A
> > passwordless (without entering my password again) or access files on NFS mounted filesystems exported from
> > domain A.
> > I know very little about cross trust etc. so I want to ask:
> > 1) Is this even possible?
> > 2) I have no idea where to start looking for what went wrong, need som
> > We are using sssd 1.13.4 on the new domain B machines while servers
> > in domain A use an older sssd (1.12.5)
> The first step is to verify that system joined to domain B can get keys for
> domain A.
> Log in to a system joined to domain B as some user from domain B. Then run
> this command:
> $ kvno host/<hostname of a system joined to a system in domain A>
> It should print some number. If it prints an error use command
> $ KRB5_TRACE=/dev/stdout kvno host/<the same hostname>
> and see what went wrong. It would indicate a problem on Kerberos level.
This works for both myhost@A and myhost@B so I guess all is good.
> If this works, look at the target system (joined to domain A) and see its logs.
> If you want to treat user1@domainA and user2@domainB as equal you might need
> to tweak Kerberos mapping from principals to local users, see
> and edit krb5.conf to suit your needs.
In server@A or newhost@B ?
One thing that works though is ssh from server@A to newhost@B (no passwd needed), but
ssh from newhost@B to server@A fails (asks for passwd).
I guess this could be because newhost@B is joined to both domains and sssd is configured
I'm not great at debugging these failures either, but normally I start
by increasing the SSHD (not SSSD) debug level and looking at what
failures I get from SSHD.
Off the bat, I would also check what the domain-realm mappings in
/etc/krb5.conf look like; maybe the system has them configured only for
one domain, since one domain works?
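One way to do that last check, as an added example that is not part of the thread: a small POSIX shell script that reads the [domain_realm] section of a krb5.conf and reports which hosts would get no realm mapping. The domain and realm names (a.example.com / A.EXAMPLE.COM, b.example.com / B.EXAMPLE.COM) and the host names are hypothetical placeholders for the thread's domains A and B.

```shell
#!/bin/sh
# Added example, not from the thread: check that the [domain_realm] section of a
# krb5.conf maps hosts from BOTH AD domains. Domain/realm names are hypothetical.

# Print the realm krb5 would pick for HOST ($2) from [domain_realm] in FILE ($1):
# an exact hostname entry wins, otherwise the longest matching ".suffix" entry.
# Prints nothing when no entry matches.
realm_for_host() {
  awk -v host="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[domain_realm\]/); next }
    insec && !/^[ \t]*[#;]/ && /=/ {
      split($0, kv, "=")
      gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
      key = tolower(kv[1]); val = kv[2]
      if (key == host) exact = val
      else if (substr(key, 1, 1) == "." && length(key) < length(host) &&
               substr(host, length(host) - length(key) + 1) == key &&
               length(key) > best) { best = length(key); realm = val }
    }
    END { print (exact != "" ? exact : realm) }
  ' "$1"
}

# Report the mapping for each host after FILE; return 1 if any host has none.
check_mappings() {
  file=$1; shift; rc=0
  for h in "$@"; do
    r=$(realm_for_host "$file" "$h")
    if [ -z "$r" ]; then echo "NO MAPPING: $h"; rc=1; else echo "$h -> $r"; fi
  done
  return $rc
}

# Constructed configs: one mapping only the new domain B, one mapping both domains.
ONLY_B_CONF='[domain_realm]
 .b.example.com = B.EXAMPLE.COM
 b.example.com = B.EXAMPLE.COM'
BOTH_CONF="$ONLY_B_CONF
 .a.example.com = A.EXAMPLE.COM
 a.example.com = A.EXAMPLE.COM"

tmp=$(mktemp)
printf '%s\n' "$ONLY_B_CONF" > "$tmp"
check_mappings "$tmp" newhost.b.example.com server.a.example.com || echo "-> add domain A to [domain_realm]"
printf '%s\n' "$BOTH_CONF" > "$tmp"
check_mappings "$tmp" newhost.b.example.com server.a.example.com
rm -f "$tmp"
```

Run it against the real /etc/krb5.conf with the actual host names from both domains; a host reported as NO MAPPING falls back to krb5's default realm guessing, which is worth ruling out before digging into sshd logs.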