>On 2022-12-14 14:48, Alexander Bokovoy via FreeIPA-users wrote:
>>On Wed, 14 Dec 2022, Carlos Mogas da Silva wrote:
>>># egrep -v "^\s*#|^$" /var/lib/sss/pubconf/krb5.include.d/*
>>>/var/lib/sss/pubconf/krb5.include.d/domain_realm_int_r3pek_org:[domain_realm]
>>>/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults:[libdefaults]
>>>/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults: canonicalize = true
>>>/var/lib/sss/pubconf/krb5.include.d/localauth_plugin:[plugins]
>>>/var/lib/sss/pubconf/krb5.include.d/localauth_plugin: localauth = {
>>>/var/lib/sss/pubconf/krb5.include.d/localauth_plugin: module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
>>>/var/lib/sss/pubconf/krb5.include.d/localauth_plugin: }
>>>
>>>While also testing some stuff out, if I force the IP address of the
>>>mail01.r3pek.org server to be the internal one, the auth works. Am I
>>>missing something or is this normal?
>>
>>You have canonicalization set to true, this is default configuration in
>>IPA, so krb5 will do 'mail01.int.r3pek.org' -> IP address -> hostname
>>transformation. This means whatever hostname is obtained afterwards is
>>used then. If it is mail01.r3pek.org, then the Kerberos realm of the
>>r3pek.org domain would be used. Is it R3PEK.ORG or INT.R3PEK.ORG? It can
>>be changed via the _kerberos TXT record.
>
>Well, the external domain is mail01.r3pek.org, which has the public
>IPs. The REALM and the internal domains are INT.R3PEK.ORG. Email
>domains are @r3pek.org

, you mean. Just add
TXT "INT.R3PEK.ORG"
TXT record to your public domain. You would also need to add
{smtp,imap}/mail01.r3pek.org as a principal alias to
{smtp,imap}/mail01.int.r3pek.org to make it use the same Kerberos
principal entry.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
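The chain discussed in this thread (canonicalization turning the public name into the name the client actually uses, realm selection from [domain_realm] and _kerberos TXT records, and the KDC needing a principal alias for the public name), modelled as an added example that is not part of the thread or of FreeIPA/krb5 code. The IP addresses, DNS records, alias table and uppercase-domain fallback are constructed assumptions; the lookup order is a simplified version of MIT krb5's.

```python
# Added example, not from the thread: a simplified model of how a krb5 client
# with canonicalize = true decides which service principal to ask the KDC for,
# and why a _kerberos TXT record plus a principal alias fixes the public-name
# case. All records are constructed; the uppercase fallback is an assumption.

DNS = {  # constructed forward (A), reverse (PTR) and TXT records
    "A": {"mail01.int.r3pek.org": "10.0.0.25", "mail01.r3pek.org": "203.0.113.25"},
    "PTR": {"10.0.0.25": "mail01.int.r3pek.org", "203.0.113.25": "mail01.r3pek.org"},
    "TXT": {},
}
DOMAIN_REALM = {"int.r3pek.org": "INT.R3PEK.ORG"}  # as IPA configures the client
KDC_PRINCIPALS = {"imap/mail01.int.r3pek.org@INT.R3PEK.ORG": set()}  # name -> aliases

def canonicalize(hostname, dns, force_ip=None):
    """canonicalize = true: hostname -> IP -> PTR -> the name actually used."""
    ip = force_ip or dns["A"][hostname]
    return dns["PTR"].get(ip, hostname)

def parent_domains(hostname):
    labels = hostname.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def realm_for_host(hostname, dns, domain_realm):
    """[domain_realm] entries win; otherwise the first _kerberos TXT walking up."""
    candidates = parent_domains(hostname)
    for d in candidates:
        if d in domain_realm:
            return domain_realm[d]
    for d in candidates:
        if "_kerberos." + d in dns["TXT"]:
            return dns["TXT"]["_kerberos." + d]
    return candidates[1].upper()  # assumed fallback: uppercase of the host's domain

def diagnose(proto, hostname, dns, domain_realm, kdc, force_ip=None):
    """Return (principal the client requests, whether the KDC can serve it)."""
    host = canonicalize(hostname, dns, force_ip)
    principal = f"{proto}/{host}@{realm_for_host(host, dns, domain_realm)}"
    return principal, (principal in kdc or any(principal in a for a in kdc.values()))

def apply_fix(dns, kdc):
    """The thread's fix as new tables: _kerberos TXT on r3pek.org + principal alias."""
    fixed_dns = {**dns, "TXT": {**dns["TXT"], "_kerberos.r3pek.org": "INT.R3PEK.ORG"}}
    fixed_kdc = {**kdc, "imap/mail01.int.r3pek.org@INT.R3PEK.ORG": {"imap/mail01.r3pek.org@INT.R3PEK.ORG"}}
    return fixed_dns, fixed_kdc
```

With the public address the client ends up requesting imap/mail01.r3pek.org@R3PEK.ORG, which the KDC does not hold; forcing the internal IP or applying the fix both yield a principal the KDC knows.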