On 2022-12-14 14:34, Alexander Bokovoy via FreeIPA-users wrote:
> Thanks. I also asked for krb5 configuration: /etc/krb5.conf and files
> included from it, I think they are in /etc/krb5.conf.d and
> /var/lib/sss/pubconf/krb5.include.d
> You can see a full list of the directories with
> grep includedir /etc/krb5.conf
# egrep -v "^\s*#|^$" /etc/krb5.conf.d/*
/etc/krb5.conf.d/crypto-policies:[libdefaults]
/etc/krb5.conf.d/crypto-policies:permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96
/etc/krb5.conf.d/enable_sssd_conf_dir:includedir /var/lib/sss/pubconf/krb5.include.d/
/etc/krb5.conf.d/freeipa:[libdefaults]
/etc/krb5.conf.d/freeipa: spake_preauth_groups = edwards25519
/etc/krb5.conf.d/kcm_default_ccache:[libdefaults]
/etc/krb5.conf.d/kcm_default_ccache: default_ccache_name = KCM:
/etc/krb5.conf.d/sssd_enable_idp:[plugins]
/etc/krb5.conf.d/sssd_enable_idp: clpreauth = {
/etc/krb5.conf.d/sssd_enable_idp: module = idp:/usr/lib64/sssd/modules/sssd_krb5_idp_plugin.so
/etc/krb5.conf.d/sssd_enable_idp: }
/etc/krb5.conf.d/sssd_enable_idp: kdcpreauth = {
/etc/krb5.conf.d/sssd_enable_idp: module = idp:/usr/lib64/sssd/modules/sssd_krb5_idp_plugin.so
/etc/krb5.conf.d/sssd_enable_idp: }
# egrep -v "^\s*#|^$" /var/lib/sss/pubconf/krb5.include.d/*
/var/lib/sss/pubconf/krb5.include.d/domain_realm_int_r3pek_org:[domain_realm]
/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults:[libdefaults]
/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults: canonicalize = true
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin:[plugins]
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin: localauth = {
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin: module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin: }
While also testing some stuff out, if I force the IP address of the
mail01.r3pek.org server to be the internal one, the auth works. Am I
missing something or is this normal?