On 2022-12-14 14:48, Alexander Bokovoy via FreeIPA-users wrote:
> On Wed, 14 Dec 2022, Carlos Mogas da Silva wrote:
> > # egrep -v "^\s*#|^$" /var/lib/sss/pubconf/krb5.include.d/*
> > /var/lib/sss/pubconf/krb5.include.d/domain_realm_int_r3pek_org:[domain_realm]
> > /var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults:[libdefaults]
> > /var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults: canonicalize = true
> > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin:[plugins]
> > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin: localauth = {
> > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin: module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
> > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin: }
> >
> > While also testing some stuff out, if I force the IP address of the
> > mail01.r3pek.org server to be the internal one, the auth works. Am I
> > missing something or is this normal?
>
> You have canonicalization set to true, this is default configuration in
> IPA, so krb5 will do 'mail01.int.r3pek.org' -> IP address -> hostname
> transformation. This means whatever hostname is obtained afterwards is
> used then. If it is mail01.r3pek.org, then Kerberos realm of r3pek.org
> domain would be used. Is it R3PEK.ORG or INT.R3PEK.ORG? It can be
> changed via _kerberos TXT record.
Well, the external domain is mail01.r3pek.org, which has the public IPs.
The REALM and the internal domains are INT.R3PEK.ORG. Email domains are
@r3pek.org
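As an added worked example (not code from this thread, nor from FreeIPA or sssd), the Python below models the hostname -> IP address -> hostname step Alexander describes and the [domain_realm] lookup krb5 performs on the resulting name, so it shows why pinning mail01.r3pek.org to its internal address changes the realm that is chosen. The DNS entries, the IP addresses and the extra `.r3pek.org` mapping are constructed assumptions.

```python
# Added example, not code from the thread or from FreeIPA/sssd: a model of
# how MIT krb5 turns a host name into a realm after the canonicalization
# Alexander describes (name -> IP -> name), then the [domain_realm] lookup.
# All DNS data and mappings below are constructed for illustration.

# Constructed forward and reverse DNS, mirroring the thread: the public name
# and the internal name of the mail host resolve to different addresses.
FORWARD_DNS = {
    "mail01.r3pek.org": "203.0.113.10",     # public IP (documentation range)
    "mail01.int.r3pek.org": "192.0.2.10",   # internal IP (documentation range)
}
REVERSE_DNS = {
    "203.0.113.10": "mail01.r3pek.org",
    "192.0.2.10": "mail01.int.r3pek.org",
}

# [domain_realm] as sssd generates it for the IPA domain: only the internal
# domain is mapped. A key with a leading dot covers every host below it.
DOMAIN_REALM = {".int.r3pek.org": "INT.R3PEK.ORG"}


def canonicalize(host, forward=FORWARD_DNS, reverse=REVERSE_DNS, force_ip=None):
    """Name -> IP -> name round trip; force_ip models the thread's experiment
    of pinning the host to its internal address."""
    ip = force_ip or forward.get(host)
    return reverse.get(ip, host) if ip else host


def host_to_realm(host, domain_realm=DOMAIN_REALM, default_realm=None):
    """[domain_realm] lookup order: exact host name, then each parent domain
    with a leading dot (most specific first), then default_realm, else None.
    Real krb5 can also consult _kerberos TXT records when configured."""
    host = host.rstrip(".").lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return default_realm


def realm_for(host, force_ip=None, domain_realm=DOMAIN_REALM):
    """Realm selected for `host` after canonicalization and mapping."""
    return host_to_realm(canonicalize(host, force_ip=force_ip), domain_realm)
```

With the public address, mail01.r3pek.org falls outside the only mapped domain and no realm is found; forcing the internal address yields mail01.int.r3pek.org and therefore INT.R3PEK.ORG, and adding a `.r3pek.org` mapping (or the equivalent _kerberos TXT record) gives the same result without pinning the address.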