On Fri, Jul 12, 2019 at 12:03:42PM +0100, lejeczek via FreeIPA-users wrote:
On 11/07/2019 14:03, Simo Sorce wrote:
> On Thu, 2019-07-11 at 12:09 +0100, lejeczek via FreeIPA-users wrote:
>> hi guys
>>
>> I've been having my IPA deployment trusting AD for a while now and it's
>> been behaving pretty good I must say, except for one thing - kerberos,
>> in some places at least.
>>
>> What I've needed really, or mainly that trust for, was ssh with gssapi
>> and that is what I'd like to ask about - interaction between IPA and AD
>> when it comes to kerberos - my AD win-clients sometimes would have
>> tickets and be able to ssh with gssapi, some other time it would not
>> work and ssh would ask for passwords.
>>
>> I cannot really spot any pattern there and I hope some expert could
>> decipher this for me and help to understand what and why that happens.
>>
>> many thanks, L.
> Generally there are two main cases:
>
> 1) your IPA host lives in a domain that is actually owned by AD, AD
> will never return a cross-realm ticket and direct their clients to the
> IPA KDC for domains it owns, so the clients will get back an error when
> trying to obtain a ticket for those hosts and fall back to password
> authentication.
>
> 2) You are using a non-qualified hostname or an alias (CNAME) that is
> not registered in the IPA KDC as an alias for the host you want to
> reach. This causes the client to be unable to obtain a ticket for the
> target machine falling back to password authentication.
>
> Additional DNS resolution failure may cause these issues too.
>
> Simo.
>
In my setup it's: ipa.ad.domain.local <= one way trust <- ad.domain.local
but hostnames not as depicted above, are FQDN.
And I had gssapi working, very fine without problems but after a couple
of weeks and few reboots no gssapi anymore for putty. Nothing has
changed that I'm aware of, dns lookups/digs still resolve usual stuff -
is there anything kerberos-specific that I should dns-dig?
Only thing that changed was network configuration, slightly. Both IPA &
AD nodes had ifaces which connected to two subnets, where each subnet
was meant to be dedicated to one domain but still ifaces to both subnets
existed on involved nodes. Now AD & IPA are on separate subnets and
communicate via a gateway/router.
Hi,
is there a firewall? If yes, are all relevant ports (LDAP, Kerberos,
DNS, AD services like ports 137, 138, 139, 445, ...) open in both
directions for UDP and TCP?
Please check with 'klist.exe' on the Windows client after trying to log
in with putty and GSSAPI what tickets you got besides your TGT. Is there
a ticket for the IPA host? Is there a cross-realm ticket from the AD to
the IPA realm?
bye,
Sumit
many thanks, L
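A PowerShell diagnostic that walks through Sumit's checks from the Windows client, added here as an example and not part of the thread. The realm, IPA server and target host names are assumptions modelled on lejeczek's ipa.ad.domain.local / ad.domain.local setup; the ports follow Sumit's list (TCP only, since Test-NetConnection cannot probe UDP).

```powershell
# Assumed names (not from the thread): adjust to your deployment.
$IpaRealm   = 'IPA.AD.DOMAIN.LOCAL'
$AdRealm    = 'AD.DOMAIN.LOCAL'
$IpaServer  = 'ipa1.ipa.ad.domain.local'   # an IPA KDC
$TargetHost = 'host1.ipa.ad.domain.local'  # host putty connects to, FQDN as enrolled in IPA

# 1. Can this client locate the IPA KDC? Without a ksetup mapping, Windows looks up the
#    _kerberos._tcp SRV record of the trusted realm's DNS domain before sending the
#    cross-realm TGT anywhere. This is the "kerberos-specific" DNS record worth digging.
$srv = Resolve-DnsName -Name "_kerberos._tcp.$($IpaRealm.ToLower())" -Type SRV -ErrorAction SilentlyContinue
if ($srv) {
    $srv | Where-Object Type -eq 'SRV' | ForEach-Object { "KDC SRV: $($_.NameTarget):$($_.Port)" }
} else {
    "FAIL: no _kerberos._tcp SRV record for $IpaRealm (DNS resolution case from Simo's reply)"
}

# 2. Are the IPA ports reachable from this subnet now that AD and IPA sit behind a router?
#    UDP 88 and UDP 53 must be verified on the gateway separately.
foreach ($port in 88, 464, 389, 53) {
    $r = Test-NetConnection -ComputerName $IpaServer -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    "{0}:{1} TCP {2}" -f $IpaServer, $port, $state
}

# 3. After a putty GSSAPI attempt, inspect the ticket cache. A working trust shows a
#    cross-realm TGT krbtgt/IPA_REALM@AD_REALM and a host/<fqdn>@IPA_REALM service ticket;
#    Windows klist prints the principal as "krbtgt/REALM @ REALM", hence the \s*@\s*.
$klist      = klist.exe 2>&1 | Out-String
$crossRealm = [regex]::Escape("krbtgt/$IpaRealm") + '\s*@\s*' + [regex]::Escape($AdRealm)
$hostTicket = [regex]::Escape("host/$TargetHost") + '\s*@\s*' + [regex]::Escape($IpaRealm)
if ($klist -match $crossRealm) { "OK: cross-realm TGT for $IpaRealm present" }
else { "FAIL: no cross-realm TGT; AD did not refer this client to the IPA realm (Simo's case 1)" }
if ($klist -match $hostTicket) { "OK: service ticket for host/$TargetHost present" }
else { "FAIL: no host/$TargetHost ticket; check the name putty uses is the FQDN known to the IPA KDC (Simo's case 2) and that port 88 above is open" }
```

Run it in the same user session that putty uses, immediately after a failed GSSAPI login, so the cache it reads is the one putty tried.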
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...