Hello all, sorry if this question has already been discussed several times; nevertheless, I am stuck with setting up a trust between FreeIPA and AD. To be more precise, the one-way trust is set up and I can log in to the FreeIPA server with AD credentials. I also have a bunch of servers with ipa-client configured, and I am able to log in to them with FreeIPA accounts, but not with AD ones.
1) Did I understand correctly that the clients should "somehow" authenticate to AD via FreeIPA? Or do they need to contact AD directly?
2) If the clients should be configured to talk to AD, which configuration is needed?
3) The way I am trying to log in is as follows:
ssh -v -l ad_user@ad_domain hostname
4) In the logs I have such errors during authentication:
```
sshd[11294]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.45.33.1 user=ad_user@ad_domain
sshd[11294]: pam_sss(sshd:auth): received for user ad_user@ad_domain: 6 (Permission denied)
sshd[11290]: error: PAM: Authentication failure for ad_user@ad_domain from 10.45.33.1
sshd[11290]: Connection closed by authenticating user user_ad@ad_domain 10.45.33.1 port 40108 [preauth]
```
Thanks in advance!
On Tue, Nov 10, 2020 at 03:56:48PM -0000, kotelnikova9314--- via FreeIPA-users wrote:
Hello all, sorry if this question has already been discussed several times; nevertheless, I am stuck with setting up a trust between FreeIPA and AD. To be more precise, the one-way trust is set up and I can log in to the FreeIPA server with AD credentials. I also have a bunch of servers with ipa-client configured, and I am able to log in to them with FreeIPA accounts, but not with AD ones.
- Did I understand correctly that the clients should "somehow" authenticate to AD via FreeIPA? Or do they need to contact AD directly?
The client will get user and group information from the FreeIPA server but for authentication (Kerberos) they will talk with AD DCs directly.
- If the clients should be configured to talk to AD, which configuration is needed?
For a start no specific configuration is needed; ipa-client-install should set all needed options.
- The way I am trying to log in is as follows:
ssh -v -l ad_user@ad_domain hostname
- In the logs I have such errors during authentication:
```
sshd[11294]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.45.33.1 user=ad_user@ad_domain
sshd[11294]: pam_sss(sshd:auth): received for user ad_user@ad_domain: 6 (Permission denied)
sshd[11290]: error: PAM: Authentication failure for ad_user@ad_domain from 10.45.33.1
sshd[11290]: Connection closed by authenticating user user_ad@ad_domain 10.45.33.1 port 40108 [preauth]
```
Please add 'debug_level = 9' to the [pam] and [domain/...] sections in sssd.conf, restart SSSD, try to authenticate again and send the logs.
bye, Sumit
Thanks in advance!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
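The debugging step suggested in the reply above, done as a script. This is an added example, not code from the thread or from the SSSD project; the sssd.conf it works on is a constructed sample with placeholder domain, realm and host names, and the script only edits the text it is given.

```python
"""Added example, not code from the thread or from SSSD: apply the suggested
debugging step by setting `debug_level = 9` in the [pam] section and in every
[domain/...] section of sssd.conf, leaving other sections untouched.
sssd.conf is plain INI, so configparser suffices; optionxform is overridden so
option names keep their case.
"""
import configparser
import io
import os

# Constructed sample resembling an ipa-client-install result; domain, realm
# and host names are placeholders, not taken from a real system.
SAMPLE_SSSD_CONF = """\
[domain/ipa.domain.com]
id_provider = ipa
ipa_server = _srv_, ipaserver.ipa.domain.com
ipa_domain = ipa.domain.com
ipa_hostname = client1.ipa.domain.com
krb5_realm = IPA.DOMAIN.COM
cache_credentials = True
access_provider = ipa

[sssd]
services = nss, pam, ssh, sudo
domains = ipa.domain.com

[nss]
homedir_substring = /home

[pam]
"""


def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names as written
    cp.read_string(text)
    return cp


def enable_debug(text, level=9):
    """Return `text` with debug_level set in [pam] and all [domain/*] sections;
    a missing [pam] section is created so the PAM responder logs too."""
    cp = _load(text)
    targets = ['pam'] + [s for s in cp.sections() if s.startswith('domain/')]
    for sec in targets:
        if not cp.has_section(sec):
            cp.add_section(sec)
        cp.set(sec, 'debug_level', str(level))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def debug_levels(text):
    """Map each section to its debug_level (None when unset), for verification."""
    cp = _load(text)
    return {s: cp.get(s, 'debug_level', fallback=None) for s in cp.sections()}


def write_config(path, text):
    """Write the file root-readable only: SSSD checks that sssd.conf is 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # O_CREAT mode does not apply to an existing file


if __name__ == '__main__':
    new_conf = enable_debug(SAMPLE_SSSD_CONF)
    print(new_conf)
    print(debug_levels(new_conf))
    # On a real client: write_config('/etc/sssd/sssd.conf', new_conf)
```

After writing the result over /etc/sssd/sssd.conf (root-owned, mode 0600, as SSSD requires), restart with `systemctl restart sssd`, reproduce the login, and read /var/log/sssd/sssd_pam.log and /var/log/sssd/sssd_<domain>.log. Level 9 is very verbose, so lower it again once the logs have been collected.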
Hi Sumit,
thank you for the comprehensive answer.
On Tue, Nov 10, 2020 at 03:56:48PM -0000, kotelnikova9314--- via FreeIPA-users wrote:
The client will get user and group information from the FreeIPA server but for authentication (Kerberos) they will talk with AD DCs directly.
Ok, I see, thank you for the explanation.
For a start no specific configuration is needed, ipa-client-install should set all needed options.
Found my mistake. My clients were configured without the trust, thus krb5.conf had such a configuration in the [realms] section:
```
kdc = ipaserver.ipadomain.com:88
master_kdc = ipaserver.ipadomain.com:88
admin_server = ipaserver.ipadomain.com:749
kpasswd_server = ipaserver.ipadomain.com:464
default_domain = ipadomain.com
```
After re-installing the clients with ipa-client-install once the trust was established, these lines were removed and authentication for AD users succeeded.
Without reinstalling, defining the AD trust domain in the [realms] section also helped:
```
AD.DOMAIN = {
  kdc = ad-controlled.ad.domain:88
}
```
Please add 'debug_level = 9' to the [pam] and [domain/...] section in sssd.conf, restart SSSD, try to authenticate again and send the logs.
No need, I already found that the problem was in the SSSD cache; I had to wait a bit or remove the cache in order for the updated HBAC rules to be applied.
bye, Sumit
On Thu, Nov 19, 2020 at 01:01:41PM -0000, kotelnikova9314--- via FreeIPA-users wrote:
Hi Sumit,
thank you for the comprehensive answer.
Hi,
thanks for the feedback. I guess before running 'ipa-client-install' the option 'dns_lookup_kdc = True' was not set in krb5.conf. With this option libkrb5 would use DNS lookups to find suitable AD DCs.
bye, Sumit
Hi Sumit,
no, the option 'dns_lookup_kdc' was set to True.
Best regards, Nadiia
Hi Sumit,
I am also stuck with authentication of AD users against the IPA replica. The configuration in krb5.conf is as follows:
```
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = IPA.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 dns_canonicalize_hostname = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0

[realms]
 IPA.DOMAIN.COM = {
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
 }

[domain_realm]
 .ipa.domain.com = IPA.DOMAIN.COM
 ipa.domain.com = IPA.DOMAIN.COM
 host-1.ipa.domain.com = IPA.DOMAIN.COM
```
1. So in case the FreeIPA server is unavailable, it should fall back to another server, which is in the _kerberos._tcp.ipa.domain.com record. Authentication against the local domain via the IPA replica with such a configuration is successful. But the AD users cannot be authenticated.
The errors in journalctl:
```
pam_sss(sshd:auth): received for user user@ad.domain.com: 6 (Permission denied)
error: PAM: Authentication failure for user@ad.domain.com from 10.10.10.1
```
2. In /var/log/krb5kdc.log on the IPA replica there are no records regarding this connection.
3. When I disable DNS lookups (dns_lookup_kdc = false) and explicitly set the configuration of both domains in krb5.conf, authentication succeeds.
4. AD, IPA and the IPA replica all have the needed SRV records, but they all have the same weight and priority; could that be the problem?
5. Both IPA and the IPA replica are trust controllers and trust agents.
Should krb5.conf or sssd.conf have any specific options in order to authenticate AD users via the IPA replica when the IPA server is unavailable?
P.S. Should I open another thread for this question, or can we discuss it here?
With best regards, Nadiia
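The two krb5.conf situations in this thread (the pre-trust client with only the IPA realm pinned to static servers, later fixed by adding an AD realm block, and the replica-era config that relies entirely on dns_lookup_kdc) come down to one question: for a given realm, does libkrb5 have static `kdc` entries, or will it query the `_kerberos._tcp.<realm>` SRV records? The script below answers that from a krb5.conf text. It is an added example, not code from the thread, FreeIPA or MIT krb5; the sample configs are constructed from the fragments posted above, and the realm names IPADOMAIN.COM and AD.DOMAIN are assumed from the hostnames in them. It only models krb5.conf itself: it does not follow `includedir`, and on a real IPA client the SSSD Kerberos locator plugin can hand libkrb5 the KDC addresses SSSD already discovered before any DNS lookup happens.

```python
"""Added example, not code from the thread, FreeIPA or MIT krb5: a small
krb5.conf reader that reports how libkrb5 would locate a KDC for a realm.
MIT krb5 uses a realm's `kdc =` entries when present; only when the realm
lists none and dns_lookup_kdc is true (the default) does it query the DNS
SRV records _kerberos._tcp.<realm> and _kerberos._udp.<realm>.  includedir
lines are recorded but not read, so SSSD's pubconf additions are ignored.
"""
import re


def parse_krb5_conf(text):
    """Return ({section: {key: str | {subkey: [values]}}}, [include paths]).
    Values inside a NAME = { ... } block are lists because `kdc` may repeat."""
    conf, includes = {}, []
    section = sub = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith(('includedir ', 'include ')):
            includes.append(line.split(None, 1)[1])
        elif re.fullmatch(r'\[[^\]]+\]', line):
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
        elif section is None:
            pass  # stray text before the first section header
        elif line == '}':
            sub = None
        elif re.fullmatch(r'[^=\s]+\s*=\s*\{', line):
            sub = line.split('=', 1)[0].strip()
            conf[section].setdefault(sub, {})
        else:
            key, _, val = line.partition('=')
            key, val = key.strip(), val.strip()
            if sub is not None:
                conf[section][sub].setdefault(key, []).append(val)
            else:
                conf[section][key] = val
    return conf, includes


def realm_for_principal(principal):
    """Realm part of user@REALM, upper-cased as Kerberos realm names are."""
    return principal.rsplit('@', 1)[1].upper()


def kdc_lookup_plan(conf, realm):
    """How libkrb5 finds a KDC for `realm`: static list, DNS SRV, or nothing."""
    block = conf.get('realms', {}).get(realm, {})
    kdcs = block.get('kdc', []) if isinstance(block, dict) else []
    if kdcs:
        return {'source': 'static', 'kdcs': list(kdcs), 'srv': []}
    dns = conf.get('libdefaults', {}).get('dns_lookup_kdc', 'true')
    if str(dns).strip().lower() in ('true', 'yes', 'on', '1'):
        name = realm.lower()
        return {'source': 'dns', 'kdcs': [],
                'srv': [f'_kerberos._tcp.{name}', f'_kerberos._udp.{name}']}
    return {'source': 'none', 'kdcs': [], 'srv': []}


def report(conf_text, principals):
    """Map each login principal to the lookup plan its realm would get."""
    conf, _ = parse_krb5_conf(conf_text)
    return {p: kdc_lookup_plan(conf, realm_for_principal(p)) for p in principals}


# Constructed samples modelled on the configs quoted in the thread; the realm
# names IPADOMAIN.COM and AD.DOMAIN are assumed from the hostnames given there.
PRE_TRUST_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
 default_realm = IPADOMAIN.COM
 dns_lookup_kdc = true
[realms]
 IPADOMAIN.COM = {
  kdc = ipaserver.ipadomain.com:88
  admin_server = ipaserver.ipadomain.com:749
 }
"""
# The workaround from the thread: pin the AD realm as well, here with DNS off.
PINNED_CONF = PRE_TRUST_CONF.replace('dns_lookup_kdc = true',
                                     'dns_lookup_kdc = false') + """\
 AD.DOMAIN = {
  kdc = ad-controlled.ad.domain:88
 }
"""
# The replica-era config: the IPA realm block carries no kdc lines at all.
REPLICA_CONF = """\
[libdefaults]
 default_realm = IPA.DOMAIN.COM
 dns_lookup_kdc = true
[realms]
 IPA.DOMAIN.COM = {
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
 }
"""

if __name__ == '__main__':
    for label, text in (('pre-trust', PRE_TRUST_CONF), ('pinned', PINNED_CONF)):
        print(label, report(text, ['ipa_user@ipadomain.com', 'ad_user@ad.domain']))
    print('replica', report(REPLICA_CONF, ['user@ipa.domain.com', 'user@ad.domain.com']))
```

Two things the output makes visible: with dns_lookup_kdc = false and no block for the AD realm the plan is "none", which is exactly why both realms had to be written out explicitly in item 3 above; and equal priority and weight on the SRV records is the ordinary case (RFC 2782 then picks among them at random), so that alone does not explain a failure. Confirm on the client with `dig SRV _kerberos._tcp.<realm>` for both the IPA and the AD realm, and compare against the kdcinfo files SSSD writes under /var/lib/sss/pubconf/.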