I created a trust relationship between my IPA server and an Active Directory. From any machine connected to freeIPA, I can:
- sudo su - ADuser@ad.example.com
- id ADuser@ad.example.com (I get things like uid=167644279(ADuser@ad.example.com) gid=167644279(ADuser@ad.example.com) groups=167644279(ADuser@ad.example.com),167616854(groupXXX@ad.example.com), ....................
- getent passwd ADuser@ad.example.com
ADuser@ad.example.com:*:167644279:167644279:ADuser:/home/example.com/ADuser
The connection between IPA and AD looks fine.
Then I created:
- An external group, with my ADuser@ad.example.com user (external)
- A POSIX group, with my external group as a user group member
- An HBAC rule to allow the POSIX group to connect to a server
However, I can't ssh to this server with my AD account; I get this:
Sep 01 15:15:18 myServer.example.com systemd[1]: Starting SSSD Kerberos Cache Manager...
Sep 01 15:15:18 myServer.example.com systemd[1]: Started SSSD Kerberos Cache Manager.
Sep 01 15:15:18 myServer.example.com sssd[kcm][1730]: Starting up
Sep 01 15:15:18 myServer.example.com [sssd[krb5_child[1727]]][1727]: Cannot find KDC for realm "EXAMPLE.COM"
Sep 01 15:15:18 myServer.example.com [sssd[krb5_child[1727]]][1727]: Cannot find KDC for realm "EXAMPLE.COM"
Sep 01 15:15:18 myServer.example.com [sssd[krb5_child[1731]]][1731]: Cannot find KDC for realm "EXAMPLE.COM"
Sep 01 15:15:18 myServer.example.com [sssd[krb5_child[1731]]][1731]: Cannot find KDC for realm "EXAMPLE.COM"
Sep 01 15:15:18 myServer.example.com sshd[1723]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X user=ADuser@EXAMPLE.COM
Sep 01 15:15:18 myServer.example.com sshd[1723]: pam_sss(sshd:auth): received for user ADuser@EXAMPLE.COM: 6 (Permission denied)
Sep 01 15:15:20 myServer.example.com sshd[1723]: Failed password for ADuser@EXAMPLE.COM from X.X.X.X port 57320 ssh2
On Tue, Sep 01, 2020 at 01:17:43PM -0000, Christophe BERGER via FreeIPA-users wrote:
Hi,
You most probably have an additional domain suffix 'EXAMPLE.COM' defined in AD and use it with the User Principal Name of the AD users.
Does
ipa trust-find
show 'EXAMPLE.COM' in the 'UPN suffixes' line? If yes, then the automatic detection on the IPA clients might not work as expected. You can help the client by setting
krb5_use_enterprise_principal = True
manually in the [domain/...] section of sssd.conf on the client.
If 'EXAMPLE.COM' is not listed it would be good to know first which version of IPA you are using on the server.
bye, Sumit
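The two steps in Sumit's reply, as a small script: check whether a realm appears on the 'UPN suffixes' line of `ipa trust-find`, and if it does, set `krb5_use_enterprise_principal = True` in the client's [domain/...] section of sssd.conf without duplicating the option on repeated runs. This is an added example, not code from the thread or from the FreeIPA/SSSD projects. The `ipa trust-find` output and the sssd.conf below are constructed samples (the SID is made up), and the function names are mine; on a real client you would pipe the live `ipa trust-find` output into `realm_is_upn_suffix` and point `set_enterprise_principal` at /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes POSIX sh + awk.

# Constructed sample of `ipa trust-find` output; the SID is invented.
SAMPLE_TRUST_FIND='----------------
1 trust matched
----------------
  Realm name: ad.example.com
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-111-222-333
  Trust type: Active Directory domain
  UPN suffixes: example.com, corp.example.com
----------------------------
Number of entries returned 1
----------------------------'

# realm_is_upn_suffix REALM  (trust-find output on stdin)
# Exit 0 if REALM (case-insensitive) is listed on a "UPN suffixes:" line,
# 1 otherwise. Being the trusted domain's own realm name does not count.
realm_is_upn_suffix() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v want="$want" '
        /^[[:space:]]*UPN suffixes:/ {
            sub(/^[[:space:]]*UPN suffixes:[[:space:]]*/, "")
            n = split($0, parts, /[[:space:],]+/)
            for (i = 1; i <= n; i++)
                if (tolower(parts[i]) == want) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# set_enterprise_principal CONF SECTION
# Ensure exactly one "krb5_use_enterprise_principal = True" in [SECTION].
# The option is placed right after the section header; any older value of
# the option inside that section is dropped, so the call is idempotent.
# The file is overwritten in place so its mode (0600 for sssd.conf) is kept.
set_enterprise_principal() {
    conf=$1; section=$2
    tmp=$(mktemp)
    awk -v sec="[$section]" -v opt="krb5_use_enterprise_principal = True" '
        /^[[:space:]]*\[/ {                 # section header
            h = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", h)
            insec = (h == sec)
            print
            if (insec) { print opt; done = 1 }
            next
        }
        insec && /^[[:space:]]*krb5_use_enterprise_principal[[:space:]]*=/ { next }
        { print }
        END { if (!done) { print ""; print sec; print opt } }   # section absent: append it
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Constructed sssd.conf of an IPA client in domain example.com (sample, not real).
make_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ipa
ipa_domain = example.com

[nss]
homedir_substring = /home
EOF
}

# apply_if_upn_suffix REALM CONF SECTION
# Applies the sssd.conf change only when REALM really is a UPN suffix.
# Reads the constructed sample here; in production use: ipa trust-find | ...
apply_if_upn_suffix() {
    if printf '%s\n' "$SAMPLE_TRUST_FIND" | realm_is_upn_suffix "$1"; then
        set_enterprise_principal "$2" "$3"
        return 0
    fi
    return 1
}
```

After changing sssd.conf on a real client, restart sssd (`systemctl restart sssd`) so the new setting takes effect. The sample `UPN suffixes` line carries two comma-separated values to show that the check handles a list, not just the single suffix from the thread.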
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...