Hello,
On Tue, Feb 5, 2019 at 10:29 AM Jakub Hrozek <jhrozek@redhat.com> wrote:
> Now, everything is OK with the main domain, AFAIK, I can login, sudo
> based on groups, etc. But for the child domain, most work, I can id a
> user@child (that resolves the user and the groups associated), I can
> "su - user@child" from root, BUT I can not login with that user@child.
> Sanitized logs follow :
>
> It's hard to say from the trimmed log, but I assume this happens during
> the TGT validation phase? If yes, then you could work around that
> temporarily by setting:
> krb5_validate = false
> in the domain section, but please read the sssd-krb5 manual page to see
> what security implications this has.
I have tried that, and yes, it works. Though because of the security
implications I would rather set it up without it...
> Does it work to request this principal from the command line?
> kinit user@EXAMPLE.COM
I have tried that with my AD user, and yes, I receive no error and the return code is 0.
kvno RestrictedKrbHost/ubuntu@EXAMPLE.COM
kvno: Server not found in Kerberos database while getting credentials for RestrictedKrbHost/UBUNTU@EXAMPLE.COM
> Is the principal really lower-case and shortname? I would have expected
> either lower-case FQDN or an upper-case shortname..
root@ubuntu:~# kvno ubuntu
ubuntu@EXAMPLE.COM: kvno = 2
I am not sure precisely what to look for in the principals...
root@ubuntu:~# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 UBUNTU$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 UBUNTU$@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 UBUNTU$@EXAMPLE.COM (des3-cbc-sha1)
2 UBUNTU$@EXAMPLE.COM (arcfour-hmac)
2 UBUNTU$@EXAMPLE.COM (des-cbc-md5)
2 UBUNTU$@EXAMPLE.COM (des-cbc-crc)
2 host/UBUNTU@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 host/UBUNTU@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 host/UBUNTU@EXAMPLE.COM (des3-cbc-sha1)
2 host/UBUNTU@EXAMPLE.COM (arcfour-hmac)
2 host/UBUNTU@EXAMPLE.COM (des-cbc-md5)
2 host/UBUNTU@EXAMPLE.COM (des-cbc-crc)
2 host/ubuntu@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 host/ubuntu@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 host/ubuntu@EXAMPLE.COM (des3-cbc-sha1)
2 host/ubuntu@EXAMPLE.COM (arcfour-hmac)
2 host/ubuntu@EXAMPLE.COM (des-cbc-md5)
2 host/ubuntu@EXAMPLE.COM (des-cbc-crc)
2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (des3-cbc-sha1)
2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (arcfour-hmac)
2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (des-cbc-md5)
2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (des-cbc-crc)
2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (des3-cbc-sha1)
2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (arcfour-hmac)
2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (des-cbc-md5)
2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (des-cbc-crc)
None of these are ok with kvno except 'UBUNTU$@EXAMPLE.COM'
root@ubuntu:~# kvno ubuntu
ubuntu@EXAMPLE.COM: kvno = 2
root@ubuntu:~# kvno ubuntu@EXAMPLE.COM
ubuntu@EXAMPLE.COM: kvno = 2
root@ubuntu:~# kvno UBUNTU
UBUNTU@EXAMPLE.COM: kvno = 2
root@ubuntu:~# kvno UBUNTU@EXAMPLE.COM
UBUNTU@EXAMPLE.COM: kvno = 2
root@ubuntu:~# kvno UBUNTU@example.com
kvno: KDC reply did not match expectations while getting credentials for UBUNTU@example.com
> What is in the file
> /var/lib/sss/pubconf/krb5.include.d/domain_realm_$domain?
[domain_realm]
.child.example.com = CHILD.EXAMPLE.COM
child.example.com = CHILD.EXAMPLE.COM
[capaths]
CHILD.EXAMPLE.COM = {
EXAMPLE.COM = EXAMPLE.COM
}
EXAMPLE.COM = {
CHILD.EXAMPLE.COM = EXAMPLE.COM
}
Thanks for your time !
Jeremy
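As an added example that is not part of the thread (and is neither sssd's nor MIT Kerberos' code): a small Python script that parses `klist -ke` output like the listing above, flags keytab entries still keyed with deprecated enctypes (single DES per RFC 6649, 3DES and RC4 per RFC 8429), groups principals that differ only by case, and classifies a requested principal as an exact match, a case-only mismatch or absent. MIT Kerberos compares principal names byte for byte, which is why a keytab can hold both `host/ubuntu` and `host/UBUNTU` and a lookup for one spelling never finds the other. The embedded listing is a constructed sample modelled on Jeremy's keytab; paste real `klist -ke` output in its place.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the `klist -ke` listing in the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 UBUNTU$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 UBUNTU$@EXAMPLE.COM (arcfour-hmac)
   2 UBUNTU$@EXAMPLE.COM (des-cbc-md5)
   2 host/UBUNTU@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/ubuntu@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/UBUNTU@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/ubuntu@EXAMPLE.COM (des-cbc-crc)
"""

# Single DES (RFC 6649), triple DES and RC4 (RFC 8429) are deprecated for Kerberos.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}

# One keytab entry line: "<kvno> <principal> (<enctype>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_klist(text):
    """Return [(kvno, principal, enctype), ...] from `klist -ke` output.

    The header lines (keytab name, column titles, dashes) do not match
    ENTRY_RE and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def weak_keys(entries):
    """Distinct (principal, enctype) pairs whose enctype is deprecated."""
    return sorted({(p, e) for _, p, e in entries if e in WEAK_ENCTYPES})


def case_variants(entries):
    """Map a lower-cased principal to the distinct spellings found in the keytab.

    Only principals with more than one spelling are returned; Kerberos treats
    each spelling as a separate key, so these are the ones worth checking
    against what the KDC actually issues tickets for.
    """
    spellings = defaultdict(set)
    for _, principal, _ in entries:
        spellings[principal.lower()].add(principal)
    return {k: sorted(v) for k, v in spellings.items() if len(v) > 1}


def lookup(entries, principal):
    """Classify a requested principal against the keytab.

    'exact'         : present as spelled
    'case-mismatch' : present only with different case (e.g. a lower-case
                      realm such as example.com instead of EXAMPLE.COM)
    'absent'        : no entry even ignoring case
    """
    names = {p for _, p, _ in entries}
    if principal in names:
        return "exact"
    if principal.lower() in {n.lower() for n in names}:
        return "case-mismatch"
    return "absent"


if __name__ == "__main__":
    keytab = parse_klist(SAMPLE_KLIST)
    for principal, enctype in weak_keys(keytab):
        print(f"weak enctype: {principal} ({enctype})")
    for key, spellings in case_variants(keytab).items():
        print(f"case variants for {key}: {', '.join(spellings)}")
    print("RestrictedKrbHost/UBUNTU@example.com:",
          lookup(keytab, "RestrictedKrbHost/UBUNTU@example.com"))
```

Run it against `klist -ke` output copied from the host to see which spellings the keytab really contains before comparing them with the SPNs registered on the computer object; a `case-mismatch` result for the name a client requests is the keytab-side counterpart of the `kvno` failures shown above.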