When a forest trust is established to an AD forest with subdomains, using IPA services as a user from a subdomain does not work. The IPA KDC reports an error when obtaining a ticket for IPA's service.
```
# klist
Ticket cache: DIR::/run/user/0/krb5cc/tktJfmxNc
Default principal: Administrator@SUBDOM.SUB

Valid starting       Expires              Service principal
06.09.2013 16:45:17  07.09.2013 02:45:17  krbtgt/SUBDOM.SUB@SUBDOM.SUB
        renew until 07.09.2013 16:45:05
[root@vm-179 samba]# KRB5_TRACE=/dev/stderr kvno -S host `hostname -f`
[2176] 1378478784.554082: Convert service host (service with host as instance) on host vm-179.idm.lab.eng.brq.redhat.com to principal
[2176] 1378478784.554605: Remote host after forward canonicalization: vm-179.idm.lab.eng.brq.redhat.com
[2176] 1378478784.554758: Remote host after reverse DNS processing: vm-179.idm.lab.eng.brq.redhat.com
[2176] 1378478784.554860: Get host realm for vm-179.idm.lab.eng.brq.redhat.com
[2176] 1378478784.554959: Use local host vm-179.idm.lab.eng.brq.redhat.com to get host realm
[2176] 1378478784.555038: Look up vm-179.idm.lab.eng.brq.redhat.com in the domain_realm map
[2176] 1378478784.555090: Look up .idm.lab.eng.brq.redhat.com in the domain_realm map
[2176] 1378478784.555142: Temporary realm is IDM.LAB
[2176] 1378478784.555193: Got realm IDM.LAB for host vm-179.idm.lab.eng.brq.redhat.com
[2176] 1378478784.555255: Got service principal host/vm-179.idm.lab.eng.brq.redhat.com@IDM.LAB
[2176] 1378478784.555320: Getting credentials Administrator@SUBDOM.SUB -> host/vm-179.idm.lab.eng.brq.redhat.com@IDM.LAB using ccache DIR::/run/user/0/krb5cc/tktJfmxNc
[2176] 1378478784.555561: Retrieving Administrator@SUBDOM.SUB -> host/vm-179.idm.lab.eng.brq.redhat.com@IDM.LAB from DIR::/run/user/0/krb5cc/tktJfmxNc with result: -1765328243/Matching credential not found
[2176] 1378478784.555721: Retrieving Administrator@SUBDOM.SUB -> krbtgt/IDM.LAB@SUBDOM.SUB from DIR::/run/user/0/krb5cc/tktJfmxNc with result: -1765328243/Matching credential not found
[2176] 1378478784.555942: Retrieving Administrator@SUBDOM.SUB -> krbtgt/SUBDOM.SUB@SUBDOM.SUB from DIR::/run/user/0/krb5cc/tktJfmxNc with result: 0/Success
[2176] 1378478784.556014: Starting with TGT for client realm: Administrator@SUBDOM.SUB -> krbtgt/SUBDOM.SUB@SUBDOM.SUB
[2176] 1378478784.556158: Retrieving Administrator@SUBDOM.SUB -> krbtgt/IDM.LAB@SUBDOM.SUB from DIR::/run/user/0/krb5cc/tktJfmxNc with result: -1765328243/Matching credential not found
[2176] 1378478784.556234: Requesting TGT krbtgt/IDM.LAB@SUBDOM.SUB using TGT krbtgt/SUBDOM.SUB@SUBDOM.SUB
[2176] 1378478784.556329: Generated subkey for TGS request: aes256-cts/DD4E
[2176] 1378478784.556471: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[2176] 1378478784.556717: Encoding request body and padata into FAST request
[2176] 1378478784.556853: Sending request (1684 bytes) to SUBDOM.SUB
[2176] 1378478784.557812: Resolving hostname adsub2.subdom.sub.
[2176] 1378478784.558407: Resolving hostname adsub2.subdom.sub.
[2176] 1378478784.558990: Initiating TCP connection to stream 10.34.47.53:88
[2176] 1378478784.559508: Sending TCP request to stream 10.34.47.53:88
[2176] 1378478784.560972: Received answer from stream 10.34.47.53:88
[2176] 1378478784.561342: Response was not from master KDC
[2176] 1378478784.561441: Decoding FAST response
[2176] 1378478784.561587: TGS reply is for Administrator@SUBDOM.SUB -> krbtgt/DOM2.BAR@SUBDOM.SUB with session key rc4-hmac/1078
[2176] 1378478784.561699: TGS request result: 0/Success
[2176] 1378478784.561763: Received TGT for offpath realm DOM2.BAR
[2176] 1378478784.561816: Requesting TGT krbtgt/IDM.LAB@DOM2.BAR using TGT krbtgt/DOM2.BAR@SUBDOM.SUB
[2176] 1378478784.561883: Generated subkey for TGS request: rc4-hmac/70BA
[2176] 1378478784.561953: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[2176] 1378478784.562056: Encoding request body and padata into FAST request
[2176] 1378478784.562164: Sending request (1651 bytes) to DOM2.BAR
[2176] 1378478784.562793: Resolving hostname ad2.dom2.bar.
[2176] 1378478784.563501: Resolving hostname ad2.dom2.bar.
[2176] 1378478784.564310: Initiating TCP connection to stream 10.34.47.47:88
[2176] 1378478784.564969: Sending TCP request to stream 10.34.47.47:88
[2176] 1378478784.566476: Received answer from stream 10.34.47.47:88
[2176] 1378478784.566927: Response was not from master KDC
[2176] 1378478784.567057: Decoding FAST response
[2176] 1378478784.567203: TGS reply is for Administrator@SUBDOM.SUB -> krbtgt/IDM.LAB@DOM2.BAR with session key aes256-cts/3735
[2176] 1378478784.567291: TGS request result: 0/Success
[2176] 1378478784.567354: Received TGT for service realm: krbtgt/IDM.LAB@DOM2.BAR
[2176] 1378478784.567409: Requesting tickets for host/vm-179.idm.lab.eng.brq.redhat.com@IDM.LAB, referrals on
[2176] 1378478784.567479: Generated subkey for TGS request: aes256-cts/DC33
[2176] 1378478784.567580: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[2176] 1378478784.567729: Encoding request body and padata into FAST request
[2176] 1378478784.567854: Sending request (1717 bytes) to IDM.LAB
[2176] 1378478784.568043: Initiating TCP connection to stream 10.34.47.179:88
[2176] 1378478784.568279: Sending TCP request to stream 10.34.47.179:88
[2176] 1378478784.571790: Received answer from stream 10.34.47.179:88
[2176] 1378478784.571922: Response was from master KDC
[2176] 1378478784.572018: Decoding FAST response
[2176] 1378478784.572161: TGS request result: -1765328324/KDC returned error string: HANDLE_AUTHDATA
[2176] 1378478784.572283: Requesting tickets for host/vm-179.idm.lab.eng.brq.redhat.com@IDM.LAB, referrals off
[2176] 1378478784.572418: Generated subkey for TGS request: aes256-cts/A69F
[2176] 1378478784.572519: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[2176] 1378478784.572658: Encoding request body and padata into FAST request
[2176] 1378478784.572812: Sending request (1717 bytes) to IDM.LAB
[2176] 1378478784.573003: Initiating TCP connection to stream 10.34.47.179:88
[2176] 1378478784.573144: Sending TCP request to stream 10.34.47.179:88
[2176] 1378478784.576257: Received answer from stream 10.34.47.179:88
[2176] 1378478784.576326: Response was from master KDC
[2176] 1378478784.576348: Decoding FAST response
[2176] 1378478784.576392: TGS request result: -1765328324/KDC returned error string: HANDLE_AUTHDATA
kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/vm-179.idm.lab.eng.brq.redhat.com@IDM.LAB
```
Here is a krb5kdc.log excerpt:

```
Sep 06 16:46:24 vm-179.idm.lab.eng.brq.redhat.com krb5kdc[3876](info): authdata (kdb) handling failure: Invalid argument
Sep 06 16:46:24 vm-179.idm.lab.eng.brq.redhat.com krb5kdc[3876](info): TGS_REQ : handle_authdata (22)
Sep 06 16:46:24 vm-179.idm.lab.eng.brq.redhat.com krb5kdc[3876](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.34.47.179: HANDLE_AUTHDATA: authtime 1378478717, Administrator@SUBDOM.SUB for host/vm-179.idm.lab.eng.brq.redhat.com@IDM.LAB, Invalid argument
Sep 06 16:46:24 vm-179.idm.lab.eng.brq.redhat.com krb5kdc[3876](info): closing down fd 13
```
The result is due to the DAL driver not knowing the SIDs and names of the subdomains.
attachment 0005-WIP-trusts-support-subdomains-in-a-forest.patch
Solved the issue by adding support for subdomains in IPA (ipa trust-domain-* commands). Preliminary patch is attached.
IPA will store subdomains under the trust DN (cn=TRUSTED.DOMAIN,cn=ad,cn=trusts,SUFFIX) using the same object class ipaNTTrustedDomain.
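To make the failure in the trace above concrete, the following Python script is an added example, not FreeIPA's ipa-kdb or ipasam code. It parses KRB5_TRACE lines (the ones quoted in the ticket, embedded inline) to recover the cross-realm hops the client took (SUBDOM.SUB to DOM2.BAR to IDM.LAB) and the final KDC error, then runs an illustrative transition check against a trust table modelled on the layout described here: the forest root DOM2.BAR with its subdomain SUBDOM.SUB stored beneath it. The trust-table shape, the SIDs, the function names and the decision rule are assumptions for illustration; the real KDC applies its check to the ticket's transited field and the PAC, which is where HANDLE_AUTHDATA comes from.

```python
import re
from dataclasses import dataclass, field

# Subset of the KRB5_TRACE output posted in the ticket, timestamps kept as-is.
TRACE = """\
[2176] 1378478784.556234: Requesting TGT krbtgt/IDM.LAB@SUBDOM.SUB using TGT krbtgt/SUBDOM.SUB@SUBDOM.SUB
[2176] 1378478784.561587: TGS reply is for Administrator@SUBDOM.SUB -> krbtgt/DOM2.BAR@SUBDOM.SUB with session key rc4-hmac/1078
[2176] 1378478784.561763: Received TGT for offpath realm DOM2.BAR
[2176] 1378478784.561816: Requesting TGT krbtgt/IDM.LAB@DOM2.BAR using TGT krbtgt/DOM2.BAR@SUBDOM.SUB
[2176] 1378478784.567203: TGS reply is for Administrator@SUBDOM.SUB -> krbtgt/IDM.LAB@DOM2.BAR with session key aes256-cts/3735
[2176] 1378478784.567354: Received TGT for service realm: krbtgt/IDM.LAB@DOM2.BAR
[2176] 1378478784.572161: TGS request result: -1765328324/KDC returned error string: HANDLE_AUTHDATA
"""

# Each cross-realm TGS reply names the TGT it returned: krbtgt/<target realm>@<issuing realm>.
REPLY_RE = re.compile(r"TGS reply is for (?P<client>\S+) -> krbtgt/(?P<target>[^@]+)@(?P<issuer>\S+)")
ERR_RE = re.compile(r"TGS request result: (?P<code>-?\d+)/(?P<msg>.*)$")


def transit_path(trace: str):
    """Return (client realm, [(issuing realm, target realm), ...], last non-zero KDC error or None)."""
    client_realm, hops, error = None, [], None
    for line in trace.splitlines():
        m = REPLY_RE.search(line)
        if m:
            client_realm = m.group("client").split("@", 1)[1]
            hops.append((m.group("issuer"), m.group("target")))
        e = ERR_RE.search(line)
        if e and e.group("code") != "0":
            error = e.group("msg")
    return client_realm, hops, error


@dataclass
class TrustedDomain:
    """Illustrative stand-in for an ipaNTTrustedDomain entry: the forest root plus the
    subdomains stored beneath it. The SIDs below are made up for this example."""
    name: str
    sid: str
    subdomains: dict = field(default_factory=dict)  # subdomain name -> SID


def trust_table(with_subdomains: bool):
    """Trust table before (forest root only) and after (subdomains recorded) the fix."""
    root = TrustedDomain("DOM2.BAR", "S-1-5-21-1-1-1")
    if with_subdomains:
        root.subdomains["SUBDOM.SUB"] = "S-1-5-21-2-2-2"
    return {root.name: root}


def known_domain(trusts, realm):
    """Map a realm to the forest root whose trust entry covers it, or None if unknown."""
    for root in trusts.values():
        if realm == root.name or realm in root.subdomains:
            return root.name
    return None


def check_transit(trusts, local_realm, client_realm, hops):
    """Illustrative transition check (assumed rule, not IPA's): the client realm must be
    covered by a trust entry, every intermediate issuer must be the client realm itself
    or the trusted forest root, and the last hop must land in the local realm."""
    forest = known_domain(trusts, client_realm)
    if forest is None:
        return False, f"client realm {client_realm} is unknown to the trust table"
    for issuer, _target in hops:
        if issuer not in (client_realm, forest):
            return False, f"transit through unexpected realm {issuer}"
    if not hops or hops[-1][1] != local_realm:
        return False, "path does not terminate in the local realm"
    return True, f"{client_realm} accepted via forest trust with {forest}"


if __name__ == "__main__":
    client, hops, err = transit_path(TRACE)
    print("client realm:", client, "hops:", hops, "kdc error:", err)
    print("forest root only:", check_transit(trust_table(False), "IDM.LAB", client, hops))
    print("with subdomains: ", check_transit(trust_table(True), "IDM.LAB", client, hops))
```

With only the forest root recorded, the check cannot map SUBDOM.SUB to any trusted domain and rejects the request, which is the situation described above; once the subdomain entry exists under the DOM2.BAR trust object the same path is accepted.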
Patch posted for review: https://www.redhat.com/archives/freeipa-devel/2013-September/msg00300.html
AD subdomains fixes pushed:
master:
46b3588 Require new SSSD to pull required AD subdomain fixes
d228b1b ipa-kdb: Handle parent-child relationship for subdomains
749111e KDC: implement transition check for trusted domains
0ab40cd ipasam: for subdomains pick up defaults for missing values
f734988 trust: integrate subdomains support into trust-add
a87813b ipaserver/dcerpc: remove use of trust account authentication
2d6c7e3 frontend: report arguments errors with better detail
0b29bfd trusts: support subdomains in a forest
0637f59 ipaserver/dcerpc.py: populate forest trust information using realmdomains

ipa-3-3:
dd1ddf8 Require new SSSD to pull required AD subdomain fixes
8ede637 ipa-kdb: Handle parent-child relationship for subdomains
6224ce0 KDC: implement transition check for trusted domains
0cd7923 ipasam: for subdomains pick up defaults for missing values
c6a6f97 trust: integrate subdomains support into trust-add
02158df ipaserver/dcerpc: remove use of trust account authentication
5fe7f7d frontend: report arguments errors with better detail
6f09063 trusts: support subdomains in a forest
45fc0b9 ipaserver/dcerpc.py: populate forest trust information using realmdomains
Metadata Update from @abbra: - Issue assigned to abbra - Issue set to the milestone: FreeIPA 3.3.x - 2013/09 (bug fixing)