Freeipa Authentication Failure in AD Trust setup
Authentication fails for AD users on RHEL system in an Freeipa/AD trusted environment.
The following errors can be found in the logs:
Cannot find KDC for realm "EXAMPLE.COM"in
Backend is marked offline, retry later!in
pam_unix(sssd:auth): authentication failurein
Assumptions and context:
- AD domain: example.org
- Freeipa domain: linux.example.org
- AD User: test
- userPrincipalName (UPN) for "test": email@example.com <--- UPN domain example.com is different than example.org!!!
- Connection to RHEL client with: ssh firstname.lastname@example.org@server1.linux.example.org
- IDM clients (in linux.example.org) can't resolve the example.com UPN domain
In the context above, IDM clients will try to use the example.com (derived from the UPN) realm to authenticate into Linux machines.
The RHEL client will use example.com as realm and try to discover KDC for example.com through DNS requests, which will return "no such name" (can be seen in a tcpdump trace).
The solution is to "trick" Freeipa into using the domain passed at the SSH command line by the user (example.org derived from user fqdn email@example.com).
On all Freeipa servers, in
/etc/sssd/sssd.conf, add in the relevant domain section for the trust:
[domain/linux.example.org/example.org] subdomain_inherit = ldap_user_principal # <--- this option ldap_user_principal = nosuchattr # <--- this option
Clear the cache on IDM servers and IDM clients with:
systemctl stop sssd && rm -fr /var/lib/sssd/db/* && systemctl start sssd
systemctl restart ipa
Attempt a connection with:
The UPN domain is used first, but in this context the domain cannot be resolved. We have to force IDM clients to use the domain passed at the CLI and ignore the UPN.