[root@dhcp207-218 ipa-idrange-cli]# echo Secret123 | ipa trust-add --type=ad adtest.qe --admin administrator --password -------------------------------------------------- Added Active Directory trust for realm "adtest.qe" -------------------------------------------------- Realm name: adtest.qe Domain NetBIOS name: ADTEST Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879 SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20 SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20 Trust direction: Two-way trust Trust type: Active Directory domain Trust status: Established and verified [root@dhcp207-218 ipa-idrange-cli]# ipa trustdomain-find adtest.qe Domain name: adtest.qe Domain NetBIOS name: ADTEST Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879 Domain enabled: True Domain name: pune.adtest.qe Domain NetBIOS name: PUNE Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112 Domain enabled: True ---------------------------- Number of entries returned 2 ---------------------------- [root@dhcp207-218 ipa-idrange-cli]# getent passwd testu1@pune.adtest.qe testu1@pune.adtest.qe:*:839001108:839001108:testu1 user:/home/pune.adtest.qe/testu1: [root@dhcp207-218 ipa-idrange-cli]# ssh -o StrictHostKeyChecking=no -l testu1@pune.adtest.qe `hostname` echo 'login successful' testu1@pune.adtest.qe@dhcp207-218.testrelm.test's password: Permission denied, please try again. 
testu1@pune.adtest.qe@dhcp207-218.testrelm.test's password: [root@dhcp207-218 ipa-idrange-cli]# ipa trustdomain-disable adtest.qe pune.adtest.qe ; sleep 120; ssh -o StrictHostKeyChecking=no -l testu1@pune.adtest.qe `hostname` echo 'login successful' -------------------------------------- Disabled trust domain "pune.adtest.qe" -------------------------------------- testu1@pune.adtest.qe@dhcp207-218.testrelm.test's password: login successful [root@dhcp207-218 ipa-idrange-cli]# ipa trustdomain-enable adtest.qe pune.adtest.qe ; sleep 120 ;ssh -o StrictHostKeyChecking=no -l testu1@pune.adtest.qe `hostname` echo 'login successful' ------------------------------------- Enabled trust domain "pune.adtest.qe" ------------------------------------- testu1@pune.adtest.qe@dhcp207-218.testrelm.test's password: login successful [root@dhcp207-218 ~]# tail -f /var/log/krb5kdc.log -------------------------------------------- Feb 27 19:28:10 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393508786, etypes {rep=18 tkt=18 ses=18}, HTTP/dhcp207-218.testrelm.test@TESTRELM.TEST for ldap/dhcp207-218.testrelm.test@TESTRELM.TEST Feb 27 19:28:10 dhcp207-218.testrelm.test krb5kdc[3508](info): ... 
CONSTRAINED-DELEGATION s4u-client=admin@TESTRELM.TEST Feb 27 19:28:10 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12 Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): bad realm transit path from 'testu1@PUNE.ADTEST.QE' to 'host/dhcp207-218.testrelm.test@TESTRELM.TEST' via 'ADTEST.QE' Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: BAD_TRANSIT: authtime 1393509513, testu1@PUNE.ADTEST.QE for host/dhcp207-218.testrelm.test@TESTRELM.TEST, KDC policy rejects request Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12 Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): bad realm transit path from 'testu1@PUNE.ADTEST.QE' to 'host/dhcp207-218.testrelm.test@TESTRELM.TEST' via 'ADTEST.QE' Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: BAD_TRANSIT: authtime 1393509513, testu1@PUNE.ADTEST.QE for host/dhcp207-218.testrelm.test@TESTRELM.TEST, KDC policy rejects request Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12 -------------------------------------------- Feb 27 19:29:10 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393508786, etypes {rep=18 tkt=18 ses=18}, HTTP/dhcp207-218.testrelm.test@TESTRELM.TEST for ldap/dhcp207-218.testrelm.test@TESTRELM.TEST Feb 27 19:29:10 dhcp207-218.testrelm.test krb5kdc[3508](info): ... 
CONSTRAINED-DELEGATION s4u-client=admin@TESTRELM.TEST Feb 27 19:29:10 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12 Feb 27 19:29:10 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: NEEDED_PREAUTH: HTTP/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Additional pre-authentication required Feb 27 19:29:10 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509550, etypes {rep=18 tkt=18 ses=18}, HTTP/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST Feb 27 19:31:11 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: NEEDED_PREAUTH: host/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Additional pre-authentication required Feb 27 19:31:11 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509671, etypes {rep=18 tkt=18 ses=18}, host/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST Feb 27 19:31:11 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ: issuing TGT krbtgt/ADTEST.QE@TESTRELM.TEST Feb 27 19:31:11 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509671, etypes {rep=18 tkt=18 ses=18}, host/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/ADTEST.QE@TESTRELM.TEST Feb 27 19:31:11 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12 Feb 27 19:31:15 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509676, etypes {rep=18 tkt=18 ses=18}, testu1@PUNE.ADTEST.QE for host/dhcp207-218.testrelm.test@TESTRELM.TEST Feb 27 19:31:15 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12 Feb 27 19:31:17 dhcp207-218.testrelm.test 
krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: NEEDED_PREAUTH: host/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Additional pre-authentication required Feb 27 19:31:17 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509677, etypes {rep=18 tkt=18 ses=18}, host/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST Feb 27 19:31:17 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509677, etypes {rep=18 tkt=18 ses=18}, host/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/ADTEST.QE@TESTRELM.TEST Feb 27 19:31:17 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12 -------------------------------------- Feb 27 19:31:45 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393508786, etypes {rep=18 tkt=18 ses=18}, HTTP/dhcp207-218.testrelm.test@TESTRELM.TEST for ldap/dhcp207-218.testrelm.test@TESTRELM.TEST Feb 27 19:31:45 dhcp207-218.testrelm.test krb5kdc[3508](info): ... 
CONSTRAINED-DELEGATION s4u-client=admin@TESTRELM.TEST Feb 27 19:31:45 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12 Feb 27 19:31:45 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: NEEDED_PREAUTH: HTTP/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Additional pre-authentication required Feb 27 19:31:45 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509705, etypes {rep=18 tkt=18 ses=18}, HTTP/dhcp207-218.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST Feb 27 19:33:58 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509838, etypes {rep=18 tkt=18 ses=18}, testu1@PUNE.ADTEST.QE for host/dhcp207-218.testrelm.test@TESTRELM.TEST Feb 27 19:33:58 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12
Sumit is looking into it. This is a must-fix for the 3.3.x series.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1070924
attachment 0009-WIP-fix-filtering-of-subdomain-based-trust-users.patch
attachment <img alt="subdomains-disable-kdb-1.png" src="/freeipa/freeipa/issue/raw/files/d33cec1793042237ff66471247014148715e16ba68e53b2331a8317a98b6b934-subdomains-disable-kdb-1.png" />
Attached the current patch, which was tested by Scott and Sumit. Also attached a screenshot showing the correct behavior with the patch applied.
master:
ipa-3-3:
Metadata Update from @steeve: - Issue assigned to abbra - Issue set to the milestone: FreeIPA 3.3.5 (bug fixing)