Description of problem:
After installing a trust between a Samba AD DC (Fedora 32) and FreeIPA (Fedora 32) it is not possible to log on to an ipaclient with an account of the AD domain.

Version-Release number of selected component (if applicable):
Installed packages on the Samba AD DC:
[root@dc1 ~]# rpm -qa | grep samba
samba-winbind-4.12.1-0.fc32.1.x86_64
python3-samba-4.12.1-0.fc32.1.x86_64
samba-common-libs-4.12.1-0.fc32.1.x86_64
samba-common-tools-4.12.1-0.fc32.1.x86_64
samba-dc-provision-4.12.1-0.fc32.1.noarch
samba-common-4.12.1-0.fc32.1.noarch
samba-dc-4.12.1-0.fc32.1.x86_64
samba-client-libs-4.12.1-0.fc32.1.x86_64
samba-libs-4.12.1-0.fc32.1.x86_64
samba-dc-libs-4.12.1-0.fc32.1.x86_64
python3-samba-dc-4.12.1-0.fc32.1.x86_64
samba-4.12.1-0.fc32.1.x86_64
samba-winbind-modules-4.12.1-0.fc32.1.x86_64
samba-dc-bind-dlz-4.12.1-0.fc32.1.x86_64

On the IPA server:
[root@ipareplica ~]# rpm -qa | grep freeipa*
freeipa-common-4.8.6-1.fc32.noarch
freeipa-client-4.8.6-1.fc32.x86_64
freeipa-healthcheck-0.5-3.fc32.noarch
freeipa-client-common-4.8.6-1.fc32.noarch
freeipa-server-dns-4.8.6-1.fc32.noarch
freeipa-healthcheck-core-0.5-3.fc32.noarch
freeipa-selinux-4.8.6-1.fc32.noarch
freeipa-server-common-4.8.6-1.fc32.noarch
freeipa-server-trust-ad-4.8.6-1.fc32.x86_64
freeipa-server-4.8.6-1.fc32.x86_64

How reproducible:
Install the packages and after that install a trust between the IPA domain and the Samba domain.

Steps to Reproduce:
1. Install all needed packages and open the ports of the firewall or disable it.
2. Install the Samba domain with "samba-tool domain provision --use-rfc2307 --interactive".
3. Install the IPA domain with "ipa-server-install --setup-dns --setup-adtrust".
4. In /etc/named.conf disable the dnssec section on the IPA server and the Samba server.
5. In /etc/named.conf on the Samba DC, at the end of the config, complete with this:
zone "xxx,xxx,xxx" {
    type forward;
    forwarders { 10.2.0.1; 10.2.0.2; };
};
6. On the IPA server create the DNS forwarder for the AD domain.
7. Create the trust on the IPA server with:
ipa-adtrust-install --netbios-name=XXX
ipa trust-add --type=ad --two-way=true
8. Build the trust on the AD DC when needed; on my setup this was created automatically.
9. Allow access for users of the AD domain.
10. Make an HBAC rule for an ipaclient to log in with AD credentials.

Actual results:
kinit administrator.xxx.xxx works fine, but su - administrator.xxx.xxx. does not work on an ipaclient.

Expected results:
To log in with the AD credentials on an ipaclient.

Additional info:
A trust with a Windows domain and a Heimdal Kerberos AD works without any problems here.
Created attachment 1680743
Error message when I want to log in with an AD user
Hi, can you check if adding 'krb5_use_fast = never' to the [domain/...] section of sssd.conf helps? bye, Sumit
Hello Sumit, with 'krb5_use_fast = never' in the [domain/...] section of sssd.conf the login works without any problems :) So, is there a way to set this option on the installation of the trust, maybe like: ipa trust-add --type=ad ad_domain --admin Administrator --password "--mitkerberos" ? This would be very helpful. :) See you, Dirk
No, instead of disabling FAST channel, we need to understand why it does not work here.
Could you please provide logs from both IPA and Samba AD KDCs for the time of access? Also, krb5_child.log from SSSD (enable debug_level=9 in sssd.conf).
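The workaround discussed above, krb5_use_fast = never, turns off FAST armoring of the Kerberos pre-authentication exchange for that domain, which is why the maintainer does not want it to become the fix. A small audit that lists the domains in an sssd.conf where FAST has been explicitly disabled is useful once the real fix lands and the workaround should be removed. This is an added example written for this thread, not code from SSSD or FreeIPA; it assumes the standard sssd.conf INI layout ([domain/NAME] sections) and the krb5_use_fast values documented in sssd-krb5(5): never, try, demand. The sample configuration is constructed.

```python
"""Audit sssd.conf for domains where the Kerberos FAST channel is disabled.

Added example for this thread, not code from SSSD or FreeIPA.  Assumes the
standard sssd.conf INI layout (one [domain/NAME] section per domain) and the
krb5_use_fast values from sssd-krb5(5): never / try / demand.  Only an
explicit "never" is flagged; when the option is absent the provider's own
default applies, so it is reported as unset rather than guessed.
"""
import configparser
import sys

WEAK_FAST = {"never"}


def parse_sssd_conf(text):
    """Return {domain_name: krb5_use_fast value (lowercased) or None if unset}."""
    # sssd.conf has no %-interpolation; disable it so literal '%' is harmless.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        value = cp.get(section, "krb5_use_fast", fallback=None)
        result[name] = value.strip().lower() if value is not None else None
    return result


def domains_without_fast(text):
    """Sorted names of domains whose configuration disables FAST outright."""
    return sorted(d for d, v in parse_sssd_conf(text).items() if v in WEAK_FAST)


# Constructed sample, modelled on the workaround from the thread.
SAMPLE_CONF = """\
[sssd]
domains = ipa.example.test, other.example.test, third.example.test
services = nss, pam

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa.example.test
krb5_use_fast = never

[domain/other.example.test]
id_provider = ldap
auth_provider = krb5
krb5_use_fast = demand

[domain/third.example.test]
id_provider = ldap
auth_provider = krb5
"""


def main(argv):
    """Usage: audit_fast.py [/etc/sssd/sssd.conf]; exit 1 if any domain disables FAST."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONF
    flagged = domains_without_fast(text)
    for name in flagged:
        print(f"{name}: krb5_use_fast = never (FAST armor disabled)")
    return 1 if flagged else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it audits the embedded sample and reports ipa.example.test; pointed at a real /etc/sssd/sssd.conf it exits non-zero when any domain still carries the workaround, so it can sit in a configuration-compliance check.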
Created attachment 1687026
ipasamba with fast
Created attachment 1687027
ipasamba without fast
Created attachment 1687028
mit with fast
Created attachment 1687029
mit without fast
After discussion on grooming, this was seen as an sssd effort.
Hi, this is about making FAST work across domain/realm boundaries, closing as duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1749786. *** This bug has been marked as a duplicate of bug 1749786 ***