Bug 679087 - SSSD IPA provider should honor the krb5_realm option
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sssd
Version: 5.7
Target Milestone: rc
Assigned To: Stephen Gallagher
QA Contact: Chandrasekar Kannan
Depends On: 679082
Reported: 2011-02-21 09:45 EST by Stephen Gallagher
Modified: 2015-01-04 18:46 EST
Fixed In Version: sssd-1.5.1-12.el5
Doc Type: Bug Fix
Clone Of: 679082
Last Closed: 2011-07-21 04:09:28 EDT
External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2011:0975
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: sssd security, bug fix, and enhancement update
Last Updated: 2011-07-21 04:09:03 EDT

Comment 2 Jenny Galipeau 2011-05-31 16:05:43 EDT
There is a problem with the ipa-client:

https://fedorahosted.org/freeipa/ticket/1100

This fix is not included in RHEL 5.7 ipa-client, therefore it is not possible
to verify this bug.
Comment 3 Jenny Galipeau 2011-06-03 11:27:49 EDT
Same result with RHEL 5 ipa-client scratch build:

ipa-client-install --domain=testrelm --realm=QWQW -p mysecret -w mysecret -U --server=ipaserver.testrelm
DNS domain 'qwqw' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Realm: QWQW
DNS Domain: testrelm
IPA Server: ipaserver.testrelm
BaseDN: dc=qwqw



kinit(v5): Cannot contact any KDC for realm 'QWQW' while getting initial credentials

# rpm -q ipa-client
ipa-client-2.0-15.el5
Comment 4 Jenny Galipeau 2011-06-03 11:57:14 EDT
ipa-server: RHEL 6.1  ipa-server-2.0.0-23.el6.x86_64
ipa-client: RHEL 5.7  sssd-1.5.1-36.el5 ipa-client-2.0-15.el5

# ipa-client-install --domain=testrelm --realm=QWQW -p admin -w mysecret -U --server=ipaserver.testrelm
DNS domain 'qwqw' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Realm: QWQW
DNS Domain: testrelm
IPA Server: ipaserver.testrelm
BaseDN: dc=qwqw



Enrolled in IPA realm QWQW
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm QWQW
Warning: Hostname (client.testrelm) not found in DNS
Failed to update DNS A record. (Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status -6)
Failed to stop the NSCD daemon
SSSD enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.

# kinit jennyg
Password for jennyg@QWQW: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

# cat /etc/ipa/default.conf 
#File modified by ipa-client-install

[global]
basedn = dc=qwqw
realm = QWQW
domain = testrelm
server = ipaserver.testrelm
xmlrpc_uri = https://ipaserver.testrelm/ipa/xml
enable_ra = True

# cat /etc/sssd/sssd.conf 
[sssd]
services = nss, pam
config_file_version = 2

domains = testrelm
[nss]

[pam]

[domain/testrelm]
cache_credentials = True
krb5_realm = QWQW
ipa_domain = testrelm
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, ipaserver.testrelm

# cat /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
  default_realm = QWQW
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  QWQW = {
    kdc = ipaserver.testrelm:88
    admin_server = ipaserver.testrelm:749
    default_domain = testrelm
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .testrelm = QWQW
  testrelm = QWQW

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
Comment 5 errata-xmlrpc 2011-07-21 04:09:28 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0975.html
