I have a very similar problem as described in this thread on CentOS 6.3 authenticating against a 2008R2 AD DC.
Here is my krb5.conf, I know for a fact that XXXXXXX.LOCAL is the true domain name:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = XXXXXXX.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 verify_ap_req_nofail = false
[realms]
 XXXXXXX.LOCAL = {
  kdc = ad1.XXXXXXX.local
  kdc = ad2.XXXXXXX.local
  admin_server = ad1.XXXXXXX.local
  default_domain = XXXXXXX.LOCAL
 }
[domain_realm]
 .XXXXXXX.local = XXXXXXX.LOCAL
 XXXXXXX.local = XXXXXXX.LOCAL
 .XXXXXXX.com = XXXXXXX.LOCAL
 XXXXXXX.com = XXXXXXX.LOCAL
When I do a:
kinit username@XXXXXXX.LOCAL
Everything works as intended and klist -e returns the details it should; however, when I try to:
su username
The sssd krb5_child.log shows the following:
[unpack_buffer] (0x0100): cmd [241] uid [10002] gid [10002] validate [false] offline [false] UPN [username@XXXXXXX.COM]
[unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_10002_XXXXXX] keytab: [/etc/krb5.keytab]
[krb5_child_setup] (0x0400): Will perform online auth
[krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
[krb5_child_setup] (0x0100): Not using FAST.
[get_and_save_tgt] (0x0400): Attempting kinit for realm [XXXXXXX.COM]
[get_and_save_tgt] (0x0020): 977: [-1765328230][Cannot find KDC for requested realm]
[kerr_handle_error] (0x0020): 1030: [-1765328230][Cannot find KDC for requested realm]
[prepare_response_message] (0x0400): Building response for result [-1765328230]
[main] (0x0400): krb5_child completed successfully
I also know that XXXXXXX.COM is an alias for XXXXXXX.LOCAL in the AD tree and that running:
kinit username@XXXXXXX.COM
produces exactly the same error as in the krb5_child.log:
kinit: Cannot find KDC for requested realm while getting initial credentials
I've been banging my head against the wall for several days on this problem and would appreciate any pointers. 🙂
Best Answer
What you are dealing with is called enterprise principals. You have a single AD domain, but users can have additional user principal names (UPNs) associated with them, so in addition to XXXX.LOCAL they can have XXXX.COM and use user@XXXX.COM in place of user@XXXX.LOCAL.
SSSD does support enterprise principals starting with 1.10. There were a few bugs in the implementation that affected the 1.10 beta releases, but they were solved prior to the final release, which is available in Fedora 19+.
However, this change is not available in RHEL 6.x (or CentOS 6.x, for that matter), since support for enterprise principals is relatively invasive and was not backported to 1.9.x.
You may be interested in the details at https://bugzilla.redhat.com/show_bug.cgi?id=972357 and https://bugzilla.redhat.com/show_bug.cgi?id=924404.
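As an added illustration (not part of the question or the answer above), a small Python check that cross-references the realm SSSD attempted in krb5_child.log against the [realms] actually configured in krb5.conf, which is exactly the mismatch behind "Cannot find KDC for requested realm" here. The config and log excerpts are constructed from the ones posted above; the function names are my own.

```python
import re

# Constructed krb5.conf excerpt, modelled on the poster's (XXXXXXX is their redaction).
KRB5_CONF = """\
[libdefaults]
default_realm = XXXXXXX.LOCAL
dns_lookup_kdc = false
[realms]
XXXXXXX.LOCAL = {
kdc = ad1.XXXXXXX.local
kdc = ad2.XXXXXXX.local
}
[domain_realm]
.XXXXXXX.com = XXXXXXX.LOCAL
"""

# Constructed excerpt of sssd krb5_child.log, mirroring the lines posted above.
KRB5_CHILD_LOG = """\
[unpack_buffer] (0x0100): cmd [241] uid [10002] gid [10002] validate [false] offline [false] UPN [username@XXXXXXX.COM]
[get_and_save_tgt] (0x0400): Attempting kinit for realm [XXXXXXX.COM]
[get_and_save_tgt] (0x0020): 977: [-1765328230][Cannot find KDC for requested realm]
"""

def parse_krb5_conf(text):
    """Return (default_realm, {realm: [kdc, ...]}); minimal parser, ignores includes."""
    section, realm, default_realm, realms = None, None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):                      # new section header
            section, realm = line.strip("[]"), None
        elif section == "libdefaults" and line.startswith("default_realm"):
            default_realm = line.split("=", 1)[1].strip()
        elif section == "realms":
            if line.endswith("{"):                    # REALM = { opens a realm block
                realm = line.split("=", 1)[0].strip()
                realms.setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm and line.startswith("kdc"):
                realms[realm].append(line.split("=", 1)[1].strip())
    return default_realm, realms

def diagnose(conf_text, log_text):
    """Match the realm SSSD tried (from the UPN suffix) against configured [realms]."""
    default_realm, realms = parse_krb5_conf(conf_text)
    upn = re.search(r"UPN \[([^\]]+)\]", log_text)
    tried = re.search(r"Attempting kinit for realm \[([^\]]+)\]", log_text)
    if not (upn and tried):
        return None
    upn_suffix = upn.group(1).split("@", 1)[1]
    return {
        "upn_suffix": upn_suffix,
        "attempted_realm": tried.group(1),
        "kdc_configured": bool(realms.get(tried.group(1))),   # False reproduces the error
        "upn_suffix_differs_from_default_realm": upn_suffix.upper() != (default_realm or "").upper(),
    }
```

A result with kdc_configured False and upn_suffix_differs_from_default_realm True is the alternate-UPN-suffix situation the answer describes: the client is told to authenticate as user@XXXXXXX.COM, and nothing in krb5.conf names a KDC for that realm.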