freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

kerberos libdefaults settings are preventing AD domain user login #79

Open RobVerduijn opened 5 years ago

RobVerduijn commented 5 years ago

Currently the ipaclient role sets the kerberos libdefaults in /etc/krb5.conf as:

    dns_lookup_realm = false
    dns_lookup_kdc = false

and the realms section specifies the kdc/master_kdc/admin_server/default_domain/kpasswd_server for each ipa server.

When using a trust from IPA to an Active Directory, this prevents users with AD accounts from logging in to IPA clients, because the ipa-client is unable to locate the Active Directory KDC.

The latest ipa-client-install does this differently: the ipa-client-install command sets the options in the libdefaults section of krb5.conf as:

    dns_lookup_realm = true
    dns_lookup_kdc = true

The realms section also no longer needs the entries for kdc/master_kdc/admin_server/default_domain/kpasswd_server; only pkinit_anchors and pkinit_pool are needed.

Rob
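The two krb5.conf layouts contrasted in the report, with a check for the failure mode it describes, as an added example that is not part of the issue or of ansible-freeipa. The sample configs are constructed; the hostnames, port numbers and the trusted AD realm name AD.EXAMPLE.COM are assumptions. The check shows why a trusted realm, which has no [realms] stanza of its own, becomes unreachable as soon as dns_lookup_kdc is pinned to false:

```python
"""Added example (not ansible-freeipa code): detect the krb5.conf layout that
breaks AD-trust logins.  Sample configs are constructed; names are assumed."""
import re
from typing import Dict, List

# Constructed sample: the layout the report attributes to the ipaclient role.
ROLE_PINNED = """
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
[realms]
  EXAMPLE.COM = {
    kdc = ipa02.example.com:88
    kdc = ipa01.example.com:88
    master_kdc = ipa01.example.com:88
    admin_server = ipa01.example.com:749
    kpasswd_server = ipa01.example.com:464
    default_domain = example.com
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }
"""

# Constructed sample: the ipa-client-install style layout (KDCs found via DNS SRV).
INSTALLER_STYLE = """
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
[realms]
  EXAMPLE.COM = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal parser: [section] headers, key = value lines and one level of
    'NAME = { ... }' sub-blocks.  Repeated keys (several kdc lines) become
    lists.  Comment lines start with '#' or ';'."""
    conf: Dict[str, dict] = {}
    section = None  # dict for the current [section]
    block = None    # dict for the current '{ ... }' sub-block, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            block = None
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        target.setdefault(key, []).append(value)
    return conf


def libdefault_bool(conf: Dict[str, dict], key: str, default: bool) -> bool:
    """Read a boolean from [libdefaults]; libkrb5 accepts true/yes/on/1."""
    values = conf.get("libdefaults", {}).get(key)
    if not values:
        return default
    return values[-1].lower() in ("true", "yes", "on", "1")


def kdc_locatable(conf: Dict[str, dict], realm: str) -> bool:
    """Can libkrb5 find a KDC for `realm`?  Either an explicit kdc line under
    [realms] or DNS SRV discovery (dns_lookup_kdc, MIT default true)."""
    if conf.get("realms", {}).get(realm, {}).get("kdc"):
        return True
    return libdefault_bool(conf, "dns_lookup_kdc", default=True)


def check_ad_trust(conf: Dict[str, dict], ad_realm: str) -> List[str]:
    """Findings for a client that must authenticate users of a trusted AD
    realm, which has no [realms] stanza and so relies on DNS lookups."""
    findings: List[str] = []
    if not kdc_locatable(conf, ad_realm):
        findings.append(f"{ad_realm}: no kdc entry in [realms] and dns_lookup_kdc "
                        "is false; libkrb5 cannot locate the AD KDC")
    if not libdefault_bool(conf, "dns_lookup_realm", default=False):
        findings.append("dns_lookup_realm is false: AD hosts are mapped to a realm "
                        "only through [domain_realm], not via DNS TXT records")
    return findings


if __name__ == "__main__":
    for name, text in (("role-pinned", ROLE_PINNED), ("installer-style", INSTALLER_STYLE)):
        print(name, "->", check_ad_trust(parse_krb5_conf(text), "AD.EXAMPLE.COM") or "ok")
```

Run against a real /etc/krb5.conf the same way: parse the file, then call check_ad_trust with the trusted realm name; an empty list means the client can at least discover the AD KDCs.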

RobVerduijn commented 5 years ago

Big edit because I accidentally hit commit a bit early.

RobVerduijn commented 5 years ago

This is also causing problems when trying to create trusts.

t-woerner commented 5 years ago

Please update to the latest version. There has been a lot of rework in the ipaclient role as well. I only get dns_lookup_realm and dns_lookup_kdc set to false if the server is set using ipaclient_servers for the client deployment.

RobVerduijn commented 5 years ago

Hello, I double-checked: after a recent git pull (this morning), dns_lookup_realm is still false, and ipaclient_servers was not set.

t-woerner commented 5 years ago

What is the setting of dnsok and kdc in the ipaclient_test output?

RobVerduijn commented 5 years ago

Here is the log:

    ok: [rhel8.example.com] => {
        "basedn": "dc=example,dc=com",
        "changed": false,
        "client_already_configured": false,
        "client_domain": "example.com",
        "dnsok": false,
        "domain": "example.com",
        "hostname": "rhel8.example.com",
        "invocation": {
            "module_args": {
                "all_ip_addresses": false,
                "ca_cert_files": null,
                "configure_firefox": false,
                "domain": "example.com",
                "enable_dns_updates": false,
                "firefox_dir": null,
                "force_ntpd": false,
                "hostname": "rhel8.example.com",
                "ip_addresses": null,
                "kinit_attempts": 5,
                "nisdomain": null,
                "no_nisdomain": false,
                "no_ntp": true,
                "ntp_pool": null,
                "ntp_servers": null,
                "on_master": false,
                "realm": "EXAMPLE.COM",
                "servers": [
                    "ipa02.example.com",
                    "ipa01.example.com"
                ]
            }
        },
        "ipa_python_version": 40701,
        "kdc": "ipa02.example.com, ipa01.example.com",
        "ntp_pool": null,
        "ntp_servers": null,
        "realm": "EXAMPLE.COM",
        "servers": [
            "ipa02.example.com",
            "ipa01.example.com"
        ],
        "sssd": true
    }

t-woerner commented 5 years ago

There are servers defined:

    "servers": [
        "ipa02.example.com",
        "ipa01.example.com"
    ],

That results in "dnsok": false, and also turns off DNS lookup for Kerberos.

Are you defining ipaservers group or ipaclient_servers?

RobVerduijn commented 5 years ago

I have a group ipaservers; I did not set the variable ipaclient_servers.

Rob

t-woerner commented 5 years ago

You have defined the ipaservers group; the entries in this group are used as servers for the client deployment. That explains why there is no DNS lookup.

RVerduijn commented 5 years ago

Is there a way to override this?

t-woerner commented 5 years ago

Why are you setting the ipaservers group? It is used automatically by the ipaclient role. We might be able to add ipaclient_no_dns_lookup | bool, and also to https://github.com/freeipa/ansible-freeipa/blob/master/roles/ipaclient/tasks/install.yml#L16

RobVerduijn commented 5 years ago

I use the ipaservers group because I want to issue tasks to the IPA servers. The same inventory is used for the ipaclient configurations.

The bool ipaclient_nodns_lookup seems like a good option to deal with this.

t-woerner commented 4 years ago

There is the ipaclient_no_dns_lookup option; it should already do what you need. It is explained in the client README.

t-woerner commented 4 years ago

Was ipaclient_no_dns_lookup working for you?

RobVerduijn commented 4 years ago

Hello,

It's been a long time; I can't remember if it did the trick. I'm no longer using the ipaclient_servers variable, so I'm no longer bothered by this.

Rob

RobVerduijn commented 3 years ago

I've tested this again and it works for the ipa client.

For the ipa server however, dns_lookup_realm remains false.

Rob