From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC
Date: Wed, 07 Dec 2022 16:37:36 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: cy@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
List-Id: Bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

--- Comment #13 from Cy Schubert ---

(In reply to Michael Osipov from comment #12)

He didn't elaborate. Though in the discussion after the session he did say they wanted a UID-like field in the database (he was probably referring to the SID at the time).

At $JOB we've had a lot of problems with translating SID to UID. We've been using winbind (which stores the ticket in memory instead of /tmp) and are converting to sssd.

One of my former clients (another guy on the team is working with them now) uses sssd. There have been many issues with logins through ssh. None of which we can fix, all of which are on their side. They're mirroring their A/D using openldap running on Linux. Their sssd uses the openldap servers as their Linux source of truth. This is why their sssd configuration has been so much trouble.

Personally, I'm not sure if sssd will work better than winbind. I doubt it, but our vendor recommends it, so we will do it. Winbind has been pretty stable now.

Having said this, in order to support Linux/Solaris/UNIX clients with A/D one must add some fields to support UNIX UID and GID to A/D. Our main client has refused to do so, resulting in a lot of issues at first and many problems 15 years ago. That client had replaced four MIT KRB5 realms (running in a cross-realm configuration) with A/D at the time, also replacing a hierarchical (DNS) namespace with a flat (A/D) namespace (with DNS provided by A/D).

We're hoping that sssd may better support A/D that has not been updated to include the recommended fields to support UNIX clients. I'm thinking it won't.