IPA Client AD Trust logins fail with Cannot find KDC for realm "AD.REALM" while getting initial credentials

Solution Verified

Environment

  • Red Hat Enterprise Linux
  • Red Hat Identity Management

Issue

  • Unable to login with AD Trust users on IPA clients
  • SSSD resolves the AD users successfully (the id command works), but login fails during PAM authentication; the SSSD krb5_child log reports:
Cannot find KDC for realm "AD.REALM" while getting initial credentials
  • The same error can be reproduced with
# kinit aduser@AD.REALM

Resolution

  • Ensure that the [libdefaults] section of /etc/krb5.conf contains dns_lookup_kdc = true and dns_lookup_realm = true, so that libkrb5 can discover the AD realm's KDCs through DNS SRV records. Alternatively, add a [realms] stanza for the AD realm to /etc/krb5.conf that lists its KDCs explicitly.

Root Cause

  • When ipa-client-install is run with the --server argument to explicitly define an IPA server, it disables libkrb5 DNS discovery in /etc/krb5.conf. This is intended for the IPA realm, whose KDCs are then listed explicitly, but it also stops libkrb5 from locating a KDC for the trusted AD realm, for which no KDCs are listed.

  • Authentication for an AD Trust user therefore requires either dns_lookup_kdc = true or explicitly defined AD KDCs in /etc/krb5.conf; otherwise libkrb5 returns KRB5_REALM_UNKNOWN to the caller (here SSSD's krb5_child).

Diagnostic Steps

  • Test with the kinit command manually to ensure a Kerberos ticket can be retrieved from an AD KDC. KRB5_TRACE shows which KDCs libkrb5 tries, or that it finds none (-C asks the KDC to canonicalize the client principal):
# KRB5_TRACE=/dev/stdout kinit -C aduser@domain_name
  • Check the UPN of the AD user.
  • Check that the UPN suffix is listed in the output of the ipa trust-show command.
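The following script is an added example for the Resolution and Diagnostic Steps above; it is not part of the Red Hat solution. It reads a krb5.conf the way libkrb5 does for the two settings that matter here, dns_lookup_kdc in [libdefaults] and an explicit kdc list in [realms], and reports whether a KDC for a given AD realm can be found at all. The realm name AD.REALM, the hostnames and the three sample configurations (one resembling what ipa-client-install --server writes, one with DNS discovery re-enabled, one with static AD KDCs) are constructed for the demonstration; point the functions at your own /etc/krb5.conf and realm.

```shell
#!/bin/sh
# Added example (not from the Red Hat solution): check whether libkrb5 on an
# IPA client can locate a KDC for a trusted AD realm from krb5.conf alone.
# AD.REALM, IPA.REALM and the host names below are constructed placeholders.

# Print the [libdefaults] value of key $2 from krb5.conf $1, lowercased, or
# "unset" when the key is absent (libkrb5 then applies its built-in default).
krb5_libdefault() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }                                    # comment
        /^[[:space:]]*\[/   { insec = ($0 ~ /\[libdefaults\]/); next }  # section header
        insec { sub(/=/, " = "); if ($1 == key) val = tolower($3) }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Count "kdc =" lines inside the [realms] stanza for realm $2 in krb5.conf $1.
krb5_realm_kdcs() {
    awk -v realm="$2" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { insec = ($0 ~ /\[realms\]/); inrealm = 0; next }
        !insec { next }
        { sub(/=/, " = ") }
        !inrealm && $1 == realm && $3 == "{" { inrealm = 1; next }
        inrealm && $1 == "}"                 { inrealm = 0; next }
        inrealm && $1 == "kdc"               { n++ }
        END { print n + 0 }
    ' "$1"
}

# libkrb5 boolean parsing: only these spellings are false; anything else,
# including an unset dns_lookup_kdc, behaves as true.
krb5_bool_false() {
    case "$1" in
        false|f|no|n|0|off|nil) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "ok" when a KDC for realm $2 can be found (DNS discovery on, or explicit
# kdc entries present) and "realm-unknown" otherwise, which is the condition
# behind "Cannot find KDC for realm ..." (KRB5_REALM_UNKNOWN).
check_ad_kdc_lookup() {
    conf=$1 realm=$2
    lookup=$(krb5_libdefault "$conf" dns_lookup_kdc)
    kdcs=$(krb5_realm_kdcs "$conf" "$realm")
    if krb5_bool_false "$lookup" && [ "$kdcs" -eq 0 ]; then
        echo realm-unknown
    else
        echo ok
    fi
}

# Constructed krb5.conf samples: "broken" resembles the output of
# ipa-client-install --server, "fixed" re-enables DNS discovery, "static"
# keeps discovery off but pins the AD KDCs in a [realms] stanza.
sample_conf() {
    case "$1" in
        broken) cat <<'EOF'
[libdefaults]
  default_realm = IPA.REALM
  dns_lookup_realm = false
  dns_lookup_kdc = false
[realms]
  IPA.REALM = {
    kdc = ipa1.ipa.realm:88
    master_kdc = ipa1.ipa.realm:88
  }
EOF
            ;;
        fixed) sample_conf broken | sed -e 's/dns_lookup_kdc = false/dns_lookup_kdc = true/' \
                                       -e 's/dns_lookup_realm = false/dns_lookup_realm = true/' ;;
        static) sample_conf broken; cat <<'EOF'
  AD.REALM = {
    kdc = dc1.ad.realm
    kdc = dc2.ad.realm
  }
EOF
            ;;
    esac
}

# Live checks against a real client (not run here): do the AD SRV records
# resolve, and which KDC does libkrb5 pick? "aduser" is a placeholder.
live_checks() {
    realm=$1
    dig +short SRV "_kerberos._tcp.$(printf '%s' "$realm" | tr 'A-Z' 'a-z')"
    KRB5_TRACE=/dev/stdout kinit -C "aduser@$realm"
}

run_demo() {
    dir=$(mktemp -d)
    for kind in broken fixed static; do
        sample_conf "$kind" > "$dir/krb5.conf.$kind"
        printf '%-7s %s\n' "$kind" "$(check_ad_kdc_lookup "$dir/krb5.conf.$kind" AD.REALM)"
    done
    rm -rf "$dir"
}
run_demo
# Expected output:
# broken  realm-unknown
# fixed   ok
# static  ok
```

Run it as `sh check-ad-kdc.sh` to see the three samples, or call `check_ad_kdc_lookup /etc/krb5.conf AD.REALM` against the real file. The check is deliberately static: if it already prints realm-unknown, no amount of DNS debugging will help until dns_lookup_kdc is turned back on or the AD KDCs are added; if it prints ok and kinit still fails, move on to the SRV lookup and KRB5_TRACE run in live_checks.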

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.