[Freeipa-users] Forest trust and AD child domain

Manuel Lopes manuel.lopes72 at gmail.com
Wed Dec 17 08:51:26 UTC 2014


Thanks Sumit

This is indeed a bug. We encounter this issue when we try to add the group
"Domain Users" or "Domain Admins", but it works fine with a group that we
created ourselves as a users group, and only on the acme.windows.com child
domain, not on the windows.com domain.

Regards

2014-12-15 21:35 GMT+01:00 Manuel Lopes <manuel.lopes72 at gmail.com>:
>
> Hi,
>
> Attached, the good log.
>
> We are running sssd-1.11.2-68.el7_0.6 on RHEL 7.
> ipa-server-3.3.3-28.el7_0.3
>
> Regards
>
> 2014-12-15 18:34 GMT+01:00 Sumit Bose <sbose at redhat.com>:
>>
>> On Mon, Dec 15, 2014 at 05:38:05PM +0100, Manuel Lopes wrote:
>> > Attached the sssd_linux.com.log file
>> >
>> > Regards
>>
>> Thank you, there is no request logged in the logs, did you run ipa
>> group-add-member after restarting SSSD? Nevertheless I think I know what
>> is happening, you hit an issue which should be fixed in SSSD 1.12.2,
>> which version of SSSD are you running on which platform?
>>
>> bye,
>> Sumit
>>
>> >
>> > 2014-12-15 17:03 GMT+01:00 Sumit Bose <sbose at redhat.com>:
>> > >
>> > > On Mon, Dec 15, 2014 at 04:39:29PM +0100, Manuel Lopes wrote:
>> > > > The file sssd_linux.com.log is empty.
>> > >
>> > > please add
>> > >
>> > > debug_level = 10
>> > >
>> > > to the [domain/...] section in sssd.conf to enable logging for this
>> part
>> > > of SSSD.
>> > >
>> > > bye,
>> > > Sumit
>> > > >
>> > > >
>> > > >
>> > > > 2014-12-15 15:42 GMT+01:00 Sumit Bose <sbose at redhat.com>:
>> > > > >
>> > > > > On Sat, Dec 13, 2014 at 02:13:30PM +0100, Manuel Lopes wrote:
>> > > > > > Hi,
>> > > > > >
>> > > > > > As explained in the previous email, the getent is successful.
>> > > > > >
>> > > > > >
>> > > > > > [root at support1 ~]# getent group 'ACME\Domain Users'
>> > > > > > domain users at acme.windows.com:*:365600513:administrator at acme.windows.com
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > > In fact, our real problem is not the “wbinfo –n” but the
>> following
>> > > > > command:
>> > > > > >
>> > > > > > [root at support1 sssd]# ipa group-add-member ad_users_external --external "ACME\Domain Users"
>> > > > > > [member user]:
>> > > > > > [member group]:
>> > > > > >   Group name: ad_users_external
>> > > > > >   Description: AD users external map
>> > > > > >   External member:
>> > > > > >   Member of groups: ad_users
>> > > > > >   Failed members:
>> > > > > >     member user:
>> > > > > >     member group: ACME\Domain Users: Cannot find specified domain or server name
>> > > > > > -------------------------
>> > > > > > Number of members added 0
>> > > > > > -------------------------
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > > We cannot add ACME’s domain users in the ad_users_external.
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > > I attached the sssd logs.
>> > > > >
>> > > > > Can you send the corresponding domain log file as well, it should
>> be
>> > > > > called sssd_linux.com.log or similar.
>> > > > >
>> > > > > bye,
>> > > > > Sumit
>> > > > >
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > > Regards
>> > > > > >
>> > > > > > 2014-12-12 21:51 GMT+01:00 Manuel Lopes <
>> manuel.lopes72 at gmail.com>:
>> > > > > > >
>> > > > > > > OK.
>> > > > > > >
>> > > > > > > Command successful
>> > > > > > > [root at support1 ~]# getent group  'ACME\Domain Users'
>> > > > > > > domain users at acme.windows.com:*:
>> > > > > 365600513:administrator at acme.windows.com
>> > > > > > >
>> > > > > > > Log files attached
>> > > > > > >
>> > > > > > > Thanks
>> > > > > > >
>> > > > > > > 2014-12-12 21:32 GMT+01:00 Sumit Bose <sbose at redhat.com>:
>> > > > > > >>
>> > > > > > >> On Fri, Dec 12, 2014 at 08:41:27PM +0100, Manuel Lopes wrote:
>> > > > > > >> > [root at support1 ~]# ipa idrange-find
>> > > > > > >> > ----------------
>> > > > > > >> > 3 ranges matched
>> > > > > > >> > ----------------
>> > > > > > >> > Range name: LINUX.COM_id_range
>> > > > > > >> > First Posix ID of the range: 1066000000
>> > > > > > >> > Number of IDs in the range: 200000
>> > > > > > >> > First RID of the corresponding RID range: 1000
>> > > > > > >> > First RID of the secondary RID range: 100000000
>> > > > > > >> > Range type: local domain range
>> > > > > > >> >
>> > > > > > >> > Range name: WINDOWS.COM_id_range
>> > > > > > >> > First Posix ID of the range: 730200000
>> > > > > > >> > Number of IDs in the range: 200000
>> > > > > > >> > First RID of the corresponding RID range: 0
>> > > > > > >> > Domain SID of the trusted domain:
>> > > > > > >> S-1-5-21-1701591335-3855227394-3044674468
>> > > > > > >> > Range type: Active Directory domain range
>> > > > > > >> >
>> > > > > > >> > Range name: ACME.WINDOWS.COM_id_range
>> > > > > > >> > First Posix ID of the range: 365600000
>> > > > > > >> > Number of IDs in the range: 200000
>> > > > > > >> > First RID of the corresponding RID range: 0
>> > > > > > >> > Domain SID of the trusted domain:
>> > > > > > >> S-1-5-21-1215373191-1991333051-3772904882
>> > > > > > >> > Range type: Active Directory domain range
>> > > > > > >> > ----------------------------
>> > > > > > >> > Number of entries returned 3
>> > > > > > >> > ----------------------------
>> > > > > > >> >
>> > > > > > >> >
>> > > > > > >> > As we can see in the output of the command, the range type is "ad POSIX
>> > > > > > >> > attributes".
>> > > > > > >>
>> > > > > > >> no, it's only 'Active Directory domain range', this is good
>> > > because
>> > > > > with
>> > > > > > >> this type we generate the UIDs and GIDs algorithmically.
>> > > > > > >>
>> > > > > > >> > In our case, the gidNumber is not set in the "ACME\Domain Users" AD group,
>> > > > > > >> > nor in the "WINDOWS\Domain Users".
>> > > > > > >> > With a gidNumber attribute value, the 'wbinfo -n "ACME\Domain Users"'
>> > > > > > >> > command still fails.
>> > > > > > >>
>> > > > > > >> no need to set the ID attributes in AD. But I should have mentioned
>> > > > > > >> that wbinfo is quite useless nowadays with FreeIPA because winbind is
>> > > > > > >> only used to assure some types of communication with AD. All user and
>> > > > > > >> group lookups and ID-mapping is done by SSSD. Please try
>> > > > > > >>
>> > > > > > >> getent group 'ACME\Domain Users'
>> > > > > > >>
>> > > > > > >>
>> > > > > > >> and send the sssd_nss.log and sssd_example.com.log files.
>> > > > > > >>
>> > > > > > >> bye,
>> > > > > > >> Sumit
>> > > > > > >>
>> > > > > > >> >
>> > > > > > >> > Thanks
>> > > > > > >> >
>> > > > > > >> > 2014-12-12 19:51 GMT+01:00 Manuel Lopes <
>> > > manuel.lopes72 at gmail.com>:
>> > > > > > >> > >
>> > > > > > >> > > [root at support1 ~]# ipa idrange-find
>> > > > > > >> > > ----------------
>> > > > > > >> > > 3 ranges matched
>> > > > > > >> > > ----------------
>> > > > > > >> > >   Range name: LINUX.COM_id_range
>> > > > > > >> > >   First Posix ID of the range: 1066000000
>> > > > > > >> > >   Number of IDs in the range: 200000
>> > > > > > >> > >   First RID of the corresponding RID range: 1000
>> > > > > > >> > >   First RID of the secondary RID range: 100000000
>> > > > > > >> > >   Range type: local domain range
>> > > > > > >> > >
>> > > > > > >> > >   Range name: WINDOWS.COM_id_range
>> > > > > > >> > >   First Posix ID of the range: 730200000
>> > > > > > >> > >   Number of IDs in the range: 200000
>> > > > > > >> > >   First RID of the corresponding RID range: 0
>> > > > > > >> > >   Domain SID of the trusted domain:
>> > > > > > >> > > S-1-5-21-1701591335-3855227394-3044674468
>> > > > > > >> > >   Range type: Active Directory domain range
>> > > > > > >> > >
>> > > > > > >> > >   Range name: ACME.WINDOWS.COM_id_range
>> > > > > > >> > >   First Posix ID of the range: 365600000
>> > > > > > >> > >   Number of IDs in the range: 200000
>> > > > > > >> > >   First RID of the corresponding RID range: 0
>> > > > > > >> > >   Domain SID of the trusted domain:
>> > > > > > >> > > S-1-5-21-1215373191-1991333051-3772904882
>> > > > > > >> > >   Range type: Active Directory domain range
>> > > > > > >> > > ----------------------------
>> > > > > > >> > > Number of entries returned 3
>> > > > > > >> > > ----------------------------
>> > > > > > >> > >
>> > > > > > >> > >
>> > > > > > >> > > As we can see in the output of the command, the range type is "ad POSIX
>> > > > > > >> > > attributes".
>> > > > > > >> > > In our case, the gidNumber is not set in the "ACME\Domain
>> > > Users"
>> > > > > AD
>> > > > > > >> group,
>> > > > > > >> > > nor in the " WINDOWS\Domain Users".
>> > > > > > >> > > With a gidNumber attribute value, the 'wbinfo -n "ACME\Domain Users"'
>> > > > > > >> > > command still fails.
>> > > > > > >> > >
>> > > > > > >> > > Thanks
>> > > > > > >> > >
>> > > > > > >> > >
>> > > > > > >> > > 2014-12-12 10:33 GMT+01:00 Sumit Bose <sbose at redhat.com
>> >:
>> > > > > > >> > >>
>> > > > > > >> > >> On Fri, Dec 12, 2014 at 02:06:05AM +0100, Manuel Lopes
>> wrote:
>> > > > > > >> > >> > Hi Sumit,
>> > > > > > >> > >> >
>> > > > > > >> > >> > Thank you very much for the prompt reply
>> > > > > > >> > >> >
>> > > > > > >> > >> > [root at support1 ~]# ipa trustdomain-find windows.com
>> > > > > > >> > >> >   Domain name: windows.com
>> > > > > > >> > >> >   Domain NetBIOS name: WINDOWS
>> > > > > > >> > >> >   Domain Security Identifier:
>> > > > > > >> S-1-5-21-1701591335-3855227394-3044674468
>> > > > > > >> > >> >   Domain enabled: True
>> > > > > > >> > >> >
>> > > > > > >> > >> >   Domain name: acme.windows.com
>> > > > > > >> > >> >   Domain NetBIOS name: ACME
>> > > > > > >> > >> >   Domain Security Identifier:
>> > > > > > >> S-1-5-21-1215373191-1991333051-3772904882
>> > > > > > >> > >> >   Domain enabled: True
>> > > > > > >> > >> > ----------------------------
>> > > > > > >> > >> > Number of entries returned 2
>> > > > > > >> > >> > ----------------------------
>> > > > > > >> > >>
>> > > > > > >> > >> ok, so ACME was discovered successful, can you check
>> next the
>> > > > > output
>> > > > > > >> of
>> > > > > > >> > >>
>> > > > > > >> > >> ipa idrange-find
>> > > > > > >> > >>
>> > > > > > >> > >> The important attribute is the 'Range type' for the AD
>> > > domains.
>> > > > > If
>> > > > > > >> it is
>> > > > > > >> > >> 'Active Directory trust range with POSIX attributes' it
>> is
>> > > > > expected
>> > > > > > >> that
>> > > > > > >> > >> users and groups in the AD forest have the POSIX UID
>> and GID
>> > > > > > >> attributes
>> > > > > > >> > >> set and only those users and groups will be available
>> in the
>> > > IPA
>> > > > > > >> domain.
>> > > > > > >> > >> In this case please check if 'ACME\Domain Users' have
>> the GID
>> > > > > > >> attribute
>> > > > > > >> > >> set.
>> > > > > > >> > >>
>> > > > > > >> > >> If this does not help (please mind the negative cache of
>> > > SSSD)
>> > > > > please
>> > > > > > >> > >> send the SSSD logs in /var/log/sssd on the IPA server.
>> You
>> > > might
>> > > > > > >> need to
>> > > > > > >> > >> enable logging in sssd.conf by setting 'debug_level =
>> 10' in
>> > > the
>> > > > > > >> > >> [domain/..] and [nss] section of sssd.conf.
>> > > > > > >> > >>
>> > > > > > >> > >> bye,
>> > > > > > >> > >> Sumit
>> > > > > > >> > >>
>> > > > > > >> > >> >
>> > > > > > >> > >> > [root at support1 ~]# ipa trust-fetch-domains
>> windows.com
>> > > > > > >> > >> > -------------------------------
>> > > > > > >> > >> > No new trust domains were found
>> > > > > > >> > >> > -------------------------------
>> > > > > > >> > >> > ----------------------------
>> > > > > > >> > >> > Number of entries returned 0
>> > > > > > >> > >> > ----------------------------
>> > > > > > >> > >> >
>> > > > > > >> > >> > Regards
>> > > > > > >> > >> > On 11 Dec 2014 20:08, "Sumit Bose" <sbose at redhat.com> wrote:
>> > > > > > >> > >> >
>> > > > > > >> > >> > > On Thu, Dec 11, 2014 at 06:45:49PM +0100, Manuel
>> Lopes
>> > > wrote:
>> > > > > > >> > >> > > >  Hello,
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > > We have been following the AD integration guide
>> for
>> > > IPAv3:
>> > > > > > >> > >> > > >
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > > Our setup is:
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > > • 2 domain controllers with Windows 2008 R2 AD DC -> windows.com
>> > > > > > >> > >> > > > as Forest Root Domain and acme.windows.com as transitive child domain
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > > • RHEL7 as IPA server with domain: linux.com
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > > We have established a forest trust between
>> windows.com
>> > > and
>> > > > > > >> > >> linux.com and
>> > > > > > >> > >> > > > everything seems OK from an IPA perspective.
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > > We can work with Kerberos tickets without any
>> issue
>> > > from
>> > > > > > >> “windows”
>> > > > > > >> > >> domain
>> > > > > > >> > >> > > > or his child domain “acme”. (kinit, kvno…)
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > > When we use samba tools, the following command is
>> > > working
>> > > > > fine.
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > > [root at support1 ]# wbinfo -n 'WINDOWS\Domain Admins'
>> > > > > > >> > >> > > > S-1-5-21-1701591335-3855227394-3044674468-512 SID_DOM_GROUP (2)
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > > But, the same command against the acme domain
>> returns
>> > > an
>> > > > > error.
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > > [root at support1 ]# wbinfo -n 'ACME\Domain Admins'
>> > > > > > >> > >> > > > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>> > > > > > >> > >> > > > Could not lookup name ACME\Domain Admins
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > > Same problem with the following command:
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > > [root at support1]# ipa group-add-member ad_users_external --external "ACME\Domain Users"
>> > > > > > >> > >> > > > [member user]:
>> > > > > > >> > >> > > > [member group]:
>> > > > > > >> > >> > > >   Group name: ad_users_external
>> > > > > > >> > >> > > >   Description: AD users external map
>> > > > > > >> > >> > > >   External member:
>> > > > > > >> > >> > > >   Member of groups: ad_users
>> > > > > > >> > >> > > >   Failed members:
>> > > > > > >> > >> > > >     member user:
>> > > > > > >> > >> > > >     member group: ACME\Domain Users: Cannot find specified domain or server name
>> > > > > > >> > >> > > > -------------------------
>> > > > > > >> > >> > > > Number of members added 0
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > > Any help would be appreciated
>> > > > > > >> > >> > >
>> > > > > > >> > >> > > Does
>> > > > > > >> > >> > >
>> > > > > > >> > >> > > ipa trustdomain-find windows.com
>> > > > > > >> > >> > >
>> > > > > > >> > >> > > show acme.windows.com as well ?
>> > > > > > >> > >> > >
>> > > > > > >> > >> > > Does
>> > > > > > >> > >> > >
>> > > > > > >> > >> > > ipa trust-fetch-domains ad.devel
>> > > > > > >> > >> > >
>> > > > > > >> > >> > > help to retrieve the child domain?
>> > > > > > >> > >> > >
>> > > > > > >> > >> > > Please note that if acme.windows.com now shows up
>> you
>> > > might
>> > > > > > >> have to
>> > > > > > >> > >> wait
>> > > > > > >> > >> > > 1-2 minutes until SSSD's negative caches are
>> flushed and
>> > > the
>> > > > > new
>> > > > > > >> > >> domains
>> > > > > > >> > >> > > is discovered by SSSD, as an alternative you can
>> just
>> > > restart
>> > > > > > >> SSSD.
>> > > > > > >> > >> > >
>> > > > > > >> > >> > > HTH
>> > > > > > >> > >> > >
>> > > > > > >> > >> > > bye,
>> > > > > > >> > >> > > Sumit
>> > > > > > >> > >> > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > >
>> > > > > > >> > >> > > > Regards
>> > > > > > >> > >> > >
>> > > > > > >> > >> > > > --
>> > > > > > >> > >> > > > Manage your subscription for the Freeipa-users
>> mailing
>> > > > > list:
>> > > > > > >> > >> > > >
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> > > > > > >> > >> > > > Go To http://freeipa.org for more info on the
>> project
>> > > > > > >> > >> > >
>> > > > > > >> > >
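Added example (not code from this thread, nor from FreeIPA or SSSD): the point Sumit makes above is that for a range of type 'Active Directory domain range' no POSIX attributes are needed in AD because the UIDs/GIDs are derived from the SID. The script below parses the `ipa idrange-find` output quoted in the thread (embedded here as constructed input), maps a SID to the POSIX ID its range yields, and checks that no two ranges overlap. It assumes the straightforward mapping POSIX ID = "First Posix ID of the range" + (RID - "First RID of the corresponding RID range"); that assumption is consistent with the GID 365600513 that the quoted getent output shows for ACME\Domain Users (well-known RID 513), but SSSD's idmap code, not this script, is the authority. The LookupError path is what a trusted child domain without an ID range looks like from the mapping side; the remaining failure in the thread (built-in groups such as Domain Users failing in the child domain while a self-created group works) is the SSSD issue Sumit refers to and is not modelled here.

```python
"""Map AD SIDs to the POSIX IDs an 'Active Directory domain range' yields.

Added example, not code from the thread or from FreeIPA/SSSD. It assumes
    posix_id = first_posix_id + (rid - first_rid)
for ranges of type 'Active Directory domain range'; SSSD's idmap code is
the authority for the real mapping.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the `ipa idrange-find` output pasted in the thread.
IDRANGE_FIND_OUTPUT = """\
----------------
3 ranges matched
----------------
  Range name: LINUX.COM_id_range
  First Posix ID of the range: 1066000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: WINDOWS.COM_id_range
  First Posix ID of the range: 730200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1701591335-3855227394-3044674468
  Range type: Active Directory domain range

  Range name: ACME.WINDOWS.COM_id_range
  First Posix ID of the range: 365600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1215373191-1991333051-3772904882
  Range type: Active Directory domain range
----------------------------
Number of entries returned 3
----------------------------
"""

# Well-known RIDs fixed by Active Directory, not by this particular setup.
RID_DOMAIN_ADMINS = 512
RID_DOMAIN_USERS = 513

_SID_WITH_RID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


@dataclass
class IdRange:
    name: str
    base_id: int                    # "First Posix ID of the range"
    size: int                       # "Number of IDs in the range"
    base_rid: int                   # "First RID of the corresponding RID range"
    range_type: str
    dom_sid: Optional[str] = None   # only present for trusted-domain ranges

    @property
    def max_id(self) -> int:
        return self.base_id + self.size - 1


def parse_idrange_find(text: str) -> List[IdRange]:
    """Parse `ipa idrange-find` output; ranges are blank-line separated blocks."""
    ranges = []
    for block in re.split(r"\n\s*\n", text):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Range name" not in fields:
            continue  # separator and "N ranges matched" lines carry no fields
        ranges.append(IdRange(
            name=fields["Range name"],
            base_id=int(fields["First Posix ID of the range"]),
            size=int(fields["Number of IDs in the range"]),
            base_rid=int(fields["First RID of the corresponding RID range"]),
            range_type=fields["Range type"],
            dom_sid=fields.get("Domain SID of the trusted domain"),
        ))
    return ranges


def sid_to_posix_id(sid: str, ranges: List[IdRange]) -> int:
    """Return the POSIX ID for a SID, or raise LookupError if no range covers it.

    The LookupError case is what a trusted (child) domain without an ID
    range looks like: its SIDs cannot be turned into UIDs/GIDs at all.
    """
    m = _SID_WITH_RID.match(sid)
    if not m:
        raise ValueError(f"not a domain SID with a RID: {sid}")
    dom_sid, rid = m.group(1), int(m.group(2))
    for r in ranges:
        if r.dom_sid != dom_sid:
            continue
        offset = rid - r.base_rid
        if 0 <= offset < r.size:
            return r.base_id + offset
        raise LookupError(f"RID {rid} falls outside range {r.name}")
    raise LookupError(f"no ID range for domain SID {dom_sid}")


def overlapping_ranges(ranges: List[IdRange]) -> List[Tuple[str, str]]:
    """Pairs of ranges whose POSIX ID intervals overlap; must be empty, since
    an overlap would let identities from two domains collide on one UID/GID."""
    ordered = sorted(ranges, key=lambda r: r.base_id)
    return [(a.name, b.name) for a, b in zip(ordered, ordered[1:])
            if b.base_id <= a.max_id]


if __name__ == "__main__":
    rs = parse_idrange_find(IDRANGE_FIND_OUTPUT)
    acme = "S-1-5-21-1215373191-1991333051-3772904882"
    print(sid_to_posix_id(f"{acme}-{RID_DOMAIN_USERS}", rs))  # 365600513
    print(overlapping_ranges(rs))                              # []
```

Run it against your own `ipa idrange-find` output after `ipa trust-fetch-domains`: a SID whose domain part matches none of the ranges raises LookupError, which is the state to look for when a child domain's groups cannot be resolved, and any pair returned by overlapping_ranges needs fixing before the trust is used for access control.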