[Freeipa-users] Issues creating trust with AD.
Genadi Postrilko
genadipost at gmail.com
Mon Feb 17 23:11:38 UTC 2014
Thank you for the help!
I have performed a downgrade:
yum downgrade samba4*
[root@ipaserver1 ~]# rpm -qa | grep samb
samba4-python-4.0.0-58.el6.rc4.x86_64
samba4-winbind-4.0.0-58.el6.rc4.x86_64
samba4-common-4.0.0-58.el6.rc4.x86_64
samba4-winbind-clients-4.0.0-58.el6.rc4.x86_64
samba4-libs-4.0.0-58.el6.rc4.x86_64
samba4-client-4.0.0-58.el6.rc4.x86_64
samba4-4.0.0-58.el6.rc4.x86_64
And it worked!
I am now able to log in via "ssh" and "su" on the IPA server with AD users:
[root@ipaserver1 ~]# su Genadi@ADEXAMPLE.COM
sh-4.1$
wbinfo and getent return values:
[root@ipaserver1 ~]# wbinfo -u
ADEXAMPLE\administrator
ADEXAMPLE\guest
ADEXAMPLE\genadi
ADEXAMPLE\krbtgt
ADEXAMPLE\linux$
ADEXAMPLE\daniel
[root@ipaserver1 ~]# wbinfo -g
admins
editors
default smb group
ad_users
ADEXAMPLE\domain computers
ADEXAMPLE\domain controllers
ADEXAMPLE\schema admins
ADEXAMPLE\enterprise admins
ADEXAMPLE\domain admins
ADEXAMPLE\domain users
ADEXAMPLE\domain guests
ADEXAMPLE\group policy creator owners
ADEXAMPLE\read-only domain controllers
ADEXAMPLE\enterprise read-only domain controllers
ADEXAMPLE\dnsupdateproxy
[root@ipaserver1 ~]# getent passwd Genadi@ADEXAMPLE.COM
genadi@adexample.com:*:699001000:699001000::/home/adexample.com/genadi:
After this success, I tried to log in on the client machine (using an AD user), but it did not work:
[root@ipaclient1 ~]# su Genadi@ADEXAMPLE.COM
su: user Genadi@ADEXAMPLE.COM does not exist
Also, wbinfo and getent do not return values:
[root@ipaclient1 ~]# wbinfo -u
[root@ipaclient1 ~]# wbinfo -g
[root@ipaclient1 ~]# getent passwd Genadi@ADEXAMPLE.COM
Therefore I performed a downgrade:
yum downgrade samba4*
[root@ipaclient1 ~]# rpm -qa | grep samb
samba-winbind-clients-3.6.9-167.el6_5.x86_64
samba-common-3.6.9-167.el6_5.x86_64
samba-winbind-3.6.9-167.el6_5.x86_64
samba4-libs-4.0.0-58.el6.rc4.x86_64
After the downgrade the login attempt still failed:
[root@ipaclient1 ~]# su Genadi@ADEXAMPLE.COM
su: user Genadi@ADEXAMPLE.COM does not exist
I wonder if the fact that ipa-winbind-client is 3.6.9 is the cause.
Also, here are the client configuration files:
sssd
[root@ipaclient1 ~]# cat /etc/sssd/sssd.conf
[domain/linux.adexample.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.adexample.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaclient1.linux.adexample.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipaserver1.linux.adexample.com
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa
[sssd]
services = nss, pam, ssh, pac
config_file_version = 2
domains = linux.adexample.com
[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
krb5
[root@ipaclient1 ~]# cat /etc/krb5.conf
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = LINUX.ADEXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
LINUX.ADEXAMPLE.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
auth_to_local = RULE:[1:$1@$0](^.*@ADEXAMPLE.COM$)s/@ADEXAMPLE.COM/@adexample.com/
auth_to_local = DEFAULT
}
[domain_realm]
.linux.adexample.com = LINUX.ADEXAMPLE.COM
linux.adexample.com = LINUX.ADEXAMPLE.COM
And again, thank you. I was stuck on it for a long time.
2014-02-17 10:34 GMT+02:00 Sumit Bose <sbose at redhat.com>:
> On Sat, Feb 15, 2014 at 12:14:58AM +0200, Genadi Postrilko wrote:
> > I have seen threads that were opened on trust issues:
> > "AD - Freeipa trust confusion"
> > "Cross domain trust"
> > "Cannot loging via SSH with AD user TO IPA Domain" - which I opened.
> >
> > It looks like after creation of trust, TGT ticket can be issued from AD,
> > but "su" and "ssh" do not allow a log in with AD user.
> > I'm not sure if a conclusion has been reached on this subject.
> >
> > I gave it a try again and attempted to create a trust with IPA as a DNS
> > subdomain of AD.
> > I followed :
> >
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html
> >
> > AD domain: ADEXAMPLE.COM
> > IPA subdomain: LINUX.ADEXAMPLE.COM
> >
> > When I finished the necessary steps I attempted to retrieve a TGT from AD
> > (while logged in to the IPA server):
> >
> > [root@ipaserver1 sbin]# kinit Administrator@ADEXAMPLE.COM
> > Password for Administrator@ADEXAMPLE.COM:
> > [root@ipaserver1 sbin]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: Administrator@ADEXAMPLE.COM
> >
> > Valid starting Expires Service principal
> > 02/14/14 07:50:21 02/14/14 17:50:20 krbtgt/ADEXAMPLE.COM@ADEXAMPLE.COM
> > renew until 02/15/14 07:50:21
> >
> > But logging in by "ssh" and "su" ended in failure:
> >
> > login as: Administrator@ADEXAMPLE.COM
> > Administrator@ADDC.COM@192.168.227.201's password:
> > Access denied
> >
> > After reading
> >
> http://www.freeipa.org/page/IPAv3_testing_AD_trust#Create_a_trust_to_an_AD_domain
> > I did the following on the AD server:
> >
> > Administrative Tools -> Active Directory Domains and Trust ->
> > adexample.com(right click) -> Properties -> Trust -> Domain Trusted by
> > this domain
> > (outgoing trust) -> Properties -> General -> Validate
> >
> > After doing this I was able to log in via "ssh" and "su" with the
> > "Administrator" user:
> >
> > login as: Administrator@ADEXAMPLE.COM
> > Administrator@ADEXAMPLE.COM@192.168.227.201's password:
> > Last login: Wed Feb 12 14:39:49 2014 from 192.168.227.1
> > Could not chdir to home directory /home/adexample.com/administrator: No
> > such file or directory
> > /usr/bin/xauth: error in locking authority file /home/
> > adexample.com/administrator/.Xauthority
> > -sh-4.1$
> >
> > But still not able to log in with other AD accounts:
> >
> > [root@ipaserver1 sbin]# su Genadi@ADEXAMPLE.COM
> > su: user Genadi@ADEXAMPLE.COM does not exist
> >
> > After reading the other threads, I'll try and provide as much information
> > as I can:
> >
> > wbinfo -u does not return values.
> > [root@ipaserver1 sbin]# wbinfo -u
> > [root@ipaserver1 sbin]#
> >
> > wbinfo -g output:
> > [root@ipaserver1 sbin]# wbinfo -g
> > admins
> > editors
> > default smb group
> > ad_users
> >
> > wbinfo --online-status shows ADEXAMPLE is offline
> > [root@ipaserver1 ~]# wbinfo --online-status
> > BUILTIN : online
> > LINUX : online
> > ADEXAMPLE : offline
> >
> > getent for Administrator does return a value.
> > [root@ipaserver1 sbin]# getent passwd Administrator@ADEXAMPLE.COM
> > administrator@adexample.com:*:699000500:699000500::/home/adexample.com/administrator:
> >
> > getent for other AD users does not return a value.
> > [root@ipaserver1 sbin]# getent passwd Genadi@ADEXAMPLE.COM
> > [root@ipaserver1 sbin]#
> >
> >
> > System info/configurations:
> >
> > [root@ipaserver1 ~]# cat /etc/redhat-release
> > Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
> >
> > [root@ipaserver1 sbin]# rpm -qa | grep ipa
> > ipa-python-3.0.0-37.el6.x86_64
> > ipa-client-3.0.0-37.el6.x86_64
> > libipa_hbac-python-1.9.2-129.el6.x86_64
> > ipa-pki-common-theme-9.0.3-7.el6.noarch
> > ipa-server-trust-ad-3.0.0-37.el6.x86_64
> > libipa_hbac-1.9.2-129.el6.x86_64
> > ipa-admintools-3.0.0-37.el6.x86_64
> > ipa-server-selinux-3.0.0-37.el6.x86_64
> > ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > ipa-server-3.0.0-37.el6.x86_64
> > python-iniparse-0.3.1-2.1.el6.noarch
> >
> > [root@ipaserver1 ~]# rpm -qa | grep sssd
> > sssd-1.9.2-129.el6.x86_64
> > sssd-client-1.9.2-129.el6.x86_64
> >
> > [root@ipaserver1 sbin]# rpm -qa | grep samb
> > samba4-common-4.0.0-60.el6_5.rc4.x86_64
> > samba4-winbind-clients-4.0.0-60.el6_5.rc4.x86_64
> > samba4-libs-4.0.0-60.el6_5.rc4.x86_64
> > samba4-python-4.0.0-60.el6_5.rc4.x86_64
> > samba4-4.0.0-60.el6_5.rc4.x86_64
> > samba4-client-4.0.0-60.el6_5.rc4.x86_64
> > samba4-winbind-4.0.0-60.el6_5.rc4.x86_64
>
> Thank you very much for the detailed report. Looks like you are hit by
> the 'NT_STATUS_INVALID_PARAMETER_MIX' issue (see log.wb-ADEXAMPLE). We
> are currently investigating this issue.
>
> If you would like to help it would be nice if you can try to downgrade
> the samba4 packages to the -58 release and see if this works any better
> for you.
>
> Currently I'll try to reproduce this issue locally and will give you an
> update as soon as I find anything which might help to get around this
> issue.
>
> bye,
> Sumit
>
> >
> > SSSD
> >
> > [root@ipaserver1 ~]# cat /etc/sssd/sssd.conf
> > [domain/linux.adexample.com]
> >
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = linux.adexample.com
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ipa_hostname = ipaserver1.linux.adexample.com
> > chpass_provider = ipa
> > ipa_server = ipaserver1.linux.adexample.com
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > subdomains_provider = ipa
> > debug_level = 6
> > [sssd]
> > services = nss, pam, ssh, pac
> > config_file_version = 2
> >
> > domains = linux.adexample.com
> > debug_level = 6
> > [nss]
> > debug_level = 6
> > [pam]
> > debug_level = 6
> > [sudo]
> > debug_level = 6
> > [autofs]
> > debug_level = 6
> > [ssh]
> > debug_level = 6
> > [pac]
> > debug_level = 6
> >
> > KRB5
> >
> > [root@ipaserver1 ~]# cat /etc/krb5.conf
> > includedir /var/lib/sss/pubconf/krb5.include.d/
> >
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> > default_realm = LINUX.ADEXAMPLE.COM
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> > rdns = false
> > ticket_lifetime = 24h
> > forwardable = yes
> >
> > [realms]
> > LINUX.ADEXAMPLE.COM = {
> > kdc = ipaserver1.linux.adexample.com:88
> > master_kdc = ipaserver1.linux.adexample.com:88
> > admin_server = ipaserver1.linux.adexample.com:749
> > default_domain = linux.adexample.com
> > pkinit_anchors = FILE:/etc/ipa/ca.crt
> > auth_to_local = RULE:[1:$1@$0](^.*@ADEXAMPLE.COM$)s/@ADEXAMPLE.COM/@adexample.com/
> > auth_to_local = DEFAULT
> > }
> >
> > [domain_realm]
> > .linux.adexample.com = LINUX.ADEXAMPLE.COM
> > linux.adexample.com = LINUX.ADEXAMPLE.COM
> >
> > [dbmodules]
> > LINUX.ADEXAMPLE.COM = {
> > db_library = ipadb.so
> > }
> >
> > I have increased the debug level of the IPA components.
> > Here are the logs (krb5_child.log, ldap_child.log, log.smbd,
> > log.wb-ADEXAMPLE, log.wb-LINUX, log.winbindd, log.winbindd-dc-connect,
> > log.winbindd-idmap, sssd.log, sssd_linux.adexample.com.log, sssd_nss.log,
> > sssd_pac.log, sssd_pam.log, sssd_ssh.log, /var/log/secure):
> > https://gist.github.com/anonymous/9006532
> >
> > Any insights on why only Administrator is recognized by the trust? And
> > why was the extra step on AD needed?
>
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
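As an added illustration (not code from this thread, from FreeIPA, or from MIT Kerberos), the following Python evaluates the two auth_to_local rules from the krb5.conf posted above, approximating how libkrb5 applies them, so that you can see which local name an AD principal such as Genadi@ADEXAMPLE.COM is mapped to before NSS is ever consulted. It handles only the subset of the RULE syntax the posted config uses (one sed-style substitution, optional "g"), treats the selector as a Python regular expression rather than a POSIX one, and implements DEFAULT as MIT documents it: single-component principals in the default realm only. The realm, rules and sample principals are taken from the thread; everything else is an assumption of the example.

```python
import re

# Constructed inputs: the default realm and the two auth_to_local rules from
# the /etc/krb5.conf posted in the thread (the RULE line was wrapped by the
# mail client; it is joined back into one string here).
DEFAULT_REALM = "LINUX.ADEXAMPLE.COM"
AUTH_TO_LOCAL = [
    "RULE:[1:$1@$0](^.*@ADEXAMPLE.COM$)s/@ADEXAMPLE.COM/@adexample.com/",
    "DEFAULT",
]

# RULE:[n:format](selector)s/pattern/replacement/[g]
# Only a single substitution is parsed, which is all the posted config uses.
_RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<sel>.*?)\))?"
    r"(?:s/(?P<pat>(?:\\/|[^/])*)/(?P<rep>(?:\\/|[^/])*)/(?P<g>g)?)?$"
)


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    if "@" not in principal:
        raise ValueError("principal has no realm: %r" % principal)
    name, realm = principal.rsplit("@", 1)
    if not name or not realm:
        raise ValueError("malformed principal: %r" % principal)
    return name.split("/"), realm


def _format(fmt, realm, components):
    """Expand $0 (realm) and $1..$n (components) in the rule's format string."""
    out = fmt.replace("$0", realm)
    # Highest index first so "$1" is not substituted inside "$10".
    for i in range(len(components), 0, -1):
        out = out.replace("$%d" % i, components[i - 1])
    return out


def map_principal(principal, rules=AUTH_TO_LOCAL, default_realm=DEFAULT_REALM):
    """Return the local name for principal, or None if no rule applies."""
    components, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps single-component principals in the default realm.
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        m = _RULE_RE.match(rule)
        if m is None:
            raise ValueError("unparseable auth_to_local rule: %r" % rule)
        if int(m.group("n")) != len(components):
            continue  # rule is for principals with a different component count
        candidate = _format(m.group("fmt"), realm, components)
        sel = m.group("sel")
        if sel is not None and re.search(sel, candidate) is None:
            continue  # selector regex did not match; try the next rule
        pat = m.group("pat")
        if pat is not None:
            count = 0 if m.group("g") else 1
            candidate = re.sub(pat, m.group("rep"), candidate, count=count)
        return candidate
    return None


if __name__ == "__main__":
    for p in ("Genadi@ADEXAMPLE.COM",
              "admin@LINUX.ADEXAMPLE.COM",
              "host/ipaclient1.linux.adexample.com@LINUX.ADEXAMPLE.COM",
              "Genadi@OTHER.COM"):
        print("%-58s -> %r" % (p, map_principal(p)))
```

Note what the posted rule does and does not do: it rewrites only the realm suffix, so Genadi@ADEXAMPLE.COM becomes Genadi@adexample.com, not the all-lowercase genadi@adexample.com that getent printed on the server, and a principal from any other realm or with more than one component falls through to DEFAULT, which rejects it. Whether the mapped name then resolves to an account is decided by NSS (SSSD on these hosts), not by krb5.conf, which is why a correct mapping can still end in "user does not exist".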