[Freeipa-users] Issues creating trust with AD.

Genadi Postrilko genadipost@gmail.com
Mon Feb 17 23:11:38 UTC 2014


Thank you for the help!
I have performed a downgrade:

yum downgrade samba4*

[root@ipaserver1 ~]# rpm -qa | grep samb
samba4-python-4.0.0-58.el6.rc4.x86_64
samba4-winbind-4.0.0-58.el6.rc4.x86_64
samba4-common-4.0.0-58.el6.rc4.x86_64
samba4-winbind-clients-4.0.0-58.el6.rc4.x86_64
samba4-libs-4.0.0-58.el6.rc4.x86_64
samba4-client-4.0.0-58.el6.rc4.x86_64
samba4-4.0.0-58.el6.rc4.x86_64

And it worked !

*I am now able to log in via "ssh" and "su" to the IPA server with
AD users:*

[root@ipaserver1 ~]# su Genadi@ADEXAMPLE.COM
sh-4.1$

*and wbinfo and getent return values:*

[root@ipaserver1 ~]# wbinfo -u
ADEXAMPLE\administrator
ADEXAMPLE\guest
ADEXAMPLE\genadi
ADEXAMPLE\krbtgt
ADEXAMPLE\linux$
ADEXAMPLE\daniel

[root@ipaserver1 ~]# wbinfo -g
admins
editors
default smb group
ad_users
ADEXAMPLE\domain computers
ADEXAMPLE\domain controllers
ADEXAMPLE\schema admins
ADEXAMPLE\enterprise admins
ADEXAMPLE\domain admins
ADEXAMPLE\domain users
ADEXAMPLE\domain guests
ADEXAMPLE\group policy creator owners
ADEXAMPLE\read-only domain controllers
ADEXAMPLE\enterprise read-only domain controllers
ADEXAMPLE\dnsupdateproxy

[root@ipaserver1 ~]# getent passwd Genadi@ADEXAMPLE.COM
genadi@adexample.com:*:699001000:699001000::/home/adexample.com/genadi:

*After this success, I have tried to execute a login on a client machine
(using an AD user), but it did not work:*

[root@ipaclient1 ~]# su Genadi@ADEXAMPLE.COM
su: user Genadi@ADEXAMPLE.COM does not exist

*Also, wbinfo and getent do not return values:*

[root@ipaclient1 ~]# wbinfo -u
[root@ipaclient1 ~]# wbinfo -g
[root@ipaclient1 ~]# getent passwd Genadi@ADEXAMPLE.COM

*Therefore I have performed a downgrade:*

yum downgrade samba4*

[root@ipaclient1 ~]# rpm -qa | grep samb
samba-winbind-clients-3.6.9-167.el6_5.x86_64
samba-common-3.6.9-167.el6_5.x86_64
samba-winbind-3.6.9-167.el6_5.x86_64
samba4-libs-4.0.0-58.el6.rc4.x86_64


*After the downgrade the login attempt still failed:*
[root@ipaclient1 ~]# su Genadi@ADEXAMPLE.COM
su: user Genadi@ADEXAMPLE.COM does not exist

*I wonder if the fact that ipa-winbind-client is 3.6.9 is the cause.*

*Also, here are the client configuration files:*



*sssd*
[root@ipaclient1 ~]# cat /etc/sssd/sssd.conf
[domain/linux.adexample.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.adexample.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaclient1.linux.adexample.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipaserver1.linux.adexample.com
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa
[sssd]
services = nss, pam, ssh, pac
config_file_version = 2

domains = linux.adexample.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]


*krb5*

[root@ipaclient1 ~]# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = LINUX.ADEXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  LINUX.ADEXAMPLE.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    auth_to_local = RULE:[1:$1@$0](^.*@ADEXAMPLE.COM$)s/@ADEXAMPLE.COM/@adexample.com/
    auth_to_local = DEFAULT
  }

[domain_realm]
  .linux.adexample.com = LINUX.ADEXAMPLE.COM
  linux.adexample.com = LINUX.ADEXAMPLE.COM


*And again, thank you. I was stuck on it for a long time.*



2014-02-17 10:34 GMT+02:00 Sumit Bose <sbose@redhat.com>:

> On Sat, Feb 15, 2014 at 12:14:58AM +0200, Genadi Postrilko wrote:
> > I have seen threads where opened on trust issues:
> > "AD - Freeipa trust confusion"
> > "Cross domain trust"
> > "Cannot loging via SSH with AD user TO IPA Domain" - which I opened.
> >
> > It looks like after creation of trust, TGT ticket can be issued from AD,
> > but "su" and "ssh" do not allow a log in with AD user.
> > I'm not sure if a conclusion has been reached on this subject.
> >
> > I gave it a try again and attempted to create a trust with IPA as a DNS
> > subdomain of AD.
> > I followed :
> >
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html
> >
> > AD domain: ADEXAMPLE.COM
> > IPA subdoamin: LINUX.ADEXAMPLE.COM
> >
> > When i finished the necessary steps i attempted to retrieve a TGT from AD
> > (while logged in to IPA server):
> >
> > [root@ipaserver1 sbin]# kinit Administrator@ADEXAMPLE.COM
> > Password for Administrator@ADEXAMPLE.COM:
> > [root@ipaserver1 sbin]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: Administrator@ADEXAMPLE.COM
> >
> > Valid starting     Expires            Service principal
> > 02/14/14 07:50:21  02/14/14 17:50:20  krbtgt/ADEXAMPLE.COM@ADEXAMPLE.COM
> >         renew until 02/15/14 07:50:21
> >
> > But logging in by "ssh" and "su" ended in failure:
> >
> > login as: Administrator@ADEXAMPLE.COM
> > Administrator@ADDC.COM@192.168.227.201's password:
> > Access denied
> >
> > After reading
> >
> http://www.freeipa.org/page/IPAv3_testing_AD_trust#Create_a_trust_to_an_AD_domain
> > I did the following on the AD server:
> >
> > Administrative Tools -> Active Directory Domains and Trust ->
> > adexample.com(right click) -> Properties -> Trust -> Domain Trusted by
> > this domain
> > (outgoing trust) -> Properties -> General -> Validate
> >
> > *After doing this i was able to login via "ssh" and "su" with
> > "Administrator" **user :*
> >
> > login as: Administrator@ADEXAMPLE.COM
> > Administrator@ADEXAMPLE.COM@192.168.227.201's password:
> > Last login: Wed Feb 12 14:39:49 2014 from 192.168.227.1
> > Could not chdir to home directory /home/adexample.com/administrator: No
> > such file or directory
> > /usr/bin/xauth:  error in locking authority file /home/adexample.com/administrator/.Xauthority
> > -sh-4.1$
> >
> > *But still not able to login with other AD accounts:*
> >
> > [root@ipaserver1 sbin]# su Genadi@ADEXAMPLE.COM
> > su: user Genadi@ADEXAMPLE.COM does not exist
> >
> > After reading the other threads, I'll try and provide as much information as
> > I can:
> >
> > *wbinfo -u does not return values.*
> > [root@ipaserver1 sbin]# wbinfo -u
> > [root@ipaserver1 sbin]#
> >
> > *wbinfo -g output:*
> > [root@ipaserver1 sbin]# wbinfo -g
> > admins
> > editors
> > default smb group
> > ad_users
> >
> > *wbinfo --online-status shows ADEXAMPLE is offline*
> > [root@ipaserver1 ~]# wbinfo --online-status
> > BUILTIN : online
> > LINUX : online
> > ADEXAMPLE : offline
> >
> > *getent for Administrator does return value.*
> > [root@ipaserver1 sbin]# getent passwd Administrator@ADEXAMPLE.COM
> > administrator@adexample.com:*:699000500:699000500::/home/adexample.com/administrator:
> >
> > *getent for other AD users does not return value.*
> > [root@ipaserver1 sbin]# getent passwd Genadi@ADEXAMPLE.COM
> > [root@ipaserver1 sbin]#
> >
> >
> > *System info/configurations:*
> >
> > [root@ipaserver1 ~]# cat /etc/redhat-release
> > Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
> >
> > [root@ipaserver1 sbin]# rpm -qa | grep ipa
> > ipa-python-3.0.0-37.el6.x86_64
> > ipa-client-3.0.0-37.el6.x86_64
> > libipa_hbac-python-1.9.2-129.el6.x86_64
> > ipa-pki-common-theme-9.0.3-7.el6.noarch
> > ipa-server-trust-ad-3.0.0-37.el6.x86_64
> > libipa_hbac-1.9.2-129.el6.x86_64
> > ipa-admintools-3.0.0-37.el6.x86_64
> > ipa-server-selinux-3.0.0-37.el6.x86_64
> > ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > ipa-server-3.0.0-37.el6.x86_64
> > python-iniparse-0.3.1-2.1.el6.noarch
> >
> > [root@ipaserver1 ~]# rpm -qa | grep sssd
> > sssd-1.9.2-129.el6.x86_64
> > sssd-client-1.9.2-129.el6.x86_64
> >
> > [root@ipaserver1 sbin]# rpm -qa | grep samb
> > samba4-common-4.0.0-60.el6_5.rc4.x86_64
> > samba4-winbind-clients-4.0.0-60.el6_5.rc4.x86_64
> > samba4-libs-4.0.0-60.el6_5.rc4.x86_64
> > samba4-python-4.0.0-60.el6_5.rc4.x86_64
> > samba4-4.0.0-60.el6_5.rc4.x86_64
> > samba4-client-4.0.0-60.el6_5.rc4.x86_64
> > samba4-winbind-4.0.0-60.el6_5.rc4.x86_64
>
> Thank you very much for the detailed report. Looks like  you are hit by
> the 'NT_STATUS_INVALID_PARAMETER_MIX' issue (see log.wb-ADEXAMPLE). We
> are currently investigating this issue.
>
> I you would like to help it would be nice if you can try to downgrade
> the samba4 packages to the -58 release and see if this works any better
> for you.
>
> Currently I'll try tor reproduce this issue locally and will give you an
> update as soon as I find anything which might help to get around this
> issue.
>
> bye,
> Sumit
>
> >
> > *SSSD*
> >
> > [root@ipaserver1 ~]# cat /etc/sssd/sssd.conf
> > [domain/linux.adexample.com]
> >
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = linux.adexample.com
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ipa_hostname = ipaserver1.linux.adexample.com
> > chpass_provider = ipa
> > ipa_server = ipaserver1.linux.adexample.com
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > subdomains_provider = ipa
> > debug_level = 6
> > [sssd]
> > services = nss, pam, ssh, pac
> > config_file_version = 2
> >
> > domains = linux.adexample.com
> > debug_level = 6
> > [nss]
> > debug_level = 6
> > [pam]
> > debug_level = 6
> > [sudo]
> > debug_level = 6
> > [autofs]
> > debug_level = 6
> > [ssh]
> > debug_level = 6
> > [pac]
> > debug_level = 6
> >
> > *KRB5*
> >
> > [root@ipaserver1 ~]# cat /etc/krb5.conf
> > includedir /var/lib/sss/pubconf/krb5.include.d/
> >
> > [logging]
> >  default = FILE:/var/log/krb5libs.log
> >  kdc = FILE:/var/log/krb5kdc.log
> >  admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> >  default_realm = LINUX.ADEXAMPLE.COM
> >  dns_lookup_realm = false
> >  dns_lookup_kdc = true
> >  rdns = false
> >  ticket_lifetime = 24h
> >  forwardable = yes
> >
> > [realms]
> >  LINUX.ADEXAMPLE.COM = {
> >   kdc = ipaserver1.linux.adexample.com:88
> >   master_kdc = ipaserver1.linux.adexample.com:88
> >   admin_server = ipaserver1.linux.adexample.com:749
> >   default_domain = linux.adexample.com
> >   pkinit_anchors = FILE:/etc/ipa/ca.crt
> >   auth_to_local = RULE:[1:$1@$0](^.*@ADEXAMPLE.COM$)s/@ADEXAMPLE.COM/@adexample.com/
> >   auth_to_local = DEFAULT
> > }
> >
> > [domain_realm]
> >  .linux.adexample.com = LINUX.ADEXAMPLE.COM
> >  linux.adexample.com = LINUX.ADEXAMPLE.COM
> >
> > [dbmodules]
> >   LINUX.ADEXAMPLE.COM = {
> >     db_library = ipadb.so
> >   }
> >
> > I have increased the debug level of the IPA components.
> > Here are the logs (*krb5_child.log, ldap_child.log, log.smbd, log.wb-ADEXAMPLE,
> > log.wb-LINUX, log.winbindd, log.winbindd-dc-connect, log.winbindd-idmap,
> > sssd.log, sssd_linux.adexample.com.log, sssd_nss.log, sssd_pac.log,
> > sssd_pam.log, sssd_ssh.log, /var/log/secure*):
> > https://gist.github.com/anonymous/9006532
> >
> > Any insights on why only Administrator is recognized by the Trust? And
> > why an extra step on AD was needed?
>
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
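The `auth_to_local` entries in the krb5.conf files quoted in this thread decide which local name a Kerberos principal from the trusted AD realm is mapped to before `su`/`ssh` look it up. The Python below is an added example, not code from the original messages or from the krb5, IPA or SSSD projects: it models the RULE:[n:string](regexp)s/pat/rep/g and DEFAULT semantics as documented for MIT krb5 and applies the two entries from the configuration above to a few principals. `Genadi@ADEXAMPLE.COM` and the realm names are from the thread; the other principals are constructed for illustration. It is a simplified model only: a real host also applies whatever the files under /var/lib/sss/pubconf/krb5.include.d/ configure, and the rule rewrites only the realm part of the name.

```python
"""Toy evaluator for the auth_to_local entries in the krb5.conf above.

Added example: models MIT krb5's documented RULE:[n:string](regexp)s/pat/rep/g
and DEFAULT semantics; it is not krb5's own code and ignores the localauth
plugins and include files that SSSD/IPA add on a real host.
"""
import re
from typing import List, Optional, Tuple

DEFAULT_REALM = "LINUX.ADEXAMPLE.COM"  # default_realm from the thread's krb5.conf

# The two entries from the [realms] section, with the RULE joined back onto
# one line (the mail client wrapped it after "s/@").
AUTH_TO_LOCAL = [
    "RULE:[1:$1@$0](^.*@ADEXAMPLE.COM$)s/@ADEXAMPLE.COM/@adexample.com/",
    "DEFAULT",
]

_RULE_HEAD = re.compile(r"RULE:\[(\d+):((?:[^\]\\]|\\.)*)\]")
_SUBST = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'host/a.b@REALM' -> (['host', 'a.b'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a full principal: {principal!r}")
    return name.split("/"), realm


def _take_regex(text: str) -> Tuple[Optional[str], str]:
    """Peel the optional (regexp) off the front of text, honouring nested parens."""
    if not text.startswith("("):
        return None, text
    depth, i = 0, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 2
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return text[1:i], text[i + 1:]
        i += 1
    raise ValueError(f"unbalanced (regexp) in rule: {text!r}")


def apply_rule(rule: str, components: List[str], realm: str) -> Optional[str]:
    """Apply one RULE entry; return the local name or None if it does not match."""
    head = _RULE_HEAD.match(rule)
    if not head:
        raise ValueError(f"malformed rule: {rule!r}")
    ncomp, fmt = int(head.group(1)), head.group(2)
    if len(components) != ncomp:
        return None  # [n:...] only selects principals with exactly n components

    def expand(m: "re.Match[str]") -> str:
        idx = int(m.group(1))
        if idx == 0:
            return realm
        if 1 <= idx <= len(components):
            return components[idx - 1]
        raise ValueError(f"${idx} out of range in {rule!r}")

    selection = re.sub(r"\$(\d+)", expand, fmt)  # $0 = realm, $1.. = components
    regex, rest = _take_regex(rule[head.end():])
    if regex is not None and re.search(regex, selection) is None:
        return None  # the selection string must match (regexp) for the rule to apply

    pos = 0
    for sub in _SUBST.finditer(rest):
        if sub.start() != pos:
            raise ValueError(f"junk in substitutions: {rest!r}")
        pattern, replacement, globally = sub.groups()
        selection = re.sub(pattern, replacement, selection, count=0 if globally else 1)
        pos = sub.end()
    if pos != len(rest):
        raise ValueError(f"trailing junk in rule: {rest!r}")
    return selection


def principal_to_local(principal: str,
                       rules: List[str] = AUTH_TO_LOCAL,
                       default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """First matching entry wins; None means krb5 would find no local name."""
    components, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT maps single-component principals of the default realm only
            if len(components) == 1 and realm == default_realm:
                return components[0]
            continue
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    # Genadi@ADEXAMPLE.COM is from the thread; the other principals are constructed.
    for p in ("Genadi@ADEXAMPLE.COM",
              "admin@LINUX.ADEXAMPLE.COM",
              "host/ipaclient1.linux.adexample.com@LINUX.ADEXAMPLE.COM",
              "Administrator@OTHER.COM"):
        print(f"{p:60} -> {principal_to_local(p)}")
```

Running it shows the point of the rule: `Genadi@ADEXAMPLE.COM` becomes `Genadi@adexample.com` (realm lower-cased, user part untouched), a plain IPA principal falls through to DEFAULT and becomes just the user name, while a multi-component or foreign-realm principal maps to nothing, which is exactly the "user does not exist" outcome seen at the `su` prompt when the name passed to it cannot be resolved.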