[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-users] AD trust users cannot login to Solaris



On 03/04/2015 08:55 PM, Nathan Peters wrote:
I am using FreeIPA 4.1.2 on CentOS 7.

Yes, AD users can login to all Linux / Centos machines.

Also, when I'm at a shell prompt on the FreeIPA DC, I can getent passwd <aduser> and I see their info properly.

The guide you linked below is the first thing I read while trying to troubleshoot this. It seems aimed toward older sssd clients < 1.9 and not Solaris clients.

I will try this again tomorrow and confirm that the request is being passed to the FreeIPA DC and rejected there. I was assuming that it was being rejected by the Solaris machine.

Good that everything else works. That narrows things down.
Let us see whether the auth request hits SSSD and what happens then.
May be it is on Solaris. The password line should in fact point to the compat tree as you noticed. But authentication should work.
May be it ts NS_LDAP_OBJECTCLASSMAP, the mention of shadow looks suspicious.
Also NS_LDAP_AUTH= none ... may be it should be some other value.

Also the configuration seems to be different from one described here: http://www.freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html

or here

http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html

Those are old guides but still should be relevant to Solaris configuration.
Just use compat tree as recent docs prescribe.


-----Original Message----- From: Dmitri Pal
Sent: Wednesday, March 04, 2015 4:36 PM
To: freeipa-users redhat com
Subject: Re: [Freeipa-users] AD trust users cannot login to Solaris

On 03/04/2015 07:24 PM, nathan nathanpeters com wrote:
I have successfully setup a Solaris 10 client so that internal FreeIPA
users can login, get the correct shell, and can sudo to root using ldap.

The problem is that the AD trusted users cannot login.  I have read all
the freeIPA docs about enabling legacy clients, and they say to use the
compat tree.  I'm pretty sure I'm already doing this.  Here is the
contents of the ldap_client_file from my Solaris machine (which was
downloaded automatically when I did ldapclient init):

#
# Do not edit this file manually; your changes will be lost.Please use
ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ipadc1.mydomain.net
NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=net
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=mydomain,dc=net NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=mydomain,dc=net
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount

I see that the users are coming from the accounts tree and the groups are
coming from the compat tree.  Is this right?  The trust was created with
--enable-compat so I'm surprised that only the groups are coming from the
compat tree.

Does FreeIPA serve up an improperly configured DefaultDUAProfile?

I couldn't login with this configuration, so I switched the passwd line to
cn=compat just to test, but that didn't seem to work.

Here is the result of getent passwd on solaris (last 2 lines):
admin:x:375200000:375200000:Administrator:/home/admin:/bin/bash
ipauser1:x:375200006:375200006:ipa user1:/home/ipauser1:/bin/bash

So once again, we can see FreeIPA users, but not AD users.

I don't think this is a Solaris problem because when I go onto my windows
desktop and load ldp.exe and view the ldap tree, I can view
cn=compat,dc=mydomain,dc=net

However, the compat tree has a users section that only includes my FreeIPA
internal users.  So my questions are :
1.)What is the point of a compat tree in FreeIPA if it doesn't list AD users?
2.)How do I get my compat tree to list my AD users?
3.)If there is something manual I have to do to make my compat tree show
AD users, why is this not done when enable the trust with --enable-compat.

>From what I can see, my compat tree basically contains the exact same
users and groups as my regular tree, so it will never allow a client using
ldap only auth to see the AD users?


What version of IPA are you using?
Have you verified that trust actually works by looking up or
authenticating with the AD users on the SSSD client or on the server itself?

The compat tree fills the data dynamically as you need it. When an AD
user accesses Solaris box Solaris would authenticate against the compat
tree. Compat tree will use SSSD on the server to authenticate against
the AD. It seems that this part is failing. SSSD logs from the IPA
server with high debug level would be helpful.

More info is here:
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]