[Freeipa-users] AD trust users cannot login to Solaris

Dmitri Pal dpal at redhat.com
Thu Mar 5 03:34:20 UTC 2015


On 03/04/2015 08:55 PM, Nathan Peters wrote:
> I am using FreeIPA 4.1.2 on CentOS 7.
>
> Yes, AD users can login to all Linux / Centos machines.
>
> Also, when I'm at a shell prompt on the FreeIPA DC, I can getent 
> passwd <aduser> and I see their info properly.
>
> The guide you linked below is the first thing I read while trying to 
> troubleshoot this.  It seems aimed toward older sssd clients < 1.9 and 
> not Solaris clients.
>
> I will try this again tomorrow and confirm that the request is being 
> passed to the FreeIPA DC and rejected there.  I was assuming that it 
> was being rejected by the Solaris machine.

Good that everything else works. That narrows things down.
Let us see whether the auth request hits SSSD and what happens then.
Maybe it is on Solaris. The password line should in fact point to the 
compat tree as you noticed. But authentication should work.
Maybe it is NS_LDAP_OBJECTCLASSMAP; the mention of shadow looks suspicious.
Also NS_LDAP_AUTH= none ... maybe it should be some other value.

Also the configuration seems to be different from one described here: 
http://www.freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html

or here

http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html

Those are old guides but still should be relevant to Solaris configuration.
Just use compat tree as recent docs prescribe.

>
> -----Original Message-----
> From: Dmitri Pal
> Sent: Wednesday, March 04, 2015 4:36 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD trust users cannot login to Solaris
>
> On 03/04/2015 07:24 PM, nathan at nathanpeters.com wrote:
>> I have successfully setup a Solaris 10 client so that internal FreeIPA
>> users can login, get the correct shell, and can sudo to root using ldap.
>>
>> The problem is that the AD trusted users cannot login.  I have read all
>> the freeIPA docs about enabling legacy clients, and they say to use the
>> compat tree.  I'm pretty sure I'm already doing this.  Here is the
>> contents of the ldap_client_file from my Solaris machine (which was
>> downloaded automatically when I did ldapclient init):
>>
>> #
>> # Do not edit this file manually; your changes will be lost. Please use
>> ldapclient (1M) instead.
>> #
>> NS_LDAP_FILE_VERSION= 2.0
>> NS_LDAP_SERVERS= ipadc1.mydomain.net
>> NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=net
>> NS_LDAP_AUTH= none
>> NS_LDAP_SEARCH_REF= TRUE
>> NS_LDAP_SEARCH_TIME= 15
>> NS_LDAP_PROFILE= default
>> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=mydomain,dc=net
>> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=mydomain,dc=net
>> NS_LDAP_BIND_TIME= 5
>> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>>
>> I see that the users are coming from the accounts tree and the groups
>> are coming from the compat tree.  Is this right?  The trust was created
>> with --enable-compat so I'm surprised that only the groups are coming
>> from the compat tree.
>>
>> Does FreeIPA serve up an improperly configured DefaultDUAProfile?
>>
>> I couldn't login with this configuration, so I switched the passwd line
>> to cn=compat just to test, but that didn't seem to work.
>>
>> Here is the result of getent passwd on solaris (last 2 lines):
>> admin:x:375200000:375200000:Administrator:/home/admin:/bin/bash
>> ipauser1:x:375200006:375200006:ipa user1:/home/ipauser1:/bin/bash
>>
>> So once again, we can see FreeIPA users, but not AD users.
>>
>> I don't think this is a Solaris problem because when I go onto my
>> windows desktop and load ldp.exe and view the ldap tree, I can view
>> cn=compat,dc=mydomain,dc=net
>>
>> However, the compat tree has a users section that only includes my
>> FreeIPA internal users.  So my questions are :
>> 1.) What is the point of a compat tree in FreeIPA if it doesn't list
>> AD users?
>> 2.) How do I get my compat tree to list my AD users?
>> 3.) If there is something manual I have to do to make my compat tree show
>> AD users, why is this not done when I enable the trust with
>> --enable-compat?
>>
>> From what I can see, my compat tree basically contains the exact same
>> users and groups as my regular tree, so it will never allow a client
>> using ldap only auth to see the AD users?
>>
>>
> What version of IPA are you using?
> Have you verified that trust actually works by looking up or
> authenticating with the AD users on the SSSD client or on the server
> itself?
>
> The compat tree fills the data dynamically as you need it. When an AD
> user accesses Solaris box Solaris would authenticate against the compat
> tree. Compat tree will use SSSD on the server to authenticate against
> the AD. It seems that this part is failing. SSSD logs from the IPA
> server with high debug level would be helpful.
>
> More info is here:
> http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
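
As an added example, not part of the thread: a small Python checker that parses a Solaris ldap_client_file of the kind quoted above and reports which services resolve from the IPA compat tree (the thread's point is that the passwd line should point there, as the group line already does). The sample profile is constructed, reusing the thread's placeholder names ipadc1.mydomain.net and dc=mydomain,dc=net.

```python
import re

# Constructed sample modelled on the profile quoted in the thread
# (not a real downloaded profile).
SAMPLE_PROFILE = """\
#
# Do not edit this file manually; your changes will be lost. Please use
# ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ipadc1.mydomain.net
NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=net
NS_LDAP_AUTH= none
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=mydomain,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=mydomain,dc=net
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
"""

# The passwd descriptor rewritten to the compat tree, as the thread advises.
CORRECTED_PASSWD_DESC = "passwd:cn=users,cn=compat,dc=mydomain,dc=net"

def parse_profile(text):
    """Return {key: [values]}; repeated keys such as
    NS_LDAP_SERVICE_SEARCH_DESC accumulate in order."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")   # split on the FIRST '=' only
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def service_bases(descriptors):
    """Map service -> search base DN. A descriptor is 'service:basedn',
    optionally followed by '?scope?filter', which is ignored here."""
    bases = {}
    for desc in descriptors:
        service, _, rest = desc.partition(":")
        bases[service.strip()] = rest.split("?", 1)[0].strip()
    return bases

def check_compat(conf, services=("passwd", "group")):
    """Return {service: True/False}: True when the service's search base
    contains a cn=compat RDN. A service with no descriptor falls back to
    NS_LDAP_SEARCH_BASEDN, which is the accounts tree, hence False."""
    bases = service_bases(conf.get("NS_LDAP_SERVICE_SEARCH_DESC", []))
    default = conf.get("NS_LDAP_SEARCH_BASEDN", [""])[0]
    compat = re.compile(r"(^|,)\s*cn=compat\s*(,|$)", re.IGNORECASE)
    return {s: bool(compat.search(bases.get(s, default))) for s in services}
```

Running `check_compat(parse_profile(SAMPLE_PROFILE))` flags passwd as not served from the compat tree while group is, which is exactly the mismatch discussed above.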
