[Freeipa-users] ipa-client login as AD user in trusted domain

Guy Knights guy at bluebatgames.com
Tue Aug 9 23:32:57 UTC 2016


I've set up a freeipa server on a centos 7 machine and have successfully
configured a 2-way trust between it and our active directory domain
controller. I've also installed ipa-client on an ubuntu 14.04 machine and
have run ipa-client-install, which has apparently successfully joined the
FreeIPA domain.

So far, I can successfully do the following:

1. Log into the FreeIPA machine with an AD user account.
2. Log into the Ubuntu machine with a FreeIPA account.
3. Run 'getent passwd <freeipa username>' on the Ubuntu machine and have it
return the associated FreeIPA user account details (eg.
"jackt:*:1131000005:1131000005:Jack Test:/home/ipa.bbg.net/jackt:/bin/bash")
4. Run 'getent passwd <ad username>' on the Ubuntu machine and have it
return the associated AD user account details (eg.
"bobt@ad.bbg.net:*:1946801107:1946801107::/home/ad.bbg.net/bobt:/bin/bash")

What I can't do is log into the Ubuntu machine with the AD user. I'm using
the following SSH command from the command line on my mac:

ssh -o User=bobt@ad.bbg.net vm1.bbg.com

It asks me for the password, I enter it and it says permissions denied,
please try again. I set the debug level in SSSD on the ubuntu client to 5
and this is what shows up in the log during the login attempt:

(Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info]
(0x0100): Got request for [4097][1][name=bobt]
(Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback]
(0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug  9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info]
(0x0100): Got request for [3][1][name=bobt]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback]
(0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler]
(0x0100): Got request with the following data
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
(0x0100): command: PAM_AUTHENTICATE
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
(0x0100): domain: ad.bbg.net
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
(0x0100): user: bobt at ad.bbg.net
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
(0x0100): service: sshd
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
(0x0100): tty: ssh
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
(0x0100): ruser:
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
(0x0100): rhost: 192.168.100.157
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
(0x0100): authtok type: 1
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
(0x0100): priv: 1
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
(0x0100): cli_pid: 16230
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send]
(0x0100): No ccache file for user [bobt at ad.bbg.net] found.
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]]
[be_resolve_server_process] (0x0200): Found address for server
dc.ipa.bbg.net: [192.168.100.14] TTL 3600
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>)
[Success]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]]
[be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]]
[be_pam_handler_callback] (0x0100): Sent result [4][ad.bbg.net]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [child_sig_handler]
(0x0100): child [16313] finished successfully.

Can anyone explain why it's saying account info lookup failed when it can
get the account info fine via getent?

Thanks,
Guy
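A small parser for the SSSD backend log format quoted above, added here as an example and not part of the original post. It pairs each be_get_account_info request with its "Request processed" result and decodes the numeric codes (request type bits and dp_err_t from SSSD's data_provider.h, the errno via Python's errno module, and the Linux-PAM status in "Sending result [N][domain]"), so a reader can tell a backend system error from a plain authentication failure. The sample log is a constructed, trimmed copy of the post's lines re-joined one record per line.

```python
import errno
import re

# Constructed sample: a trimmed copy of the post's wrapped log lines, re-joined.
SAMPLE_LOG = """\
(Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
(Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
"""

# Line shape: (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[sssd\[be\[[^\]]+\]\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$")
REQ_RE = re.compile(r"Got request for \[(?P<type>\d+)\]\[\d+\]\[(?P<key>[^\]]*)\]")
RES_RE = re.compile(r"Request processed\. Returned (?P<dperr>\d+),(?P<errno>\d+),(?P<text>.*)")
PAM_RE = re.compile(r"Sending result \[(?P<status>\d+)\]\[(?P<domain>[^\]]*)\]")
# Request types from SSSD's data_provider.h; 0x1000 (BE_REQ_FAST) is a flag bit.
BE_REQ_TYPES = {0x1: "BE_REQ_USER", 0x2: "BE_REQ_GROUP", 0x3: "BE_REQ_INITGROUPS"}
BE_REQ_FAST = 0x1000
# First number of "Returned a,b,text" is SSSD's dp_err_t; the second is an errno.
DP_ERR = {0: "DP_ERR_OK", 1: "DP_ERR_OFFLINE", 2: "DP_ERR_TIMEOUT", 3: "DP_ERR_FATAL"}
# Linux-PAM return codes for the [N] in "Sending result [N][domain]".
PAM_STATUS = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR"}

def decode_req_type(t: int) -> str:
    base = t & ~BE_REQ_FAST
    name = BE_REQ_TYPES.get(base, f"0x{base:x}")
    return name + ("|BE_REQ_FAST" if t & BE_REQ_FAST else "")

def parse_sssd_log(text: str) -> list:
    # One record per account-info request (with its result) and per PAM result sent.
    records, pending = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an SSSD debug record
        msg = m["msg"]
        if r := REQ_RE.search(msg):
            pending = {"ts": m["ts"], "request": decode_req_type(int(r["type"])),
                       "key": r["key"], "result": None}
            records.append(pending)
        elif (r := RES_RE.search(msg)) and pending is not None:
            code, err = int(r["dperr"]), int(r["errno"])
            pending["result"] = {"dp_err": DP_ERR.get(code, str(code)), "errno": err,
                                 "errno_name": errno.errorcode.get(err, "?"), "text": r["text"]}
            pending = None  # a result without a pending request is ignored
        elif r := PAM_RE.search(msg):
            s = int(r["status"])
            records.append({"ts": m["ts"], "pam_status": PAM_STATUS.get(s, str(s)), "domain": r["domain"]})
    return records
```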