[Freeipa-users] ipa-client login as AD user in trusted domain

Justin Stephenson jstephen at redhat.com
Wed Aug 10 01:47:20 UTC 2016


Hello,

You may need to increase the debug level to 9 and look in the 
sssd_<ipadomain>.log for failures after the failed login attempt. I 
would look in between the log messages 'Got request for bobt...' and 
'Backend returned'.

https://fedorahosted.org/sssd/wiki/Troubleshooting

You can also send the debug logs here for review.

Make sure logins and lookups are working on the IPA server first before 
troubleshooting the IPA client.

Kind regards,

Justin Stephenson

On 08/09/2016 07:32 PM, Guy Knights wrote:
> I've set up a freeipa server on a centos 7 machine and have 
> successfully configured a 2-way trust between it and our active 
> directory domain controller. I've also installed ipa-client on an 
> ubuntu 14.04 machine and have run ipa-client-install, which has 
> apparently successfully joined the FreeIPA domain.
>
> So far, I can successfully do the following:
>
> 1. Log into the FreeIPA machine with an AD user account.
> 2. Log into the Ubuntu machine with a FreeIPA account.
> 3. Run 'getent passwd <freeipa username>' on the Ubuntu machine and 
> have it return the associated FreeIPA user account details (eg. 
> "jackt:*:1131000005:1131000005:Jack Test:/home/ipa.bbg.net/jackt:/bin/bash")
> 4. Run 'getent passwd <ad username>' on the Ubuntu machine and have it 
> return the associated AD user account details (eg. 
> "bobt@ad.bbg.net:*:1946801107:1946801107::/home/ad.bbg.net/bobt:/bin/bash")
>
> What I can't do is log into the Ubuntu machine with the AD user. I'm 
> using the following SSH command from the command line on my mac:
>
> ssh -o User=bobt@ad.bbg.net vm1.bbg.com
>
> It asks me for the password, I enter it and it says permissions 
> denied, please try again. I set the debug level in SSSD on the ubuntu 
> client to 5 and this is what shows up in the log during the login attempt:
>
> (Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
> (Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
> (Tue Aug  9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request with the following data
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): domain: ad.bbg.net
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: bobt@ad.bbg.net
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): service: sshd
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): tty: ssh
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): ruser:
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): rhost: 192.168.100.157
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): authtok type: 1
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): priv: 1
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): cli_pid: 16230
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [bobt@ad.bbg.net] found.
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_resolve_server_process] (0x0200): Found address for server dc.ipa.bbg.net: [192.168.100.14] TTL 3600
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][ad.bbg.net]
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [child_sig_handler] (0x0100): child [16313] finished successfully.
>
> Can anyone explain why it's saying account info lookup failed when it 
> can get the account info fine via getent?
>
> Thanks,
> Guy
>
>
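
Added example, not part of the original thread and not SSSD code: one way to cut an sssd_<ipadomain>.log down to the windows between 'Got request for ...' and 'Backend returned' for one user and list the results worth reviewing. The function names are hypothetical, the sample lines are taken from the log quoted above, and treating any non-zero number in a result tuple as a failure hint is an assumption.

```python
import re

# Backend log line layout seen in the post:
# (timestamp) [sssd[be[<domain>]]] [<function>] (<level>): <message>
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$"
)
# Matches "Returned 3,95,..." and "Backend returned: (0, 4, ..."
RESULT_RE = re.compile(r"[Rr]eturned:? \(?(\d+), ?(\d+),")

def parse(lines):
    """Return one dict per line that matches the backend log layout."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def request_windows(records, user):
    """Windows run from 'Got request for ...[name=<user>]' to 'Backend returned'."""
    start = re.compile(r"Got request for .*\[name=%s\]" % re.escape(user))
    windows, is_open = [], False
    for rec in records:
        if start.search(rec["msg"]):
            windows.append([rec])   # a new request also ends an unfinished window
            is_open = True
        elif is_open:
            windows[-1].append(rec)
            is_open = not rec["msg"].startswith("Backend returned")
    return windows

def suspicious(window):
    """Assumption: any non-zero number in a result tuple deserves review."""
    hits = []
    for rec in window:
        m = RESULT_RE.search(rec["msg"])
        if m and any(int(n) for n in m.groups()):
            hits.append((rec["func"], rec["msg"]))
    return hits

# Sample input: lines from the post, rejoined onto single lines.
_FMT = "(Tue Aug  9 %s 2016) [sssd[be[ipa.bbg.net]]] [%s] (0x0100): %s"
SAMPLE = [_FMT % row for row in [
    ("16:25:56", "be_get_account_info", "Got request for [4097][1][name=bobt]"),
    ("16:25:56", "acctinfo_callback", "Request processed. Returned 3,95,Account info lookup failed"),
    ("16:25:57", "acctinfo_callback", "Request processed. Returned 0,0,Success"),
    ("16:27:54", "be_get_account_info", "Got request for [3][1][name=bobt]"),
    ("16:27:54", "acctinfo_callback", "Request processed. Returned 3,95,Account info lookup failed"),
    ("16:27:54", "be_pam_handler", "Got request with the following data"),
    ("16:27:54", "be_pam_handler_callback", "Backend returned: (0, 4, <NULL>) [Success]"),
    ("16:27:54", "be_pam_handler_callback", "Sent result [4][ad.bbg.net]"),
]]
```

At debug level 9 the same windows contain many more lines per request, so filtering by user and result tuple first makes it easier to find the step that failed.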
