On Sat, Apr 20, 2013 at 8:32 PM, Sumit Bose <span dir="ltr"><<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div>On Fri, Apr 19, 2013 at 10:14:36PM +0200, Natxo Asenjo wrote:<br>
<br>
> # wbinfo --online-status<br>
> BUILTIN : online<br>
> IPA : online<br>
> AD : offline<br>
><br>
> # wbinfo --domain-info ad.asenjo.nx<br>
> Name : AD<br>
> Alt_Name : ad.asenjo.nx<br>
> SID : S-1-5-21-2508008360-1834726910-79835928<br>
> Active Directory : No<br>
> Native : No<br>
> Primary : No<br>
><br>
> # wbinfo --domain ad.asenjo.nx -u<br>
> With this last command I would expect to see all the users I created in the<br>
> AD.<br>
><br>
> # getent group ad_users<br>
> ad_users:*:642801446:administrator@ad.asenjo.nx<br>
><br>
> this tellms me that the external group we created has only the AD<br>
> administrator in it, so It makes sense only this one is allowed. But I I<br>
<br>
</div></div>no, this is a wrong interpretation. The group membership for users from<br>
trusted domains is only evaluated at login time with the help of the<br>
data stored in the MS-PAC. Because group-membership resolution in an AD<br>
environment can be cumbersome, especially when it comes to forests and<br>
forest trusts, and the MS-PAC provides all memberships we decided to<br>
rely only on the MS-PAC here. As a consequence getent group only shows<br>
the users of the IPA domain and AD users who already logged in<br>
successfully.<br>
<div><br></div></blockquote><div><br>ok, got it.<br> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>
> checked the SID of the mapped group:<br>
><br>
> # ipa group-show ad_users_external<br>
> Group name: ad_users_external<br>
> Description: AD users external map<br>
> Member of groups: ad_users<br>
> External member: S-1-5-21-2508008360-1834726910-79835928-513<br>
><br>
> And it is the AD\Domain Users sid, I checked it on the windows host because<br>
> wbinfo shows me no info:<br>
><br>
> [root@kdc ~]# wbinfo -n "AD\Domain Users"<br>
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND<br>
> Could not lookup name AD\Domain Users<br>
> [root@kdc ~]# wbinfo -s S-1-5-21-2508008360-1834726910-79835928-513<br>
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND<br>
> Could not lookup sid S-1-5-21-2508008360-1834726910-79835928-513<br>
> [root@kdc ~]# wbinfo -s S-1-5-21-2508008360-1834726910-79835928-513 -d<br>
> ad.asenjo.nx<br>
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND<br>
> Could not lookup sid S-1-5-21-2508008360-1834726910-79835928-513<br>
<br>
</div>looks like winbind has some issues connecting to the AD server. Did you<br>
change any firewall setting that might cause the issue here?<br>
<br></blockquote><div><br>With the firewalls (both at the linux host and at the windows host) enabled I can login as AD\administrator user from the same windows host I cannot ssh to as a normal 'domain user' . So the firewall does not seem the issue at hand.<br>
<br>My iptables rules:<br><br># iptables -L -n<br>Chain INPUT (policy ACCEPT)<br>target prot opt source destination <br>ACCEPT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state RELATED,ESTABLISHED <br>
ACCEPT icmp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <br>ACCEPT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <br>
ACCEPT tcp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state NEW tcp dpt:22 <br>ACCEPT tcp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> multiport dports 80,443,389,636,88,464,53,138,139,445 state NEW,ESTABLISHED <br>
ACCEPT udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> multiport dports 88,464,53,123,138,139,389,445 state NEW,ESTABLISHED <br>
REJECT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> reject-with icmp-host-prohibited <br>
<br>Chain FORWARD (policy ACCEPT)<br>target prot opt source destination <br>REJECT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> reject-with icmp-host-prohibited<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
More details might be available in the winbind logs.<br>
<br></blockquote><div><br>What logs exactly would you like to see?<br><br>ls -l /var/log/samba/log.winbindd*<br>-rw-r--r--. 1 root root 10854 Apr 19 21:49 /var/log/samba/log.winbindd<br>-rw-r--r--. 1 root root 0 Apr 19 15:02 /var/log/samba/log.winbindd-dc-connect<br>
-rw-r--r--. 1 root root 28532 Apr 19 21:51 /var/log/samba/log.winbindd-idmap<br>-rw-r--r--. 1 root root 133 Apr 19 21:45 /var/log/samba/log.winbindd-locator<br><br>How can I get more debugging info from winbind?<br><br>
--<br>Thanks,<br>natxo<br><br><br> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
bye,<br>
Sumit<br>
<div><br>
><br>
> So how can I get the rest of the users in the group mapped?<br>
><br>
> TIA,<br>
><br>
> --<br>
> groet,<br>
> natxo<br>
<br>
</div>> _______________________________________________<br>
> Freeipa-users mailing list<br>
> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
</blockquote></div><br>