<div dir="ltr"> <div class="gmail_extra"> <div class="gmail_quote">On Tue, Jul 15, 2014 at 11:16 AM, Jakub Hrozek <<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class=""><div class="h5">On Tue, Jul 15, 2014 at 11:04:23AM -0300, tizo wrote: > On Tue, Jul 15, 2014 at 7:16 AM, Jakub Hrozek <<a href="mailto:jhrozek@redhat.com">jhrozek@redhat.com</a>> wrote: > > > On Mon, Jul 14, 2014 at 02:02:16PM -0300, tizo wrote: > > > On Mon, Jul 14, 2014 at 5:57 AM, Jakub Hrozek <<a href="mailto:jhrozek@redhat.com">jhrozek@redhat.com</a>> > > wrote: > > > > > > > On Fri, Jul 11, 2014 at 05:22:59PM -0300, tizo wrote: > > > > > On Fri, Jul 11, 2014 at 4:54 PM, Dmitri Pal <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>> wrote: > > > > > > > > > > > On 07/11/2014 03:27 PM, tizo wrote: > > > > > > > > > > > > > > > > > > On Fri, Jul 4, 2014 at 5:09 PM, tizo <<a href="mailto:tizone@gmail.com">tizone@gmail.com</a>> wrote: > > > > > > > > > > > >> I have seen in > > > > > >> > > > > > > <a href="http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2" target="_blank">http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2</a> > > > > > >> that trusts can be configured with Windows Server 2003 R2. > > > > > >> > > > > > >> We have a Windows Server 2003 (not R2). Before starting to make > > some > > > > > >> tests, does anyone know if trusts can be configured with this > > version > > > > of > > > > > >> Windows Server 2003?. > > > > > >> > > > > > >> Thanks very much. > > > > > >> > > > > > >> > > > > > > As I have not received any answer, I decided to give it a try. I > > > > follow > > > > > > the document step by step with our Windows 2003, and everything > > looks > > > > good, > > > > > > except when I try to login to the FreeIPA server with an AD user > > (ssh > > > > or > > > > > > tty). > > > > > > > > > > > > Does anyone know how could I debug this problem?. > > > > > > > > > > > > > > > > > > Sorry that you did not get a response. It is a hot time, a lot of > > > > people > > > > > > on vacation and we also got 4.0 just out of the door. > > > > > > > > > > > > Set debug_level to 10 in the sssd.conf. It will create a lot of > > output > > > > and > > > > > > this might give you a hint of what is going on. From there you > > will see > > > > > > whether the user is processed by SSSD or SSH is not configured and > > > > user do > > > > > > not hit SSSD at all (unlikely), and if user is processed what the > > > > problem > > > > > > is. > > > > > > > > > > > > > > > > > Thanks Dmitri. I set the debug_level to 10, and the file > > > > > sssd_my.domain.com.log is telling something about the AD user trying > > to > > > > > connect with SSH. I am sending it to you privately, because it > > contains > > > > > some sensitive information. > > > > > > > > Hi, > > > > > > > > I realize you were following our own documentation, which originated > > > > from this thread: > > > > <a href="https://www.redhat.com/archives/freeipa-users/2013-June/msg00119.html" target="_blank">https://www.redhat.com/archives/freeipa-users/2013-June/msg00119.html</a> > > > > > > > > Maybe it would be helpful to read it, too, at least to see how some > > other > > > > users were setting up the trust and what their problems were. > > > > > > > > -- > > > > Manage your subscription for the Freeipa-users mailing list: > > > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > > > Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project > > > > > > > > > > > > > Dmitri and Jakub, thanks very much for your help. > > > > > > Jakub, I took a look in the thread, but I couldn't find anything that > > could > > > help us with our problem. > > > > > > I am attaching the logs from sssd with the sensitive information removed. > > > Any help is really appreciated; I don't really know where should I > > continue > > > searching for the problem. > > > > Thanks, the logs don't show what the error is, but do tell us that the > > error is on the server side: > > > > > (Fri Jul 11 17:19:27 2014) [sssd[be[<a href="http://lan.xxx.com.uy" target="_blank">lan.xxx.com.uy</a>]]] > > [ipa_s2n_exop_send] (0x0400): Executing extended operation > > > (Fri Jul 11 17:19:27 2014) [sssd[be[<a href="http://lan.xxx.com.uy" target="_blank">lan.xxx.com.uy</a>]]] > > [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 8 > > > (Fri Jul 11 17:19:27 2014) [sssd[be[<a href="http://lan.xxx.com.uy" target="_blank">lan.xxx.com.uy</a>]]] > > [sdap_process_result] (0x2000): Trace: sh[0x2293ed0], connected[1], > > ops[0x2293680], ldap[0x2293b40] > > > (Fri Jul 11 17:19:27 2014) [sssd[be[<a href="http://lan.xxx.com.uy" target="_blank">lan.xxx.com.uy</a>]]] > > [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED] > > > (Fri Jul 11 17:19:27 2014) [sssd[be[<a href="http://lan.xxx.com.uy" target="_blank">lan.xxx.com.uy</a>]]] > > [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations > > error(1), (null) > > > (Fri Jul 11 17:19:27 2014) [sssd[be[<a href="http://lan.xxx.com.uy" target="_blank">lan.xxx.com.uy</a>]]] > > [ipa_s2n_get_user_done] (0x0040): s2n exop request failed. > > > > What IPA version are you testing with? The debugging procedure differs > > for versions with winbind on the server side and with sssd.. > > > > I am testing with an updated CentOS 6 and all the software versions of its > repositories. In detail: > > * OS: CentOS release 6.5 (Final) > * IPA server: 3.0.0-37 > * SSSD: 1.9.2-129 > * Winbind: 4.0.0-61 </div></div>OK, so there's Winbind on the server side. Can you run: * smbcontrol winbindd debug 100 * run the test on the client, check if you see the s2n exop failing in the logs * attach /var/log/samba/log.w* * reset the winbind logging back with: smbcontrol all debug 1 otherwise you'll run out of disk space :-) </blockquote></div> </div><div class="gmail_extra">Jakub, </div><div class="gmail_extra"> I am sending the logs that you ask for. I don't know what do you mean when you say "run the test on the client, check if you see the s2n exop faiiling in the logs". The test that I am trying to do, is to connect to the FreeIPA server via ssh with an AD user. What logs should I check? </div><div class="gmail_extra">Anyway, I found something wrong in the samba logs. In some of them, the server ADPRODSERVER is mentioned, which is our AD production server, with the domain <a href="http://xxx.com.uy">xxx.com.uy</a>. Our AD test server, the one that we are using for FreeIPA testing, is not mentioned there (its name is windows2003xxx). I don't really know how the microsoft world works, but here is our test scenario: </div><div class="gmail_extra"> * Al servers (AD production, AD testing and FreeIPA testing), are at the same network (<a href="http://192.168.100.0/24">192.168.100.0/24</a>). </div><div class="gmail_extra"> * The AD domain is the same in production and in testing: <a href="http://xxx.com.uy">xxx.com.uy</a>. </div><div class="gmail_extra"> * The AD testing server has its own DNS server, and is using it. </div><div class="gmail_extra"> * The FreeIPA testing server has its own DNS server, and is using it. </div> <div class="gmail_extra">So, as a first though, I am thinking that beyond the DNS, FreeIPA is using something else to find the AD domain <a href="http://xxx.com.uy">xxx.com.uy</a>. Can that be possible?. Thanks very much. </div></div>