<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 22, 2014 at 1:20 PM, tizo <span dir="ltr"><<a href="mailto:tizone@gmail.com" target="_blank">tizone@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <div dir="ltr"><div><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 17, 2014 at 6:12 PM, tizo <span dir="ltr"><<a href="mailto:tizone@gmail.com" target="_blank">tizone@gmail.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <div dir="ltr"><div><div><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jul 15, 2014 at 11:59 AM, tizo <span dir="ltr"><<a href="mailto:tizone@gmail.com" target="_blank">tizone@gmail.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jul 15, 2014 at 11:16 AM, Jakub Hrozek <span dir="ltr"><<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div>On Tue, Jul 15, 2014 at 11:04:23AM -0300, tizo wrote:<br> > On Tue, Jul 15, 2014 at 7:16 AM, Jakub Hrozek <<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>> wrote:<br> ><br> > > On Mon, Jul 14, 2014 at 02:02:16PM -0300, tizo wrote:<br> > > > On Mon, Jul 14, 2014 at 5:57 AM, Jakub Hrozek <<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>><br> > > wrote:<br> > > ><br> > > > > On Fri, Jul 11, 2014 at 05:22:59PM -0300, tizo wrote:<br> > > > > > On Fri, Jul 11, 2014 at 4:54 PM, Dmitri Pal <<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>> wrote:<br> > > > > ><br> > > > > > > On 07/11/2014 03:27 PM, tizo wrote:<br> > > > > > ><br> > > > > > ><br> > > > > > > On Fri, Jul 4, 2014 at 5:09 PM, tizo <<a href="mailto:tizone@gmail.com" target="_blank">tizone@gmail.com</a>> wrote:<br> > > > > > ><br> > > > > > >> I have seen in<br> > > > > > >><br> > > > ><br> > > <a href="http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2" target="_blank">http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2</a><br> > > > > > >> that trusts can be configured with Windows Server 2003 R2.<br> > > > > > >><br> > > > > > >> We have a Windows Server 2003 (not R2). Before starting to make<br> > > some<br> > > > > > >> tests, does anyone know if trusts can be configured with this<br> > > version<br> > > > > of<br> > > > > > >> Windows Server 2003?.<br> > > > > > >><br> > > > > > >> Thanks very much.<br> > > > > > >><br> > > > > > >><br> > > > > > > As I have not received any answer, I decided to give it a try. I<br> > > > > follow<br> > > > > > > the document step by step with our Windows 2003, and everything<br> > > looks<br> > > > > good,<br> > > > > > > except when I try to login to the FreeIPA server with an AD user<br> > > (ssh<br> > > > > or<br> > > > > > > tty).<br> > > > > > ><br> > > > > > > Does anyone know how could I debug this problem?.<br> > > > > > ><br> > > > > > ><br> > > > > > > Sorry that you did not get a response. It is a hot time, a lot of<br> > > > > people<br> > > > > > > on vacation and we also got 4.0 just out of the door.<br> > > > > > ><br> > > > > > > Set debug_level to 10 in the sssd.conf. It will create a lot of<br> > > output<br> > > > > and<br> > > > > > > this might give you a hint of what is going on. From there you<br> > > will see<br> > > > > > > whether the user is processed by SSSD or SSH is not configured and<br> > > > > user do<br> > > > > > > not hit SSSD at all (unlikely), and if user is processed what the<br> > > > > problem<br> > > > > > > is.<br> > > > > > ><br> > > > > > ><br> > > > > > Thanks Dmitri. I set the debug_level to 10, and the file<br> > > > > > sssd_my.domain.com.log is telling something about the AD user trying<br> > > to<br> > > > > > connect with SSH. I am sending it to you privately, because it<br> > > contains<br> > > > > > some sensitive information.<br> > > > ><br> > > > > Hi,<br> > > > ><br> > > > > I realize you were following our own documentation, which originated<br> > > > > from this thread:<br> > > > > <a href="https://www.redhat.com/archives/freeipa-users/2013-June/msg00119.html" target="_blank">https://www.redhat.com/archives/freeipa-users/2013-June/msg00119.html</a><br> > > > ><br> > > > > Maybe it would be helpful to read it, too, at least to see how some<br> > > other<br> > > > > users were setting up the trust and what their problems were.<br> > > > ><br> > > > > --<br> > > > > Manage your subscription for the Freeipa-users mailing list:<br> > > > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br> > > > > Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br> > > > ><br> > > ><br> > > ><br> > > > Dmitri and Jakub, thanks very much for your help.<br> > > ><br> > > > Jakub, I took a look in the thread, but I couldn't find anything that<br> > > could<br> > > > help us with our problem.<br> > > ><br> > > > I am attaching the logs from sssd with the sensitive information removed.<br> > > > Any help is really appreciated; I don't really know where should I<br> > > continue<br> > > > searching for the problem.<br> > ><br> > > Thanks, the logs don't show what the error is, but do tell us that the<br> > > error is on the server side:<br> > ><br> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[<a href="http://lan.xxx.com.uy" target="_blank">lan.xxx.com.uy</a>]]]<br> > > [ipa_s2n_exop_send] (0x0400): Executing extended operation<br> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[<a href="http://lan.xxx.com.uy" target="_blank">lan.xxx.com.uy</a>]]]<br> > > [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 8<br> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[<a href="http://lan.xxx.com.uy" target="_blank">lan.xxx.com.uy</a>]]]<br> > > [sdap_process_result] (0x2000): Trace: sh[0x2293ed0], connected[1],<br> > > ops[0x2293680], ldap[0x2293b40]<br> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[<a href="http://lan.xxx.com.uy" target="_blank">lan.xxx.com.uy</a>]]]<br> > > [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]<br> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[<a href="http://lan.xxx.com.uy" target="_blank">lan.xxx.com.uy</a>]]]<br> > > [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations<br> > > error(1), (null)<br> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[<a href="http://lan.xxx.com.uy" target="_blank">lan.xxx.com.uy</a>]]]<br> > > [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.<br> > ><br> > > What IPA version are you testing with? The debugging procedure differs<br> > > for versions with winbind on the server side and with sssd..<br> > ><br> ><br> > I am testing with an updated CentOS 6 and all the software versions of its<br> > repositories. In detail:<br> ><br> > * OS: CentOS release 6.5 (Final)<br> > * IPA server: 3.0.0-37<br> > * SSSD: 1.9.2-129<br> > * Winbind: 4.0.0-61<br> <br> </div></div>OK, so there's Winbind on the server side. Can you run:<br> * smbcontrol winbindd debug 100<br> * run the test on the client, check if you see the s2n exop failing<br> in the logs<br> * attach /var/log/samba/log.w*<br> * reset the winbind logging back with: smbcontrol all debug 1<br> otherwise you'll run out of disk space :-)<br> </blockquote></div><br></div></div></div><div class="gmail_extra">Jakub,<br></div><div class="gmail_extra"><br>I am sending the logs that you ask for. I don't know what do you mean when you say "run the test on the client, check if you see the s2n exop faiiling in the logs". The test that I am trying to do, is to connect to the FreeIPA server via ssh with an AD user. What logs should I check?<br> <br></div><div class="gmail_extra">Anyway, I found something wrong in the samba logs. In some of them, the server ADPRODSERVER is mentioned, which is our AD production server, with the domain <a href="http://xxx.com.uy" target="_blank">xxx.com.uy</a>. Our AD test server, the one that we are using for FreeIPA testing, is not mentioned there (its name is windows2003xxx). I don't really know how the microsoft world works, but here is our test scenario:<br> <br></div><div class="gmail_extra"> * Al servers (AD production, AD testing and FreeIPA testing), are at the same network (<a href="http://192.168.100.0/24" target="_blank">192.168.100.0/24</a>).<br><br></div><div class="gmail_extra"> * The AD domain is the same in production and in testing: <a href="http://xxx.com.uy" target="_blank">xxx.com.uy</a>.<br> <br></div><div class="gmail_extra"> * The AD testing server has its own DNS server, and is using it.<br><br></div><div class="gmail_extra"> * The FreeIPA testing server has its own DNS server, and is using it.<br><br></div> <div class="gmail_extra">So, as a first though, I am thinking that beyond the DNS, FreeIPA is using something else to find the AD domain <a href="http://xxx.com.uy" target="_blank">xxx.com.uy</a>. Can that be possible?.<br> <br>Thanks very much.<br> </div></div> </blockquote></div><br></div></div></div><div class="gmail_extra">I have created a new and isolated environment to test the integration. Although Samba logs now are referencing the right AD server (windows2003xxx), the problem is the same than before when trying to access to the FreeIPA server with an AD user by ssh. I am attaching the logs of the new scenario. Some useful information:<br> <br>* Network: <a href="http://192.168.99.0/24" target="_blank">192.168.99.0/24</a><br>* IPA Domain: <a href="http://fi.xxx.com.uy" target="_blank">fi.xxx.com.uy</a><br>* AD Domain: <a href="http://xxx.com.uy" target="_blank">xxx.com.uy</a><br> * IPA Server: <a href="http://freeipa.fi.xxx.com.uy" target="_blank">freeipa.fi.xxx.com.uy</a>, 192.168.99.50<br> * AD Server: <a href="http://windows2003xxx.xxx.com.uy" target="_blank">windows2003xxx.xxx.com.uy</a> 192.168.99.51<br></div><div class="gmail_extra">* AD user for the test: usuad<br><br></div><div class="gmail_extra">I don't know if the following could help, but when I try to obtain a Kerberos ticket in FreeIPA server with "kinit <a href="mailto:usuad@xxx.com.uy" target="_blank">usuad@xxx.com.uy</a>" and type a wrong password, the message is "kinit: Preauthentication failed while getting initial credentials". When I do the same thing but with the correct password the message is "kinit: KDC reply did not match expectations while getting initial credentials".<br> </div><div class="gmail_extra"><br></div><div class="gmail_extra">Any help is really appreciated. Thanks very much.<br></div></div> </blockquote></div><br></div></div></div><div class="gmail_extra">I have noted that kinit with the AD domain in uppercase is working (kinit <a href="mailto:usuad@XXX.COM.UY" target="_blank">usuad@XXX.COM.UY</a>). However, ssh is not working neither with uppercase nor with lowercase. Maybe is a misconfiguration on /etc/krb5.conf?. I have added the following two line there (as in <a href="http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Edit_.2Fetc.2Fkrb5.conf" target="_blank">http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Edit_.2Fetc.2Fkrb5.conf</a>):<br> <br>[realms]<br> <a href="http://FI.XXX.COM.UY" target="_blank">FI.XXX.COM.UY</a> = {<br> ....<br> auth_to_local = RULE:[1:$1@$0](^.*@<a href="http://XXX.COM.UY" target="_blank">XXX.COM.UY</a>$)s/@<a href="http://XXX.COM.UY/@xxx.com.uy/" target="_blank">XXX.COM.UY/@xxx.com.uy/</a><br> auth_to_local = DEFAULT<br>}<br><br></div></div> </blockquote></div><br>Yessss, at last!. It is working now after downgrading samba packages to its 4.0.0-58 versions, as it was suggested in <a href="https://www.redhat.com/archives/freeipa-users/2014-February/msg00261.html">https://www.redhat.com/archives/freeipa-users/2014-February/msg00261.html</a><br> <br></div><div class="gmail_extra">Thanks very much!<br><br></div></div>