<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_1_1468345525838_6384"><span></span></div><div class="qtdSeparateBR" id="yui_3_16_0_1_1468345525838_6413">+freeipa-users list<br><br></div><div class="yahoo_quoted" id="yui_3_16_0_1_1468345525838_6419" style="display: block;">  <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_1_1468345525838_6418"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_1_1468345525838_6417"> <div dir="ltr" id="yui_3_16_0_1_1468345525838_6416"> <font size="2" face="Arial" id="yui_3_16_0_1_1468345525838_6415"> <hr size="1" id="yui_3_16_0_1_1468345525838_6414"> <b id="yui_3_16_0_1_1468345525838_6421"><span style="font-weight:bold;" id="yui_3_16_0_1_1468345525838_6420">From:</span></b> pgb205 <pgb205@yahoo.com><br> <b><span style="font-weight: bold;">To:</span></b> Sumit Bose <sbose@redhat.com> <br> <b><span style="font-weight: bold;">Sent:</span></b> Tuesday, July 12, 2016 2:12 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Freeipa-users] Unable to ssh after establishing trust<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_1_1468345525838_6428"><br><div id="yiv6054888636"><div id="yui_3_16_0_1_1468345525838_6427"><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;" id="yui_3_16_0_1_1468345525838_6426"><div id="yiv6054888636yui_3_16_0_1_1468345525838_3340"><span>Sumit, thanks for replying</span></div><div id="yiv6054888636yui_3_16_0_1_1468345525838_3051"><span><br clear="none"></span></div><div dir="ltr" id="yiv6054888636yui_3_16_0_1_1468345525838_3272"><span 
id="yiv6054888636yui_3_16_0_1_1468345525838_3271">So the first issue is my fault, probably from when I was sanitizing logs. <br clear="none">Our Active Directory domain is ad_domain.<b>local</b>, but users would expect to log in as userid@ad_domain.<b>com </b>or just userid.</span></div><div dir="ltr" id="yiv6054888636yui_3_16_0_1_1468345525838_3272"><span id="yiv6054888636yui_3_16_0_1_1468345525838_3480">For IPA the Kerberos realm is IPA_DOMAIN.INTERNAL and the domain is ipa_domain.internal.</span></div><div dir="ltr" id="yiv6054888636yui_3_16_0_1_1468345525838_3272"><span><br clear="none"></span></div><div dir="ltr" id="yiv6054888636yui_3_16_0_1_1468345525838_3272"><span id="yiv6054888636yui_3_16_0_1_1468345525838_3949">ewr-fipa_server used to be an old trial server, so I am not sure why it's still in the DNS lookup results. I'll check this part further.</span></div><div dir="ltr" id="yiv6054888636yui_3_16_0_1_1468345525838_3272"><span><br clear="none"></span></div><div dir="ltr" id="yiv6054888636yui_3_16_0_1_1468345525838_3272"><span id="yiv6054888636yui_3_16_0_1_1468345525838_3948">Lastly, only the connection to one of the domain controllers on the AD side is open. As discussed previously with Alexander Bokovoy,</span></div><div dir="ltr" id="yiv6054888636yui_3_16_0_1_1468345525838_3272"><span id="yiv6054888636yui_3_16_0_1_1468345525838_3947">I forced, in /etc/krb5.conf, a connection to this single, accessible domain controller. 
Are there any other files where I would need</span></div><div dir="ltr" id="yiv6054888636yui_3_16_0_1_1468345525838_3272"><span id="yiv6054888636yui_3_16_0_1_1468345525838_3849">to lock down the connections between IPA->AD so that all traffic goes to a specific Active Directory domain controller?</span></div><div dir="ltr" id="yiv6054888636yui_3_16_0_1_1468345525838_3272"><span><br clear="none"></span></div><div dir="ltr" id="yiv6054888636yui_3_16_0_1_1468345525838_3272"><span id="yiv6054888636yui_3_16_0_1_1468345525838_4093">Thanks again for replying so quickly.</span></div><div class="yiv6054888636qtdSeparateBR" id="yiv6054888636yui_3_16_0_1_1468345525838_2956"><br clear="none"><br clear="none"></div><div class="yiv6054888636yqt9222228512" id="yiv6054888636yqt87918"><div class="yiv6054888636yahoo_quoted" id="yiv6054888636yui_3_16_0_1_1468345525838_2897" style="display:block;">  <div id="yiv6054888636yui_3_16_0_1_1468345525838_2896" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div id="yiv6054888636yui_3_16_0_1_1468345525838_2895" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div dir="ltr" id="yiv6054888636yui_3_16_0_1_1468345525838_2904"> <font id="yiv6054888636yui_3_16_0_1_1468345525838_2903" size="2" face="Arial"> </font><hr size="1" id="yui_3_16_0_1_1468345525838_6429"> <b id="yiv6054888636yui_3_16_0_1_1468345525838_3781"><span id="yiv6054888636yui_3_16_0_1_1468345525838_3780" style="font-weight:bold;">From:</span></b> Sumit Bose <sbose@redhat.com><br clear="none"> <b id="yui_3_16_0_1_1468345525838_6431"><span style="font-weight:bold;" id="yui_3_16_0_1_1468345525838_6430">To:</span></b> pgb205 <pgb205@yahoo.com> <br clear="none"><b id="yui_3_16_0_1_1468345525838_6433"><span style="font-weight:bold;" id="yui_3_16_0_1_1468345525838_6432">Cc:</span></b> Sumit Bose <sbose@redhat.com><br clear="none"> <b><span 
style="font-weight:bold;">Sent:</span></b> Tuesday, July 12, 2016 5:37 AM<br clear="none"> <b><span style="font-weight:bold;">Subject:</span></b> Re: [Freeipa-users] Unable to ssh after establishing trust<br clear="none">  </div> <div class="yiv6054888636y_msg_container" id="yiv6054888636yui_3_16_0_1_1468345525838_2894"><br clear="none">On Mon, Jul 11, 2016 at 09:14:03PM +0000, pgb205 wrote:<br clear="none">> Sumit, <br clear="none">> sssd log files attached with debug=10 in all sections. I have attempted several logins for comparison as well as kinit commands<br clear="none"><br clear="none">I came across two issues in the logs.<br clear="none"><br clear="none">First, it looks like you use '<a rel="nofollow" shape="rect" id="yiv6054888636yui_3_16_0_1_1468345525838_2957" ymailto="mailto:user@AD_DOMAIN.LOCAL" target="_blank" href="mailto:user@AD_DOMAIN.LOCAL">user@AD_DOMAIN.LOCAL</a>' at the login prompt<br clear="none">but there seems to be an alternative domain suffix 'AD_DOMAIN.COM' on the<br clear="none">AD side and user principal attributes '<a rel="nofollow" shape="rect" id="yiv6054888636yui_3_16_0_1_1468345525838_2958" ymailto="mailto:user@AD_DOMAIN.COM" target="_blank" href="mailto:user@AD_DOMAIN.COM">user@AD_DOMAIN.COM</a>'. Currently<br clear="none">FreeIPA cannot resolve those principals correctly. It was planned for<br clear="none">IPA 4.4.0 and SSSD 1.14.0 but because of an issue found in 4.4.0 it will<br clear="none">be available (hopefully) with IPA 4.4.1 and SSSD 1.14.1. In the meantime<br clear="none">please try the work-around suggested at the end of<br clear="none"><a rel="nofollow" shape="rect" id="yiv6054888636yui_3_16_0_1_1468345525838_4096" target="_blank" href="http://osdir.com/ml/freeipa-users/2016-01/msg00304.html">http://osdir.com/ml/freeipa-users/2016-01/msg00304.html </a>. 
When trying to<br clear="none">authenticate with <a rel="nofollow" shape="rect" ymailto="mailto:user@AD_DOMAIN.COM" target="_blank" href="mailto:user@AD_DOMAIN.COM">user@AD_DOMAIN.COM</a> SSSD looks for a server called<br clear="none">ewr-fipa_server.ad_domain.com but cannot find it and returns the error code<br clear="none">for "Cannot contact any KDC for requested realm".<br clear="none"><br clear="none">Second, there are some issues accessing AD DCs via LDAP. SSSD tries to<br clear="none">connect to mm-sfdc01.ad_domain.local and mm-tokyo-02.ad_domain.local but<br clear="none">both fail. It is not clear from the logs if the DNS lookup for<br clear="none">those already fails or if the connection itself runs into a timeout. In the<br clear="none">former case you should make sure that the names can be resolved on the<br clear="none">IPA server; in the latter you can try to increase ldap_network_timeout<br clear="none">(see man sssd-ldap for details). Since SSSD cannot connect to the DCs it<br clear="none">switches the AD domains to offline. 
The authentication request is<br clear="none">handled offline as well, but since there are no cached credentials you<br clear="none">get the permission denied error.<br clear="none"><br clear="none">HTH<br clear="none"><br clear="none">bye,<div class="yiv6054888636yqt7486183034" id="yiv6054888636yqtfd57231"><br clear="none">Sumit<br clear="none"><br clear="none">> <br clear="none">>       From: Sumit Bose <<a rel="nofollow" shape="rect" ymailto="mailto:sbose@redhat.com" target="_blank" href="mailto:sbose@redhat.com">sbose@redhat.com</a>><br clear="none">>  To: pgb205 <<a rel="nofollow" shape="rect" ymailto="mailto:pgb205@yahoo.com" target="_blank" href="mailto:pgb205@yahoo.com">pgb205@yahoo.com</a>> <br clear="none">> Cc: "<a rel="nofollow" shape="rect" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>" <<a rel="nofollow" shape="rect" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>><br clear="none">>  Sent: Monday, July 11, 2016 3:06 AM<br clear="none">>  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust<br clear="none">>    <br clear="none">> On Mon, Jul 11, 2016 at 03:46:57AM +0000, pgb205 wrote:<br clear="none">> > I have successfully established trust and am able to obtain a ticket granting ticket:<br clear="none">> > kinit <a rel="nofollow" shape="rect" ymailto="mailto:user@AD_DOMAIN.COM" target="_blank" href="mailto:user@AD_DOMAIN.COM">user@AD_DOMAIN.COM</a><br clear="none">> > I can also do kinit <a rel="nofollow" shape="rect" ymailto="mailto:admin@IPA_DOMAIN.COM" target="_blank" href="mailto:admin@IPA_DOMAIN.COM">admin@IPA_DOMAIN.COM</a><br clear="none">> > ssh <a rel="nofollow" shape="rect" ymailto="mailto:admin@IPA_DOMAIN.COM" target="_blank" href="mailto:admin@IPA_DOMAIN.COM">admin@IPA_DOMAIN.COM</a> also works<br clear="none">> > however, ssh <a rel="nofollow" shape="rect" ymailto="mailto:user@AD_DOMAIN.COM" target="_blank" 
href="mailto:user@AD_DOMAIN.COM">user@AD_DOMAIN.COM</a> or <a rel="nofollow" shape="rect" ymailto="mailto:user@ad_domain.com" target="_blank" href="mailto:user@ad_domain.com">user@ad_domain.com</a> fails<br clear="none">> > I have checked that there are no HBAC rules other than the default allow_all rule<br clear="none">> > in sssd_ssh.log I see<br clear="none">> > permission denied (6) error<br clear="none">> > in sssd_ipa.domain.log file I see<br clear="none">> > pam_handler_callback 6 permission_denied<br clear="none">> > in sssd_nss.log<br clear="none">> > Unable to get information from Data Provider<br clear="none">> > Error: 3 Account info lookup failed<br clear="none">> > Will try to return what we have in cache<br clear="none">> > in /var/log/secure<br clear="none">> > received for user <a rel="nofollow" shape="rect" ymailto="mailto:user@AD_DOMAIN.COM" target="_blank" href="mailto:user@AD_DOMAIN.COM">user@AD_DOMAIN.COM</a>: 6 (Permission denied) <br clear="none">> > <br clear="none">> > I can provide full logs if necessary to diagnose the above problem.<br clear="none">> <br clear="none">> Yes, full SSSD logs with debug_level=10 would be best.<br clear="none">> <br clear="none">> > ----------Additionally, I would like to be able to log in as user, not <a rel="nofollow" shape="rect" ymailto="mailto:user@AD_DOMAIN.COM" target="_blank" href="mailto:user@AD_DOMAIN.COM">user@AD_DOMAIN.COM</a><br clear="none">> > My understanding is that the only thing I have to change to make this happen is /etc/krb5.conf for the line<br clear="none">> > [libdefaults] default_realm=AD_DOMAIN.COM and then restarting IPA services.<br clear="none">> <br clear="none">> No, please do not change the default_realm. 
This is not related to the<br clear="none">> issues you are seeing.<br clear="none">> <br clear="none">> bye,<br clear="none">> Sumit<br clear="none">> <br clear="none">> > However, when I do this I get a failure to restart the Samba service<br clear="none">> <br clear="none"><br clear="none"></div><br clear="none"><br clear="none"></div> </div> </div>  </div></div></div></div></div><br><br></div> </div> </div>  </div></div></body></html>