<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_1_1468946979415_3700">Sorry, I typed things out instead of copy/paste</div><div id="yui_3_16_0_1_1468946979415_3700"> </div><div id="yui_3_16_0_1_1468946979415_3680">my etc hosts looks like: </div><div id="yui_3_16_0_1_1468946979415_3680"> </div><div id="yui_3_16_0_1_1468946979415_3681">search ad.local</div><div id="yui_3_16_0_1_1468946979415_3682">127.0.0.1 localhost</div><div id="yui_3_16_0_1_1468946979415_3683"> </div><div id="yui_3_16_0_1_1468946979415_3685"># The following lines are desirable for IPv6 capable hosts</div><div id="yui_3_16_0_1_1468946979415_3686">::1 localhost ip6-localhost ip6-loopback</div><div id="yui_3_16_0_1_1468946979415_3687">ff02::1 ip6-allnodes</div><div id="yui_3_16_0_1_1468946979415_3688">ff02::2 ip6-allrouters</div><div id="yui_3_16_0_1_1468946979415_3689"> </div><div id="yui_3_16_0_1_1468946979415_3691" dir="ltr">10.10.10.1 ipa_server.ipa.internal ipa_server</div><div id="yui_3_16_0_1_1468946979415_3692" dir="ltr">172.19.10.10 ad_server1.ad.local</div><div id="yui_3_16_0_1_1468946979415_3693" dir="ltr">172.19.10.10 ad_server2.ad.local</div><div id="yui_3_16_0_1_1468946979415_3694" dir="ltr">172.19.10.10 ad_server3.ad.local</div><div dir="ltr" id="yui_3_16_0_1_1468946979415_3695"> </div><div class="qtdSeparateBR" id="yui_3_16_0_1_1468946979415_3601" dir="ltr">If you want I can send you the sssd logs again </div><div class="yahoo_quoted" id="yui_3_16_0_1_1468946979415_3515" style="display: block;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_1_1468946979415_3514"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_1_1468946979415_3513"> <div dir="ltr" id="yui_3_16_0_1_1468946979415_3600"> <hr size="1" id="yui_3_16_0_1_1468946979415_3994"> From: Sumit Bose <sbose@redhat.com> To: pgb205 <pgb205@yahoo.com> Cc: Freeipa-users <freeipa-users@redhat.com> Sent: Tuesday, July 19, 2016 3:33 AM Subject: Re: [Freeipa-users] Unable to ssh after establishing trust </div> <div class="y_msg_container" id="yui_3_16_0_1_1468946979415_3512"> On Mon, Jul 18, 2016 at 09:21:07PM +0000, pgb205 wrote: > Sumit, > > I have set the names of all the Domain Controllers to be resolvable to the IP > of the one reachable Domain Controller in /etc/hosts > > /etc/hosts: > Reachable_IP_BOX 172.10.10.1 > DC1 172.10.10.1 > DC2 172.10.10.1 > ... > ... The IP address should come first, please see man hosts for details. > > However, I still see the following > Marking SRV lookup of service 'gc_addomain.local' as 'neutral' > Marking server dc1.addomain.local' as 'name not resolved' Have you tried to add the fully-qualified names (dc1.addomain.local) in the right format (see above) to /etc/hosts? > > > Additionally I have configured > [domain/ipa.internal] > with > subdomain_inherit = ldap_user_principal > ldap_user_principal = nosuchattr > > > As far as your earlier note about seeing ewr-fipa-x1 in logs. That used to be > the old hostname of the IPA KDC. > After much troubleshooting I believe I got this fixed by deleting extra > folders in > /var/named/dyndb-ldap/ipa/master > Right now the only two folders are ipa.internal and <ip.adddr>.in-addr.arpa. > I think this is what helped with this issue. but can you please confirm if it > sounds reasonable. Not sure how you got the additional directories but if on only have a single IPA DNS domain the two directories are sufficient. bye,<div class="yqt0037778561" id="yqtfd56232"> Sumit > > > Ssh is still failing, possibly due to the problem 1 above. Is there anything > else I can do to force ipa to pay attention to the /etc/hosts ? > Or is this some other issue? > > thanks > ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ > From: Sumit Bose <<a shape="rect" ymailto="mailto:sbose@redhat.com" href="mailto:sbose@redhat.com">sbose@redhat.com</a>> > To: pgb205 <<a shape="rect" ymailto="mailto:pgb205@yahoo.com" href="mailto:pgb205@yahoo.com">pgb205@yahoo.com</a>> > Cc: Sumit Bose <<a shape="rect" ymailto="mailto:sbose@redhat.com" href="mailto:sbose@redhat.com">sbose@redhat.com</a>>; Freeipa-users <<a shape="rect" ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> > Sent: Wednesday, July 13, 2016 5:43 AM > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > > On Tue, Jul 12, 2016 at 06:40:22PM +0000, pgb205 wrote: > > +freeipa-users list > > > > From: pgb205 <<a shape="rect" ymailto="mailto:pgb205@yahoo.com" href="mailto:pgb205@yahoo.com">pgb205@yahoo.com</a>> > > To: Sumit Bose <<a shape="rect" ymailto="mailto:sbose@redhat.com" href="mailto:sbose@redhat.com">sbose@redhat.com</a>> > > Sent: Tuesday, July 12, 2016 2:12 PM > > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > > > > Sumit, thanks for replying > > So the first issue is my fault, probably from when I was sanitizing logs. > > our active directory domain is ad_domain.local, but users would expect to > login as <a shape="rect" ymailto="mailto:userid@ad_domain.com" href="mailto:userid@ad_domain.com">userid@ad_domain.com</a> or just userid.for ipa the kerberos realm is > IPA_DOMAIN.INTERNAL and domain is ipa_domain.internal. > > ewr-fipa_server used to be old trial server so I am not sure why it's still > in the dns lookup results. I'll check this part further. > > Lastly. only the connection to one of the domain controllers on AD side is > open. As discussed previously with Alexandr BokovoyI forced, in /etc/krb5.conf, > a connection to this single, accessible domain controller. Are there any other > files where I would needto lock down the connections between ipa->ad so that > all traffic goes to specific active directory domain controller? > > thanks again for replying so quickly. > > Currently it is not possible to specify individual AD DC SSSD on the IPA > server should talk to. We have ticket > <a shape="rect" href="https://fedorahosted.org/sssd/ticket/2599" target="_blank">https://fedorahosted.org/sssd/ticket/2599 </a>to make this possible in some > later versions of SSSD. > > Currently SSSD uses a DNS SRV lookup like _ldap._tcp.ad_domain.local to > get a list of AD DC, then picks one to get the next nearest site for the > IPA domain and finally tries to lookup a DC from the matching site (if > any). > > According to your logs SSSD was able to find 18 DCs with the SRV lookup. > A call like > > dig SRV _ldap._tcp.ad_domain.local > > on the IPA server should return the same list of 18 DCs. > > As a work-around, or better a hack, you might want to try to set the IP > address of all the 18 DC returned to the IP address of the only > accessible DC in /etc/hosts. This way SSSD should have no chance to > connect to a different DC. > > bye, > > Sumit > > > > > From: Sumit Bose <<a shape="rect" ymailto="mailto:sbose@redhat.com" href="mailto:sbose@redhat.com">sbose@redhat.com</a>> > > To: pgb205 <<a shape="rect" ymailto="mailto:pgb205@yahoo.com" href="mailto:pgb205@yahoo.com">pgb205@yahoo.com</a>> > > Cc: Sumit Bose <<a shape="rect" ymailto="mailto:sbose@redhat.com" href="mailto:sbose@redhat.com">sbose@redhat.com</a>> > > Sent: Tuesday, July 12, 2016 5:37 AM > > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > > > > On Mon, Jul 11, 2016 at 09:14:03PM +0000, pgb205 wrote: > > > Sumit, > > > sssd log files attached with debug=10 in all sections.I have attempted > several logins for comparison as well as kinit commands > > > > I came across two issues in the logs. > > > > First it looks like you use '<a shape="rect" ymailto="mailto:user@AD_DOMAIN.LOCAL" href="mailto:user@AD_DOMAIN.LOCAL">user@AD_DOMAIN.LOCAL</a>' at the login prompt > > but there seem to be an alternative domain suffix 'AD_DOMAIN.COM' on the > > AD side and user principal attributes '<a shape="rect" ymailto="mailto:user@AD_DOMAIN.COM" href="mailto:user@AD_DOMAIN.COM">user@AD_DOMAIN.COM</a>'. Currently > > FreeIPA cannot resolve those principals correctly. It was planned for > > IPA 4.4.0 and SSSD 1.14.0 but because of an issue found in 4.4.0 it will > > be available (hopefully) with IPA 4.4.1 and SSSD 1.14.1. In the meantime > > please try to work-around suggested at the end of > > <a shape="rect" href="http://osdir.com/ml/freeipa-users/2016-01/msg00304.html" target="_blank">http://osdir.com/ml/freeipa-users/2016-01/msg00304.html </a>. When trying to > > authenticate with <a shape="rect" ymailto="mailto:user@AD_DOMAIN.COM" href="mailto:user@AD_DOMAIN.COM">user@AD_DOMAIN.COM</a> SSSD looks for a server called > > ewr-fipa_server.ad_domain.com but cannot find it an return the error code > > for "Cannot contact any KDC for requested realm". > > > > Second there are some issues access AD DCs via LDAP. SSSD tries to > > connect to mm-sfdc01.ad_domain.local and mm-tokyo-02.ad_domain.local but > > both fails. It is not clear from the logs if already the DNS lookup for > > those fails or if the connection itself runs into a timeout. In the > > former case you should make sure that the names can be resolved in the > > IPA server in the latter you can try to increase ldap_network_timeout > > (see man sssd-ldap for details). Since SSSD cannot connect to the DCs it > > switches the AD domains to offline. The authentication request is > > handled offline as well but since there are no cached credentials you > > get the permission denied error. > > > > HTH > > > > bye, > > Sumit > > > > > > > > From: Sumit Bose <<a shape="rect" ymailto="mailto:sbose@redhat.com" href="mailto:sbose@redhat.com">sbose@redhat.com</a>> > > > To: pgb205 <<a shape="rect" ymailto="mailto:pgb205@yahoo.com" href="mailto:pgb205@yahoo.com">pgb205@yahoo.com</a>> > > > Cc: "<a shape="rect" ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>" <<a shape="rect" ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> > > > Sent: Monday, July 11, 2016 3:06 AM > > > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > > > > > > On Mon, Jul 11, 2016 at 03:46:57AM +0000, pgb205 wrote: > > > > I have successfully established trust and am able to obtain ticket > granting ticketkinit <a shape="rect" ymailto="mailto:user@AD_DOMAIN.COMI" href="mailto:user@AD_DOMAIN.COMI">user@AD_DOMAIN.COMI</a> can also do kinit > <a shape="rect" ymailto="mailto:admin@IPA_DOMAIN.COMssh" href="mailto:admin@IPA_DOMAIN.COMssh">admin@IPA_DOMAIN.COMssh</a> <a shape="rect" ymailto="mailto:admin@IPA_DOMAIN.COM" href="mailto:admin@IPA_DOMAIN.COM">admin@IPA_DOMAIN.COM</a> also works > > > > however, ssh <a shape="rect" ymailto="mailto:user@AD_DOMAIN.COM" href="mailto:user@AD_DOMAIN.COM">user@AD_DOMAIN.COM</a> or <a shape="rect" ymailto="mailto:user@ad_domain.com" href="mailto:user@ad_domain.com">user@ad_domain.com</a> fails > > > > I have checked that there are no hbac rules other then the default > allow_all rule > > > > in sssd_ssh.log see > > > > permission denied (6) error in sssd_ipa.domain.log file I see > > > > pam_handler_callback 6 permission_denied > > > > in sssd_nss.log Unable to get information from Data ProviderError: 3 > Account info lookup failedWill try to return what we have in cache > > > > in /var/log/secure received for user <a shape="rect" ymailto="mailto:user@AD_DOMAIN.COM" href="mailto:user@AD_DOMAIN.COM">user@AD_DOMAIN.COM</a>: 6 (Permission > denied) > > > > > > > > I can provided full logs if necessary to diagnose the above problem. > > > > > > Yes, full SSSD logs with debug_level=10 would be best. > > > > > > > ----------Additionally, I would like to be able to login as user not > <a shape="rect" ymailto="mailto:user@AD_DOMAIN.COM" href="mailto:user@AD_DOMAIN.COM">user@AD_DOMAIN.COM</a> > > > > My understanding that only thing that I have to change to make this > happen is /etc/krb5.conffor line > > > > [libdefaults] default_realm=AD_DOMAN.COM and then restarting ipa > services. > > > > > > No, please do not change the default_realm. This is not related to the > > > issues you are seeing. > > > > > > bye, > > > Sumit > > > > > > > However, when I do this I get failure to restart Samba service > > > > > > > -- > > > > Manage your subscription for the Freeipa-users mailing list: > > > > <a shape="rect" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > > > Go to <a shape="rect" href="http://freeipa.org/" target="_blank">http://freeipa.org </a>for more info on the project > > > > > > > > > > > > > > > > > > > > > > > > > > > > </div> </div> </div> </div> </div></div></body></html>