<html><head></head><body><div style="color:#000; background-color:#fff; font-family:verdana, helvetica, sans-serif;font-size:16px"><div id="yui_3_16_0_ym19_1_1481206740141_10459"><span>Hi,</span></div><div id="yui_3_16_0_ym19_1_1481206740141_10474"><span>An update.</span></div><div id="yui_3_16_0_ym19_1_1481206740141_10790"><span><br></span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1481206740141_10792"><span id="yui_3_16_0_ym19_1_1481206740141_10646">I just got Trusty enrolled into FreeIPA by removing everything in: </span><span id="yui_3_16_0_ym19_1_1481206740141_10791"><span id="yui_3_16_0_ym19_1_1481206740141_10647">/etc/pki/nssdb</span> and running:<br></span></div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1481206740141_10460">/usr/bin/certutil -N --empty-password -d /etc/pki/nssdb<br><div dir="ltr" id="yui_3_16_0_ym19_1_1481206740141_10664">... before the client-install is run.</div><div dir="ltr"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1481206740141_11226">I get user IDs with Freeipa and AD domains:<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1481206740141_10964">root@jamestrusty:/etc/pki/nssdb# id x_james.harrison@IPA.REALM.COM</div>uid=1082600009(x_james.harrison) gid=1082600009(x_james.harrison) groups=1082600009(x_james.harrison),1082600000(admins),1082600010(ipausers)<br id="yui_3_16_0_ym19_1_1481206740141_10619"><div dir="ltr" id="yui_3_16_0_ym19_1_1481206740141_10819"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1481206740141_10903">root@jamestrusty:/etc/pki/nssdb# id x_james.harrison@AD.DOMAIN.LOCAL<br id="yui_3_16_0_ym19_1_1481206740141_10920">uid=1039812876(x_james.harrison@ad.domain.local) gid=1039812876(x_james.harrison@ad.domain.local) groups=1039812876(x_james.harrison@ad.domain.locall)<br id="yui_3_16_0_ym19_1_1481206740141_10921"></div><div dir="ltr" id="yui_3_16_0_ym19_1_1481206740141_10966"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1481206740141_10965">However auth issues still the same as Precise. 
Doesn't accept the ssh public key stored with the IPA user or the Trust ID view user.<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1481206740141_10922"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1481206740141_11139">Xenial has no problems.</div><div dir="ltr" id="yui_3_16_0_ym19_1_1481206740141_11162"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1481206740141_11163">Regards,</div><div dir="ltr" id="yui_3_16_0_ym19_1_1481206740141_11164">James Harrison<br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1481206740141_11165"><br></div></div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1481206740141_10469" style="display: block;">  <div style="font-family: verdana, helvetica, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1481206740141_10468"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1481206740141_10467"> <div dir="ltr" id="yui_3_16_0_ym19_1_1481206740141_10466"> <font id="yui_3_16_0_ym19_1_1481206740141_10465" size="2" face="Arial"> <hr id="yui_3_16_0_ym19_1_1481206740141_10464" size="1"> <b><span style="font-weight:bold;">From:</span></b> James Harrison &lt;jamesaharrisonuk@yahoo.co.uk&gt;<br> <b><span style="font-weight: bold;">To:</span></b> "freeipa-users@redhat.com" &lt;freeipa-users@redhat.com&gt; <br> <b><span style="font-weight: bold;">Sent:</span></b> Thursday, 8 December 2016, 15:02<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_ym19_1_1481206740141_10879"><br><div id="yiv3862402848"><div id="yui_3_16_0_ym19_1_1481206740141_10878"><div style="color:#000;background-color:#fff;font-family:verdana, helvetica, sans-serif;font-size:16px;" id="yui_3_16_0_ym19_1_1481206740141_10877"><div class="yiv3862402848qtdSeparateBR" id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4015"><div 
id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4422"><br clear="none"></div><div id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4423">Hi,</div><div dir="ltr" id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4361">I would prefer not to compile anything. It means we have to maintain the package, rather than the distro maintainers.<br clear="none"></div><div id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4355"><br clear="none"></div><div dir="ltr" id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4354">Trusty has a completely different set of errors to Precise.  <br clear="none"></div><div dir="ltr" id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4190"><br clear="none"></div><div dir="ltr" id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4424">Xenial works with no problems.<br clear="none"></div><div dir="ltr" id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4433"><br clear="none"></div><div dir="ltr" id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4425">I run a script that allows the system to join  the IPA domain (the same script regardless of Ubuntu distro):</div><div dir="ltr" id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4426"><br clear="none"></div><div dir="ltr" id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4353">( $P_W is read in from stdin)<br clear="none"></div><div dir="ltr" id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4308"><br clear="none"></div><div dir="ltr" id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4227">ipa-client-install \<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4218" clear="none">     --server="$IPA_SERVER" \<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4219" clear="none">     --domain=dns.domain.com \<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4220" clear="none">     --principal=admin \<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4221" clear="none">     --password="$P_W" \<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4222" clear="none">     --preserve-sssd \<br 
id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4223" clear="none">     --mkhomedir \<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4224" clear="none">     --no-ntp \<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4225" clear="none">     -U<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4226" clear="none"><br clear="none"></div><div dir="ltr" id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4228"><br clear="none"></div><div dir="ltr" id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4189">Enter (Admins) Password:   <br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4090" clear="none">Confirm Password: <br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4091" clear="none">Hostname: jamestrusty.dns.domain.com<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4092" clear="none">Realm: IPA.REALM.COM<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4093" clear="none">DNS Domain: dns.domain.com<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4094" clear="none">IPA Server: pul-lv-ipa-01.dns.domain.com<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4095" clear="none">BaseDN: dc=int,dc=worldfirst,dc=com<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4096" clear="none"><br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4097" clear="none">Synchronizing time with KDC...<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4098" clear="none">Dec  8 14:50:58 jamestrusty ntpdate[2448]: ntpdate 4.2.6p5@1.2349-o Wed Oct  5 12:35:26 UTC 2016 (1)<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4099" clear="none">Dec  8 14:50:58 jamestrusty ntpdate[2448]: the NTP socket is in use, exiting<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4100" clear="none">...<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4101" clear="none">...<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4102" clear="none">...<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4103" clear="none">...<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4104" 
clear="none">...<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4105" clear="none">Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4106" clear="none">Successfully retrieved CA cert<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4107" clear="none">    Subject:     CN=SOMECERT<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4108" clear="none">    Issuer:      CN=SOMECERT<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4109" clear="none">    Valid From:  Wed Mar 12 00:00:00 2014 UTC<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4110" clear="none">    Valid Until: Sun Mar 11 23:59:59 3029 UTC<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4111" clear="none"><br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4112" clear="none">Enrolled in IPA realm IPA.REALM.COM<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4113" clear="none">Created /etc/ipa/default.conf<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4114" clear="none">New SSSD config will be created<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4115" clear="none">Configured /etc/sssd/sssd.conf<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4116" clear="none">Failed to add CA to the default NSS database.<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4117" clear="none">Installation failed. 
Rolling back changes.<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4118" clear="none">Unenrolling client from IPA server<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4119" clear="none">Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4120" clear="none"><br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4121" clear="none">Removing Kerberos service principals from /etc/krb5.keytab<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4122" clear="none">Disabling client Kerberos and LDAP configurations<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4123" clear="none">Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4124" clear="none">SSSD service could not be stopped<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4125" clear="none">Client uninstall complete.<br id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_4126" clear="none"><br clear="none"></div><br clear="none"></div><div class="yiv3862402848yqt6900418137" id="yiv3862402848yqt77099"><div class="yiv3862402848yahoo_quoted" id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_3932" style="display:block;">  <div id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_3931" style="font-family:verdana, helvetica, sans-serif;font-size:16px;"> <div id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_3930" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:16px;"> <div dir="ltr" id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_3989"> <font id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_3988" size="2" face="Arial"> </font><hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Lukas Slebodnik <lslebodn@redhat.com><br clear="none"> <b><span style="font-weight:bold;">To:</span></b> James Harrison <jamesaharrisonuk@yahoo.co.uk> <br 
clear="none"><b><span style="font-weight:bold;">Cc:</span></b> "freeipa-users@redhat.com" &lt;freeipa-users@redhat.com&gt;<br clear="none"> <b><span style="font-weight:bold;">Sent:</span></b> Thursday, 8 December 2016, 11:22<br clear="none"> <b><span style="font-weight:bold;">Subject:</span></b> Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account<br clear="none">  </div> <div class="yiv3862402848y_msg_container" id="yiv3862402848yui_3_16_0_ym19_1_1481206740141_3929"><br clear="none">On (07/12/16 18:19), James Harrison wrote:<br clear="none">>Hi all,<br clear="none">><br clear="none">>I am trying to authenticate an ubuntu Precise (12.06) fully patched system. It's enrolled into a FreeIPA server. The following trace is the output of syslog auth sssd/*.log and full debug (-ddd) from the sshd service.<br clear="none">><br clear="none">Are you able to reproduce with ubuntu 14.04<br clear="none">and sssd from trusty-updates(1.11.8-0ubuntu0.3)?<br clear="none">You might also consider to test sssd-1.13.4 (in ubuntu 16.04)<br clear="none">or at least 1.12.5-1~trusty1 from ppa<br clear="none"><a rel="nofollow" shape="rect" target="_blank" href="https://launchpad.net/~sssd">https://launchpad.net/~sssd</a><div class="yiv3862402848yqt8623214856" id="yiv3862402848yqtfd66642"><br clear="none"><br clear="none">LS<br clear="none"></div><br clear="none"><br clear="none"></div> </div> </div>  </div></div></div></div></div><br><br></div> </div> </div>  </div></div></body></html>