[Freeipa-users] ssh login from windows AD trust host not working
Natxo Asenjo
natxo.asenjo at gmail.com
Sat Apr 20 21:21:01 UTC 2013
On Sat, Apr 20, 2013 at 8:32 PM, Sumit Bose <sbose at redhat.com> wrote:
> On Fri, Apr 19, 2013 at 10:14:36PM +0200, Natxo Asenjo wrote:
>
> > # wbinfo --online-status
> > BUILTIN : online
> > IPA : online
> > AD : offline
> >
> > # wbinfo --domain-info ad.asenjo.nx
> > Name : AD
> > Alt_Name : ad.asenjo.nx
> > SID : S-1-5-21-2508008360-1834726910-79835928
> > Active Directory : No
> > Native : No
> > Primary : No
> >
> > # wbinfo --domain ad.asenjo.nx -u
> > With this last command I would expect to see all the users I created in the AD.
> >
> > # getent group ad_users
> > ad_users:*:642801446:administrator at ad.asenjo.nx
> >
> > this tells me that the external group we created has only the AD
> > administrator in it, so it makes sense only this one is allowed. But I
>
> no, this is a wrong interpretation. The group membership for users from
> trusted domains is only evaluated at login time with the help of the
> data stored in the MS-PAC. Because group-membership resolution in an AD
> environment can be cumbersome, especially when it comes to forests and
> forest trusts, and the MS-PAC provides all memberships we decided to
> rely only on the MS-PAC here. As a consequence getent group only shows
> the users of the IPA domain and AD users who already logged in
> successfully.
>
>
ok, got it.
> > checked the SID of the mapped group:
> >
> > # ipa group-show ad_users_external
> > Group name: ad_users_external
> > Description: AD users external map
> > Member of groups: ad_users
> > External member: S-1-5-21-2508008360-1834726910-79835928-513
> >
> > And it is the AD\Domain Users sid, I checked it on the windows host because
> > wbinfo shows me no info:
> >
> > [root at kdc ~]# wbinfo -n "AD\Domain Users"
> > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup name AD\Domain Users
> > [root at kdc ~]# wbinfo -s S-1-5-21-2508008360-1834726910-79835928-513
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-21-2508008360-1834726910-79835928-513
> > [root at kdc ~]# wbinfo -s S-1-5-21-2508008360-1834726910-79835928-513 -d ad.asenjo.nx
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-21-2508008360-1834726910-79835928-513
>
> looks like winbind has some issues connecting to the AD server. Did you
> change any firewall setting that might cause the issue here?
>
>
With the firewalls (both at the linux host and at the windows host) enabled
I can log in as the AD\administrator user from the same windows host I cannot
ssh to as a normal 'domain user'. So the firewall does not seem to be the issue
at hand.
My iptables rules:
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 80,443,389,636,88,464,53,138,139,445 state NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 88,464,53,123,138,139,389,445 state NEW,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
> More details might be available in the winbind logs.
>
>
What logs exactly would you like to see?
ls -l /var/log/samba/log.winbindd*
-rw-r--r--. 1 root root 10854 Apr 19 21:49 /var/log/samba/log.winbindd
-rw-r--r--. 1 root root     0 Apr 19 15:02 /var/log/samba/log.winbindd-dc-connect
-rw-r--r--. 1 root root 28532 Apr 19 21:51 /var/log/samba/log.winbindd-idmap
-rw-r--r--. 1 root root   133 Apr 19 21:45 /var/log/samba/log.winbindd-locator
How can I get more debugging info from winbind?
--
Thanks,
natxo
> bye,
> Sumit
>
> >
> > So how can I get the rest of the users in the group mapped?
> >
> > TIA,
> >
> > --
> > groet,
> > natxo
>
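A way to check the posted firewall rules mechanically rather than by eye, as an added example that is not part of the thread and not code from the FreeIPA or Samba projects. It parses `iptables -L -n` output into rules and asks, for a given protocol and destination port, which INPUT rule decides a new inbound connection. The embedded rule text is the listing from the post with the archive's line wraps joined back together; the ports probed at the bottom are an illustrative selection I chose for the example, not FreeIPA's authoritative list of ports required for an AD trust, which should be taken from the FreeIPA trust documentation.

```python
"""Parse `iptables -L -n` output and report which INPUT ports admit new connections.

Assumptions (not from the mailing-list post): SAMPLE_IPTABLES is the post's
listing with wrapped lines joined; the probe list in check_ports() is an
illustrative selection, not FreeIPA's required-port list for trusts.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the INPUT and FORWARD chains quoted in the post, one rule per line.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 80,443,389,636,88,464,53,138,139,445 state NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 88,464,53,123,138,139,389,445 state NEW,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""

_CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")


@dataclass
class Rule:
    target: str
    proto: str                 # "all", "tcp", "udp", "icmp", ...
    source: str
    destination: str
    extra: str                 # match text printed after the destination column
    port_ranges: List[Tuple[int, int]] = field(default_factory=list)
    states: List[str] = field(default_factory=list)

    def is_unconditional(self) -> bool:
        """No match beyond any-proto/any-source/any-destination (as printed)."""
        return (self.proto == "all" and not self.port_ranges and not self.states
                and self.source == "0.0.0.0/0" and self.destination == "0.0.0.0/0")

    def matches_new(self, proto: str, port: int) -> bool:
        """Would this rule match the first packet of a new proto/port connection?"""
        if self.proto not in ("all", proto):
            return False
        if self.port_ranges and not any(lo <= port <= hi for lo, hi in self.port_ranges):
            return False
        if self.states and "NEW" not in self.states:   # e.g. RELATED,ESTABLISHED only
            return False
        return True


def _parse_ports(extra: str) -> List[Tuple[int, int]]:
    """Collect destination ports from 'dpt:22', 'dpts:1024:1300' or 'multiport dports a,b:c'."""
    m = re.search(r"\bdpts?:(\S+)", extra) or re.search(r"\bdports (\S+)", extra)
    if not m:
        return []
    ranges = []
    for tok in m.group(1).split(","):
        lo, _, hi = tok.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def _parse_states(extra: str) -> List[str]:
    m = re.search(r"\bstate (\S+)", extra)
    return m.group(1).split(",") if m else []


def parse_iptables(text: str) -> Dict[str, Tuple[str, List[Rule]]]:
    """Return {chain_name: (policy, [Rule, ...])} from `iptables -L -n` output."""
    chains: Dict[str, Tuple[str, List[Rule]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
            continue
        if current is None or line.startswith("target"):   # column header line
            continue
        cols = line.split(None, 5)
        if len(cols) < 5:
            continue
        target, proto, _opt, src, dst = cols[:5]
        extra = cols[5] if len(cols) > 5 else ""
        chains[current][1].append(
            Rule(target, proto, src, dst, extra, _parse_ports(extra), _parse_states(extra)))
    return chains


def unconditional_accepts(chain: Tuple[str, List[Rule]]) -> List[int]:
    """Indexes of ACCEPT rules that look unconditional; `-L` without `-v` hides
    interface matches, so an `-i lo` rule prints exactly like one. Verify with iptables-save."""
    return [i for i, r in enumerate(chain[1]) if r.target == "ACCEPT" and r.is_unconditional()]


def new_connection_verdict(chain: Tuple[str, List[Rule]], proto: str, port: int,
                           skip_unconditional_accept: bool = True) -> Tuple[str, Optional[int]]:
    """First-match evaluation: (target or chain policy, index of the deciding rule or None)."""
    policy, rules = chain
    for idx, rule in enumerate(rules):
        if skip_unconditional_accept and rule.target == "ACCEPT" and rule.is_unconditional():
            continue
        if rule.matches_new(proto, port):
            return rule.target, idx
    return policy, None


def check_ports(text: str, probes: List[Tuple[str, int]]) -> Dict[str, str]:
    """Map 'proto/port' to the verdict for a new inbound connection on INPUT."""
    inp = parse_iptables(text)["INPUT"]
    return {f"{proto}/{port}": new_connection_verdict(inp, proto, port)[0] for proto, port in probes}


if __name__ == "__main__":
    # Illustrative probes (assumption, not the authoritative FreeIPA trust port list).
    probes = [("tcp", 22), ("tcp", 389), ("tcp", 135), ("udp", 389), ("udp", 135)]
    for key, verdict in check_ports(SAMPLE_IPTABLES, probes).items():
        print(f"{key:9s} {verdict}")
    print("unconditional ACCEPT rules (check interface with iptables-save):",
          unconditional_accepts(parse_iptables(SAMPLE_IPTABLES)["INPUT"]))
```

The third INPUT rule prints as an accept-everything rule because `iptables -L -n` without `-v` omits the interface column; that is almost always a `-i lo` rule, which is why the checker skips unconditional ACCEPTs by default and lists them separately instead of letting them mask the real verdict. Running `iptables-save` (or `iptables -L -n -v`) shows the interface and removes the ambiguity. Feed the checker the ports the FreeIPA trust documentation requires for your version, and anything that comes back as REJECT is a firewall gap to close before chasing winbind further.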