[Freeipa-users] ssh login from windows AD trust host not working

Natxo Asenjo natxo.asenjo at gmail.com
Sat Apr 20 21:21:01 UTC 2013


On Sat, Apr 20, 2013 at 8:32 PM, Sumit Bose <sbose at redhat.com> wrote:

> On Fri, Apr 19, 2013 at 10:14:36PM +0200, Natxo Asenjo wrote:
>
> > # wbinfo --online-status
> > BUILTIN : online
> > IPA : online
> > AD : offline
> >
> > # wbinfo --domain-info ad.asenjo.nx
> > Name              : AD
> > Alt_Name          : ad.asenjo.nx
> > SID               : S-1-5-21-2508008360-1834726910-79835928
> > Active Directory  : No
> > Native            : No
> > Primary           : No
> >
> > # wbinfo --domain ad.asenjo.nx -u
> > With this last command I would expect to see all the users I created in the AD.
> >
> >
> > # getent group ad_users
> > ad_users:*:642801446:administrator at ad.asenjo.nx
> >
> > this tells me that the external group we created has only the AD
> > administrator in it, so it makes sense only this one is allowed. But I
>
> no, this is a wrong interpretation. The group membership for users from
> trusted domains is only evaluated at login time with the help of the
> data stored in the MS-PAC. Because group-membership resolution in an AD
> environment can be cumbersome, especially when it comes to forests and
> forest trusts, and the MS-PAC provides all memberships we decided to
> rely only on the MS-PAC here. As a consequence getent group only shows
> the users of the IPA domain and AD users who already logged in
> successfully.
>
>
ok, got it.


> > checked the SID of the mapped group:
> >
> > # ipa group-show ad_users_external
> >   Group name: ad_users_external
> >   Description: AD users external map
> >   Member of groups: ad_users
> >   External member: S-1-5-21-2508008360-1834726910-79835928-513
> >
> > And it is the AD\Domain Users SID, I checked it on the Windows host because
> > wbinfo shows me no info:
> >
> > [root at kdc ~]# wbinfo -n "AD\Domain Users"
> > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup name AD\Domain Users
> > [root at kdc ~]# wbinfo -s S-1-5-21-2508008360-1834726910-79835928-513
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-21-2508008360-1834726910-79835928-513
> > [root at kdc ~]# wbinfo -s S-1-5-21-2508008360-1834726910-79835928-513 -d ad.asenjo.nx
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-21-2508008360-1834726910-79835928-513
>
> looks like winbind has some issues connecting to the AD server. Did you
> change any firewall setting that might cause the issue here?
>
>
With the firewalls (both on the Linux host and on the Windows host) enabled,
I can log in as the AD\administrator user from the same Windows host from
which I cannot ssh as a normal 'domain user'. So the firewall does not seem
to be the issue at hand.

My iptables rules:

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 80,443,389,636,88,464,53,138,139,445 state NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 88,464,53,123,138,139,389,445 state NEW,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited


> More details might be available in the winbind logs.
>
>
What logs exactly would you like to see?

ls -l /var/log/samba/log.winbindd*
-rw-r--r--. 1 root root 10854 Apr 19 21:49 /var/log/samba/log.winbindd
-rw-r--r--. 1 root root     0 Apr 19 15:02 /var/log/samba/log.winbindd-dc-connect
-rw-r--r--. 1 root root 28532 Apr 19 21:51 /var/log/samba/log.winbindd-idmap
-rw-r--r--. 1 root root   133 Apr 19 21:45 /var/log/samba/log.winbindd-locator

How can I get more debugging info from winbind?

--
Thanks,
natxo




> bye,
> Sumit
>
> >
> > So how can I get the rest of the users in the group mapped?
> >
> > TIA,
> >
> > --
> > groet,
> > natxo
>
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
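Editor's added example, not part of the thread above: a small POSIX sh checker that reads `iptables -L -n` output and reports which of the ports an IPA server with an AD trust needs are not admitted by any ACCEPT rule in the INPUT chain. Two things about the listing in the mail are worth knowing when reading it: `iptables -L -n` without `-v` hides the in/out interface column, so the bare `ACCEPT all` rule is most likely the stock `-i lo` rule rather than a hole (rerun with `-v` to confirm), and the TCP multiport rule lacks port 135 and the 1024-1300 RPC range that ipa-adtrust-install lists in its post-install note. The required-port list in the script is an assumption reproduced from memory of that note; compare it with what your own ipa-adtrust-install printed. Whether the missing ports explain the WBC_ERR_DOMAIN_NOT_FOUND errors is not something the thread establishes. The sample listing in the script is constructed from the mail, one rule per line as iptables prints them.

```shell
#!/bin/sh
# Added example (not from the thread): check an `iptables -L -n` listing for
# the ports an IPA server that also serves an AD trust has to accept.
# The list is the ipa-server-install set plus what ipa-adtrust-install prints
# at the end of its run. ASSUMPTION: reproduced from memory of that note;
# compare it with the one your own ipa-adtrust-install printed.
TRUST_TCP="80 443 389 636 88 464 53 135 138 139 445 1024 1300"  # 1024/1300 probe the 1024-1300 RPC range
TRUST_UDP="88 464 53 123 138 139 389 445"

# Constructed sample: the chains from the mail, one rule per line as
# iptables itself prints them (the list archive wrapped the long ones).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 80,443,389,636,88,464,53,138,139,445 state NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 88,464,53,123,138,139,389,445 state NEW,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# input_rules LISTING: print only the lines belonging to chain INPUT.
input_rules() {
    printf '%s\n' "$1" | awk '/^Chain INPUT/ { f = 1; next } /^Chain / { f = 0 } f'
}

# port_in_spec PORT SPEC: succeed if PORT matches SPEC, which is a single
# port or a low:high range as iptables prints it.
port_in_spec() {
    case $2 in
        *:*) [ "$1" -ge "${2%%:*}" ] && [ "$1" -le "${2##*:}" ] ;;
        *)   [ "$1" -eq "$2" ] ;;
    esac
}

# port_allowed PROTO PORT LISTING: succeed if an ACCEPT rule in INPUT admits
# new PROTO connections to PORT. Rules for protocol "all" never count here:
# `-L -n` hides the interface, and such a rule is usually `-i lo`.
port_allowed() {
    input_rules "$3" | {
        while read -r target prot rest; do
            [ "$target" = ACCEPT ] || continue
            [ "$prot" = "$1" ] || continue
            case $rest in
                *"state "*)   # a state list without NEW does not admit new connections
                    states=${rest##*"state "}; states=${states%% *}
                    case ",$states," in *,NEW,*) ;; *) continue ;; esac ;;
            esac
            case $rest in
                *"dports "*) spec=${rest##*"dports "} ;;
                *"dpts:"*)   spec=${rest##*"dpts:"} ;;
                *"dpt:"*)    spec=${rest##*"dpt:"} ;;
                *)           exit 0 ;;    # protocol-wide accept, no port match at all
            esac
            spec=${spec%% *}
            for s in $(printf '%s\n' "$spec" | tr , ' '); do
                port_in_spec "$2" "$s" && exit 0
            done
        done
        exit 1
    }
}

# unscoped_accept_rules LISTING: count ACCEPT rules for protocol "all" with
# no state match. Each one either opens the host completely or is limited to
# an interface that `-L -n` does not show; `iptables -L -n -v` tells which.
unscoped_accept_rules() {
    input_rules "$1" | awk '$1 == "ACCEPT" && $2 == "all" && !/state / { n++ } END { print n + 0 }'
}

# missing_ports LISTING: print the required proto/port pairs no rule admits.
missing_ports() {
    out=
    for p in $TRUST_TCP; do port_allowed tcp "$p" "$1" || out="$out tcp/$p"; done
    for p in $TRUST_UDP; do port_allowed udp "$p" "$1" || out="$out udp/$p"; done
    printf '%s\n' "${out# }"
}

# Stand-alone use: pass a file holding `iptables -L -n` output, or run with
# no argument to check the sample from the mail.
listing=$SAMPLE_LISTING
if [ -n "${1:-}" ]; then listing=$(cat "$1"); fi
echo "missing: $(missing_ports "$listing")"
echo "unscoped ACCEPT rules (check their interface with iptables -L -n -v): $(unscoped_accept_rules "$listing")"
```

Run against the listing from the mail it prints `missing: tcp/135 tcp/1024 tcp/1300` and one unscoped ACCEPT rule. Save `iptables -L -n` output to a file and pass its name to check a real host; a line in the report is a reason to look at that port, not proof that it is what breaks the lookups.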