[Freeipa-users] Forest trust and AD child domain

Sumit Bose sbose at redhat.com
Fri Dec 12 20:32:34 UTC 2014


On Fri, Dec 12, 2014 at 08:41:27PM +0100, Manuel Lopes wrote:
> [root at support1 ~]# ipa idrange-find
> ----------------
> 3 ranges matched
> ----------------
> Range name: LINUX.COM_id_range
> First Posix ID of the range: 1066000000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 1000
> First RID of the secondary RID range: 100000000
> Range type: local domain range
> 
> Range name: WINDOWS.COM_id_range
> First Posix ID of the range: 730200000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 0
> Domain SID of the trusted domain: S-1-5-21-1701591335-3855227394-3044674468
> Range type: Active Directory domain range
> 
> Range name: ACME.WINDOWS.COM_id_range
> First Posix ID of the range: 365600000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 0
> Domain SID of the trusted domain: S-1-5-21-1215373191-1991333051-3772904882
> Range type: Active Directory domain range
> ----------------------------
> Number of entries returned 3
> ----------------------------
> 
> 
> As we can see in the output of the command, the range type is "ad POSIX
> attributes".

No, it's only 'Active Directory domain range'. This is good because with
this type we generate the UIDs and GIDs algorithmically.

> In our case, the gidNumber is not set in the "ACME\Domain Users" AD group,
> nor in the "WINDOWS\Domain Users".
> With a gidNumber attribute value, the 'wbinfo -n "ACME\Domain Users"' command
> still fails.

No need to set the ID attributes in AD. But I should have mentioned
that wbinfo is quite useless nowadays with FreeIPA because winbind is
only used to assure some types of communication with AD. All user and
group lookups and ID-mapping are done by SSSD. Please try

getent group 'ACME\Domain Users'


and send the sssd_nss.log and sssd_example.com.log files.

bye,
Sumit

> 
> Thanks
> 
> 2014-12-12 19:51 GMT+01:00 Manuel Lopes <manuel.lopes72 at gmail.com>:
> >
> > [root at support1 ~]# ipa idrange-find
> > ----------------
> > 3 ranges matched
> > ----------------
> >   Range name: LINUX.COM_id_range
> >   First Posix ID of the range: 1066000000
> >   Number of IDs in the range: 200000
> >   First RID of the corresponding RID range: 1000
> >   First RID of the secondary RID range: 100000000
> >   Range type: local domain range
> >
> >   Range name: WINDOWS.COM_id_range
> >   First Posix ID of the range: 730200000
> >   Number of IDs in the range: 200000
> >   First RID of the corresponding RID range: 0
> >   Domain SID of the trusted domain:
> > S-1-5-21-1701591335-3855227394-3044674468
> >   Range type: Active Directory domain range
> >
> >   Range name: ACME.WINDOWS.COM_id_range
> >   First Posix ID of the range: 365600000
> >   Number of IDs in the range: 200000
> >   First RID of the corresponding RID range: 0
> >   Domain SID of the trusted domain:
> > S-1-5-21-1215373191-1991333051-3772904882
> >   Range type: Active Directory domain range
> > ----------------------------
> > Number of entries returned 3
> > ----------------------------
> >
> >
> > As we can see in the output of the command, the range type is "ad POSIX
> > attributes".
> > In our case, the gidNumber is not set in the "ACME\Domain Users" AD group,
> > nor in the "WINDOWS\Domain Users".
> > With a gidNumber attribute value, the 'wbinfo -n "ACME\Domain Users"'
> > command still fails.
> >
> > Thanks
> >
> >
> > 2014-12-12 10:33 GMT+01:00 Sumit Bose <sbose at redhat.com>:
> >>
> >> On Fri, Dec 12, 2014 at 02:06:05AM +0100, Manuel Lopes wrote:
> >> > Hi Sumit,
> >> >
> >> > Thank you very much for the prompt reply
> >> >
> >> > [root at support1 ~]# ipa trustdomain-find windows.com
> >> >   Domain name: windows.com
> >> >   Domain NetBIOS name: WINDOWS
> >> >   Domain Security Identifier: S-1-5-21-1701591335-3855227394-3044674468
> >> >   Domain enabled: True
> >> >
> >> >   Domain name: acme.windows.com
> >> >   Domain NetBIOS name: ACME
> >> >   Domain Security Identifier: S-1-5-21-1215373191-1991333051-3772904882
> >> >   Domain enabled: True
> >> > ----------------------------
> >> > Number of entries returned 2
> >> > ----------------------------
> >>
> >> ok, so ACME was discovered successfully, can you check next the output of
> >>
> >> ipa idrange-find
> >>
> >> The important attribute is the 'Range type' for the AD domains. If it is
> >> 'Active Directory trust range with POSIX attributes' it is expected that
> >> users and groups in the AD forest have the POSIX UID and GID attributes
> >> set and only those users and groups will be available in the IPA domain.
> >> In this case please check if 'ACME\Domain Users' have the GID attribute
> >> set.
> >>
> >> If this does not help (please mind the negative cache of SSSD) please
> >> send the SSSD logs in /var/log/sssd on the IPA server. You might need to
> >> enable logging in sssd.conf by setting 'debug_level = 10' in the
> >> [domain/..] and [nss] section of sssd.conf.
> >>
> >> bye,
> >> Sumit
> >>
> >> >
> >> > [root at support1 ~]# ipa trust-fetch-domains windows.com
> >> > -------------------------------
> >> > No new trust domains were found
> >> > -------------------------------
> >> > ----------------------------
> >> > Number of entries returned 0
> >> > ----------------------------
> >> >
> >> > Regards
> >> > On 11 Dec 2014 20:08, "Sumit Bose" <sbose at redhat.com> wrote:
> >> >
> >> > > On Thu, Dec 11, 2014 at 06:45:49PM +0100, Manuel Lopes wrote:
> >> > > >  Hello,
> >> > > >
> >> > > >
> >> > > > We have been following the AD integration guide for IPAv3:
> >> > > > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
> >> > > >
> >> > > >
> >> > > >
> >> > > > Our setup is:
> >> > > >
> >> > > > • 2 domain controllers with Windows 2008 R2 AD DC -> windows.com as
> >> > > > Forest Root Domain and acme.windows.com as transitive child domain
> >> > > >
> >> > > > • RHEL7 as IPA server with domain: linux.com
> >> > > >
> >> > > >
> >> > > >
> >> > > > We have established a forest trust between windows.com and linux.com
> >> > > > and everything seems OK from an IPA perspective.
> >> > > >
> >> > > >
> >> > > >
> >> > > > We can work with Kerberos tickets without any issue from the “windows”
> >> > > > domain or its child domain “acme”. (kinit, kvno…)
> >> > > >
> >> > > >
> >> > > >
> >> > > > When we use samba tools, the following command is working fine.
> >> > > >
> >> > > > [root at support1 ]# wbinfo -n 'WINDOWS\Domain Admins'
> >> > > > S-1-5-21-1701591335-3855227394-3044674468-512 SID_DOM_GROUP (2)
> >> > > >
> >> > > > But, the same command against the acme domain returns an error.
> >> > > >
> >> > > > [root at support1 ]# wbinfo -n 'ACME\Domain Admins'
> >> > > > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> >> > > > Could not lookup name ACME\Domain Admins
> >> > > >
> >> > > > Same problem with the following command:
> >> > > >
> >> > > > [root at support1]# ipa group-add-member ad_users_external --external
> >> > > > "ACME\Domain Users"
> >> > > > [member user]:
> >> > > > [member group]:
> >> > > >   Group name: ad_users_external
> >> > > >   Description: AD users external map
> >> > > >   External member:
> >> > > >   Member of groups: ad_users
> >> > > >   Failed members:
> >> > > >     member user:
> >> > > >     member group: ACME\Domain Users: Cannot find specified domain or
> >> > > > server name
> >> > > > -------------------------
> >> > > > Number of members added 0
> >> > > >
> >> > > > Any help would be appreciated
> >> > >
> >> > > Does
> >> > >
> >> > > ipa trustdomain-find windows.com
> >> > >
> >> > > show acme.windows.com as well ?
> >> > >
> >> > > Does
> >> > >
> >> > > ipa trust-fetch-domains ad.devel
> >> > >
> >> > > help to retrieve the child domain?
> >> > >
> >> > > Please note that if acme.windows.com now shows up you might have to wait
> >> > > 1-2 minutes until SSSD's negative caches are flushed and the new domain
> >> > > is discovered by SSSD; as an alternative you can just restart SSSD.
> >> > >
> >> > > HTH
> >> > >
> >> > > bye,
> >> > > Sumit
> >> > >
> >> > > >
> >> > > >
> >> > > >
> >> > > > Regards
> >> > >
> >> > > > --
> >> > > > Manage your subscription for the Freeipa-users mailing list:
> >> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> >> > > > Go To http://freeipa.org for more info on the project
> >
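Added worked example, not code from this thread, from FreeIPA or from SSSD. The point Sumit makes above is that with a range of type 'Active Directory domain range' no POSIX attribute from AD is consulted: SSSD derives every UID and GID from the object's SID and the idrange table, so a gidNumber set on "ACME\Domain Users" changes nothing, and a SID whose domain has no idrange simply cannot be resolved. The script below reimplements that mapping in Python over the `ipa idrange-find` output Manuel posted: it parses the output into range records, maps a SID to base_id + (RID - base_rid) for the AD range whose domain SID matches (this rule is my reading of how SSSD's libsss_idmap treats such ranges, an assumption to verify against your SSSD version), returns None for a SID from a domain without a range or a RID past the range size, and checks that the configured ranges do not overlap. The sample input is the thread's own output, embedded so the script runs offline.

```python
"""Added example, not FreeIPA or SSSD code: reimplements the algorithmic SID -> POSIX ID
mapping of an 'Active Directory domain range' (rule assumed from SSSD's libsss_idmap)."""
import re
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

# Sample input, embedded so the script runs offline: the idrange-find output from the thread.
IDRANGE_FIND_OUTPUT = """\
  Range name: LINUX.COM_id_range
  First Posix ID of the range: 1066000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: WINDOWS.COM_id_range
  First Posix ID of the range: 730200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1701591335-3855227394-3044674468
  Range type: Active Directory domain range

  Range name: ACME.WINDOWS.COM_id_range
  First Posix ID of the range: 365600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1215373191-1991333051-3772904882
  Range type: Active Directory domain range
----------------------------
Number of entries returned 3
----------------------------
"""

AD_TRUST_TYPE = "Active Directory domain range"
FIELD_MAP = {  # label printed by `ipa idrange-find` -> field name used below
    "Range name": "name", "First Posix ID of the range": "base_id",
    "Number of IDs in the range": "size", "First RID of the corresponding RID range": "base_rid",
    "Domain SID of the trusted domain": "domain_sid", "Range type": "range_type",
}
INT_FIELDS = {"base_id", "size", "base_rid"}

@dataclass
class IdRange:
    name: str
    base_id: int
    size: int
    base_rid: int
    range_type: str
    domain_sid: Optional[str] = None  # absent for the local IPA range

    def last_id(self) -> int:  # inclusive upper bound of the POSIX ID interval
        return self.base_id + self.size - 1

def parse_idrange_find(text: str) -> List[IdRange]:
    """Parse human-readable `ipa idrange-find` output into IdRange records."""
    ranges, current = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("-") or line.startswith("Number of entries"):
            if current:  # a blank line or a rule closes the current entry
                ranges.append(IdRange(**current))
                current = {}
            continue
        label, _, value = line.partition(": ")
        field = FIELD_MAP.get(label)
        if field is not None:  # unknown labels (e.g. secondary RID range) are skipped
            current[field] = int(value) if field in INT_FIELDS else value
    if current:
        ranges.append(IdRange(**current))
    return ranges

def split_sid(sid: str) -> Optional[Tuple[str, int]]:
    """(domain SID, RID) for an S-1-5-21-x-y-z account SID; None for well-known SIDs."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    return (m.group(1), int(m.group(2))) if m else None

def sid_to_posix_id(sid: str, ranges: List[IdRange]) -> Optional[int]:
    """UID/GID for an AD SID: base_id + (RID - base_rid) of the AD range whose domain SID
    matches, no AD attribute consulted. None if no range covers the domain (the ACME
    symptom in the thread) or the RID lies beyond the range size."""
    parts = split_sid(sid)
    if parts is None:
        return None
    domain_sid, rid = parts
    for r in ranges:
        if r.range_type == AD_TRUST_TYPE and r.domain_sid == domain_sid:
            offset = rid - r.base_rid
            return r.base_id + offset if 0 <= offset < r.size else None
    return None

def overlapping_ranges(ranges: List[IdRange]) -> List[Tuple[str, str]]:
    """Pairs of ranges whose ID intervals intersect: an overlap would let two SIDs, or an
    IPA account and an AD account, share one UID/GID, so this list must be empty."""
    return [(a.name, b.name) for a, b in combinations(ranges, 2)
            if a.base_id <= b.last_id() and b.base_id <= a.last_id()]

if __name__ == "__main__":
    rs = parse_idrange_find(IDRANGE_FIND_OUTPUT)
    print("overlaps:", overlapping_ranges(rs))
    # The SID wbinfo printed for WINDOWS\Domain Admins in the thread maps to 730200512
    print(sid_to_posix_id("S-1-5-21-1701591335-3855227394-3044674468-512", rs))
```

Feed the script the real `ipa idrange-find` output from your own server to see which UID/GID a given AD object will receive and to confirm the ranges are disjoint; if `sid_to_posix_id` returns None for a SID the lookup will also fail in SSSD, and the fix is a missing or too-small idrange (or, as in this thread, a child domain that has not been discovered yet), not an attribute in AD.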