[Freeipa-users] Forest trust and AD child domain

Manuel Lopes manuel.lopes72 at gmail.com
Sat Dec 13 13:13:30 UTC 2014


Hi,

As explained in the previous email, the getent is successful.


[root at support1 ~]# getent group 'ACME\Domain Users'
domain users at acme.windows.com:*:365600513:administrator at acme.windows.com



In fact, our real problem is not the "wbinfo -n" but the following command:

[root at support1 sssd]# ipa group-add-member ad_users_external --external "ACME\Domain Users"
[member user]:
[member group]:
  Group name: ad_users_external
  Description: AD users external map
  External member:
  Member of groups: ad_users
  Failed members:
    member user:
    member group: ACME\Domain Users: Cannot find specified domain or server name
-------------------------
Number of members added 0
-------------------------



We cannot add ACME’s domain users in the ad_users_external.



I attached the sssd logs.



Regards
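As an added illustration (not part of this thread, and not FreeIPA's or SSSD's own code): for ranges of type 'Active Directory domain range', the POSIX ID is derived from the object SID as base_id + (RID - base_rid), which is how the gidNumber 365600513 in the getent output above follows from the ACME.WINDOWS.COM_id_range (base 365600000, base RID 0) and the well-known RID 513 of "Domain Users". The ranges and domain SIDs below are copied from the 'ipa idrange-find' output quoted in the thread; the helper names are mine.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, List


@dataclass(frozen=True)
class IdRange:
    """One row of 'ipa idrange-find' (constructed from the thread's output)."""
    name: str
    base_id: int               # First Posix ID of the range
    range_size: int            # Number of IDs in the range
    base_rid: int              # First RID of the corresponding RID range
    domain_sid: Optional[str]  # None for the local IPA domain range


RANGES: List[IdRange] = [
    IdRange("LINUX.COM_id_range", 1066000000, 200000, 1000, None),
    IdRange("WINDOWS.COM_id_range", 730200000, 200000, 0,
            "S-1-5-21-1701591335-3855227394-3044674468"),
    IdRange("ACME.WINDOWS.COM_id_range", 365600000, 200000, 0,
            "S-1-5-21-1215373191-1991333051-3772904882"),
]


def split_sid(sid: str) -> Tuple[str, int]:
    """Split an object SID (S-1-5-21-...-RID) into (domain SID, RID)."""
    if not sid.startswith("S-1-5-21-"):
        raise ValueError(f"not an AD domain object SID: {sid}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def sid_to_posix_id(sid: str, ranges: List[IdRange] = RANGES) -> int:
    """Algorithmic SID -> POSIX ID mapping for 'Active Directory domain range'.

    Raises LookupError when no range is configured for the SID's domain
    (the ID cannot be generated) or when the RID falls outside the range.
    """
    domain_sid, rid = split_sid(sid)
    for r in ranges:
        if r.domain_sid != domain_sid:
            continue
        offset = rid - r.base_rid
        if 0 <= offset < r.range_size:
            return r.base_id + offset
        raise LookupError(f"RID {rid} is outside {r.name}")
    raise LookupError(f"no ID range configured for domain SID {domain_sid}")
```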

2014-12-12 21:51 GMT+01:00 Manuel Lopes <manuel.lopes72 at gmail.com>:
>
> OK.
>
> Command successful
> [root at support1 ~]# getent group  'ACME\Domain Users'
> domain users at acme.windows.com:*:365600513:administrator at acme.windows.com
>
> Log files attached
>
> Thanks
>
> 2014-12-12 21:32 GMT+01:00 Sumit Bose <sbose at redhat.com>:
>>
>> On Fri, Dec 12, 2014 at 08:41:27PM +0100, Manuel Lopes wrote:
>> > [root at support1 ~]# ipa idrange-find
>> > ----------------
>> > 3 ranges matched
>> > ----------------
>> > Range name: LINUX.COM_id_range
>> > First Posix ID of the range: 1066000000
>> > Number of IDs in the range: 200000
>> > First RID of the corresponding RID range: 1000
>> > First RID of the secondary RID range: 100000000
>> > Range type: local domain range
>> >
>> > Range name: WINDOWS.COM_id_range
>> > First Posix ID of the range: 730200000
>> > Number of IDs in the range: 200000
>> > First RID of the corresponding RID range: 0
>> > Domain SID of the trusted domain: S-1-5-21-1701591335-3855227394-3044674468
>> > Range type: Active Directory domain range
>> >
>> > Range name: ACME.WINDOWS.COM_id_range
>> > First Posix ID of the range: 365600000
>> > Number of IDs in the range: 200000
>> > First RID of the corresponding RID range: 0
>> > Domain SID of the trusted domain: S-1-5-21-1215373191-1991333051-3772904882
>> > Range type: Active Directory domain range
>> > ----------------------------
>> > Number of entries returned 3
>> > ----------------------------
>> >
>> >
>> > As we can see in the output of the command, the range type is "ad POSIX
>> > attributes".
>>
>> no, it's only 'Active Directory domain range', this is good because with
>> this type we generate the UIDs and GIDs algorithmically.
>>
>> > In our case, the gidNumber is not set in the "ACME\Domain Users" AD group,
>> > nor in the "WINDOWS\Domain Users".
>> > With a gidNumber attribute value, the 'wbinfo -n "ACME\Domain Users"'
>> > command still fails.
>>
>> no need to set the ID attributes in AD. But I should have mentioned
>> that wbinfo is quite useless nowadays with FreeIPA because winbind is
>> only used to assure some types of communication with AD. All user and
>> group lookups and ID-mapping is done by SSSD. Please try
>>
>> getent group 'ACME\Domain Users'
>>
>>
>> and send the sssd_nss.log and sssd_example.com.log files.
>>
>> bye,
>> Sumit
>>
>> >
>> > Thanks
>> >
>> > 2014-12-12 19:51 GMT+01:00 Manuel Lopes <manuel.lopes72 at gmail.com>:
>> > >
>> > > 2014-12-12 10:33 GMT+01:00 Sumit Bose <sbose at redhat.com>:
>> > >>
>> > >> On Fri, Dec 12, 2014 at 02:06:05AM +0100, Manuel Lopes wrote:
>> > >> > Hi Sumit,
>> > >> >
>> > >> > Thank you very much for the prompt reply
>> > >> >
>> > >> > [root at support1 ~]# ipa trustdomain-find windows.com
>> > >> >   Domain name: windows.com
>> > >> >   Domain NetBIOS name: WINDOWS
>> > >> >   Domain Security Identifier: S-1-5-21-1701591335-3855227394-3044674468
>> > >> >   Domain enabled: True
>> > >> >
>> > >> >   Domain name: acme.windows.com
>> > >> >   Domain NetBIOS name: ACME
>> > >> >   Domain Security Identifier: S-1-5-21-1215373191-1991333051-3772904882
>> > >> >   Domain enabled: True
>> > >> > ----------------------------
>> > >> > Number of entries returned 2
>> > >> > ----------------------------
>> > >>
>> > >> ok, so ACME was discovered successfully, can you check next the output of
>> > >>
>> > >> ipa idrange-find
>> > >>
>> > >> The important attribute is the 'Range type' for the AD domains. If it is
>> > >> 'Active Directory trust range with POSIX attributes' it is expected that
>> > >> users and groups in the AD forest have the POSIX UID and GID attributes
>> > >> set and only those users and groups will be available in the IPA domain.
>> > >> In this case please check if 'ACME\Domain Users' have the GID attribute
>> > >> set.
>> > >>
>> > >> If this does not help (please mind the negative cache of SSSD) please
>> > >> send the SSSD logs in /var/log/sssd on the IPA server. You might need to
>> > >> enable logging in sssd.conf by setting 'debug_level = 10' in the
>> > >> [domain/..] and [nss] section of sssd.conf.
>> > >>
>> > >> bye,
>> > >> Sumit
>> > >>
>> > >> >
>> > >> > [root at support1 ~]# ipa trust-fetch-domains windows.com
>> > >> > -------------------------------
>> > >> > No new trust domains were found
>> > >> > -------------------------------
>> > >> > ----------------------------
>> > >> > Number of entries returned 0
>> > >> > ----------------------------
>> > >> >
>> > >> > Regards
>> > >> > On 11 Dec 2014 20:08, "Sumit Bose" <sbose at redhat.com> wrote:
>> > >> >
>> > >> > > On Thu, Dec 11, 2014 at 06:45:49PM +0100, Manuel Lopes wrote:
>> > >> > > >  Hello,
>> > >> > > >
>> > >> > > >
>> > >> > > > We have been following the AD integration guide for IPAv3:
>> > >> > > > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>> > >> > > >
>> > >> > > >
>> > >> > > >
>> > >> > > > Our setup is:
>> > >> > > >
>> > >> > > > • 2 domain controllers with Windows 2008 R2 AD DC -> windows.com
>> > >> > > > as Forest Root Domain and acme.windows.com as transitive child domain
>> > >> > > >
>> > >> > > > • RHEL7 as IPA server with domain: linux.com
>> > >> > > >
>> > >> > > >
>> > >> > > >
>> > >> > > > We have established a forest trust between windows.com and linux.com
>> > >> > > > and everything seems OK from an IPA perspective.
>> > >> > > >
>> > >> > > >
>> > >> > > >
>> > >> > > > We can work with Kerberos tickets without any issue from the "windows"
>> > >> > > > domain or its child domain "acme". (kinit, kvno...)
>> > >> > > >
>> > >> > > >
>> > >> > > >
>> > >> > > > When we use samba tools, the following command is working fine.
>> > >> > > >
>> > >> > > > [root at support1 ]# wbinfo -n 'WINDOWS\Domain Admins'
>> > >> > > > S-1-5-21-1701591335-3855227394-3044674468-512 SID_DOM_GROUP (2)
>> > >> > > >
>> > >> > > > But, the same command against the acme domain returns an error.
>> > >> > > >
>> > >> > > > [root at support1 ]# wbinfo -n 'ACME\Domain Admins'
>> > >> > > > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>> > >> > > > Could not lookup name ACME\Domain Admins
>> > >> > > >
>> > >> > > > Same problem with the following command:
>> > >> > > >
>> > >> > > > [root at support1]# ipa group-add-member ad_users_external --external "ACME\Domain Users"
>> > >> > > > [member user]:
>> > >> > > > [member group]:
>> > >> > > >   Group name: ad_users_external
>> > >> > > >   Description: AD users external map
>> > >> > > >   External member:
>> > >> > > >   Member of groups: ad_users
>> > >> > > >   Failed members:
>> > >> > > >     member user:
>> > >> > > >     member group: ACME\Domain Users: Cannot find specified domain or server name
>> > >> > > > -------------------------
>> > >> > > > Number of members added 0
>> > >> > > >
>> > >> > > >
>> > >> > > >
>> > >> > > >
>> > >> > > >
>> > >> > > > Any help would be appreciated
>> > >> > >
>> > >> > > Does
>> > >> > >
>> > >> > > ipa trustdomain-find windows.com
>> > >> > >
>> > >> > > show acme.windows.com as well ?
>> > >> > >
>> > >> > > Does
>> > >> > >
>> > >> > > ipa trust-fetch-domains ad.devel
>> > >> > >
>> > >> > > help to retrieve the child domain?
>> > >> > >
>> > >> > > Please note that if acme.windows.com now shows up you might have to
>> > >> > > wait 1-2 minutes until SSSD's negative caches are flushed and the new
>> > >> > > domain is discovered by SSSD; as an alternative you can just restart
>> > >> > > SSSD.
>> > >> > >
>> > >> > > HTH
>> > >> > >
>> > >> > > bye,
>> > >> > > Sumit
>> > >> > >
>> > >> > > >
>> > >> > > >
>> > >> > > >
>> > >> > > > Regards
>> > >> > >
>> > >> > > > --
>> > >> > > > Manage your subscription for the Freeipa-users mailing list:
>> > >> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > >> > > > Go To http://freeipa.org for more info on the project
>> > >> > >
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd_nss.log
Type: application/octet-stream
Size: 44705 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141213/46083678/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd.log
Type: application/octet-stream
Size: 156858 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141213/46083678/attachment-0001.obj>