[Freeipa-users] Forest trust and AD child domain

Manuel Lopes manuel.lopes72 at gmail.com
Mon Dec 15 20:35:52 UTC 2014


Hi,

Attached, the good log.

We are running sssd-1.11.2-68.el7_0.6 on RHEL 7.
ipa-server-3.3.3-28.el7_0.3

Regards

2014-12-15 18:34 GMT+01:00 Sumit Bose <sbose at redhat.com>:
>
> On Mon, Dec 15, 2014 at 05:38:05PM +0100, Manuel Lopes wrote:
> > Attached the sssd_linux.com.log file
> >
> > Regards
>
> Thank you, but there is no request logged in the logs; did you run ipa
> group-add-member after restarting SSSD? Nevertheless I think I know what
> is happening: you hit an issue which should be fixed in SSSD 1.12.2.
> Which version of SSSD are you running on which platform?
>
> bye,
> Sumit
>
> >
> > 2014-12-15 17:03 GMT+01:00 Sumit Bose <sbose at redhat.com>:
> > >
> > > On Mon, Dec 15, 2014 at 04:39:29PM +0100, Manuel Lopes wrote:
> > > > The file sssd_linux.com.log is empty.
> > >
> > > please add
> > >
> > > debug_level = 10
> > >
> > > to the [domain/...] section in sssd.conf to enable logging for this
> > > part of SSSD.
> > >
> > > bye,
> > > Sumit
> > > >
> > > >
> > > >
> > > > 2014-12-15 15:42 GMT+01:00 Sumit Bose <sbose at redhat.com>:
> > > > >
> > > > > On Sat, Dec 13, 2014 at 02:13:30PM +0100, Manuel Lopes wrote:
> > > > > > Hi,
> > > > > >
> > > > > > As explained in the previous email, the getent is successful.
> > > > > >
> > > > > >
> > > > > > [root at support1 ~]# getent group 'ACME\Domain Users'
> > > > > > domain users at acme.windows.com:*:365600513:administrator at acme.windows.com
> > > > > >
> > > > > >
> > > > > > In fact, our real problem is not the "wbinfo -n" but the following
> > > > > > command:
> > > > > >
> > > > > > [root at support1 sssd]# ipa group-add-member ad_users_external --external "ACME\Domain Users"
> > > > > > [member user]:
> > > > > > [member group]:
> > > > > >   Group name: ad_users_external
> > > > > >   Description: AD users external map
> > > > > >   External member:
> > > > > >   Member of groups: ad_users
> > > > > >   Failed members:
> > > > > >     member user:
> > > > > >     member group: ACME\Domain Users: Cannot find specified domain or server name
> > > > > > -------------------------
> > > > > > Number of members added 0
> > > > > > -------------------------
> > > > > >
> > > > > >
> > > > > >
> > > > > > We cannot add ACME’s domain users in the ad_users_external.
> > > > > >
> > > > > >
> > > > > >
> > > > > > I attached the sssd logs.
> > > > >
> > > > > Can you send the corresponding domain log file as well? It should
> > > > > be called sssd_linux.com.log or similar.
> > > > >
> > > > > bye,
> > > > > Sumit
> > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > Regards
> > > > > >
> > > > > > 2014-12-12 21:51 GMT+01:00 Manuel Lopes <manuel.lopes72 at gmail.com>:
> > > > > > >
> > > > > > > OK.
> > > > > > >
> > > > > > > Command successful
> > > > > > > [root at support1 ~]# getent group 'ACME\Domain Users'
> > > > > > > domain users at acme.windows.com:*:365600513:administrator at acme.windows.com
> > > > > > >
> > > > > > > Log files attached
> > > > > > >
> > > > > > > Thanks
> > > > > > >
> > > > > > > 2014-12-12 21:32 GMT+01:00 Sumit Bose <sbose at redhat.com>:
> > > > > > >>
> > > > > > >> On Fri, Dec 12, 2014 at 08:41:27PM +0100, Manuel Lopes wrote:
> > > > > > >> > [root at support1 ~]# ipa idrange-find
> > > > > > >> > ----------------
> > > > > > >> > 3 ranges matched
> > > > > > >> > ----------------
> > > > > > >> > Range name: LINUX.COM_id_range
> > > > > > >> > First Posix ID of the range: 1066000000
> > > > > > >> > Number of IDs in the range: 200000
> > > > > > >> > First RID of the corresponding RID range: 1000
> > > > > > >> > First RID of the secondary RID range: 100000000
> > > > > > >> > Range type: local domain range
> > > > > > >> >
> > > > > > >> > Range name: WINDOWS.COM_id_range
> > > > > > >> > First Posix ID of the range: 730200000
> > > > > > >> > Number of IDs in the range: 200000
> > > > > > >> > First RID of the corresponding RID range: 0
> > > > > > >> > Domain SID of the trusted domain: S-1-5-21-1701591335-3855227394-3044674468
> > > > > > >> > Range type: Active Directory domain range
> > > > > > >> >
> > > > > > >> > Range name: ACME.WINDOWS.COM_id_range
> > > > > > >> > First Posix ID of the range: 365600000
> > > > > > >> > Number of IDs in the range: 200000
> > > > > > >> > First RID of the corresponding RID range: 0
> > > > > > >> > Domain SID of the trusted domain: S-1-5-21-1215373191-1991333051-3772904882
> > > > > > >> > Range type: Active Directory domain range
> > > > > > >> > ----------------------------
> > > > > > >> > Number of entries returned 3
> > > > > > >> > ----------------------------
> > > > > > >> >
> > > > > > >> >
> > > > > > >> > As we can see in the output of the command, the range type
> > > > > > >> > is "ad POSIX attributes".
> > > > > > >>
> > > > > > >> no, it's only 'Active Directory domain range', this is good
> > > > > > >> because with this type we generate the UIDs and GIDs algorithmically.
> > > > > > >>
> > > > > > >> > In our case, the gidNumber is not set in the "ACME\Domain
> > > > > > >> > Users" AD group, nor in the "WINDOWS\Domain Users".
> > > > > > >> > With a gidNumber attribute value, the 'wbinfo -n "ACME\Domain
> > > > > > >> > Users"' command still fails.
> > > > > > >>
> > > > > > >> no need to set the ID attributes in AD. But I should have
> > > > > > >> mentioned that wbinfo is quite useless nowadays with FreeIPA because
> > > > > > >> winbind is only used to assure some types of communication with AD. All
> > > > > > >> user and group lookups and ID-mapping are done by SSSD. Please try
> > > > > > >>
> > > > > > >> getent group 'ACME\Domain Users'
> > > > > > >>
> > > > > > >>
> > > > > > >> and send the sssd_nss.log and sssd_example.com.log files.
> > > > > > >>
> > > > > > >> bye,
> > > > > > >> Sumit
> > > > > > >>
> > > > > > >> >
> > > > > > >> > Thanks
> > > > > > >> >
> > > > > > >> > 2014-12-12 19:51 GMT+01:00 Manuel Lopes <manuel.lopes72 at gmail.com>:
> > > > > > >> > >
> > > > > > >> > > [root at support1 ~]# ipa idrange-find
> > > > > > >> > > ----------------
> > > > > > >> > > 3 ranges matched
> > > > > > >> > > ----------------
> > > > > > >> > >   Range name: LINUX.COM_id_range
> > > > > > >> > >   First Posix ID of the range: 1066000000
> > > > > > >> > >   Number of IDs in the range: 200000
> > > > > > >> > >   First RID of the corresponding RID range: 1000
> > > > > > >> > >   First RID of the secondary RID range: 100000000
> > > > > > >> > >   Range type: local domain range
> > > > > > >> > >
> > > > > > >> > >   Range name: WINDOWS.COM_id_range
> > > > > > >> > >   First Posix ID of the range: 730200000
> > > > > > >> > >   Number of IDs in the range: 200000
> > > > > > >> > >   First RID of the corresponding RID range: 0
> > > > > > >> > >   Domain SID of the trusted domain: S-1-5-21-1701591335-3855227394-3044674468
> > > > > > >> > >   Range type: Active Directory domain range
> > > > > > >> > >
> > > > > > >> > >   Range name: ACME.WINDOWS.COM_id_range
> > > > > > >> > >   First Posix ID of the range: 365600000
> > > > > > >> > >   Number of IDs in the range: 200000
> > > > > > >> > >   First RID of the corresponding RID range: 0
> > > > > > >> > >   Domain SID of the trusted domain: S-1-5-21-1215373191-1991333051-3772904882
> > > > > > >> > >   Range type: Active Directory domain range
> > > > > > >> > > ----------------------------
> > > > > > >> > > Number of entries returned 3
> > > > > > >> > > ----------------------------
> > > > > > >> > >
> > > > > > >> > >
> > > > > > >> > > As we can see in the output of the command, the range type
> > > > > > >> > > is "ad POSIX attributes".
> > > > > > >> > > In our case, the gidNumber is not set in the "ACME\Domain
> > > > > > >> > > Users" AD group, nor in the "WINDOWS\Domain Users".
> > > > > > >> > > With a gidNumber attribute value, the 'wbinfo -n "ACME\Domain
> > > > > > >> > > Users"' command still fails.
> > > > > > >> > >
> > > > > > >> > > Thanks
> > > > > > >> > >
> > > > > > >> > >
> > > > > > >> > > 2014-12-12 10:33 GMT+01:00 Sumit Bose <sbose at redhat.com>:
> > > > > > >> > >>
> > > > > > >> > >> On Fri, Dec 12, 2014 at 02:06:05AM +0100, Manuel Lopes wrote:
> > > > > > >> > >> > Hi Sumit,
> > > > > > >> > >> >
> > > > > > >> > >> > Thank you very much for the prompt reply
> > > > > > >> > >> >
> > > > > > >> > >> > [root at support1 ~]# ipa trustdomain-find windows.com
> > > > > > >> > >> >   Domain name: windows.com
> > > > > > >> > >> >   Domain NetBIOS name: WINDOWS
> > > > > > >> > >> >   Domain Security Identifier: S-1-5-21-1701591335-3855227394-3044674468
> > > > > > >> > >> >   Domain enabled: True
> > > > > > >> > >> >
> > > > > > >> > >> >   Domain name: acme.windows.com
> > > > > > >> > >> >   Domain NetBIOS name: ACME
> > > > > > >> > >> >   Domain Security Identifier: S-1-5-21-1215373191-1991333051-3772904882
> > > > > > >> > >> >   Domain enabled: True
> > > > > > >> > >> > ----------------------------
> > > > > > >> > >> > Number of entries returned 2
> > > > > > >> > >> > ----------------------------
> > > > > > >> > >>
> > > > > > >> > >> ok, so ACME was discovered successfully, can you check
> > > > > > >> > >> next the output of
> > > > > > >> > >>
> > > > > > >> > >> ipa idrange-find
> > > > > > >> > >>
> > > > > > >> > >> The important attribute is the 'Range type' for the AD
> > > > > > >> > >> domains. If it is 'Active Directory trust range with POSIX
> > > > > > >> > >> attributes' it is expected that users and groups in the AD
> > > > > > >> > >> forest have the POSIX UID and GID attributes set and only
> > > > > > >> > >> those users and groups will be available in the IPA domain.
> > > > > > >> > >> In this case please check if 'ACME\Domain Users' has the GID
> > > > > > >> > >> attribute set.
> > > > > > >> > >>
> > > > > > >> > >> If this does not help (please mind the negative cache of
> > > > > > >> > >> SSSD) please send the SSSD logs in /var/log/sssd on the IPA
> > > > > > >> > >> server. You might need to enable logging in sssd.conf by
> > > > > > >> > >> setting 'debug_level = 10' in the [domain/..] and [nss]
> > > > > > >> > >> section of sssd.conf.
> > > > > > >> > >>
> > > > > > >> > >> bye,
> > > > > > >> > >> Sumit
> > > > > > >> > >>
> > > > > > >> > >> >
> > > > > > >> > >> > [root at support1 ~]# ipa trust-fetch-domains windows.com
> > > > > > >> > >> > -------------------------------
> > > > > > >> > >> > No new trust domains were found
> > > > > > >> > >> > -------------------------------
> > > > > > >> > >> > ----------------------------
> > > > > > >> > >> > Number of entries returned 0
> > > > > > >> > >> > ----------------------------
> > > > > > >> > >> >
> > > > > > >> > >> > Regards
> > > > > > >> > >> > On 11 Dec 2014 20:08, "Sumit Bose" <sbose at redhat.com> wrote:
> > > > > > >> > >> >
> > > > > > >> > >> > > On Thu, Dec 11, 2014 at 06:45:49PM +0100, Manuel Lopes wrote:
> > > > > > >> > >> > > >  Hello,
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > > We have been following the AD integration guide for IPAv3:
> > > > > > >> > >> > > > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > > Our setup is:
> > > > > > >> > >> > > >
> > > > > > >> > >> > > > • 2 domain controllers with Windows 2008 R2 AD DC ->
> > > > > > >> > >> > > > windows.com as Forest Root Domain and acme.windows.com
> > > > > > >> > >> > > > as transitive child domain
> > > > > > >> > >> > > >
> > > > > > >> > >> > > > • RHEL7 as IPA server with domain: linux.com
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > > We have established a forest trust between windows.com
> > > > > > >> > >> > > > and linux.com and everything seems OK from an IPA perspective.
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > > We can work with Kerberos tickets without any issue
> > > > > > >> > >> > > > from the "windows" domain or its child domain "acme". (kinit, kvno...)
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > > When we use samba tools, the following command is working fine.
> > > > > > >> > >> > > >
> > > > > > >> > >> > > > [root at support1 ]# wbinfo -n 'WINDOWS\Domain Admins'
> > > > > > >> > >> > > > S-1-5-21-1701591335-3855227394-3044674468-512 SID_DOM_GROUP (2)
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > > But, the same command against the acme domain returns an error.
> > > > > > >> > >> > > >
> > > > > > >> > >> > > > [root at support1 ]# wbinfo -n 'ACME\Domain Admins'
> > > > > > >> > >> > > > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> > > > > > >> > >> > > > Could not lookup name ACME\Domain Admins
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > > Same problem with the following command:
> > > > > > >> > >> > > >
> > > > > > >> > >> > > > [root at support1]# ipa group-add-member ad_users_external --external "ACME\Domain Users"
> > > > > > >> > >> > > > [member user]:
> > > > > > >> > >> > > > [member group]:
> > > > > > >> > >> > > >   Group name: ad_users_external
> > > > > > >> > >> > > >   Description: AD users external map
> > > > > > >> > >> > > >   External member:
> > > > > > >> > >> > > >   Member of groups: ad_users
> > > > > > >> > >> > > >   Failed members:
> > > > > > >> > >> > > >     member user:
> > > > > > >> > >> > > >     member group: ACME\Domain Users: Cannot find specified domain or server name
> > > > > > >> > >> > > > -------------------------
> > > > > > >> > >> > > > Number of members added 0
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > > Any help would be appreciated
> > > > > > >> > >> > >
> > > > > > >> > >> > > Does
> > > > > > >> > >> > >
> > > > > > >> > >> > > ipa trustdomain-find windows.com
> > > > > > >> > >> > >
> > > > > > >> > >> > > show acme.windows.com as well ?
> > > > > > >> > >> > >
> > > > > > >> > >> > > Does
> > > > > > >> > >> > >
> > > > > > >> > >> > > ipa trust-fetch-domains ad.devel
> > > > > > >> > >> > >
> > > > > > >> > >> > > help to retrieve the child domain?
> > > > > > >> > >> > >
> > > > > > >> > >> > > Please note that if acme.windows.com now shows up you
> > > > > > >> > >> > > might have to wait 1-2 minutes until SSSD's negative
> > > > > > >> > >> > > caches are flushed and the new domain is discovered by
> > > > > > >> > >> > > SSSD; as an alternative you can just restart SSSD.
> > > > > > >> > >> > >
> > > > > > >> > >> > > HTH
> > > > > > >> > >> > >
> > > > > > >> > >> > > bye,
> > > > > > >> > >> > > Sumit
> > > > > > >> > >> > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > >
> > > > > > >> > >> > > > Regards
> > > > > > >> > >> > >
> > > > > > >> > >> > > > --
> > > > > > >> > >> > > > Manage your subscription for the Freeipa-users mailing list:
> > > > > > >> > >> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > > > >> > >> > > > Go To http://freeipa.org for more info on the project
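Sumit's remark that UIDs and GIDs are generated algorithmically for an 'Active Directory domain range' ties the three ranges posted from `ipa idrange-find` to the GID that getent returned: 'Domain Users' is the well-known RID 513, ACME's range starts at 365600000, and getent showed 365600513. The Python below is an illustration added here, not code from the thread or from SSSD; the rule it applies (posix_id = first Posix ID + (RID - first RID), with the RID required to fall inside 'Number of IDs in the range') is my reading of that remark rather than SSSD's source, and the range table is constructed from the output posted above.

```python
"""Algorithmic SID -> POSIX ID mapping for 'Active Directory domain range' ranges.

Constructed illustration (not from the thread or from SSSD's own code). The
assumed rule: posix_id = first_posix_id + (rid - first_rid), valid only while
the offset is smaller than 'Number of IDs in the range'.
"""
import re
from dataclasses import dataclass
from typing import Optional

# A domain object SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int      # First Posix ID of the range
    range_size: int   # Number of IDs in the range
    base_rid: int     # First RID of the corresponding RID range
    domain_sid: str   # Domain SID of the trusted domain


# Constructed from the idrange-find output quoted in the thread (AD ranges only;
# the local LINUX.COM range has no domain SID and is not SID-mapped).
AD_RANGES = [
    IdRange("WINDOWS.COM_id_range", 730200000, 200000, 0,
            "S-1-5-21-1701591335-3855227394-3044674468"),
    IdRange("ACME.WINDOWS.COM_id_range", 365600000, 200000, 0,
            "S-1-5-21-1215373191-1991333051-3772904882"),
]


def split_sid(sid: str):
    """Split an object SID into (domain SID, RID); reject anything else."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain object SID: {sid!r}")
    rid = int(m.group(1))
    domain_sid = sid[: sid.rfind("-")]
    return domain_sid, rid


def sid_to_posix_id(sid: str, ranges=AD_RANGES) -> Optional[int]:
    """Map an AD object SID to a POSIX ID, or None when no range covers it.

    None for an unknown domain SID mirrors the symptom in the thread: an object
    from a domain SSSD has not discovered (ACME before trust-fetch-domains)
    cannot be resolved, and the lookup fails instead of guessing an ID.
    """
    domain_sid, rid = split_sid(sid)
    for r in ranges:
        if r.domain_sid != domain_sid:
            continue
        offset = rid - r.base_rid
        if 0 <= offset < r.range_size:
            return r.base_id + offset
        return None  # domain known, but the RID is outside the range size
    return None


def posix_id_to_sid(posix_id: int, ranges=AD_RANGES) -> Optional[str]:
    """Reverse mapping: the SID a POSIX ID belongs to, if an AD range covers it."""
    for r in ranges:
        if r.base_id <= posix_id < r.base_id + r.range_size:
            return f"{r.domain_sid}-{posix_id - r.base_id + r.base_rid}"
    return None


if __name__ == "__main__":
    # ACME\Domain Users (RID 513): matches the GID 365600513 shown by getent.
    print(sid_to_posix_id("S-1-5-21-1215373191-1991333051-3772904882-513"))
    # WINDOWS\Domain Admins, the SID returned by wbinfo -n in the thread.
    print(sid_to_posix_id("S-1-5-21-1701591335-3855227394-3044674468-512"))
    # A RID beyond the 200000-ID range is rejected rather than mapped.
    print(sid_to_posix_id("S-1-5-21-1215373191-1991333051-3772904882-200000"))
```

The reverse function is what makes the 'Active Directory domain range' type attractive operationally: a GID seen in an audit log or on a file can be traced back to the AD object's SID from the range configuration alone, without any POSIX attributes in AD, and the bounds check explains why the range size has to be chosen with the domain's highest RID in mind.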
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd_linux.com.log
Type: application/octet-stream
Size: 211587 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141215/0a50a9fb/attachment.obj>

