[Freeipa-users] Freeipa-users Digest, Vol 77, Issue 15

Shashi M svm2k20 at gmail.com
Tue Dec 16 18:30:44 UTC 2014


On Fri, Dec 5, 2014 at 12:26 PM, <freeipa-users-request at redhat.com> wrote:
>
>
> Today's Topics:
>
>    1. ad trust and default_domain_suffix (Nicolas Zin)
>    2. Re: ad trust and default_domain_suffix (Nicolas Zin)
>    3. Re: strange error - disconnecting a replica? (Martin Kosek)
>    4. Re: strange error - disconnecting a replica? (thierry bordaz)
>    5. Re: strange error - disconnecting a replica? (thierry bordaz)
>    6. Re: strange error - disconnecting a replica? (Martin Kosek)
>    7. Re: Cross-Realm authentification (Andreas Ladanyi)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 4 Dec 2014 12:49:36 -0500 (EST)
> From: Nicolas Zin <nicolas.zin at savoirfairelinux.com>
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] ad trust and default_domain_suffix
> Message-ID: <227542639.160677.1417715376443.JavaMail.root at mail>
> Content-Type: text/plain; charset=utf-8
>
> Hi,
>
> I have an IDM (v3.3) installed on a Redhat7.
> I have an IDM realm connected to an AD via a trust relationship.
> In the IDM realm there are Redhat6 and Redhat5 clients.
>
>
> My client asks to be able to connect to the Linux machine with their AD
> without entering their domain (just the username). On Redhat 6 there is an
> option for sssd (default_domain_suffix=) that
> seems to be exactly what I need, but I have a problem. If I use this
> option, I can indeed log in with my AD username with domain name, but I
> cannot log in with my Linux IDM username anymore, even if I use my fully
> qualified username at realm, i.e. in the middle of the PAM authentication it
> seems to fail (when I ssh to the machine with ssh <server> -l admin@<realm>,
> I get Write failed: Broken pipe). If needed I can send more logs.
>
> I reproduced the problem in a simpler environment: just a Linux realm,
> and default_domain_suffix set to a nonexistent domain, and again I cannot
> ssh to my server with my fully qualified username at realm.
>
> Here is my sssd.conf:
> [domain/idm1]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = idm1
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = dc.idm1
> chpass_provider = ipa
> ipa_server = dc.idm1
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
>
> domains = idm1
>
> default_domain_suffix=toto.com
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
>
>
> Here is my krb5.conf:
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = IDM1
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = yes
>  default_ccache_name = KEYRING:persistent:%{uid}
>  ignore_acceptor_hostname = true
>
> [realms]
>  IDM1 = {
>   kdc = dc.idm1:88
>   master_kdc = dc.idm1:88
>   admin_server = dc.idm1:749
>   default_domain = idm1
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
>  .idm1 = IDM1
>  idm1 = IDM1
>
> [dbmodules]
>   IDM1 = {
>     db_library = ipadb.so
>   }
>
>
>
> is there something to add to make it working?
>
>
>
>
> Side note: also with Redhat5, which is configured following ipa-advise
> sssd-before-1.9, default_domain_suffix is not understood with sssd<1.9.
> Is there a way to force RHEL5 to let my Windows users connect
> without entering their domain? I don't know if there is a way to tune the
> compatibility tree returned by the LDAP server, for example.
>
> Or should I try to compile sssd 1.9 for RHEL5? (but I guess this is easier
> said than done) Or isn't it worth it? (incompatibility with Kerberos, or
> with the RHEL5 kernel?)
>
>
> Regards,
>
>
> Nicolas Zin
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 4 Dec 2014 16:53:00 -0500 (EST)
> From: Nicolas Zin <nicolas.zin at savoirfairelinux.com>
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ad trust and default_domain_suffix
> Message-ID: <992955671.305465.1417729980028.JavaMail.root at mail>
> Content-Type: text/plain; charset=utf-8
>
> I'm answering myself (but my problem is not resolved).
>
>
> so when I try to do "ssh localhost -l admin at idm1" (idm1 is my domain name),
> in the /var/log/sssd/sssd_nss.log I find:
> ...
> (Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
> Requesting info for [admin at idm1]
> (Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
> Requesting info for [admin] from [idm1]
> (Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
> Requesting info for [admin at idm1]
> (Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
> Requesting info for [admin] from [idm1]
> (Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
> Requesting info for [admin at idm1]
> (Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
> Requesting info for [admin] from [idm1]
> (Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
> Requesting info for [admin at idm1]
> (Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
> Requesting info for [admin] from [idm1]
> (Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
> Requesting info for [admin at idm1]
> (Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040):
> Invalid name received [admin]
>
>
> So it seems to be a problem with nss not able to find my user.
> Indeed, if I do a "getent passwd admin" it doesn't show anything, but if I
> do a "getent passwd admin at idm1" it works.
>
> I found a "workaround":
> getent passwd admin at idm1 >> /etc/passwd
>
>
> Now I can ssh to my server:
> ssh localhost -l admin at idm1
>
>
>
> Is it a bug? Is there a better "workaround"?
>
>
> Regards,
>
>
>
> ------------------------------
>
Hi,

Did you find any other workaround for this issue?
I am also having the same issue. I am looking at migrating the existing IPA to a
full trust with AD; this might not be acceptable to my end users.

Does anyone else have a workaround for using default_domain_suffix for AD users
but without using fully qualified names for IPA users?

I observed that if the IPA user is in the sssd cache, id and other commands work
for the IPA user, but ssh without @ipadomain does not work in any case.

Regards,
Shashikant
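As an added example (not code from the thread or from the SSSD project), a small Python linter that reads an sssd.conf like the one quoted above and reports the consequence of default_domain_suffix: every user outside the suffix domain must log in fully qualified, and a suffix that is neither a configured nor a trusted domain leaves bare names unresolvable (the "Invalid name received" case). It also flags the thread's "getent >> /etc/passwd" workaround, since a copied entry is a static local duplicate that no longer follows the directory; the sample config and passwd lines are constructed from the quoted excerpts.

```python
"""Lint sssd.conf for the default_domain_suffix pitfall discussed in this thread."""
import configparser

# Constructed sample: the poster's sssd.conf from the thread, trimmed
SAMPLE_SSSD_CONF = """\
[domain/idm1]
id_provider = ipa
ipa_domain = idm1
ipa_server = dc.idm1

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = idm1
default_domain_suffix=toto.com
"""

# Constructed /etc/passwd fragment after the thread's 'getent >> /etc/passwd' workaround
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:*:1234000000:1234000000:Administrator:/home/admin:/bin/bash
"""

def lint_default_domain_suffix(conf_text):
    """Return (severity, message) findings caused by default_domain_suffix."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(conf_text)
    suffix = cfg.get("sssd", "default_domain_suffix", fallback="").strip()
    domains = [d.strip() for d in cfg.get("sssd", "domains", fallback="").split(",") if d.strip()]
    findings = []
    if not suffix:
        return findings
    # A bare name is now looked up as name@<suffix>, so every other domain needs name@domain.
    for dom in domains:
        if dom != suffix:
            findings.append(("INFO", f"domain '{dom}': users must log in as user@{dom}"))
    # The suffix is usually a trusted (AD) domain, which is not listed in 'domains';
    # if it is neither trusted nor configured, bare names resolve nowhere
    # (the thread's 'Invalid name received' with suffix toto.com).
    if suffix not in domains:
        findings.append(("WARN", f"suffix '{suffix}' is not a configured domain; "
                                 "confirm it is a trusted domain served by sssd"))
    return findings

def local_copies_of_directory_users(passwd_text, directory_users):
    """Names in both /etc/passwd and the directory: static local copies that drift."""
    local = {line.split(":", 1)[0] for line in passwd_text.splitlines() if ":" in line}
    return sorted(local & set(directory_users))
```

Run it against the real /etc/sssd/sssd.conf and /etc/passwd (plus the list of directory users you expect) to see which logins will need user@domain and which local entries shadow directory accounts.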