[Freeipa-users] Issues creating trust with AD.

Genadi Postrilko genadipost at gmail.com
Fri Feb 14 22:14:58 UTC 2014


I have seen threads that were opened on trust issues:
"AD - Freeipa trust confusion"
"Cross domain trust"
"Cannot loging via SSH with AD user TO IPA Domain" - which I opened.

It looks like after creation of the trust, a TGT can be issued from AD,
but "su" and "ssh" do not allow a login with an AD user.
I'm not sure if a conclusion has been reached on this subject.

I gave it a try again and attempted to create a trust with IPA as a DNS
subdomain of AD.
I followed:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html

AD domain: ADEXAMPLE.COM
IPA subdomain: LINUX.ADEXAMPLE.COM

When I finished the necessary steps I attempted to retrieve a TGT from AD
(while logged in to the IPA server):

[root@ipaserver1 sbin]# kinit Administrator@ADEXAMPLE.COM
Password for Administrator@ADEXAMPLE.COM:
[root@ipaserver1 sbin]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@ADEXAMPLE.COM

Valid starting     Expires            Service principal
02/14/14 07:50:21  02/14/14 17:50:20  krbtgt/ADEXAMPLE.COM@ADEXAMPLE.COM
        renew until 02/15/14 07:50:21

But logging in by "ssh" and "su" ended in failure:

login as: Administrator@ADEXAMPLE.COM
Administrator@ADDC.COM@192.168.227.201's password:
Access denied

After reading
http://www.freeipa.org/page/IPAv3_testing_AD_trust#Create_a_trust_to_an_AD_domaini
I did the following on the AD server:

Administrative Tools -> Active Directory Domains and Trust ->
adexample.com(right click) -> Properties -> Trust -> Domain Trusted by
this domain
(outgoing trust) -> Properties -> General -> Validate

*After doing this I was able to log in via "ssh" and "su" with the
"Administrator" user:*

login as: Administrator@ADEXAMPLE.COM
Administrator@ADEXAMPLE.COM@192.168.227.201's password:
Last login: Wed Feb 12 14:39:49 2014 from 192.168.227.1
Could not chdir to home directory /home/adexample.com/administrator: No
such file or directory
/usr/bin/xauth:  error in locking authority file /home/adexample.com/administrator/.Xauthority
-sh-4.1$

*But I am still not able to log in with other AD accounts:*

[root@ipaserver1 sbin]# su Genadi@ADEXAMPLE.COM
su: user Genadi@ADEXAMPLE.COM does not exist

After reading the other threads, I'll try to provide as much information as
I can:

*wbinfo -u does not return values.*
[root@ipaserver1 sbin]# wbinfo -u
[root@ipaserver1 sbin]#

*wbinfo -g output:*
[root@ipaserver1 sbin]# wbinfo -g
admins
editors
default smb group
ad_users

*wbinfo --online-status shows ADEXAMPLE is offline*
[root@ipaserver1 ~]# wbinfo --online-status
BUILTIN : online
LINUX : online
ADEXAMPLE : offline

*getent for Administrator does return a value.*
[root@ipaserver1 sbin]# getent passwd Administrator@ADEXAMPLE.COM
administrator@adexample.com:*:699000500:699000500::/home/adexample.com/administrator:

*getent for other AD users does not return a value.*
[root@ipaserver1 sbin]# getent passwd Genadi@ADEXAMPLE.COM
[root@ipaserver1 sbin]#


*System info/configurations:*

[root@ipaserver1 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)

[root@ipaserver1 sbin]# rpm -qa | grep ipa
ipa-python-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
libipa_hbac-python-1.9.2-129.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-server-trust-ad-3.0.0-37.el6.x86_64
libipa_hbac-1.9.2-129.el6.x86_64
ipa-admintools-3.0.0-37.el6.x86_64
ipa-server-selinux-3.0.0-37.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-3.0.0-37.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch

[root@ipaserver1 ~]# rpm -qa | grep sssd
sssd-1.9.2-129.el6.x86_64
sssd-client-1.9.2-129.el6.x86_64

[root@ipaserver1 sbin]# rpm -qa | grep samb
samba4-common-4.0.0-60.el6_5.rc4.x86_64
samba4-winbind-clients-4.0.0-60.el6_5.rc4.x86_64
samba4-libs-4.0.0-60.el6_5.rc4.x86_64
samba4-python-4.0.0-60.el6_5.rc4.x86_64
samba4-4.0.0-60.el6_5.rc4.x86_64
samba4-client-4.0.0-60.el6_5.rc4.x86_64
samba4-winbind-4.0.0-60.el6_5.rc4.x86_64

*SSSD*

[root@ipaserver1 ~]# cat /etc/sssd/sssd.conf
[domain/linux.adexample.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.adexample.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaserver1.linux.adexample.com
chpass_provider = ipa
ipa_server = ipaserver1.linux.adexample.com
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa
debug_level = 6
[sssd]
services = nss, pam, ssh, pac
config_file_version = 2

domains = linux.adexample.com
debug_level = 6
[nss]
debug_level = 6
[pam]
debug_level = 6
[sudo]
debug_level = 6
[autofs]
debug_level = 6
[ssh]
debug_level = 6
[pac]
debug_level = 6

*KRB5*

[root@ipaserver1 ~]# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LINUX.ADEXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 LINUX.ADEXAMPLE.COM = {
  kdc = ipaserver1.linux.adexample.com:88
  master_kdc = ipaserver1.linux.adexample.com:88
  admin_server = ipaserver1.linux.adexample.com:749
  default_domain = linux.adexample.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@ADEXAMPLE.COM$)s/@ADEXAMPLE.COM/@adexample.com/
  auth_to_local = DEFAULT
}

[domain_realm]
 .linux.adexample.com = LINUX.ADEXAMPLE.COM
 linux.adexample.com = LINUX.ADEXAMPLE.COM

[dbmodules]
  LINUX.ADEXAMPLE.COM = {
    db_library = ipadb.so
  }

I have increased the debug level of the IPA components.
Here are the logs (krb5_child.log, ldap_child.log, log.smbd,
log.wb-ADEXAMPLE, log.wb-LINUX, log.winbindd, log.winbindd-dc-connect,
log.winbindd-idmap, sssd.log, sssd_linux.adexample.com.log, sssd_nss.log,
sssd_pac.log, sssd_pam.log, sssd_ssh.log, /var/log/secure):
https://gist.github.com/anonymous/9006532

Any insights on why only Administrator is recognized by the trust? And why
the extra step on AD was needed?
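The auth_to_local entries in the krb5.conf above are what turn a TGT principal such as Administrator@ADEXAMPLE.COM into a local user name of the form user@adexample.com, which is the name form getent shows for Administrator. This added Python example (not from the post, FreeIPA or MIT krb5) reimplements the MIT RULE and DEFAULT mapping semantics for exactly that configuration, so you can check which principals the rule maps and which fall through unmapped; DEFAULT_REALM is taken from the post's [libdefaults], and apply_rule and auth_to_local are names chosen here.

```python
import re
from typing import List, Optional

DEFAULT_REALM = "LINUX.ADEXAMPLE.COM"   # from [libdefaults] in the posted krb5.conf
# The two auth_to_local entries from the posted [realms] section, tried in order.
AUTH_TO_LOCAL = [
    "RULE:[1:$1@$0](^.*@ADEXAMPLE.COM$)s/@ADEXAMPLE.COM/@adexample.com/",
    "DEFAULT",
]

# Grammar of an MIT RULE: [n:string](regexp)s/pattern/replacement/g  (regexp and s/// optional)
RULE_RE = re.compile(r"^\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")


def apply_rule(rule: str, components: List[str], realm: str) -> Optional[str]:
    """Apply one RULE entry; return the local name or None if the rule does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable auth_to_local rule: {rule}")
    n, fmt, regexp, pattern, repl, gflag = m.groups()
    if int(n) != len(components):   # n must equal the principal's component count
        return None
    s = fmt.replace("$0", realm)    # $0 is the realm, $1..$n the components
    for i, comp in enumerate(components, start=1):
        s = s.replace(f"${i}", comp)
    if regexp and not re.search(regexp, s):   # no regexp match: rule is skipped
        return None
    if pattern is not None:         # s/pattern/replacement/ (global only with the g flag)
        s = re.sub(pattern, repl, s, count=0 if gflag else 1)
    return s


def auth_to_local(principal: str) -> Optional[str]:
    """Map a Kerberos principal to a local user name with the posted auth_to_local list."""
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    for entry in AUTH_TO_LOCAL:
        if entry == "DEFAULT":
            # DEFAULT only maps single-component principals in the default realm
            if realm == DEFAULT_REALM and len(components) == 1:
                return components[0]
            continue
        if entry.startswith("RULE:"):
            result = apply_rule(entry[len("RULE:"):], components, realm)
            if result is not None:
                return result
    return None   # no entry applied: the principal gets no local name
```

Principals from a realm that neither entry covers, and multi-component principals such as service principals, come back as None; the posted rule also rewrites only the realm part, not the user part.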