[Freeipa-users] Issues creating trust with AD.

Sumit Bose sbose at redhat.com
Mon Feb 17 08:34:33 UTC 2014


On Sat, Feb 15, 2014 at 12:14:58AM +0200, Genadi Postrilko wrote:
> I have seen threads where opened on trust issues:
> "AD - Freeipa trust confusion"
> "Cross domain trust"
> "Cannot loging via SSH with AD user TO IPA Domain" - which I opened.
> 
> It looks like after creation of trust, TGT ticket can be issued from AD,
> but "su" and "ssh" do not allow a log in with AD user.
> I'm not sure if a conclusion has been reached on this subject.
> 
> I gave it a try again and attempted to create a trust with IPA as a DNS
> subdomain of AD.
> I followed :
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html
> 
> AD domain: ADEXAMPLE.COM
> IPA subdomain: LINUX.ADEXAMPLE.COM
> 
> When I finished the necessary steps I attempted to retrieve a TGT from AD
> (while logged in to IPA server):
> 
> [root at ipaserver1 sbin]# kinit Administrator at ADEXAMPLE.COM
> Password for Administrator at ADEXAMPLE.COM:
> [root at ipaserver1 sbin]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at ADEXAMPLE.COM
> 
> Valid starting     Expires            Service principal
> 02/14/14 07:50:21  02/14/14 17:50:20  krbtgt/ADEXAMPLE.COM at ADEXAMPLE.COM
>         renew until 02/15/14 07:50:21
> 
> But logging in by "ssh" and "su" ended in failure:
> 
> login as: Administrator at ADEXAMPLE.COM
> Administrator at ADDC.COM@192.168.227.201's password:
> Access denied
> 
> After reading
> http://www.freeipa.org/page/IPAv3_testing_AD_trust#Create_a_trust_to_an_AD_domain I
> did the following on the AD server:
> 
> Administrative Tools -> Active Directory Domains and Trust ->
> adexample.com(right click) -> Properties -> Trust -> Domain Trusted by
> this domain
> (outgoing trust) -> Properties -> General -> Validate
> 
> *After doing this I was able to login via "ssh" and "su" with the
> "Administrator" user:*
> 
> login as: Administrator at ADEXAMPLE.COM
> Administrator at ADEXAMPLE.COM@192.168.227.201's password:
> Last login: Wed Feb 12 14:39:49 2014 from 192.168.227.1
> Could not chdir to home directory /home/adexample.com/administrator: No
> such file or directory
> /usr/bin/xauth:  error in locking authority file /home/adexample.com/administrator/.Xauthority
> -sh-4.1$
> 
> *But still not able to login with other AD accounts:*
> 
> [root at ipaserver1 sbin]# su Genadi at ADEXAMPLE.COM
> su: user Genadi at ADEXAMPLE.COM does not exist
> 
> After reading the other threads, I'll try and provide as much information as
> I can:
> 
> *wbinfo -u does not return values.*
> [root at ipaserver1 sbin]# wbinfo -u
> [root at ipaserver1 sbin]#
> 
> *wbinfo -u output:*
> [root at ipaserver1 sbin]# wbinfo -g
> admins
> editors
> default smb group
> ad_users
> 
> *wbinfo --online-status shows ADEXAMPLE is offline*
> [root at ipaserver1 ~]# wbinfo --online-status
> BUILTIN : online
> LINUX : online
> ADEXAMPLE : offline
> 
> *getent for Administrator does return value.*
> [root at ipaserver1 sbin]# getent passwd Administrator at ADEXAMPLE.COM
> administrator at adexample.com:*:699000500:699000500::/home/adexample.com/administrator:
> 
> *getent for other AD users does not return value.*
> [root at ipaserver1 sbin]# getent passwd Genadi at ADEXAMPLE.COM
> [root at ipaserver1 sbin]#
> 
> 
> *System info/configurations:*
> 
> [root at ipaserver1 ~]# cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
> 
> [root at ipaserver1 sbin]# rpm -qa | grep ipa
> ipa-python-3.0.0-37.el6.x86_64
> ipa-client-3.0.0-37.el6.x86_64
> libipa_hbac-python-1.9.2-129.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-server-trust-ad-3.0.0-37.el6.x86_64
> libipa_hbac-1.9.2-129.el6.x86_64
> ipa-admintools-3.0.0-37.el6.x86_64
> ipa-server-selinux-3.0.0-37.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-server-3.0.0-37.el6.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> 
> [root at ipaserver1 ~]# rpm -qa | grep sssd
> sssd-1.9.2-129.el6.x86_64
> sssd-client-1.9.2-129.el6.x86_64
> 
> [root at ipaserver1 sbin]# rpm -qa | grep samb
> samba4-common-4.0.0-60.el6_5.rc4.x86_64
> samba4-winbind-clients-4.0.0-60.el6_5.rc4.x86_64
> samba4-libs-4.0.0-60.el6_5.rc4.x86_64
> samba4-python-4.0.0-60.el6_5.rc4.x86_64
> samba4-4.0.0-60.el6_5.rc4.x86_64
> samba4-client-4.0.0-60.el6_5.rc4.x86_64
> samba4-winbind-4.0.0-60.el6_5.rc4.x86_64

Thank you very much for the detailed report. Looks like you are hit by
the 'NT_STATUS_INVALID_PARAMETER_MIX' issue (see log.wb-ADEXAMPLE). We
are currently investigating this issue.

If you would like to help it would be nice if you can try to downgrade
the samba4 packages to the -58 release and see if this works any better
for you.

Currently I'll try to reproduce this issue locally and will give you an
update as soon as I find anything which might help to get around this
issue.

bye,
Sumit

> 
> *SSSD*
> 
> [root at ipaserver1 ~]# cat /etc/sssd/sssd.conf
> [domain/linux.adexample.com]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = linux.adexample.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipaserver1.linux.adexample.com
> chpass_provider = ipa
> ipa_server = ipaserver1.linux.adexample.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> subdomains_provider = ipa
> debug_level = 6
> [sssd]
> services = nss, pam, ssh, pac
> config_file_version = 2
> 
> domains = linux.adexample.com
> debug_level = 6
> [nss]
> debug_level = 6
> [pam]
> debug_level = 6
> [sudo]
> debug_level = 6
> [autofs]
> debug_level = 6
> [ssh]
> debug_level = 6
> [pac]
> debug_level = 6
> 
> *KRB5*
> 
> [root at ipaserver1 ~]# cat /etc/krb5.conf
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = LINUX.ADEXAMPLE.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = yes
> 
> [realms]
>  LINUX.ADEXAMPLE.COM = {
>   kdc = ipaserver1.linux.adexample.com:88
>   master_kdc = ipaserver1.linux.adexample.com:88
>   admin_server = ipaserver1.linux.adexample.com:749
>   default_domain = linux.adexample.com
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>   auth_to_local = RULE:[1:$1@$0](^.*@ADEXAMPLE.COM$)s/@ADEXAMPLE.COM/@adexample.com/
>   auth_to_local = DEFAULT
> }
> 
> [domain_realm]
>  .linux.adexample.com = LINUX.ADEXAMPLE.COM
>  linux.adexample.com = LINUX.ADEXAMPLE.COM
> 
> [dbmodules]
>   LINUX.ADEXAMPLE.COM = {
>     db_library = ipadb.so
>   }
> 
> I have increased the debug level of the IPA components.
> Here are the logs (*krb5_child.log*, *ldap_child.log*, *log.smbd*,
> *log.wb-ADEXAMPLE*, *log.wb-LINUX*, *log.winbindd*, *log.winbindd-dc-connect*,
> *log.winbindd-idmap*, *sssd.log*, *sssd_linux.adexample.com.log*, *sssd_nss.log*,
> *sssd_pac.log*, *sssd_pam.log*, *sssd_ssh.log*, */var/log/secure*):
> https://gist.github.com/anonymous/9006532
> Any insights on why only Administrator is recognized by the Trust? And why
> extra step on AD was needed?
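The checks Genadi ran by hand above (winbind online status per domain, NSS lookup of a trusted-domain user) can be scripted so they are repeatable after a package downgrade or a winbind restart. This helper is an added example, not code from the thread; the domain and user arguments are placeholders.

```bash
#!/bin/bash
# Trust triage helper (added example, not from the thread).
# Parses "wbinfo --online-status" output for offline trusted domains and
# checks that "getent passwd user@domain" yields a real passwd entry.

# Print the domains that wbinfo reports as offline.
# Takes the command output as $1 so saved output can be examined too.
offline_domains() {
    printf '%s\n' "$1" | awk -F' *: *' '$2 == "offline" { print $1 }'
}

# Return 0 if $1 is a passwd line of the shape user@domain:*:uid:gid:...,
# which is what SSSD produces for a trusted AD user; 1 if empty or malformed.
check_passwd_entry() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[^:]+@[^:]+:\*:[0-9]+:[0-9]+:'
}

# Live triage for one trusted domain and one of its users (placeholders).
# Example: triage_trust adexample.com Genadi
triage_trust() {
    local domain="$1" user="$2" rc=0 status d
    status=$(wbinfo --online-status 2>/dev/null)
    for d in $(offline_domains "$status"); do
        echo "winbind reports domain $d offline (see log.wb-$d)"
        rc=1
    done
    if ! check_passwd_entry "$(getent passwd "$user@$domain")"; then
        echo "NSS does not resolve $user@$domain (see sssd_nss.log, sssd_pac.log)"
        rc=1
    fi
    return $rc
}
```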
