[Freeipa-users] Issues creating trust with AD.

Sumit Bose sbose at redhat.com
Wed Feb 19 08:35:26 UTC 2014


On Wed, Feb 19, 2014 at 12:17:59AM +0200, Genadi Postrilko wrote:
> After i restarted SSSD nothing changed - still cannot login via ssh/su.
> I have increased debug level to 6:
> https://gist.github.com/anonymous/9081367
> (krb5_child was empty)

The LDAP extended operation which should fetch the user data of the AD
user fails:

(Tue Feb 18 11:34:57 2014) [sssd[be[linux.adexample.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Tue Feb 18 11:34:57 2014) [sssd[be[linux.adexample.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations error(1), (null)
(Tue Feb 18 11:34:57 2014) [sssd[be[linux.adexample.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.

hence the user is not available on the client and the login fails.

Since winbind is working correctly on the server as shown by the wbinfo
output below and the client is able to talk to the LDAP server in the
IPA server I assume that there is an issue in processing the exop
request or in the communication between the LDAP server and winbind.

For the second you might want to check if there are any SELinux denials
in your audit log.

For the first you should enable debug logging for the LDAP server, see
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting for details.
The log level which is needed here is 65536 'Plug-in debugging'. The
logs might be too large for a mailing-list, feel free to send them to me
directly.

bye,
Sumit

> 
> Thank you.
> 
> 
> 
> 
> 2014-02-18 11:38 GMT+02:00 Sumit Bose <sbose at redhat.com>:
> 
> > On Tue, Feb 18, 2014 at 01:11:38AM +0200, Genadi Postrilko wrote:
> > > Thank you for the help!
> > > I have performed downgrade:
> > >
> > > yum downgrade samba4*
> > >
> > > [root at ipaserver1 ~]# rpm -qa | grep samb
> > > samba4-python-4.0.0-58.el6.rc4.x86_64
> > > samba4-winbind-4.0.0-58.el6.rc4.x86_64
> > > samba4-common-4.0.0-58.el6.rc4.x86_64
> > > samba4-winbind-clients-4.0.0-58.el6.rc4.x86_64
> > > samba4-libs-4.0.0-58.el6.rc4.x86_64
> > > samba4-client-4.0.0-58.el6.rc4.x86_64
> > > samba4-4.0.0-58.el6.rc4.x86_64
> > >
> > > And it worked !
> > >
> > > *I am now able to perform login via "ssh" and su on to the ipaserver with
> > > AD users:*
> > >
> > > [root at ipaserver1 ~]# su Genadi at ADEXAMPLE.COM
> > > sh-4.1$
> > >
> > > *and wbinfo and getent return values:*
> > >
> > > [root at ipaserver1 ~]# wbinfo -u
> > > ADEXAMPLE\administrator
> > > ADEXAMPLE\guest
> > > ADEXAMPLE\genadi
> > > ADEXAMPLE\krbtgt
> > > ADEXAMPLE\linux$
> > > ADEXAMPLE\daniel
> > >
> > > [root at ipaserver1 ~]# wbinfo -g
> > > admins
> > > editors
> > > default smb group
> > > ad_users
> > > ADEXAMPLE\domain computers
> > > ADEXAMPLE\domain controllers
> > > ADEXAMPLE\schema admins
> > > ADEXAMPLE\enterprise admins
> > > ADEXAMPLE\domain admins
> > > ADEXAMPLE\domain users
> > > ADEXAMPLE\domain guests
> > > ADEXAMPLE\group policy creator owners
> > > ADEXAMPLE\read-only domain controllers
> > > ADEXAMPLE\enterprise read-only domain controllers
> > > ADEXAMPLE\dnsupdateproxy
> > >
> > > [root at ipaserver1 ~]# getent passwd Genadi at ADEXAMPLE.COM
> > > genadi at adexample.com:*:699001000:699001000::/home/adexample.com/genadi:
> >
> > Thanks a lot for confirming that -58 is working on the FreeIPA server.
> >
> > >
> > > *After this success, i have tried to execute a login on client machine
> > > (using AD user), but it did not work:*
> > >
> > > [root at ipaclient1 ~]# su Genadi at ADEXAMPLE.COM
> > > su: user Genadi at ADEXAMPLE.COM does not exist
> > >
> > > *Also wbinfo and getent do not return value:*
> > >
> > > [root at ipaclient1 ~]# wbinfo -u
> > > [root at ipaclient1 ~]# wbinfo -g
> > > [root at ipaclient1 ~]# getent passwd Genadi at ADEXAMPLE.COM
> >
> > Winbind is not running on the IPA client. SSSD running on the IPA client
> > uses an LDAP extended operation to get the basic data about AD users and
> > groups. Please try to restart SSSD on the client. If this does not help,
> > please send me the client's SSSD log files.
> >
> > bye,
> > Sumit
> >
