[Freeipa-users] Trusts with Windows Server 2003

tizo tizone at gmail.com
Thu Jul 17 21:12:51 UTC 2014


On Tue, Jul 15, 2014 at 11:59 AM, tizo <tizone at gmail.com> wrote:

> On Tue, Jul 15, 2014 at 11:16 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>
>> On Tue, Jul 15, 2014 at 11:04:23AM -0300, tizo wrote:
>>
>>> On Tue, Jul 15, 2014 at 7:16 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>>>
>>>> On Mon, Jul 14, 2014 at 02:02:16PM -0300, tizo wrote:
>>>>
>>>>> On Mon, Jul 14, 2014 at 5:57 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>>>>>
>>>>>> On Fri, Jul 11, 2014 at 05:22:59PM -0300, tizo wrote:
>>>>>>
>>>>>>> On Fri, Jul 11, 2014 at 4:54 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>>>>>
>>>>>>>> On 07/11/2014 03:27 PM, tizo wrote:
>>>>>>>>
>>>>>>>>> On Fri, Jul 4, 2014 at 5:09 PM, tizo <tizone at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> I have seen in
>>>>>>>>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2
>>>>>>>>>> that trusts can be configured with Windows Server 2003 R2.
>>>>>>>>>>
>>>>>>>>>> We have a Windows Server 2003 (not R2). Before starting to make some tests, does anyone know if trusts can be configured with this version of Windows Server 2003?
>>>>>>>>>>
>>>>>>>>>> Thanks very much.
>>>>>>>>>
>>>>>>>>> As I have not received any answer, I decided to give it a try. I followed the document step by step with our Windows 2003, and everything looks good, except when I try to log in to the FreeIPA server with an AD user (ssh or tty).
>>>>>>>>>
>>>>>>>>> Does anyone know how I could debug this problem?
>>>>>>>>
>>>>>>>> Sorry that you did not get a response. It is a hot time, a lot of people on vacation and we also got 4.0 just out of the door.
>>>>>>>>
>>>>>>>> Set debug_level to 10 in the sssd.conf. It will create a lot of output and this might give you a hint of what is going on. From there you will see whether the user is processed by SSSD or SSH is not configured and users do not hit SSSD at all (unlikely), and if the user is processed, what the problem is.
>>>>>>>
>>>>>>> Thanks Dmitri. I set the debug_level to 10, and the file sssd_my.domain.com.log is telling something about the AD user trying to connect with SSH. I am sending it to you privately, because it contains some sensitive information.
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I realize you were following our own documentation, which originated from this thread:
>>>>>> https://www.redhat.com/archives/freeipa-users/2013-June/msg00119.html
>>>>>>
>>>>>> Maybe it would be helpful to read it, too, at least to see how some other users were setting up the trust and what their problems were.
>>>>>>
>>>>>> --
>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> Go To http://freeipa.org for more info on the project
>>>>>
>>>>> Dmitri and Jakub, thanks very much for your help.
>>>>>
>>>>> Jakub, I took a look at the thread, but I couldn't find anything that could help us with our problem.
>>>>>
>>>>> I am attaching the logs from sssd with the sensitive information removed. Any help is really appreciated; I don't really know where I should continue searching for the problem.
>>>>
>>>> Thanks, the logs don't show what the error is, but do tell us that the error is on the server side:
>>>>
>>>>> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
>>>>> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 8
>>>>> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [sdap_process_result] (0x2000): Trace: sh[0x2293ed0], connected[1], ops[0x2293680], ldap[0x2293b40]
>>>>> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
>>>>> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations error(1), (null)
>>>>> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
>>>>
>>>> What IPA version are you testing with? The debugging procedure differs for versions with winbind on the server side and with sssd.
>>>
>>> I am testing with an updated CentOS 6 and all the software versions of its repositories. In detail:
>>>
>>>  * OS: CentOS release 6.5 (Final)
>>>  * IPA server: 3.0.0-37
>>>  * SSSD: 1.9.2-129
>>>  * Winbind: 4.0.0-61
>>
>> OK, so there's Winbind on the server side. Can you run:
>>     * smbcontrol winbindd debug 100
>>     * run the test on the client, check if you see the s2n exop failing
>>       in the logs
>>     * attach /var/log/samba/log.w*
>>     * reset the winbind logging back with: smbcontrol all debug 1
>>       otherwise you'll run out of disk space :-)
>
> Jakub,
>
> I am sending the logs that you asked for. I don't know what you mean when you say "run the test on the client, check if you see the s2n exop failing in the logs". The test that I am trying to do is to connect to the FreeIPA server via ssh with an AD user. What logs should I check?
>
> Anyway, I found something wrong in the samba logs. In some of them, the server ADPRODSERVER is mentioned, which is our AD production server, with the domain xxx.com.uy. Our AD test server, the one that we are using for FreeIPA testing, is not mentioned there (its name is windows2003xxx). I don't really know how the Microsoft world works, but here is our test scenario:
>
>  * All servers (AD production, AD testing and FreeIPA testing) are on the same network (192.168.100.0/24).
>
>  * The AD domain is the same in production and in testing: xxx.com.uy.
>
>  * The AD testing server has its own DNS server, and is using it.
>
>  * The FreeIPA testing server has its own DNS server, and is using it.
>
> So, as a first thought, I am thinking that beyond the DNS, FreeIPA is using something else to find the AD domain xxx.com.uy. Can that be possible?
>
> Thanks very much.
>

I have created a new and isolated environment to test the integration.
Although the Samba logs now reference the right AD server
(windows2003xxx), the problem is the same as before when trying to access
the FreeIPA server with an AD user by ssh. I am attaching the logs of
the new scenario. Some useful information:

* Network: 192.168.99.0/24
* IPA Domain: fi.xxx.com.uy
* AD Domain: xxx.com.uy
* IPA Server: freeipa.fi.xxx.com.uy, 192.168.99.50
* AD Server: windows2003xxx.xxx.com.uy 192.168.99.51
* AD user for the test: usuad

I don't know if the following could help, but when I try to obtain a
Kerberos ticket in FreeIPA server with "kinit usuad at xxx.com.uy" and type a
wrong password, the message is "kinit: Preauthentication failed while
getting initial credentials". When I do the same thing but with the correct
password the message is "kinit: KDC reply did not match expectations while
getting initial credentials".

Any help is really appreciated. Thanks very much.
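Jakub's step "check if you see the s2n exop failing in the logs" refers to the sssd domain log on the IPA server (the file named after the IPA domain, as in the excerpt he quotes). The following is an added example, not code from the thread or from the SSSD project, that scans such a log for the `ipa_s2n_exop_done` result lines and reports the LDAP result code of each extended operation, so a failing lookup like the one quoted above (Operations error(1)) can be spotted without reading the whole file; the sample lines are constructed in the shape of that excerpt.

```python
import re
from typing import NamedTuple

# Constructed sample shaped like the sssd domain log excerpt quoted in the thread
# (one failing lookup followed by one that succeeds); not a real capture.
SAMPLE_LOG = """\
(Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 8
(Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations error(1), (null)
(Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Fri Jul 11 17:20:02 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 9
(Fri Jul 11 17:20:02 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null)
"""

# One sssd debug line: "(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Payload of an ipa_s2n_exop_done line: "ldap_extended_operation result: <name>(<code>), <extra>"
RESULT_RE = re.compile(r"ldap_extended_operation result: (?P<name>.+?)\((?P<code>\d+)\)")


class S2nResult(NamedTuple):
    ts: str
    domain: str
    code: int   # LDAP result code; 0 is success, anything else means the IPA server rejected the exop
    name: str   # textual LDAP result, e.g. "Operations error"


def s2n_exop_results(log_text: str) -> list[S2nResult]:
    """Return the outcome of every s2n extended operation recorded in the log, in order."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["func"] != "ipa_s2n_exop_done":
            continue
        r = RESULT_RE.search(m["msg"])
        if r:
            results.append(S2nResult(m["ts"], m["domain"], int(r["code"]), r["name"]))
    return results


def failing_s2n_exops(log_text: str) -> list[S2nResult]:
    """Only the exops the server answered with a non-zero LDAP result: the server-side failure Jakub points at."""
    return [r for r in s2n_exop_results(log_text) if r.code != 0]


if __name__ == "__main__":
    for r in failing_s2n_exops(SAMPLE_LOG):
        print(f"{r.ts} domain={r.domain}: s2n exop failed with {r.name} ({r.code})")
```

Run it against the real file by replacing SAMPLE_LOG with the contents of /var/log/sssd/sssd_<ipa-domain>.log; every hit should be matched against the winbind logs captured at the same timestamp with the smbcontrol procedure above.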
-------------- next part --------------
Attachments (scrubbed by the list archive):
 * sssd.log (420039 bytes): <http://listman.redhat.com/archives/freeipa-users/attachments/20140717/03c45cac/attachment.bin>
 * log.winbindd-dc-connect (22744 bytes): <http://listman.redhat.com/archives/freeipa-users/attachments/20140717/03c45cac/attachment.obj>
 * log.winbindd (28919 bytes): <http://listman.redhat.com/archives/freeipa-users/attachments/20140717/03c45cac/attachment-0001.obj>
 * log.wb-XXX (135569 bytes): <http://listman.redhat.com/archives/freeipa-users/attachments/20140717/03c45cac/attachment-0002.obj>
 * log.winbindd-idmap (1457 bytes): <http://listman.redhat.com/archives/freeipa-users/attachments/20140717/03c45cac/attachment-0003.obj>
 * log.wb-FI (664 bytes): <http://listman.redhat.com/archives/freeipa-users/attachments/20140717/03c45cac/attachment-0004.obj>
 * log.wb-BUILTIN (669 bytes): <http://listman.redhat.com/archives/freeipa-users/attachments/20140717/03c45cac/attachment-0005.obj>