[Freeipa-users] Trusts with Windows Server 2003

tizo tizone at gmail.com
Tue Jul 22 20:08:36 UTC 2014


On Tue, Jul 22, 2014 at 1:20 PM, tizo <tizone at gmail.com> wrote:

>
> On Thu, Jul 17, 2014 at 6:12 PM, tizo <tizone at gmail.com> wrote:
>
>>
>>
>>
>> On Tue, Jul 15, 2014 at 11:59 AM, tizo <tizone at gmail.com> wrote:
>>
>>>
>>>
>>>
>>> On Tue, Jul 15, 2014 at 11:16 AM, Jakub Hrozek <jhrozek at redhat.com>
>>> wrote:
>>>
>>>> On Tue, Jul 15, 2014 at 11:04:23AM -0300, tizo wrote:
>>>> > On Tue, Jul 15, 2014 at 7:16 AM, Jakub Hrozek <jhrozek at redhat.com>
>>>> wrote:
>>>> >
>>>> > > On Mon, Jul 14, 2014 at 02:02:16PM -0300, tizo wrote:
>>>> > > > On Mon, Jul 14, 2014 at 5:57 AM, Jakub Hrozek <jhrozek at redhat.com
>>>> >
>>>> > > wrote:
>>>> > > >
>>>> > > > > On Fri, Jul 11, 2014 at 05:22:59PM -0300, tizo wrote:
>>>> > > > > > On Fri, Jul 11, 2014 at 4:54 PM, Dmitri Pal <dpal at redhat.com>
>>>> wrote:
>>>> > > > > >
>>>> > > > > > >  On 07/11/2014 03:27 PM, tizo wrote:
>>>> > > > > > >
>>>> > > > > > >
>>>> > > > > > >  On Fri, Jul 4, 2014 at 5:09 PM, tizo <tizone at gmail.com>
>>>> wrote:
>>>> > > > > > >
>>>> > > > > > >>  I have seen in
>>>> > > > > > >> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2
>>>> > > > > > >> that trusts can be configured with Windows Server 2003 R2.
>>>> > > > > > >>
>>>> > > > > > >>  We have a Windows Server 2003 (not R2). Before starting to make some
>>>> > > > > > >> tests, does anyone know if trusts can be configured with this version of
>>>> > > > > > >> Windows Server 2003?
>>>> > > > > > >>
>>>> > > > > > >>  Thanks very much.
>>>> > > > > > >>
>>>> > > > > > >>
>>>> > > > > > >  As I have not received any answer, I decided to give it a try. I
>>>> > > > > > > followed the document step by step with our Windows 2003, and
>>>> > > > > > > everything looks good, except when I try to log in to the FreeIPA
>>>> > > > > > > server with an AD user (ssh or tty).
>>>> > > > > > >
>>>> > > > > > >  Does anyone know how I could debug this problem?
>>>> > > > > > >
>>>> > > > > > >
>>>> > > > > > >  Sorry that you did not get a response. It is a hot time, a lot of
>>>> > > > > > > people on vacation and we also got 4.0 just out of the door.
>>>> > > > > > >
>>>> > > > > > > Set debug_level to 10 in the sssd.conf. It will create a lot of output
>>>> > > > > > > and this might give you a hint of what is going on. From there you
>>>> > > > > > > will see whether the user is processed by SSSD or SSH is not configured
>>>> > > > > > > and the user does not hit SSSD at all (unlikely), and if the user is
>>>> > > > > > > processed, what the problem is.
>>>> > > > > > >
>>>> > > > > > >
>>>> > > > > > Thanks Dmitri. I set the debug_level to 10, and the file
>>>> > > > > > sssd_my.domain.com.log is telling something about the AD user trying to
>>>> > > > > > connect with SSH. I am sending it to you privately, because it contains
>>>> > > > > > some sensitive information.
>>>> > > > >
>>>> > > > > Hi,
>>>> > > > >
>>>> > > > > I realize you were following our own documentation, which originated
>>>> > > > > from this thread:
>>>> > > > >
>>>> > > > > https://www.redhat.com/archives/freeipa-users/2013-June/msg00119.html
>>>> > > > >
>>>> > > > > Maybe it would be helpful to read it, too, at least to see how some other
>>>> > > > > users were setting up the trust and what their problems were.
>>>> > > > >
>>>> > > >
>>>> > > >
>>>> > > > Dmitri and Jakub, thanks very much for your help.
>>>> > > >
>>>> > > > Jakub, I took a look in the thread, but I couldn't find anything that
>>>> > > > could help us with our problem.
>>>> > > >
>>>> > > > I am attaching the logs from sssd with the sensitive information removed.
>>>> > > > Any help is really appreciated; I don't really know where I should
>>>> > > > continue searching for the problem.
>>>> > >
>>>> > > Thanks, the logs don't show what the error is, but do tell us that the
>>>> > > error is on the server side:
>>>> > >
>>>> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
>>>> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 8
>>>> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [sdap_process_result] (0x2000): Trace: sh[0x2293ed0], connected[1], ops[0x2293680], ldap[0x2293b40]
>>>> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
>>>> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations error(1), (null)
>>>> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
>>>> > >
>>>> > > What IPA version are you testing with? The debugging procedure differs
>>>> > > for versions with winbind on the server side and with sssd.
>>>> > >
>>>> >
>>>> > I am testing with an updated CentOS 6 and all the software versions of its
>>>> > repositories. In detail:
>>>> >
>>>> >  * OS: CentOS release 6.5 (Final)
>>>> >  * IPA server: 3.0.0-37
>>>> >  * SSSD: 1.9.2-129
>>>> >  * Winbind: 4.0.0-61
>>>>
>>>> OK, so there's Winbind on the server side. Can you run:
>>>>     * smbcontrol winbindd debug 100
>>>>     * run the test on the client, check if you see the s2n exop failing
>>>>       in the logs
>>>>     * attach /var/log/samba/log.w*
>>>>     * reset the winbind logging back with: smbcontrol all debug 1
>>>>       otherwise you'll run out of disk space :-)
>>>>
>>>
>>> Jakub,
>>>
>>> I am sending the logs that you asked for. I don't know what you mean
>>> when you say "run the test on the client, check if you see the s2n exop
>>> failing in the logs". The test that I am trying to do is to connect to
>>> the FreeIPA server via ssh with an AD user. What logs should I check?
>>>
>>> Anyway, I found something wrong in the samba logs. In some of them, the
>>> server ADPRODSERVER is mentioned, which is our AD production server, with
>>> the domain xxx.com.uy. Our AD test server, the one that we are using
>>> for FreeIPA testing, is not mentioned there (its name is windows2003xxx). I
>>> don't really know how the microsoft world works, but here is our test
>>> scenario:
>>>
>>>  * All servers (AD production, AD testing and FreeIPA testing) are on
>>> the same network (192.168.100.0/24).
>>>
>>>  * The AD domain is the same in production and in testing: xxx.com.uy.
>>>
>>>  * The AD testing server has its own DNS server, and is using it.
>>>
>>>  * The FreeIPA testing server has its own DNS server, and is using it.
>>>
>>> So, as a first thought, I am thinking that beyond the DNS, FreeIPA is
>>> using something else to find the AD domain xxx.com.uy. Can that be
>>> possible?
>>>
>>> Thanks very much.
>>>
>>
>> I have created a new and isolated environment to test the integration.
>> Although the Samba logs now reference the right AD server
>> (windows2003xxx), the problem is the same as before when trying to access
>> the FreeIPA server with an AD user by ssh. I am attaching the logs of
>> the new scenario. Some useful information:
>>
>> * Network: 192.168.99.0/24
>> * IPA Domain: fi.xxx.com.uy
>> * AD Domain: xxx.com.uy
>> * IPA Server: freeipa.fi.xxx.com.uy, 192.168.99.50
>> * AD Server: windows2003xxx.xxx.com.uy 192.168.99.51
>> * AD user for the test: usuad
>>
>> I don't know if the following could help, but when I try to obtain a
>> Kerberos ticket on the FreeIPA server with "kinit usuad@xxx.com.uy" and type
>> a wrong password, the message is "kinit: Preauthentication failed while
>> getting initial credentials". When I do the same thing but with the correct
>> password the message is "kinit: KDC reply did not match expectations while
>> getting initial credentials".
>>
>> Any help is really appreciated. Thanks very much.
>>
>
> I have noted that kinit with the AD domain in uppercase is working (kinit
> usuad@XXX.COM.UY). However, ssh is not working with either uppercase or
> lowercase. Maybe it is a misconfiguration in /etc/krb5.conf? I have
> added the following two lines there (as in
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Edit_.2Fetc.2Fkrb5.conf):
>
> [realms]
>  FI.XXX.COM.UY = {
>   ....
>   auth_to_local = RULE:[1:$1@$0](^.*@XXX.COM.UY$)s/@XXX.COM.UY/@xxx.com.uy/
>   auth_to_local = DEFAULT
> }
>
>
Yessss, at last! It is working now after downgrading the samba packages to
their 4.0.0-58 versions, as was suggested in
https://www.redhat.com/archives/freeipa-users/2014-February/msg00261.html

Thanks very much!
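Editor's added example (not code from this thread or from the FreeIPA project): a small Python interpreter for the two auth_to_local rules quoted from /etc/krb5.conf above, so you can see what name the KDC-side mapping hands to the login stack for a given principal before touching a live server. It re-implements the MIT krb5 rule grammar RULE:[n:string](regexp)s/pattern/replacement/[g] plus DEFAULT; the local realm FI.XXX.COM.UY and the sample principals are assumptions built from the names used in the thread.

```python
import re
from typing import List, Optional, Tuple

# Assumed for this example: the IPA realm used in the thread.
LOCAL_REALM = "FI.XXX.COM.UY"

# The two auth_to_local rules quoted from /etc/krb5.conf in the thread, verbatim.
RULES = [
    "RULE:[1:$1@$0](^.*@XXX.COM.UY$)s/@XXX.COM.UY/@xxx.com.uy/",
    "DEFAULT",
]

# RULE:[n:string](regexp)s/pattern/replacement/[g]
# Selector and substitution are both optional. The greedy (.*) lets a selector
# regexp contain parentheses as long as the s/// part has none.
_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"
    r"(?:\((.*)\))?"
    r"(?:s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?))?$"
)


def split_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal has no realm: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Apply one rule; return the local name, or None if the rule does not fire."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the local realm.
        # A principal from a trusted realm falls through here and is rejected.
        return comps[0] if realm == LOCAL_REALM and len(comps) == 1 else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"cannot parse rule: {rule!r}")
    ncomp, fmt, selector, pat, repl, gflag = m.groups()
    if len(comps) != int(ncomp):
        return None  # e.g. host/fqdn@REALM never matches a [1:...] rule
    # $0 is the realm, $1..$n are the principal components.
    formatted = fmt.replace("$0", realm)
    for i, comp in enumerate(comps, start=1):
        formatted = formatted.replace(f"${i}", comp)
    # The selector is matched against the formatted string, not the raw principal.
    if selector is not None and re.search(selector, formatted) is None:
        return None
    if pat is not None:
        formatted = re.sub(pat, repl, formatted, count=0 if gflag else 1)
    return formatted


def auth_to_local(principal: str, rules: List[str] = RULES) -> Optional[str]:
    """First rule that produces a name wins; None means no local account."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    # Sample principals assembled from the names in the thread (constructed input).
    for p in ["usuad@XXX.COM.UY", "usuad@xxx.com.uy",
              "admin@FI.XXX.COM.UY", "host/freeipa.fi.xxx.com.uy@FI.XXX.COM.UY"]:
        print(f"{p:45} -> {auth_to_local(p)}")
```

Running it shows why the realm case matters on the Kerberos side as well: usuad@XXX.COM.UY is rewritten to usuad@xxx.com.uy, the lowercase user@domain form that SSSD is then asked to resolve for the trusted domain, while the selector's ^...$ anchoring and the [1:...] component count keep the rule from firing for local-realm users (who fall through to DEFAULT) and for two-component service principals (which map to nothing). That strictness is the check to keep when you adapt the rule: an unanchored selector or a looser substitution would let principals from other realms land on local account names.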