[Freeipa-users] Trusts with Windows Server 2003

Jakub Hrozek jhrozek at redhat.com
Tue Jul 15 10:16:45 UTC 2014


On Mon, Jul 14, 2014 at 02:02:16PM -0300, tizo wrote:
> On Mon, Jul 14, 2014 at 5:57 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:
> 
> > On Fri, Jul 11, 2014 at 05:22:59PM -0300, tizo wrote:
> > > On Fri, Jul 11, 2014 at 4:54 PM, Dmitri Pal <dpal at redhat.com> wrote:
> > >
> > > >  On 07/11/2014 03:27 PM, tizo wrote:
> > > >
> > > >
> > > >  On Fri, Jul 4, 2014 at 5:09 PM, tizo <tizone at gmail.com> wrote:
> > > >
> > > > >>  I have seen in
> > > > >> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2
> > > > >> that trusts can be configured with Windows Server 2003 R2.
> > > > >>
> > > > >>  We have a Windows Server 2003 (not R2). Before starting to make some
> > > > >> tests, does anyone know if trusts can be configured with this version of
> > > > >> Windows Server 2003?
> > > >>
> > > >>  Thanks very much.
> > > >>
> > > >>
> > > > >  As I have not received any answer, I decided to give it a try. I followed
> > > > > the document step by step with our Windows 2003, and everything looks good,
> > > > > except when I try to log in to the FreeIPA server with an AD user (ssh or
> > > > > tty).
> > > > >
> > > > >  Does anyone know how I could debug this problem?
> > > >
> > > >
> > > > >  Sorry that you did not get a response. It is a hot time, a lot of people
> > > > > on vacation and we also got 4.0 just out of the door.
> > > > >
> > > > > Set debug_level to 10 in the sssd.conf. It will create a lot of output and
> > > > > this might give you a hint of what is going on. From there you will see
> > > > > whether the user is processed by SSSD or SSH is not configured and the user
> > > > > does not hit SSSD at all (unlikely), and if the user is processed what the
> > > > > problem is.
> > > >
> > > >
> > > Thanks Dmitri. I set the debug_level to 10, and the file
> > > sssd_my.domain.com.log is telling something about the AD user trying to
> > > connect with SSH. I am sending it to you privately, because it contains
> > > some sensitive information.
> >
> > Hi,
> >
> > I realize you were following our own documentation, which originated
> > from this thread:
> > https://www.redhat.com/archives/freeipa-users/2013-June/msg00119.html
> >
> > Maybe it would be helpful to read it, too, at least to see how some other
> > users were setting up the trust and what their problems were.
> >
> 
> 
> Dmitri and Jakub, thanks very much for your help.
> 
> Jakub, I took a look in the thread, but I couldn't find anything that could
> help us with our problem.
> 
> I am attaching the logs from sssd with the sensitive information removed.
> Any help is really appreciated; I don't really know where I should continue
> searching for the problem.

Thanks, the logs don't show what the error is, but do tell us that the
error is on the server side:

> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 8
> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [sdap_process_result] (0x2000): Trace: sh[0x2293ed0], connected[1], ops[0x2293680], ldap[0x2293b40]
> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations error(1), (null)
> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.

What IPA version are you testing with? The debugging procedure differs
for versions with winbind on the server side and with sssd.
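
[Added example, not part of the original message and not SSSD or FreeIPA code: a small Python filter that pulls failed s2n extended operations out of an SSSD backend log at debug_level 10 and pairs each LDAP result code with the msgid of the request that preceded it. The function name, the record fields and the one "Success" line are assumptions constructed for the example; the other sample lines are the ones quoted above.]

```python
import re

# SSSD debug line layout: (timestamp) [process] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Result and request messages as they appear in the log excerpt in this thread.
RESULT_RE = re.compile(r"ldap_extended_operation result: (?P<text>.+?)\((?P<code>\d+)\), (?P<diag>.*)$")
MSGID_RE = re.compile(r"ldap_extended_operation sent, msgid = (?P<msgid>\d+)")

# Sample input: first line is constructed, the rest are copied from the thread.
SAMPLE = [
    "(Fri Jul 11 17:19:20 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null)",
    "> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation",
    "> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 8",
    "> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations error(1), (null)",
    "> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.",
]

def find_s2n_failures(lines):
    """Return one record per extended operation whose LDAP result code is non-zero."""
    failures, last_msgid = [], {}  # last_msgid: backend process -> last request msgid
    for raw in lines:
        m = LINE_RE.match(raw.lstrip("> ").rstrip())  # tolerate mail-quoted lines
        if not m:
            continue  # not an SSSD debug line
        sent = MSGID_RE.search(m["msg"])
        if m["func"] == "ipa_s2n_exop_send" and sent:
            last_msgid[m["proc"]] = int(sent["msgid"])
        res = RESULT_RE.search(m["msg"])
        if m["func"] == "ipa_s2n_exop_done" and res and int(res["code"]) != 0:
            failures.append({
                "time": m["ts"], "backend": m["proc"],
                "msgid": last_msgid.get(m["proc"]),
                "ldap_code": int(res["code"]), "ldap_text": res["text"],
                "diagnostic": res["diag"],
            })
    return failures

if __name__ == "__main__":
    print(find_s2n_failures(SAMPLE))
```

[The timestamp and msgid in each record give the point in time to look up in the IPA server's own logs, since the client log carries only the result code.]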



