[Freeipa-users] Trusts with Windows Server 2003

Jakub Hrozek jhrozek at redhat.com
Tue Jul 15 14:16:17 UTC 2014


On Tue, Jul 15, 2014 at 11:04:23AM -0300, tizo wrote:
> On Tue, Jul 15, 2014 at 7:16 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:
> 
> > On Mon, Jul 14, 2014 at 02:02:16PM -0300, tizo wrote:
> > > On Mon, Jul 14, 2014 at 5:57 AM, Jakub Hrozek <jhrozek at redhat.com>
> > wrote:
> > >
> > > > On Fri, Jul 11, 2014 at 05:22:59PM -0300, tizo wrote:
> > > > > On Fri, Jul 11, 2014 at 4:54 PM, Dmitri Pal <dpal at redhat.com> wrote:
> > > > >
> > > > > >  On 07/11/2014 03:27 PM, tizo wrote:
> > > > > >
> > > > > >
> > > > > >  On Fri, Jul 4, 2014 at 5:09 PM, tizo <tizone at gmail.com> wrote:
> > > > > >
> > > > > >>  I have seen in
> > > > > >>
> > > >
> > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2
> > > > > >> that trusts can be configured with Windows Server 2003 R2.
> > > > > >>
> > > > > >>  We have a Windows Server 2003 (not R2). Before starting to make
> > some
> > > > > >> tests, does anyone know if trusts can be configured with this
> > version
> > > > of
> > > > > > >> Windows Server 2003?
> > > > > >>
> > > > > >>  Thanks very much.
> > > > > >>
> > > > > >>
> > > > > >  As I have not received any answer, I decided to give it a try. I
> > > > followed
> > > > > > the document step by step with our Windows 2003, and everything
> > looks
> > > > good,
> > > > > > except when I try to login to the FreeIPA server with an AD user
> > (ssh
> > > > or
> > > > > > tty).
> > > > > >
> > > > > > >  Does anyone know how I could debug this problem?
> > > > > >
> > > > > >
> > > > > >  Sorry that you did not get a response. It is a hot time, a lot of
> > > > people
> > > > > > on vacation and we also got 4.0 just out of the door.
> > > > > >
> > > > > > Set debug_level to 10 in the sssd.conf. It will create a lot of
> > output
> > > > and
> > > > > > this might give you a hint of what is going on. From there you
> > will see
> > > > > > whether the user is processed by SSSD or SSH is not configured and
> > > > user does
> > > > > > not hit SSSD at all (unlikely), and if user is processed what the
> > > > problem
> > > > > > is.
> > > > > >
> > > > > >
> > > > > Thanks Dmitri. I set the debug_level to 10, and the file
> > > > > sssd_my.domain.com.log is telling something about the AD user trying
> > to
> > > > > connect with SSH. I am sending it to you privately, because it
> > contains
> > > > > some sensitive information.
> > > >
> > > > Hi,
> > > >
> > > > I realize you were following our own documentation, which originated
> > > > from this thread:
> > > > https://www.redhat.com/archives/freeipa-users/2013-June/msg00119.html
> > > >
> > > > Maybe it would be helpful to read it, too, at least to see how some
> > other
> > > > users were setting up the trust and what their problems were.
> > > >
> > > >
> > >
> > >
> > > Dmitri and Jakub, thanks very much for your help.
> > >
> > > Jakub, I took a look in the thread, but I couldn't find anything that
> > could
> > > help us with our problem.
> > >
> > > I am attaching the logs from sssd with the sensitive information removed.
> > > Any help is really appreciated; I don't really know where I should
> > continue
> > > searching for the problem.
> >
> > Thanks, the logs don't show what the error is, but do tell us that the
> > error is on the server side:
> >
> > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> > [ipa_s2n_exop_send] (0x0400): Executing extended operation
> > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> > [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 8
> > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> > [sdap_process_result] (0x2000): Trace: sh[0x2293ed0], connected[1],
> > ops[0x2293680], ldap[0x2293b40]
> > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> > [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
> > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> > [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations
> > error(1), (null)
> > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> > [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> >
> > What IPA version are you testing with? The debugging procedure differs
> > for versions with winbind on the server side and with sssd.
> >
> 
> I am testing with an updated CentOS 6 and all the software versions of its
> repositories. In detail:
> 
>  * OS: CentOS release 6.5 (Final)
>  * IPA server: 3.0.0-37
>  * SSSD: 1.9.2-129
>  * Winbind: 4.0.0-61

OK, so there's Winbind on the server side. Can you run:
    * smbcontrol winbindd debug 100
    * run the test on the client, check if you see the s2n exop failing
      in the logs
    * attach /var/log/samba/log.w*
    * reset the winbind logging back with: smbcontrol all debug 1
      otherwise you'll run out of disk space :-)
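
An added example, not part of the original thread and not SSSD or FreeIPA code: a small parser that extracts `ipa_s2n_exop_done` results from an SSSD domain log in the format quoted above, so the failing s2n extended operation can be confirmed after re-running the client test. It also accepts entries that were wrapped and `>`-quoted by mail. The sample log is constructed, the function names are hypothetical, and pairing each result with the last `msgid` sent for the same domain is a simplifying assumption.

```python
import re

START = re.compile(r"\(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\) \[")
ENTRY = re.compile(r"\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                   r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)")
RESULT = re.compile(r"ldap_extended_operation result: (?P<text>.+?)\((?P<code>\d+)\)")
MSGID = re.compile(r"msgid = (?P<id>\d+)")

# Constructed sample: two entries wrapped and quoted as in the mail above, then a
# later request in raw log form. The "Success(0)" wording is an assumption.
SAMPLE = """\
> > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.example.test]]]
> > [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 8
> > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.example.test]]]
> > [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations
> > error(1), (null)
(Fri Jul 11 17:21:02 2014) [sssd[be[lan.example.test]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 9
(Fri Jul 11 17:21:02 2014) [sssd[be[lan.example.test]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null)
"""

def unwrap(text):
    """Drop mail quote markers and rejoin entries that were wrapped in transit."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if START.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line
    return entries

def s2n_exops(text):
    """Return one record per s2n extended-operation result found in the log."""
    pending, records = {}, []   # pending: domain -> msgid of the last request sent
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        if m["func"] == "ipa_s2n_exop_send" and (sent := MSGID.search(m["msg"])):
            pending[m["domain"]] = int(sent["id"])
        elif m["func"] == "ipa_s2n_exop_done" and (res := RESULT.search(m["msg"])):
            code = int(res["code"])
            records.append({"time": m["ts"], "domain": m["domain"],
                            "msgid": pending.pop(m["domain"], None), "code": code,
                            "text": res["text"].strip(), "failed": code != 0})
    return records

if __name__ == "__main__":
    for rec in s2n_exops(SAMPLE):
        print(rec)
```

A record with `failed` set and code 1 corresponds to the "Operations error(1)" result in the quoted log, which is the point at which the server-side winbind logs become the next place to look.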



