[Freeipa-users] domain trust linux to AD server not finding user profiles

Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) licause at hp.com
Tue Oct 7 21:03:20 UTC 2014



I've been following the steps outlined in section 7.3.5 of the manual entitled

Integrating OpenShift Enterprise
with Identity Management (IdM)
in Red Hat Enterprise Linux
OpenShift Enterprise 2.1
IdM in Red Hat Enterprise Linux 7
Windows Server 2012 - Active Directory Integration

I now have our RHEL V7 running IdM, set up as an IdM Server in a domain, Realm and subnet
different from our existing AD server running Windows 2008 R2 with a populated user database
that can be queried using ldapsearch and can authorize users.

I have successfully created a domain trust between the RHEL V7 Server
(linux.ipa.cxo.cpqcorp.net 10.20.0.59/24) and the AD Server
(win2008.osn.cxo.cpqcorp.net 16.112.240.55).

To simplify the configuration I have no firewall running and so have stopped both iptables
and firewalld.

All steps in section 7.3.5 have been followed. But when I run the first test for a user
on the AD system, the system is unable to find anything:

[root at linux ~]# getent group 'OSN\Domain Users'
[root at linux ~]#
[root at linux ~]#
[root at linux ~]# getent passwd 'OSN\ldap25'
[root at linux ~]#


I find this in the krb5kdc.log file:
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: NEEDED_PREAUTH: host/linux.ipa.cxo.cpqcorp.net at IPA.CXO.CPQCORP.NET for krbtgt/IPA.CXO.CPQCORP.NET at IPA.CXO.CPQCORP.NET, Additional pre-authentication required
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412713681, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp.net at IPA.CXO.CPQCORP.NET for krbtgt/IPA.CXO.CPQCORP.NET at IPA.CXO.CPQCORP.NET
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412713681, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp.net at IPA.CXO.CPQCORP.NET for ldap/linux.ipa.cxo.cpqcorp.net at IPA.CXO.CPQCORP.NET
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): closing down fd 11

I'm not quite sure what else I'm missing or have not understood in order to query the
AD server from the linux IdM server...but it would appear that something is not correctly
defined in the krb5.conf file found below:

[root at linux ~]# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = IPA.CXO.CPQCORP.NET
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
IPA.CXO.CPQCORP.NET = {
  kdc = linux.ipa.cxo.cpqcorp.net:88
  master_kdc = linux.ipa.cxo.cpqcorp.net:88
  admin_server = linux.ipa.cxo.cpqcorp.net:749
  default_domain = ipa.cxo.cpqcorp.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@OSN.CXO.CPQCORP.NET$)s/@OSN.CXO.CPQCORP.NET/@osn.cxo.cpqcorp.net/ auth_to_local = DEFAULT
}

OSN.CXO.CPQCORP.NET = {
  kdc = win2008.osn.cxo.cpqcorp.net
  master_kdc = win2008.osn.cxo.cpqcorp.net
  admin_sever = win2008.osn.cxo.cpqcorp.net
  }

[domain_realm]
.ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
.osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET
osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET

[dbmodules]
  IPA.CXO.CPQCORP.NET = {
    db_library = ipadb.so
  }



Any help greatly appreciated.

Al

Al Licause
CSC Americas BCS Technical Specialist
HP Customer Support Center
Hours 5am-2pm Pacific time USA
Manager: mark.bailey at hp.com
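The post suspects the krb5.conf shown above. A quick way to check a file like that before chasing the trust itself is to parse it and look for the mistakes that are easy to miss by eye: a misspelled relation name in a realm stanza, two relations jammed onto one line, a [domain_realm] mapping pointing at a realm that has no [realms] stanza, or a realm with no kdc at all. The checker below is an added example, not code from the original post or from the FreeIPA project; the function names, the hand-picked list of known [realms] relation names, and the decision to treat an unknown name as a probable typo are assumptions of this example. The sample input is the krb5.conf from the post, and a second copy with the two suspicious lines repaired is derived from it to show the checker going quiet.

```python
"""Minimal MIT krb5.conf parser plus a sanity check aimed at IdM/AD trust setups.

Added example (not from the mailing-list post or from FreeIPA). It understands
enough of the krb5.conf syntax ([section] headers, 'name = value' relations and
'NAME = { ... }' sub-stanzas) to flag the common editing mistakes listed in the
lead-in. It does not validate values against a live KDC.
"""
import re

# Relation names that belong in a [realms] stanza. Hand-picked subset (assumption
# of this example); anything else is reported as a probable typo.
KNOWN_REALM_KEYS = {
    "kdc", "master_kdc", "admin_server", "kpasswd_server", "default_domain",
    "pkinit_anchors", "auth_to_local", "database_module", "v4_realm",
}


def parse_krb5_conf(text):
    """Return {section: {name: [values] | {nested stanza}}}.

    A stack of dicts tracks '{' ... '}' nesting so that 'REALM = {' inside
    [realms] or [dbmodules] becomes a nested dict under that section.
    """
    sections = {}
    stack = []                       # innermost dict is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/whitespace
        if not line or line.startswith(("includedir", "include ")):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:                                # relation before any [section]
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        opener = re.match(r"^(\S+)\s*=\s*\{$", line)  # 'NAME = {'
        if opener:
            stack.append(stack[-1].setdefault(opener.group(1), {}))
            continue
        relation = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if relation:
            stack[-1].setdefault(relation.group(1), []).append(relation.group(2))
    return sections


def check_trust_config(sections):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    realms = sections.get("realms", {})
    for realm, stanza in realms.items():
        if not isinstance(stanza, dict):
            continue
        for key, values in stanza.items():
            if isinstance(values, dict):
                continue                             # nested block, not a relation
            if key not in KNOWN_REALM_KEYS:
                findings.append(f"[realms] {realm}: unknown relation '{key}' (typo?)")
            for value in values:
                # whitespace followed by 'word =' inside a value means a second
                # relation was written on the same line and swallowed as data
                if re.search(r"\s\w+\s*=\s", value):
                    findings.append(
                        f"[realms] {realm}: value of '{key}' contains another "
                        "relation; split the line")
        if "kdc" not in stanza:
            findings.append(f"[realms] {realm}: no kdc relation")
    for domain, mapped in sections.get("domain_realm", {}).items():
        for realm in mapped:
            if realm not in realms:
                findings.append(
                    f"[domain_realm] {domain} maps to {realm}, which has no [realms] stanza")
    return findings


# Sample input: the krb5.conf quoted in the post above.
SAMPLE_CONF = """includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = IPA.CXO.CPQCORP.NET
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
IPA.CXO.CPQCORP.NET = {
  kdc = linux.ipa.cxo.cpqcorp.net:88
  master_kdc = linux.ipa.cxo.cpqcorp.net:88
  admin_server = linux.ipa.cxo.cpqcorp.net:749
  default_domain = ipa.cxo.cpqcorp.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@OSN.CXO.CPQCORP.NET$)s/@OSN.CXO.CPQCORP.NET/@osn.cxo.cpqcorp.net/ auth_to_local = DEFAULT
}

OSN.CXO.CPQCORP.NET = {
  kdc = win2008.osn.cxo.cpqcorp.net
  master_kdc = win2008.osn.cxo.cpqcorp.net
  admin_sever = win2008.osn.cxo.cpqcorp.net
  }

[domain_realm]
.ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
.osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET
osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET

[dbmodules]
  IPA.CXO.CPQCORP.NET = {
    db_library = ipadb.so
  }
"""

# Constructed variant: same file with the two suspicious lines repaired.
FIXED_CONF = SAMPLE_CONF.replace("admin_sever", "admin_server").replace(
    " auth_to_local = DEFAULT", "\n  auth_to_local = DEFAULT")

if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("repaired", FIXED_CONF)):
        print(f"--- {label} ---")
        for finding in check_trust_config(parse_krb5_conf(conf)) or ["no findings"]:
            print(finding)
```

Run it with `python3 krb5check.py`; the as-posted file yields two findings (the unknown `admin_sever` relation in the OSN stanza and the second `auth_to_local` hiding inside the first one's value) and the repaired copy yields none. A clean result from this check says only that the file is well-formed; whether the trust actually resolves users still depends on DNS, SSSD and the trust objects themselves.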
