[Freeipa-users] domain trust linux to AD server not finding user profiles
Sumit Bose
sbose at redhat.com
Wed Oct 8 07:31:45 UTC 2014
On Tue, Oct 07, 2014 at 08:01:48PM -0400, Dmitri Pal wrote:
> On 10/07/2014 05:03 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network
> Support) wrote:
> >
> >I've been following the steps outlined in section 7.3.5 of the manual
> >entitled
> >
> >Integrating OpenShift Enterprise
> >
> >with Identity Management (IdM)
> >
> >in Red Hat Enterprise Linux
> >
> >OpenShift Enterprise 2.1
> >
> >IdM in Red Hat Enterprise Linux 7
> >
> >Windows Server 2012 - Active Directory Integration
> >
> >I now have our RHEL V7 running IdM, setup as an IdM Server in a domain,
> >Realm and subnet
> >
> >different from our existing AD server running Windows 2008 R2 with a
> >populated user database
> >
> >that can be queried using ldapsearch and can authorize users.
> >
> >I have successfully created a domain trust between the RHEL V7 Server
> >
> >(linux.ipa.cxo.cpqcorp.net 10.20.0.59/24) and the AD Server
> >
> >(win2008.osn.cxo.cpqcorp.net 16.112.240.55).
> >
> >To simplify the configuration I have no firewall running and so have
> >stopped both iptables
> >
> >and firewalld.
> >
> >All steps in section 7.3.5 have been followed. But when I run the first
> >test for a user
> >
> >on the AD system, the system is unable to find anything:
> >
> >[root at linux ~]# getent group 'OSN\Domain Users'
> >
> >[root at linux ~]#
> >
> >[root at linux ~]#
> >
> >[root at linux ~]# getent passwd 'OSN\ldap25'
> >
> >[root at linux ~]#
> >
>
> The users and related information are not fetched until you authenticate as
> this user.
> The ability to fetch users and groups that are not yet authenticated is
> tracked by the ticket https://fedorahosted.org/sssd/ticket/2159 and will be
> addressed in the next version of SSSD.
> How frequently do you really need to lookup unauthenticated AD users and AD
> groups on linux systems? What is the use case?
This is correct, but the simple lookups shown above should still work
even for unauthenticated users. What is missing is the full
group-membership of an unauthenticated user and the full list of members
for a group.
Coming back to the issue above, it would be nice if you can increase the
debug level of SSSD running on the host where you call the getent
commands and send the SSSD logs after running the commands. Feel free to
send them to me directly if you think that the logs are too big or might
contain information too sensitive for a public mailing-list.
bye,
Sumit
>
> The ticket above is for the cases when there is an application that needs to
> fetch the user so that admin of the application can assign privileges to
> this user. But this is a pretty corner case.
>
> >I find this in the krb5kdc.log file:
> >
> >Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6
> >etypes {18 17 16 23 25 26}) 10.20.0.59: NEEDED_PREAUTH:
> >host/linux.ipa.cxo.cpqcorp.net at IPA.CXO.CPQCORP.NET for
> >krbtgt/IPA.CXO.CPQCORP.NET at IPA.CXO.CPQCORP.NET, Additional
> >pre-authentication required
> >
> >Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6
> >etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412713681, etypes
> >{rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp.net at IPA.CXO.CPQCORP.NET
> >for krbtgt/IPA.CXO.CPQCORP.NET at IPA.CXO.CPQCORP.NET
> >
> >Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): TGS_REQ (6
> >etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412713681, etypes
> >{rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp.net at IPA.CXO.CPQCORP.NET
> >for ldap/linux.ipa.cxo.cpqcorp.net at IPA.CXO.CPQCORP.NET
> >
> >Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): closing
> >down fd 11
> >
> >I'm not quite sure what else I'm missing or have not understood in order
> >to query the
> >
> >AD server from the linux IdM server...but it would appear that something
> >is not correctly
> >
> >defined in the krb5.conf file found below:
> >
> >[root at linux ~]# cat /etc/krb5.conf
> >
> >includedir /var/lib/sss/pubconf/krb5.include.d/
> >
> >[logging]
> >
> >default = FILE:/var/log/krb5libs.log
> >
> >kdc = FILE:/var/log/krb5kdc.log
> >
> >admin_server = FILE:/var/log/kadmind.log
> >
> >[libdefaults]
> >
> >default_realm = IPA.CXO.CPQCORP.NET
> >
> >dns_lookup_realm = false
> >
> >dns_lookup_kdc = true
> >
> >rdns = false
> >
> >ticket_lifetime = 24h
> >
> >forwardable = yes
> >
> >default_ccache_name = KEYRING:persistent:%{uid}
> >
> >[realms]
> >
> >IPA.CXO.CPQCORP.NET = {
> >
> >kdc = linux.ipa.cxo.cpqcorp.net:88
> >
> >master_kdc = linux.ipa.cxo.cpqcorp.net:88
> >
> >admin_server = linux.ipa.cxo.cpqcorp.net:749
> >
> >default_domain = ipa.cxo.cpqcorp.net
> >
> >pkinit_anchors = FILE:/etc/ipa/ca.crt
> >
> >auth_to_local = RULE:[1:$1@$0](^.*@OSN.CXO.CPQCORP.NET$)s/@OSN.CXO.CPQCORP.NET/@osn.cxo.cpqcorp.net/
> >auth_to_local = DEFAULT
> >
> >}
> >
> >OSN.CXO.CPQCORP.NET = {
> >
> >kdc = win2008.osn.cxo.cpqcorp.net
> >
> >master_kdc = win2008.osn.cxo.cpqcorp.net
> >
> >admin_sever = win2008.osn.cxo.cpqcorp.net
> >
> >}
> >
> >[domain_realm]
> >
> >.ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
> >
> >ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
> >
> >.osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET
> >
> >osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET
> >
> >[dbmodules]
> >
> >IPA.CXO.CPQCORP.NET = {
> >
> >db_library = ipadb.so
> >
> >}
> >
> >Any help greatly appreciated.
> >
> >Al
> >
> >*Al Licause*
> >
> >*CSC Americas BCS Technical Specialist*
> >
> >*HP Customer Support Center*
> >
> >*Hours 5am-2pm Pacific time USA*
> >
> >*Manager: mark.bailey at hp.com*
> >
> >
> >
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list