[Freeipa-users] FW: domain trust linux to AD server not finding user profiles

Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) licause at hp.com
Wed Oct 8 13:13:14 UTC 2014


Thanks very much for the feedback.

RE: how often do we need to look up unauthenticated users... this is strictly a test environment used to duplicate customer problems,
so in reality we never have to do it, but that is the current problem at hand... the customer is unable to consistently authenticate users.
They have implemented additional screening limits for the users, but for now we are only trying to get the basic functionality to work.

In our case, I am unable to authenticate the valid users on the AD server using ssh on the IdM server:

[root@linux ~]# ssh -l ldap2@osn.cxo.cpqcorp.net linux
ldap2@osn.cxo.cpqcorp.net@linux's password:
Permission denied, please try again.
ldap2@osn.cxo.cpqcorp.net@linux's password:
Received disconnect from 10.20.0.59: 2: Too many authentication failures for ldap2@osn.cxo.cpqcorp.net

We know the password that is used for this test user is correct.

The logs and the tcpdump seem to indicate a problem with Kerberos verification, but not being a Kerberos heavy, I'm not sure
just what might be wrong, possibly with the krb5.conf file. This is the krb5kdc.log entry for the attempted ssh login above:

Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: NEEDED_PREAUTH: host/linux.ipa.cxo.cpqcorp.net@IPA.CXO.CPQCORP.NET for krbtgt/IPA.CXO.CPQCORP.NET@IPA.CXO.CPQCORP.NET, Additional pre-authentication required
Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412773131, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp.net@IPA.CXO.CPQCORP.NET for krbtgt/IPA.CXO.CPQCORP.NET@IPA.CXO.CPQCORP.NET
Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412773131, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp.net@IPA.CXO.CPQCORP.NET for ldap/linux.ipa.cxo.cpqcorp.net@IPA.CXO.CPQCORP.NET
Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): closing down fd 11

From tcpdump, the error given by Kerberos is STATUS_DOMAIN_TRUST_INCONSISTENT.

From the IdM server, this is the trust set up previously between the IdM server and the AD server:

[root@linux ~]# ipa trust-show osn.cxo.cpqcorp.net
  Realm name: osn.cxo.cpqcorp.net
  Domain NetBIOS name: OSN
  Domain Security Identifier: S-1-5-21-3753757867-1859638558-383537475
  Trust direction: Two-way trust
  Trust type: Active Directory domain

Further down in this e-mail is the krb5.conf file.

Do we have something defined incorrectly for Kerberos?

Al

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, October 07, 2014 5:02 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] domain trust linux to AD server not finding user profiles

On 10/07/2014 05:03 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:

I've been following the steps outlined in section 7.3.5 of the manual entitled

Integrating OpenShift Enterprise
with Identity Management (IdM)
in Red Hat Enterprise Linux
OpenShift Enterprise 2.1
IdM in Red Hat Enterprise Linux 7
Windows Server 2012 - Active Directory Integration

I now have our RHEL V7 running IdM, set up as an IdM Server in a domain, realm and subnet
different from our existing AD server running Windows 2008 R2, with a populated user database
that can be queried using ldapsearch and can authorize users.

I have successfully created a domain trust between the RHEL V7 Server
(linux.ipa.cxo.cpqcorp.net 10.20.0.59/24) and the AD Server
(win2008.osn.cxo.cpqcorp.net 16.112.240.55).

To simplify the configuration I have no firewall running and so have stopped both iptables
and firewalld.

All steps in section 7.3.5 have been followed. But when I run the first test for a user
on the AD system, the system is unable to find anything:

[root@linux ~]# getent group 'OSN\Domain Users'
[root@linux ~]#
[root@linux ~]#
[root@linux ~]# getent passwd 'OSN\ldap25'
[root@linux ~]#

The users and related information are not fetched until you authenticate as this user.
The ability to fetch users and groups that are not yet authenticated is tracked by the ticket https://fedorahosted.org/sssd/ticket/2159 and will be addressed in the next version of SSSD.
How frequently do you really need to look up unauthenticated AD users and AD groups on Linux systems? What is the use case?

The ticket above is for the cases when there is an application that needs to fetch the user so that the admin of the application can assign privileges to this user. But this is a pretty corner case.

I find this in the krb5kdc.log file:
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: NEEDED_PREAUTH: host/linux.ipa.cxo.cpqcorp.net@IPA.CXO.CPQCORP.NET for krbtgt/IPA.CXO.CPQCORP.NET@IPA.CXO.CPQCORP.NET, Additional pre-authentication required
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412713681, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp.net@IPA.CXO.CPQCORP.NET for krbtgt/IPA.CXO.CPQCORP.NET@IPA.CXO.CPQCORP.NET
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412713681, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp.net@IPA.CXO.CPQCORP.NET for ldap/linux.ipa.cxo.cpqcorp.net@IPA.CXO.CPQCORP.NET
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): closing down fd 11

I'm not quite sure what else I'm missing or have not understood in order to query the
AD server from the linux IdM server...but it would appear that something is not correctly
defined in the krb5.conf file found below:

[root@linux ~]# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = IPA.CXO.CPQCORP.NET
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
IPA.CXO.CPQCORP.NET = {
  kdc = linux.ipa.cxo.cpqcorp.net:88
  master_kdc = linux.ipa.cxo.cpqcorp.net:88
  admin_server = linux.ipa.cxo.cpqcorp.net:749
  default_domain = ipa.cxo.cpqcorp.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@OSN.CXO.CPQCORP.NET$)s/@OSN.CXO.CPQCORP.NET/@osn.cxo.cpqcorp.net/
  auth_to_local = DEFAULT
}

OSN.CXO.CPQCORP.NET = {
  kdc = win2008.osn.cxo.cpqcorp.net
  master_kdc = win2008.osn.cxo.cpqcorp.net
  admin_server = win2008.osn.cxo.cpqcorp.net
}

[domain_realm]
.ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
.osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET
osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET

[dbmodules]
  IPA.CXO.CPQCORP.NET = {
    db_library = ipadb.so
  }

Any help greatly appreciated.

Al

Al Licause
CSC Americas BCS Technical Specialist
HP Customer Support Center
Hours 5am-2pm Pacific time USA
Manager: mark.bailey at hp.com

--

Thank you,

Dmitri Pal

Sr. Engineering Manager IdM portfolio

Red Hat, Inc.
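A small configuration lint for the krb5.conf quoted in this thread, added here as an example; it is not FreeIPA or MIT Kerberos code. It parses the profile format (sections, nested { } realm stanzas, repeated keys such as the two auth_to_local lines) and reports three things a reviewer would otherwise check by hand: [realms] keys that are not in the documented set (libkrb5 ignores relation names it does not recognise, so a typo silently disables the setting instead of failing), auth_to_local rules whose selector regex does not compile, and default_realm or [domain_realm] entries that point at a realm with no stanza. The sample input is constructed from the thread's file, with one key deliberately misspelled as admin_sever so the lint has something to report; the list of known realm keys is a subset taken from krb5.conf(5), and include/includedir directives are skipped rather than followed.

```python
"""Parse a krb5.conf-style file and lint its realm/domain mappings.
Added example, not FreeIPA or MIT Kerberos code; the sample below is constructed."""
import difflib
import re

# Constructed sample mirroring the thread's krb5.conf, with admin_server misspelled on purpose.
SAMPLE_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = IPA.CXO.CPQCORP.NET
[realms]
IPA.CXO.CPQCORP.NET = {
  kdc = linux.ipa.cxo.cpqcorp.net:88
  admin_server = linux.ipa.cxo.cpqcorp.net:749
  default_domain = ipa.cxo.cpqcorp.net
  auth_to_local = RULE:[1:$1@$0](^.*@OSN.CXO.CPQCORP.NET$)s/@OSN.CXO.CPQCORP.NET/@osn.cxo.cpqcorp.net/
  auth_to_local = DEFAULT
}
OSN.CXO.CPQCORP.NET = {
  kdc = win2008.osn.cxo.cpqcorp.net
  admin_sever = win2008.osn.cxo.cpqcorp.net
}
[domain_realm]
.ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
.osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET
osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET
"""

# Subset of the [realms] relations documented in krb5.conf(5); anything else deserves a look.
KNOWN_REALM_KEYS = {
    "kdc", "master_kdc", "admin_server", "kpasswd_server", "default_domain",
    "auth_to_local", "auth_to_local_names", "pkinit_anchors", "pkinit_pool",
    "database_module", "v4_instance_convert", "v4_realm",
}
# auth_to_local value shape: DEFAULT or RULE:[n:format](selector)s/pattern/replacement/[g]
RULE_RE = re.compile(
    r"^(?:DEFAULT|RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\](?:\((?P<sel>.*?)\))?(?P<sub>s/.*/.*/[gL]*)?)$"
)

def parse_krb5_conf(text):
    """Return {section: {key: value}}; '{' blocks nest and repeated keys become lists."""
    sections, stack = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or line.split()[0] in ("include", "includedir"):
            continue  # comments and include directives are not followed by this parser
        m = re.match(r"^\[(\w+)\]$", line)
        if m:  # new top-level section
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        if "=" not in line or not stack:
            raise ValueError(f"line {lineno}: expected 'key = value' inside a section")
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":  # nested block such as a realm stanza
            block = {}
            stack[-1][key] = block
            stack.append(block)
            continue
        cur = stack[-1]
        if key in cur:  # repeated key, e.g. several auth_to_local rules
            cur[key] = (cur[key] if isinstance(cur[key], list) else [cur[key]]) + [value]
        else:
            cur[key] = value
    return sections

def lint_krb5_conf(conf):
    """Return (where, message) findings for common realm-mapping mistakes."""
    findings, realms = [], conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm and default_realm not in realms:
        findings.append(("libdefaults", f"default_realm {default_realm} has no [realms] stanza"))
    for realm, opts in realms.items():
        for key in opts:
            if key not in KNOWN_REALM_KEYS:  # libkrb5 would ignore this silently
                hint = difflib.get_close_matches(key, sorted(KNOWN_REALM_KEYS), n=1)
                findings.append((realm, f"unknown key {key!r}" + (f" (did you mean {hint[0]!r}?)" if hint else "")))
        rules = opts.get("auth_to_local", [])
        for rule in (rules if isinstance(rules, list) else [rules]):
            m = RULE_RE.match(rule)
            if not m:
                findings.append((realm, f"malformed auth_to_local rule: {rule}"))
                continue
            try:  # the selector is a regular expression and must at least compile
                re.compile(m.group("sel") or "")
            except re.error as exc:
                findings.append((realm, f"auth_to_local selector does not compile: {exc}"))
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(("domain_realm", f"{domain} maps to {realm}, which has no [realms] stanza"))
    return findings

if __name__ == "__main__":
    for where, message in lint_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)) or [("-", "no findings")]:
        print(f"{where}: {message}")
```

Run it as a script to see the findings for the embedded sample, or feed it a real file with lint_krb5_conf(parse_krb5_conf(open("/etc/krb5.conf").read())). A clean report does not mean the trust works; it only rules out the self-inflicted mapping mistakes that libkrb5 would otherwise absorb without complaint, which is worth doing before reading packet captures.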