[Freeipa-users] FW: domain trust linux to AD server not finding user profiles

Alexander Bokovoy abokovoy at redhat.com
Wed Oct 8 13:21:50 UTC 2014


On Wed, 08 Oct 2014, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>Thanks very much for the feedback.
>
>RE: how often do we need to lookup unauthenticated users......this is strictly a test environment used to duplicate customer problems
>so in reality we never have to do it but that is the current problem at hand.....customer is unable to consistently authenticate users.
>They have implemented additional screening limits for the users, but for now we are only trying to get the basic functionality to work.
>
>In our case, am unable to authenticate the valid users on the AD server using ssh on the IdM server;
>
>[root at linux ~]# ssh -l ldap2 at osn.cxo.cpqcorp.net linux
>ldap2 at osn.cxo.cpqcorp.net@linux's password:
>Permission denied, please try again.
>ldap2 at osn.cxo.cpqcorp.net@linux's password:
>Received disconnect from 10.20.0.59: 2: Too many authentication failures for ldap2 at osn.cxo.cpqcorp.net
>
>We know the password that is used for this test user is correct.
>
>The logs and the tcpdump seem to indicate a problem with Kerberos verification but not being a Kerberos heavy, I'm not sure
>just what might be wrong, possibly with the krb5.conf file. This is the krb5kdc.log entry for the attempted ssh login above:
>
>Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: NEEDED_PREAUTH: host/linux.ipa.cxo.cpqcorp.net at IPA.CXO.CPQCORP.NET for krbtgt/IPA.CXO.CPQCORP.NET at IPA.CXO.CPQCORP.NET, Additional pre-authentication required
>Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412773131, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp.net at IPA.CXO.CPQCORP.NET for krbtgt/IPA.CXO.CPQCORP.NET at IPA.CXO.CPQCORP.NET
>Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412773131, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp.net at IPA.CXO.CPQCORP.NET for ldap/linux.ipa.cxo.cpqcorp.net at IPA.CXO.CPQCORP.NET
>Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): closing down fd 11
>
>From tcpdump, the error given by Kerberos is STATUS_DOMAIN_TRUST_INCONSISTENT
Ok, this means the process to establish trust didn't finish well. It is
a known issue that, despite a possible failure, the status of 'trust-add'
says 'established and verified'; we have a bug for that already.

Please follow
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
to give enough debugging data to see what the actual problem is.

>
>From the IdM server, this is the trust setup previously between the IdM server and the AD server;
>
>[root at linux ~]# ipa trust-show osn.cxo.cpqcorp.net
>  Realm name: osn.cxo.cpqcorp.net
>  Domain NetBIOS name: OSN
>  Domain Security Identifier: S-1-5-21-3753757867-1859638558-383537475
>  Trust direction: Two-way trust
>  Trust type: Active Directory domain
>
>Further down in this e-mail is the krb5.conf file.
>
>Do we have something defined incorrectly for Kerberos ?
>
>Al
>
>From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
>Sent: Tuesday, October 07, 2014 5:02 PM
>To: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] domain trust linux to AD server not finding user profiles
>
>On 10/07/2014 05:03 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>
>I've been following the steps outlined in section 7.3.5 of the manual entitled
>
>Integrating OpenShift Enterprise
>with Identity Management (IdM)
>in Red Hat Enterprise Linux
>OpenShift Enterprise 2.1
>IdM in Red Hat Enterprise Linux 7
>Windows Server 2012 - Active Directory Integration
>
>I now have our RHEL V7 running IdM, setup as an IdM Server in a domain, Realm and subnet
>different from our existing AD server running Windows 2008 R2 with a populated user database
>that can be queried using ldapsearch and can authorize users.
>
>I have successfully created a domain trust between the RHEL V7 Server
>(linux.ipa.cxo.cpqcorp.net 10.20.0.59/24) and the AD Server
>(win2008.osn.cxo.cpqcorp.net 16.112.240.55).
>
>To simplify the configuration I have no firewall running and so have stopped both iptables
>and firewalld.
>
>All steps in section 7.3.5 have been followed. But when I run the first test for a user
>on the AD system, the system is unable to find anything:
>
>[root at linux ~]# getent group 'OSN\Domain Users'
>[root at linux ~]#
>[root at linux ~]#
>[root at linux ~]# getent passwd 'OSN\ldap25'
>[root at linux ~]#
>
>The users and related information are not fetched until you authenticate as this user.
>The ability to fetch users and groups that are not yet authenticated is tracked by the ticket https://fedorahosted.org/sssd/ticket/2159 and will be addressed in the next version of SSSD.
>How frequently do you really need to lookup unauthenticated AD users and AD groups on linux systems? What is the use case?
>
>The ticket above is for the cases when there is an application that needs to fetch the user so that admin of the application can assign privileges to this user. But this is a pretty corner case.
>
>I find this in the krb5kdc.log file:
>Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: NEEDED_PREAUTH: host/linux.ipa.cxo.cpqcorp.net at IPA.CXO.CPQCORP.NET for krbtgt/IPA.CXO.CPQCORP.NET at IPA.CXO.CPQCORP.NET, Additional pre-authentication required
>Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412713681, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp.net at IPA.CXO.CPQCORP.NET for krbtgt/IPA.CXO.CPQCORP.NET at IPA.CXO.CPQCORP.NET
>Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412713681, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp.net at IPA.CXO.CPQCORP.NET for ldap/linux.ipa.cxo.cpqcorp.net at IPA.CXO.CPQCORP.NET
>Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): closing down fd 11
>
>I'm not quite sure what else I'm missing or have not understood in order to query the
>AD server from the linux IdM server...but it would appear that something is not correctly
>defined in the krb5.conf file found below:
>
>[root at linux ~]# cat /etc/krb5.conf
>includedir /var/lib/sss/pubconf/krb5.include.d/
>
>[logging]
>default = FILE:/var/log/krb5libs.log
>kdc = FILE:/var/log/krb5kdc.log
>admin_server = FILE:/var/log/kadmind.log
>
>[libdefaults]
>default_realm = IPA.CXO.CPQCORP.NET
>dns_lookup_realm = false
>dns_lookup_kdc = true
>rdns = false
>ticket_lifetime = 24h
>forwardable = yes
>default_ccache_name = KEYRING:persistent:%{uid}
>
>[realms]
>IPA.CXO.CPQCORP.NET = {
>  kdc = linux.ipa.cxo.cpqcorp.net:88
>  master_kdc = linux.ipa.cxo.cpqcorp.net:88
>  admin_server = linux.ipa.cxo.cpqcorp.net:749
>  default_domain = ipa.cxo.cpqcorp.net
>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>  auth_to_local = RULE:[1:$1@$0](^.*@OSN.CXO.CPQCORP.NET$)s/@OSN.CXO.CPQCORP.NET/@osn.cxo.cpqcorp.net/
>  auth_to_local = DEFAULT
>}
>
>OSN.CXO.CPQCORP.NET = {
>  kdc = win2008.osn.cxo.cpqcorp.net
>  master_kdc = win2008.osn.cxo.cpqcorp.net
>  admin_server = win2008.osn.cxo.cpqcorp.net
>}
>
>[domain_realm]
>.ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
>ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
>.osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET
>osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET
>
>[dbmodules]
>  IPA.CXO.CPQCORP.NET = {
>    db_library = ipadb.so
>  }
>
>
>
>Any help greatly appreciated.
>
>Al
>
>Al Licause
>CSC Americas BCS Technical Specialist
>HP Customer Support Center
>Hours 5am-2pm Pacific time USA
>Manager: mark.bailey at hp.com<mailto:mark.bailey at hp.com>
>
>--
>
>Thank you,
>
>Dmitri Pal
>
>Sr. Engineering Manager IdM portfolio
>
>Red Hat, Inc.



>-- 
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go To http://freeipa.org for more info on the project


-- 
/ Alexander Bokovoy
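Added here as an example (not code from the thread, from FreeIPA or from SSSD): a small parser for the MIT krb5kdc.log request lines quoted above. It summarizes, per client principal, which requests the KDC answered and flags any entry that involves the trust path (a client from the other realm, or a krbtgt for the other realm). The sample lines are the thread's own, with the list archive's " at " obfuscation reversed; on them only the host principal's own TGT and an ldap/ service ticket appear, i.e. no cross-realm traffic reached this KDC.

```python
import re
from collections import Counter

# Constructed sample: the four krb5kdc.log lines quoted in the thread, with the
# list archive's " at " obfuscation reversed so principals read as name@REALM.
SAMPLE_LOG = """\
Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: NEEDED_PREAUTH: host/linux.ipa.cxo.cpqcorp.net@IPA.CXO.CPQCORP.NET for krbtgt/IPA.CXO.CPQCORP.NET@IPA.CXO.CPQCORP.NET, Additional pre-authentication required
Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412773131, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp.net@IPA.CXO.CPQCORP.NET for krbtgt/IPA.CXO.CPQCORP.NET@IPA.CXO.CPQCORP.NET
Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412773131, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp.net@IPA.CXO.CPQCORP.NET for ldap/linux.ipa.cxo.cpqcorp.net@IPA.CXO.CPQCORP.NET
Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): closing down fd 11
"""

# MIT KDC request line layout:
#   <ts> <host> krb5kdc[pid](info): <AS_REQ|TGS_REQ> (<n> etypes {...}) <client ip>:
#   <STATUS>: [authtime N, etypes {...}, ]<client principal> for <service principal>[, <message>]
ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
)


def parse_kdc_log(text):
    """One dict per AS_REQ/TGS_REQ line; lines such as 'closing down fd' are skipped."""
    return [m.groupdict() for m in map(ENTRY_RE.match, text.splitlines()) if m]


def is_cross_realm(client, service):
    """True when the trust path is involved: the client comes from another realm,
    or the service is the krbtgt of a realm other than the one issuing it."""
    client_realm = client.rpartition("@")[2]
    name, _, service_realm = service.rpartition("@")
    svc, _, target = name.partition("/")
    return client_realm != service_realm or (svc == "krbtgt" and target != service_realm)


def summarize(text):
    """Per client principal: status counts, services issued and any cross-realm use."""
    report = {}
    for e in parse_kdc_log(text):
        r = report.setdefault(
            e["client"], {"status": Counter(), "services": set(), "cross_realm": False})
        r["status"][e["status"]] += 1
        if e["status"] == "ISSUE":
            r["services"].add(e["service"])
            r["cross_realm"] |= is_cross_realm(e["client"], e["service"])
    return report
```

Run summarize() over a real krb5kdc.log (after replacing the constructed sample) to see whether any AD-realm client or cross-realm krbtgt ever shows up on the IPA KDC during a failed login.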