[Freeipa-users] FreeIPA ActiveDirectory Integration, Fedora and Windows 2008 R2 AD: "ipa: ERROR: an internal error has occurred"

Traiano Welcome traiano at gmail.com
Sat Sep 13 15:42:35 UTC 2014


Hi

I've managed to get trusts working with CentOS 7 as an IdM server, Win2K8R2
AD DC and CentOS6.5 as a client, using the exact same series of steps as in
the documentation. Attached is the process I used.

I'll continue testing RHEL7 and Fedora 20.1 and submit a bug report if
necessary.

Thanks for the assistance all!!

Traiano




On Sat, Sep 13, 2014 at 12:07 AM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Fri, 12 Sep 2014, Traiano Welcome wrote:
>
>> Hi List
>>
>>
>> I'm following the guide at
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Assumptions , this
>> time with Fedora 20.1.
>>
>>
>> Everything proceeds smoothly until I try to establish trust with the AD
>> domain controller, at which point IPA crashes:
>>
>> ---
>> [root@idm001 ~]# ipa trust-add --type=ad mhatest.local --admin
>> Administrator --password
>> Active directory domain administrator's password:
>> ipa: ERROR: an internal error has occurred
>> [root@idm001 ~]#
>> ---
>>
>> I've attached the exact, step by step process I used to arrive at this
>> point. Attached also are the debug logs (as per the debugging guidelines).
>>
> Looks like you have connectivity problems (or firewall?):
> finddcs: Found matching DC 172.16.107.109 with server_type=0x000031fd
> [Fri Sep 12 23:30:00.471404 2014] [:error] [pid 3876] ipa: ERROR: LDAP
> error when connecting to KWTTSTADDC002: {'desc': "Can't contact LDAP
> server"}
>
> Anyway, please file a bug for Fedora and attach the logs there, we'll
> try to improve error messaging here.
>
>
>>
>> Many thanks in advance for any insight I could use to understand and fix
>> this issue! I am also moving on to re/testing the same process on
>> CentOS 7, CentOS 6.5 to rule out the possibility of subtle variations in
>> package version bugs (or basically net any that might exist :-p)
>>
> Yep.
>
>
> --
> / Alexander Bokovoy
>
-------------- next part --------------
1. AD DC Details

- Provides DNS via Windows DNS Server for MHATEST.LOCAL, ENGENEON.LOCAL, LINUX.MHATEST.LOCAL
- Win2K8 R2 Enterprise (VM running on Hyper-V)
- DNS hostname: kwttstaddc001.mhatest.local
- IP Address: 172.16.107.109


2. IdM Server Details

- CentOS Linux release 7.0.1406 (Core)
- DNS hostname: idm003.engeneon.local
- IP Address: 172.16.107.106


3. Linux Client machine:

 - 172.16.104.145 ronin.engeneon.local ronin
 - CentOS6.5


 Summary:


- IPA server IP address:  172.16.107.106
- IPA server hostname: idm003.engeneon.local 
- IPA domain: ipa_domain engeneon.local 
- IPA NetBIOS: ENGENEON 
- IPA Kerberos realm, IPA_DOMAIN, is equal to IPA domain: ENGENEON.LOCAL 
- AD DC IP address: ad_ip_address: 172.16.107.109
- AD DC hostname: ad_hostname: kwttstaddc001.mhatest.local
- AD domain: ad_domain: MHATEST.LOCAL
- AD NetBIOS: ad_netbios: MHATEST 
- AD admins group SID: <fillmein>


4. Windows 2008 R2 AD DC Configuration Settings (172.16.107.109)


Printout summary from the "DCPROMO" configuration wizard:

- Configure this server as the first Active Directory domain controller in a new forest.
- The new domain name is "MHATEST.LOCAL". This is also the name of the new forest.
- The NetBIOS name of the domain is "MHATEST".
- Forest Functional Level: Windows Server 2008 R2
- Domain Functional Level: Windows Server 2008 R2
- Site: Default-First-Site-Name

- Additional Options:
  Read-only domain controller: "No"
  Global catalog: Yes
  DNS Server: Yes

- Create DNS Delegation: No

- Database folder: C:\Windows\NTDS
- Log file folder: C:\Windows\NTDS
- SYSVOL folder: C:\Windows\SYSVOL

- The DNS Server service will be installed on this computer.
- The DNS Server service will be configured on this computer.
- This computer will be configured to use this DNS server as its preferred DNS server.
- The password of the new domain Administrator will be the same as the password of the local Administrator of this computer.


A second AD integrated zone was created on the AD server for the IPA domain: 

 Name:	ENGENEON.LOCAL
 Type:	Active Directory-Integrated Primary
 Lookup type:	Forward


5. IDM Server Configuration Sequence:

 - Guide #1 (IPA Setup) http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Assumptions
 - Guide #2 (AD setup) http://stef.thewalter.net/2012/08/how-to-create-active-directory-domain.html
 - Guide #3 (NOT USED IN THIS SEQUENCE!!): Mark Heslin's guide: "Integrating OSE for IdM for RHEL 1.0"


5.1 Installing the IPA server (CentOS 7, on VMware ESXI 5.5):


[done] yum update -y


 Setup the local caching name-server:

[DONE] yum install caching-nameserver
[DONE] configure forwarders in /etc/named.conf: forwarders { 172.16.107.109; /* ... or the address of your ISP DNS server */ };


 Zone configuration on the IPA server:

--- 

 zone "mhatest.local" {
        type stub;
        masters { 172.16.107.109; };
 };


 zone "engeneon.local" {
        type stub;
        masters { 172.16.107.109; };
 };


---


- Testing that the IPA server can use the local caching DNS service to resolve the test AD domain:


 ---
 [root@idm001 ~]# dig +short soa mhatest.local @127.0.0.1
 
 Times out!!! SERVFAIL

 ---


[DONE] yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap



[DONE] Configure hostname and /etc/hosts:

---
[root@idm001 ~]# cat /etc/hosts
127.0.0.1               localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
172.16.107.108  idm001.engeneon.local   idm001



[root@idm001 ~]# hostname
idm001.engeneon.local
---



[DONE] Install the IPA server:


 ipa-server-install -a XXXXXXXXX -p XXXXXXXXX --domain=engeneon.local --realm=ENGENEON.LOCAL --setup-dns --no-forwarders -U



---
<trimmed for brevity>
.
.
.
  [9/11]: restarting named
  [10/11]: configuring named to start on boot
  [11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

---


[DONE] Verify IPA users available to IPA Services:


---
[root@idm001 ~]# id admin
uid=392600000(admin) gid=392600000(admins) groups=392600000(admins)


[root@idm001 ~]# getent passwd admin
admin:*:392600000:392600000:Administrator:/home/admin:/bin/bash
[root@idm001 ~]#
---


[] Configure IPA for Cross-Realm Trusts:


 ipa-adtrust-install --netbios-name=ENGENEON -a XXXXXXXXX


Output:

---
[root@idm001 ~]#  ipa-adtrust-install --netbios-name=ENGENEON -a XXXXXXXXX

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.


Do you wish to continue? [no]: yes


WARNING: 3 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
        TCP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 445: microsoft-ds
        UDP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 389: (C)LDAP
          * 445: microsoft-ds

Additionally you have to make sure the FreeIPA LDAP server is not reachable
by any domain controller in the Active Directory domain by closing down
the following ports for these servers:
        TCP Ports:
          * 389, 636: LDAP/LDAPS

You may want to choose to REJECT the network packets instead of DROPing
them to avoid timeouts on the AD domain controllers.

=============================================================================



[DONE] Open the firewall Wide:


---
[root@idm001 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@idm001 ~]#
---


[DONE] Check TimeZone Settings on both the AD server and the IPA server:


idm001.engeneon.net:

 ---
 [root@idm001 ~]# date
 Fri Sep 12 21:10:56 AST 2014
 ---

kwttstaddc002.mhatest.local:

 ---
 PS C:\Users\Administrator> date
 Friday, September 12, 2014 9:10:33 PM
 ---



5. DNS Configuration: (The scenario here is "domains are parallel")


- AD DNS Zone  : mhatest.local
- IPA DNS Zone : engeneon.local



 5.1 Configure conditional forwarder for IPA domain (engeneon.local):

   
 dnscmd 127.0.0.1 /ZoneAdd engeneon.local /Forwarder 172.16.107.108

Output:

---

PS C:\Users\Administrator> dnscmd 127.0.0.1 /ZoneAdd engeneon.local /Forwarder 172.16.107.108
DNS Server 127.0.0.1 created zone engeneon.local:

Command completed successfully.
---


 5.2 On IPA server, add conditional forwarder for AD domain:

 ipa dnszone-add mhatest.local --name-server=kwttstaddc002.mhatest.local --admin-email='hostmaster@mhatest.local' --force --forwarder=172.16.107.109 --forward-policy=only --ip-address=172.16.107.109


Output:


---
[root@idm001 ~]# ipa dnszone-add mhatest.local --name-server=KWTTSTADDC002.mhatest.local --admin-email='hostmaster@mhatest.local' --force --forwarder=172.16.107.109 --forward-policy=only --ip-address=172.16.107.109
  Zone name: mhatest.local
  Authoritative nameserver: kwttstaddc002.mhatest.local
  Administrator e-mail address: hostmaster.mhatest.local.
  SOA serial: 1410546132
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant ENGENEON.LOCAL krb5-self * A; grant ENGENEON.LOCAL krb5-self * AAAA; grant ENGENEON.LOCAL krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 172.16.107.109
  Forward policy: only
[root@idm001 ~]#


---


- Dig tests:

---
 [root@idm001 ~]# dig +short SRV _ldap._tcp.engeneon.local
 0 100 389 idm001.engeneon.local.
---


---
 [root@idm001 ~]# dig +short SRV _ldap._tcp.mhatest.local
 0 100 389 kwttstaddc002.mhatest.local.
---
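The SRV lookups above are the discovery step that ipa trust-add performs itself; the Fedora failure earlier in the thread ("Can't contact LDAP server") happened at the next step, connecting to the DC those records point at. The following script is an added example, not part of the original post or of FreeIPA: it parses the same dig output and probes the DC on the ports from the installers' port lists. The port set, the helper names and the constructed test records are assumptions of the example.

```python
#!/usr/bin/env python3
"""Pre-trust reachability check (added example, not from the original post).

ipa trust-add discovers the AD DC through _ldap._tcp.<ad domain> and then opens
LDAP (389) and DCE/RPC-over-SMB (445) connections to it, plus Kerberos (88).
This script runs the same SRV discovery with dig and probes those ports."""
import socket
import subprocess

# Ports the DC must accept from the IPA server (assumed set, taken from the
# port lists the installers print in this write-up).
DC_PORTS = {88: "kerberos", 389: "ldap", 445: "microsoft-ds"}


def parse_srv(dig_output):
    """Parse 'dig +short SRV' lines ('prio weight port target.') into tuples,
    ordered by priority, then by descending weight, as a resolver prefers them."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank lines and dig's ';;' diagnostics
        prio, weight, port, target = parts
        records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return sorted(records, key=lambda r: (r[0], -r[1]))


def lookup_srv(domain, resolver=None):
    """Run the same query as the dig tests above; resolver='127.0.0.1' checks
    the IPA server's own named, which is what the trust code will use."""
    cmd = ["dig", "+short", "SRV", "_ldap._tcp.%s" % domain]
    if resolver:
        cmd.append("@" + resolver)
    return parse_srv(subprocess.check_output(cmd, text=True))


def tcp_reachable(host, port, timeout=3.0):
    """True when a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unresolvable
        return False


def check_dc(domain, resolver=None):
    """For every DC in the domain's LDAP SRV records, probe DC_PORTS.
    Returns {dc_hostname: {port: reachable}}; an empty dict means no SRV
    record was found, i.e. the conditional forwarder is not working."""
    report = {}
    for _prio, _weight, _port, target in lookup_srv(domain, resolver):
        report[target] = {p: tcp_reachable(target, p) for p in DC_PORTS}
    return report


if __name__ == "__main__":
    for dc, ports in check_dc("mhatest.local", resolver="127.0.0.1").items():
        for port, ok in sorted(ports.items()):
            print("%s %d/%s %s" % (dc, port, DC_PORTS[port], "ok" if ok else "UNREACHABLE"))
```

Run it on the IPA server before ipa trust-add; a DC that shows UNREACHABLE on 389 is the condition behind the "Can't contact LDAP server" error, and an empty report means the DNS forwarder, not the firewall, is the problem.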


6. Establish and verify cross-realm trust:



  ipa trust-add --type=ad mhatest.local --admin Administrator --password


Output:


---
[root@idm003 ~]# ipa trust-add --type=ad mhatest.local --admin Administrator --password
Active directory domain administrator's password:
------------------------------------------------------
Added Active Directory trust for realm "MHATEST.LOCAL"
------------------------------------------------------
  Realm name: MHATEST.LOCAL
  Domain NetBIOS name: MHATEST
  Domain Security Identifier: S-1-5-21-3779563847-208264455-1888173826
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11,
                          S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11,
                          S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@idm003 ~]#
---



7. Test if we can pull a list of trusted domains:


ipa trustdomain-find "mhatest.local"

---

[root@idm003 ~]# ipa trustdomain-find "mhatest.local"
  Domain name: MHATEST.LOCAL
  Domain NetBIOS name: MHATEST
  Domain Security Identifier: S-1-5-21-3779563847-208264455-1888173826
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
[root@idm003 ~]#

---




8. Modify /etc/krb5.conf

[realms]
 ENGENEON.LOCAL = {
  kdc = idm003.engeneon.local:88
  master_kdc = idm003.engeneon.local:88
  admin_server = idm003.engeneon.local:749
  default_domain = engeneon.local
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  # Map users of the trusted AD realm (the guide's AD_DOMAIN placeholder,
  # here MHATEST.LOCAL) to the lower-case user@mhatest.local form that SSSD
  # presents; anything else falls through to DEFAULT, which only maps
  # principals of ENGENEON.LOCAL itself.
  auth_to_local = RULE:[1:$1@$0](^.*@MHATEST.LOCAL$)s/@MHATEST.LOCAL/@mhatest.local/
  auth_to_local = DEFAULT
 }



---
[root@idm003 ~]# service krb5kdc restart
Redirecting to /bin/systemctl restart  krb5kdc.service
[root@idm003 ~]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service
[root@idm003 ~]#
---
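How the two auth_to_local rules in the [realms] block are evaluated is easy to get wrong, so here is an added example (not from the original post and not MIT krb5's code) that models MIT's RULE and DEFAULT semantics for exactly those rules, with the guide's AD_DOMAIN placeholder filled in with this setup's MHATEST.LOCAL. A trusted-realm principal is rewritten to the user@mhatest.local form the id output later shows, an ENGENEON.LOCAL user falls through to DEFAULT, and any other realm maps to nothing; the parsing helpers are the example's own.

```python
import re

# The two rules from the krb5.conf [realms] block above, placeholders filled in.
RULES = [
    "RULE:[1:$1@$0](^.*@MHATEST.LOCAL$)s/@MHATEST.LOCAL/@mhatest.local/",
    "DEFAULT",
]
DEFAULT_REALM = "ENGENEON.LOCAL"  # the IPA realm; DEFAULT only maps principals from here


def parse_rule(rule):
    """Split 'RULE:[n:fmt](regex)s/pat/rep/g' into (n, fmt, regex, [(pat, rep, g)]).
    The (regex) part is optional and the s/// part may repeat. Assumes the
    regex itself contains no ')' (true for the rule on this page)."""
    body = rule[len("RULE:"):]
    close = body.index("]")
    ncomp, fmt = body[1:close].split(":", 1)
    rest = body[close + 1:]
    regex = None
    if rest.startswith("("):
        end = rest.index(")")
        regex, rest = rest[1:end], rest[end + 1:]
    subs = re.findall(r"s/([^/]*)/([^/]*)/(g?)", rest)
    return int(ncomp), fmt, regex, subs


def apply_rule(rule, principal):
    """MIT semantics: the rule applies only to principals with exactly n components;
    $0 is the realm and $1..$n are the components; the regex must match the
    formatted string; then each s/// is applied. None means 'rule does not apply'."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    ncomp, fmt, regex, subs = parse_rule(rule)
    if len(comps) != ncomp:
        return None
    selector = fmt.replace("$0", realm)
    for i, comp in enumerate(comps, start=1):
        selector = selector.replace("$%d" % i, comp)
    if regex is not None and re.search(regex, selector) is None:
        return None
    for pat, rep, g in subs:
        selector = re.sub(pat, rep, selector, count=0 if g else 1)
    return selector


def apply_default(principal):
    """DEFAULT maps single-component principals of the default realm to that
    component and refuses everything else, so a foreign user never gets a
    local account name by accident."""
    name, realm = principal.rsplit("@", 1)
    if realm != DEFAULT_REALM or "/" in name:
        return None
    return name


def auth_to_local(principal, rules=RULES):
    """First rule that yields a name wins; None means no local name at all."""
    for rule in rules:
        result = apply_default(principal) if rule == "DEFAULT" else apply_rule(rule, principal)
        if result is not None:
            return result
    return None
```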



9. Allow access for users from AD domain to protected resources:


ipa group-add --desc='mhatest.local admins external map' ad_admins_external --external
ipa group-add --desc='mhatest.local admins' ad_admins
ipa group-add-member ad_admins_external --external 'MHATEST\Domain Admins'


Output:


---
[root@idm003 ~]# ipa group-add --desc='mhatest.local admins external map' ad_admins_external --external
--------------------------------
Added group "ad_admins_external"
--------------------------------
  Group name: ad_admins_external
  Description: mhatest.local admins external map
[root@idm003 ~]#
[root@idm003 ~]#
[root@idm003 ~]#
[root@idm003 ~]# ipa group-add --desc='mhatest.local admins' ad_admins
-----------------------
Added group "ad_admins"
-----------------------
  Group name: ad_admins
  Description: mhatest.local admins
  GID: 563000004
[root@idm003 ~]#

[root@idm003 ~]# ipa group-add-member ad_admins_external --external 'MHATEST\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: mhatest.local admins external map
  External member: S-1-5-21-3779563847-208264455-1888173826-512
-------------------------
Number of members added 1
-------------------------
[root@idm003 ~]#



---

[root@idm003 ~]# ipa group-add-member ad_admins --groups ad_admins_external
  Group name: ad_admins
  Description: mhatest.local admins
  GID: 563000004
  Member groups: ad_admins_external
-------------------------
Number of members added 1
-------------------------
[root@idm003 ~]#

---
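The external member above resolved to the MHATEST domain SID followed by RID 512, and the trust-add output earlier lists the SIDs that are filtered on incoming and outgoing traffic. As an added example (not FreeIPA's own code), the functions below apply both checks to a SID offered as an external group member: it must not fall under a blacklist entry, and it must be a principal of the trusted domain. Modelling the blacklist as a prefix match is an assumption of the example; the RID names are the standard AD well-known RIDs.

```python
# Values taken from the trust-add output above: the trusted domain's SID and
# its SID blacklist (S-1-5-21 itself is not listed, so domain SIDs under it
# are allowed through).
MHATEST_SID = "S-1-5-21-3779563847-208264455-1888173826"
SID_BLACKLIST = ["S-1-0", "S-1-1", "S-1-2", "S-1-3"] + ["S-1-5-%d" % n for n in range(1, 21)]
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users"}  # standard AD RIDs


def parse_sid(sid):
    """'S-1-5-21-...' -> [revision, identifier_authority, subauth1, ...]."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    return [int(p) for p in parts[1:]]


def sid_is_blacklisted(sid, blacklist=SID_BLACKLIST):
    """Assumption of this example: a blacklist entry blocks itself and every SID
    beneath it, so S-1-5-5 also covers the per-logon-session SIDs S-1-5-5-X-Y."""
    comps = parse_sid(sid)
    return any(comps[:len(parse_sid(b))] == parse_sid(b) for b in blacklist)


def external_member_check(sid, domain_sid=MHATEST_SID, blacklist=SID_BLACKLIST):
    """Decide whether a SID may be mapped as an external member for this trust.
    Returns (accepted, explanation)."""
    if sid_is_blacklisted(sid, blacklist):
        return False, "blacklisted: %s" % sid
    dom = parse_sid(domain_sid)
    comps = parse_sid(sid)
    # A domain principal is exactly the domain SID plus one RID.
    if comps[:len(dom)] != dom or len(comps) != len(dom) + 1:
        return False, "not a principal of trusted domain %s" % domain_sid
    rid = comps[-1]
    return True, "RID %d (%s)" % (rid, WELL_KNOWN_RIDS.get(rid, "domain-specific"))
```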


9. Testing Cross Realm Trust:


- Create a user in AD:
- SSH in to the IPA server using user at mhatest.local

Result: Works fine :-)

---
-sh-4.2$
-sh-4.2$ klist
Ticket cache: KEYRING:persistent:734001104:krb_ccache_EIBqyEC
Default principal: welcomet@MHATEST.LOCAL

Valid starting       Expires              Service principal
09/13/2014 01:02:19  09/13/2014 11:02:19  krbtgt/MHATEST.LOCAL@MHATEST.LOCAL
        renew until 09/14/2014 01:02:19
-sh-4.2$
-sh-4.2$
-sh-4.2$ id
uid=734001104(welcomet@mhatest.local) gid=734001104(welcomet@mhatest.local) groups=734001104(welcomet@mhatest.local),734000513(domain users@mhatest.local) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$
-sh-4.2$

---



10. Enroll another linux host as a client to the IPA server:

- CentOS 6.5



 ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir



----

[root@ronin ~]# ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir

Discovery was successful!
Hostname: ronin.engeneon.local
Realm: ENGENEON.LOCAL
DNS Domain: engeneon.local
IPA Server: idm003.engeneon.local
BaseDN: dc=engeneon,dc=local

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@ENGENEON.LOCAL:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=ENGENEON.LOCAL
    Issuer:      CN=Certificate Authority,O=ENGENEON.LOCAL
    Valid From:  Fri Sep 12 21:35:22 2014 UTC
    Valid Until: Tue Sep 12 21:35:22 2034 UTC

Enrolled in IPA realm ENGENEON.LOCAL
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ENGENEON.LOCAL
trying https://idm003.engeneon.local/ipa/xml
Forwarding 'env' to server u'https://idm003.engeneon.local/ipa/xml'
DNS server record set to: ronin.engeneon.local -> 172.16.104.145
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://idm003.engeneon.local/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
[root@ronin ~]#



----



Check we can get KRB5 tickets:



---
[root@ronin ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@ENGENEON.LOCAL

Valid starting     Expires            Service principal
09/13/14 01:09:17  09/14/14 01:09:13  krbtgt/ENGENEON.LOCAL@ENGENEON.LOCAL
[root@ronin ~]#

---


Check the user id :


---
-sh-4.1$ getent passwd welcomet@mhatest.local
welcomet@mhatest.local:*:734001104:734001104:Traiano TG. Welcome:/home/MHATEST.LOCAL/welcomet:
-sh-4.1$

---


Corresponding traces from krb5kdc.log on the IPA server side:


---
Sep 13 01:37:09 idm003.engeneon.local krb5kdc[19829](info): TGS_REQ (4 etypes {18 17 16 23}) 172.16.104.145: ISSUE: authtime 1410561429, etypes {rep=18 tkt=18 ses=18}, welcomet@MHATEST.LOCAL for host/ronin.engeneon.local@ENGENEON.LOCAL
Sep 13 01:37:09 idm003.engeneon.local krb5kdc[19829](info): closing down fd 12
---