[Freeipa-users] AD trust established but users can't login

andrei.brajnicov andrei.brajnicov at gmail.com
Wed Aug 5 13:42:51 UTC 2015


Hello.

My mission is to install a FreeIPA instance as a subdomain of AD, and to 
allow AD users to log in to some Linux servers. I installed and 
configured it, but I meet a problem: AD users are not allowed to log in 
to FreeIPA.

A piece of everything:

AD = adexample.com ( 2008R2 )
IPA =ipa.adexample.com

# ipa --version
VERSION: 4.1.0, API_VERSION: 2.112

# sssd --version
1.12.2

# hostname
otp1tst86.ipa.adexample.com

# uname -a
Linux otp1tst86.ipa.adexample.com 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_1nRCjmt
Default principal: Administrator@ADEXAMPLE.COM

Valid starting       Expires              Service principal
08/05/2015 16:30:32  08/06/2015 02:14:53  krbtgt/IPA.ADEXAMPLE.COM@ADEXAMPLE.COM
        renew until 08/06/2015 16:14:50
08/05/2015 16:14:53  08/06/2015 02:14:53  krbtgt/ADEXAMPLE.COM@ADEXAMPLE.COM
        renew until 08/06/2015 16:14:50


# cat sssd.conf
[domain/ipa.adexample.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.adexample.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = otp1tst86.ipa.adexample.com
chpass_provider = ipa
ipa_server = otp1tst86.ipa.adexample.com
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa
[sssd]
services = nss, sudo, pam, ssh, pac
config_file_version = 2


sudo_provider = ldap
ldap_uri = ldap://otp1tst86.ipa.adexample.com
ldap_sudo_search_base = ou=sudoers,dc=ipa, dc=adexample,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/otp1tst86.ipa.adexample.com
ldap_sasl_realm = IPA.ADEXAMPLE.COM
krb5_server = otp1tst86.ipa.adexample.com

domains = ipa.adexample.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]




# egrep "^[^#]" /etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus
sudoers: files sss


Here I can see AD users.
# wbinfo -ug
ADEXAMPLE\administrator
ADEXAMPLE\guest
ADEXAMPLE\krbtgt
ADEXAMPLE\abrajnicov
ADEXAMPLE\ipa$
ADEXAMPLE\kuzea
admins
editors
default smb group
ad_admins
ADEXAMPLE\domain computers
ADEXAMPLE\domain controllers
ADEXAMPLE\schema admins
ADEXAMPLE\enterprise admins
ADEXAMPLE\domain admins
ADEXAMPLE\domain users
ADEXAMPLE\domain guests
ADEXAMPLE\group policy creator owners
ADEXAMPLE\read-only domain controllers
ADEXAMPLE\enterprise read-only domain controllers
ADEXAMPLE\dnsupdateproxy


[root@otp1tst86 ~]# id admin@IPA.ADEXAMPLE.COM
uid=1466400000(admin) gid=1466400000(admins) groups=1466400000(admins)
[root@otp1tst86 ~]# id kuzea@ADEXAMPLE.COM
id: kuzea@ADEXAMPLE.COM: no such user

So you can see that AD users are not visible to sssd.




# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = IPA.ADEXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  IPA.ADEXAMPLE.COM = {
   kdc = otp1tst86.ipa.adexample.com:88
   master_kdc = otp1tst86.ipa.adexample.com:88
   admin_server = otp1tst86.ipa.adexample.com:749
   default_domain = ipa.adexample.com
   pkinit_anchors = FILE:/etc/ipa/ca.crt
   auth_to_local = RULE:[1:$1@$0](^.*@ADEXAMPLE.COM$)s/@ADEXAMPLE.COM/@adexample.com/
   auth_to_local = DEFAULT
}


[domain_realm]
  .ipa.adexample.com = IPA.ADEXAMPLE.COM
  ipa.adexample.com = IPA.ADEXAMPLE.COM
  .adexample.com = ADEXAMPLE.COM
  adexample.com = ADEXAMPLE.COM

[dbmodules]
   IPA.ADEXAMPLE.COM = {
     db_library = ipadb.so
   }


# wbinfo -n 'adexample\Domain Admins'
S-1-5-21-4094320520-3357938610-121029971-512 SID_DOM_GROUP (2)


But when I try to log in to a server using ssh I meet this error:
Aug 05 16:40:28 otp1tst86.ipa.adexample.com sshd[3997]: Invalid user kuzea@adexample.com from ::1
Aug 05 16:40:28 otp1tst86.ipa.adexample.com sshd[3997]: input_userauth_request: invalid user kuzea@adexample.com [preauth]
Aug 05 16:40:34 otp1tst86.ipa.adexample.com sshd[3997]: pam_unix(sshd:auth): check pass; user unknown
Aug 05 16:40:34 otp1tst86.ipa.adexample.com sshd[3997]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
Aug 05 16:40:37 otp1tst86.ipa.adexample.com sshd[3997]: Failed password for invalid user kuzea@adexample.com from ::1 port 32809 ssh2


I don't know if this information is sufficient. But I hope that someone 
will help me to troubleshoot the problem.
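As an added example (not part of the original post), a small Python checker that parses an sssd.conf and reports domain-scoped options that sit outside a [domain/...] section, where SSSD does not apply them, plus any name listed in `domains =` that has no matching section. The key set is a small subset of sssd.conf(5), and the sample config is constructed to mirror the layout of the file quoted above.

```python
"""Flag sssd.conf options placed in a section where SSSD does not apply them.
A domain option (sudo_provider, ldap_uri, ...) under [sssd] is never used by
any domain backend. Key set is a small subset of sssd.conf(5)."""
import configparser

# Domain-scoped keys (valid only under [domain/NAME]); subset of sssd.conf(5).
DOMAIN_KEYS = {
    "id_provider", "auth_provider", "access_provider", "chpass_provider",
    "sudo_provider", "subdomains_provider", "krb5_server", "ipa_server",
    "ipa_domain", "ldap_uri", "ldap_sudo_search_base", "ldap_sasl_mech",
}

# Constructed sample mirroring the layout of the posted sssd.conf.
SAMPLE = """\
[domain/ipa.adexample.com]
id_provider = ipa
ipa_server = otp1tst86.ipa.adexample.com
subdomains_provider = ipa
[sssd]
services = nss, sudo, pam, ssh, pac
sudo_provider = ldap
ldap_uri = ldap://otp1tst86.ipa.adexample.com
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=adexample,dc=com
krb5_server = otp1tst86.ipa.adexample.com
domains = ipa.adexample.com
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return cp

def misplaced_options(text):
    """(section, key) pairs for domain keys found outside a [domain/...] section."""
    cp = _parse(text)
    return [(s, k) for s in cp.sections() if not s.startswith("domain/")
            for k in cp[s] if k in DOMAIN_KEYS]

def undefined_domains(text):
    """Names in [sssd] domains= that have no matching [domain/NAME] section."""
    cp = _parse(text)
    listed = cp.get("sssd", "domains", fallback="")
    declared = {d.strip() for d in listed.split(",") if d.strip()}
    defined = {s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")}
    return sorted(declared - defined)

if __name__ == "__main__":
    print(misplaced_options(SAMPLE), undefined_domains(SAMPLE))
```

Run it against a real /etc/sssd/sssd.conf by passing the file's contents to the two functions; any pair it reports under [sssd] belongs in the domain section.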
