[Freeipa-users] User AD can not Login Client Linux

Lukas Slebodnik lslebodn at redhat.com
Fri Aug 28 06:44:41 UTC 2015


On (23/08/15 17:53), alireza baghery wrote:
>Hi, I installed CentOS 7.1 (IDM server)
>and integrated it with a Windows Server 2008 R2 trust.
>AD users cannot log in on the client (OLE 6.6), but users created in IDM can log in.
>
>name IDM SERVER= ipasrv.l.infotechpsp.net
>domain Windows = infotechpsp.net
>
>I executed [ kinit abagheri at infotechpsp.net] on the IDM server
>and klist, and it shows keytab abagheri,
>but when I execute     kvno abagher at INFOTECHPSP.NET
>I get ERROR kvno Server not found in kerberos database.
>Please help me, and thank you.
>
>KLIST
>================================
>
>Valid starting     Expires            Service principal
>08/23/15 17:09:53  08/24/15 03:11:34  krbtgt/INFOTECHPSP.NET at INFOTECHPSP.NET
>        renew until 08/24/15 17:09:53
>
>=====================================
>
>Tail LOG /var/log/sssd/ssd_l.infotechpsp.net debug_level = 6
>=====================================
>[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>[(objectclass=*)][].
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
>set
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [sdap_kinit_send]
>(0x0400): Attempting kinit (default, host/ussd7.l.infotechpsp.net,
>L.INFOTECHPSP.NET, 86400)
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [resolve_srv_send]
>(0x0200): The status of SRV lookup is resolved
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>[be_resolve_server_process] (0x0200): Found address for server
>ipasrv.l.infotechpsp.net: [10.30.160.19] TTL 1200
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>[set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>[write_pipe_handler] (0x0400): All data has been sent!
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>[read_pipe_handler] (0x0400): EOF received, client finished
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/
>ccache_L.INFOTECHPSP.NET], expired on [1440420165]
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_cli_auth_step] (0x0100): expire timeout is 900
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [sasl_bind_send]
>(0x0100): Executing sasl bind mech: GSSAPI, user: host/
>ussd7.l.infotechpsp.net
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[child_sig_handler] (0x0100): child [13370] finished successfully.
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[fo_set_port_status] (0x0100): Marking port 389 of server '
>ipasrv.l.infotechpsp.net' as 'working'
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[set_server_common_status] (0x0100): Marking server '
>ipasrv.l.infotechpsp.net' as 'working'
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>[objectclass=ipaNTTrustedDomain][cn=trusts,dc=l,dc=infotechpsp,dc=net].
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [be_run_online_cb]
>(0x0080): Going online. Running callbacks.
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
>set
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>[objectclass=ipaIDRange][cn=ranges,cn=etc,dc=l,dc=infotechpsp,dc=net].
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
>set
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>[objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=l,dc=infotechpsp,dc=net].
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
>set
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[get_subdomains_callback] (0x0400): Backend returned: (0, 0, <NULL>)
>[Success]
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[be_get_account_info] (0x0100): Got request for [4097][1][name=abagheri]
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[ipa_s2n_exop_send] (0x0400): Executing extended operation
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations
>error(1), (null)
There seems to be a problem on the server side.
It is very likely a bug in sssd on the FreeIPA server.

Some AD-related fixes are included in the latest update in el7.1
(1.12.2-58.el7_1.14)

If it does not help, please try to upgrade to the latest upstream version
of sssd[1]. I hope it will help; otherwise we will need to see log files
from the IPA server.

LS

[1] https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/
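
A way to triage the symptom quoted above, added here as an example and not part of the original post or of SSSD: the script re-joins mail-wrapped SSSD domain-log records and reports each ipa_s2n_exop_done whose LDAP result code is non-zero, together with the user name from the preceding be_get_account_info request. The sample log is constructed; the domain ipa.example.test and the users aduser1/aduser2 are placeholders.

```python
import re

# Start of one SSSD backend record: "(Sun Aug 23 17:12:46 2015) [sssd[be[<domain>]]]"
START = re.compile(r"^\(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\) \[sssd\[")
RECORD = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
RESULT = re.compile(r"result: (?P<text>.+?)\((?P<code>\d+)\)")
NAME = re.compile(r"\[name=(?P<name>[^\]]+)\]")

# Constructed sample (placeholder domain and users), wrapped and ">"-quoted like the excerpt above.
SAMPLE = """\
>(Sun Aug 23 17:12:46 2015) [sssd[be[ipa.example.test]]]
>[be_get_account_info] (0x0100): Got request for [4097][1][name=aduser1]
>(Sun Aug 23 17:12:46 2015) [sssd[be[ipa.example.test]]]
>[ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations
>error(1), (null)
>(Sun Aug 23 17:13:02 2015) [sssd[be[ipa.example.test]]]
>[be_get_account_info] (0x0100): Got request for [4097][1][name=aduser2]
>(Sun Aug 23 17:13:02 2015) [sssd[be[ipa.example.test]]]
>[ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null)
"""

def records(text):
    """Strip quote markers and re-join records that were wrapped across lines."""
    out = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if START.match(line) or not out:
            out.append(line)          # a new record begins with a timestamp
        elif line:
            out[-1] += " " + line     # continuation of the previous record
    return [m.groupdict() for m in map(RECORD.match, out) if m]

def failed_exops(text):
    """Return the s2n extended operations that the IPA server answered with an error."""
    failures, last_name = [], None
    for rec in records(text):
        if rec["func"] == "be_get_account_info":
            m = NAME.search(rec["msg"])
            last_name = m.group("name") if m else None
        elif rec["func"] == "ipa_s2n_exop_done":
            m = RESULT.search(rec["msg"])
            if m and int(m.group("code")) != 0:   # LDAP result 0 is success
                failures.append({"ts": rec["ts"], "domain": rec["domain"], "name": last_name,
                                 "result": m.group("text").strip(), "code": int(m.group("code"))})
    return failures

if __name__ == "__main__":
    print(failed_exops(SAMPLE))
```

A non-empty result on a client means the lookup reached the IPA server and was rejected there, so the next logs to collect are the ones on the IPA server.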



