[Freeipa-users] wbinfo cannot pull Active Directory domain users

Angelo Pantano ghilteras at gmail.com
Fri Jul 10 19:42:43 UTC 2015


I am using sssd and from ipa clients the authentication is not working
(works fine if I ssh on the ipa-server). I thought it could be due to the
external groups being empty and not mapping the AD users.

Anyway this is the krb5.conf on the ipa client:

#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.TWEEK
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  IPA.TWEEK = {
    kdc = centos.ipa.tweek:88
    master_kdc = centos.ipa.tweek:88
    admin_server = centos.ipa.tweek:749
    default_domain = ipa.tweek
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    auth_to_local = RULE:[1:$1@$0](^.*@AD.TWEEK$)s/@AD.TWEEK/@ad.tweek/
    auth_to_local = DEFAULT
  }
  AD.TWEEK = {
    kdc = centos.ipa.tweek:88
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .ipa.tweek = IPA.TWEEK
  ipa.tweek = IPA.TWEEK
  .ad.tweek = AD.TWEEK
  ad.tweek = AD.TWEEK


and this is the error I see in krb5_child.log

(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [main] (0x0400):
Will perform online auth
(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [AD.TWEEK]
(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt]
(0x0020): 996: [-1765328378][Client 'freeipa@AD.TWEEK' not found in
Kerberos database]
(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [map_krb5_error]
(0x0020): 1065: [-1765328378][Client 'freeipa@AD.TWEEK' not found in
Kerberos database]


also

# kinit freeipa@AD.TWEEK
kinit: Cannot find KDC for realm "AD.TWEEK" while getting initial
credentials

Any idea what the problem is? It seems Kerberos cannot find users in the AD
subdomain.


this is my sssd.conf

[domain/ipa.tweek]
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.tweek
id_provider = ipa
auth_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = someaddress_here
chpass_provider = ipa
ipa_server = _srv_, centos.ipa.tweek
dns_discovery_domain = ipa.tweek
cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=tweek
subdomains_provider = ipa
[sssd]
services = nss, pam, pac, ssh
config_file_version = 2
debug_level = 6
domains = ipa.tweek

On Fri, Jul 10, 2015 at 12:29 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Fri, 10 Jul 2015, Angelo Pantano wrote:
>
>> I have a freeipa server trusting an active directory domain, if I ssh to
>> the ipa server everything works, but if I try to ssh on an ipa client the
>> authentication fails.
>>
>> I noticed on the server that the wbinfo -n 'AD\Domain Users' is failing:
>>
>> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>>
>> Also in the logs I see:
>>
>> log.winbindd-dc-connect:  get_sorted_dc_list: attempting lookup for name
>> ad.local (sitename NULL)
>>
>> everything else works though, I can getent users and group just fine.
>>
>> Can you please help me?
>>
> We don't use wbinfo and don't recommend it with FreeIPA AD trusts -- at
> least with Fedora 18+ and RHEL7+. When your FreeIPA server is deployed
> on those platforms, SSSD is used to resolve users, not winbindd.
> Winbindd is only used to manage forest topology.
>
>
>
> --
> / Alexander Bokovoy
>
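The sssd.conf posted above carries two defects that a simple config check would catch: a misspelled option name (debud_level) and a bare LDAP DN (cn=ad_admins_external,...) pasted where an option line should be. The Python check below is an added example, not SSSD's own tooling; KNOWN_KEYS is an assumed partial allowlist built only from the options used in this thread, not the full documented schema.

```python
"""Added example: flag option keys an sssd.conf section does not document.
Not SSSD's own code; KNOWN_KEYS is an assumed partial allowlist."""

# Assumption: partial allowlist built from the options used in the thread.
KNOWN_KEYS = {
    "sssd": {"services", "config_file_version", "debug_level", "domains"},
    "domain": {"debug_level", "cache_credentials", "krb5_store_password_if_offline",
               "ipa_domain", "id_provider", "auth_provider", "ldap_tls_cacert",
               "ipa_hostname", "chpass_provider", "ipa_server",
               "dns_discovery_domain", "subdomains_provider"},
}


def lint_sssd_conf(text):
    """Return (section, problem) tuples for each suspicious line; [] means clean."""
    problems = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # e.g. "domain/ipa.tweek" or "sssd"
            continue
        if "=" not in line:
            problems.append((section, "line without '=': %r" % line))
            continue
        key = line.split("=", 1)[0].strip()
        # Every [domain/NAME] section shares one option vocabulary.
        kind = "domain" if section and section.startswith("domain/") else section
        allowed = KNOWN_KEYS.get(kind)
        if allowed is not None and key not in allowed:
            # Catches both a typo (debud_level) and a stray DN pasted as a line,
            # whose "key" becomes the first RDN attribute name (cn).
            problems.append((section, "unknown option %r" % key))
    return problems


# Constructed sample reproducing the two defects from the posted sssd.conf.
SAMPLE = """\
[domain/ipa.tweek]
debug_level = 6
id_provider = ipa
cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=tweek
[sssd]
debud_level = 6
domains = ipa.tweek
"""

if __name__ == "__main__":
    for section, problem in lint_sssd_conf(SAMPLE):
        print("[%s] %s" % (section, problem))
```

Newer SSSD releases ship `sssctl config-check` (in sssd-tools), which performs a fuller version of this check against the real option schema.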