[Freeipa-users] wbinfo cannot pull Active Directory domain users

Alexander Bokovoy abokovoy at redhat.com
Fri Jul 10 19:48:58 UTC 2015


On Fri, 10 Jul 2015, Angelo Pantano wrote:
>and this is the error I see in krb5_child.log
>
>(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [main] (0x0400): Will perform online auth
>(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [AD.TWEEK]
>(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt] (0x0020): 996: [-1765328378][Client 'freeipa@AD.TWEEK' not found in Kerberos database]
>(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [map_krb5_error] (0x0020): 1065: [-1765328378][Client 'freeipa@AD.TWEEK' not found in Kerberos database]
>
>
>also
>
># kinit freeipa@AD.TWEEK
>kinit: Cannot find KDC for realm "AD.TWEEK" while getting initial credentials
>
>Any idea what the problem is? It seems Kerberos cannot find users in the AD
>subdomain.
Run

  KRB5_TRACE=/dev/stderr kinit freeipa@AD.TWEEK

to see what the Kerberos library tries to connect to.

If AD.TWEEK is your Active Directory's domain realm, then according to
your krb5.conf it should be discovered via SRV records and the appropriate
AD DC would be contacted.

This is the first part to solve. The rest (the sssd output above) is due to
SSSD not being able to find out the proper AD DC to talk to, so it talks to
the IPA DC instead, which doesn't know this principal and errors out.

>this is my sssd.conf
>
>[domain/ipa.tweek]
>debug_level = 6
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = ipa.tweek
>id_provider = ipa
>auth_provider = ipa
>ldap_tls_cacert = /etc/ipa/ca.crt
>ipa_hostname = someaddress_here
>chpass_provider = ipa
>ipa_server = _srv_, centos.ipa.tweek
>dns_discovery_domain = ipa.tweek

>cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=tweek
^^ what is this?

>subdomains_provider = ipa
-- 
/ Alexander Bokovoy
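Added example, not code from the thread: a small Python check of where a client would look for a realm's KDCs, following the reasoning above (explicit `kdc` lines in krb5.conf win, otherwise `_kerberos._tcp.<realm>` SRV records when `dns_lookup_kdc` is enabled, otherwise the "Cannot find KDC for realm" failure). The krb5.conf text and the `dig` answer are constructed samples, and the function names are my own.

```python
import re

def parse_srv_answers(dig_output):
    """Parse `dig SRV` ANSWER lines into (priority, weight, port, target) in KDC try order."""
    srv_re = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")
    recs = []
    for line in dig_output.splitlines():
        m = srv_re.match(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            recs.append((int(prio), int(weight), int(port), target))
    # lowest priority first; within a priority, higher weight first
    return sorted(recs, key=lambda r: (r[0], -r[1]))

def realm_kdcs_from_conf(krb5_conf, realm):
    """Return (dns_lookup_kdc, [static kdc entries for realm]) from krb5.conf text."""
    dns_lookup = True  # MIT krb5 default when the option is absent
    kdcs, section, in_realm = [], None, False
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("["):  # new section, e.g. [realms]
            section, in_realm = line.strip("[]").lower(), False
        elif section == "libdefaults" and line.lower().startswith("dns_lookup_kdc"):
            dns_lookup = line.split("=", 1)[1].strip().lower() in ("true", "yes", "1")
        elif section == "realms":
            if line.startswith((realm + " ", realm + "=")):  # e.g. "AD.TWEEK = {"
                in_realm = True
            elif in_realm and line.startswith("}"):
                in_realm = False
            elif in_realm and line.lower().startswith("kdc"):
                kdcs.append(line.split("=", 1)[1].strip())
    return dns_lookup, kdcs

def kdc_discovery_check(krb5_conf, realm, dig_output):
    """Report where a client will find `realm`'s KDCs: static kdc lines, SRV records, or nowhere."""
    dns_lookup, kdcs = realm_kdcs_from_conf(krb5_conf, realm)
    if kdcs:
        return "static", kdcs
    srv = parse_srv_answers(dig_output) if dns_lookup else []
    if srv:
        return "srv", ["%s:%d" % (t, p) for _, _, p, t in srv]
    return "none", []  # the state behind "Cannot find KDC for realm"

# Constructed samples (not from the thread): a krb5.conf defining only the IPA
# realm, and a dig answer for the AD realm's _kerberos._tcp SRV record.
KRB5_CONF = "[libdefaults]\n dns_lookup_kdc = true\n[realms]\n IPA.TWEEK = {\n  kdc = centos.ipa.tweek:88\n }\n"
DIG_OK = "_kerberos._tcp.ad.tweek. 600 IN SRV 0 100 88 dc1.ad.tweek.\n_kerberos._tcp.ad.tweek. 600 IN SRV 10 50 88 dc2.ad.tweek."
```

Feed it the real `dig SRV _kerberos._tcp.ad.tweek` output and your `/etc/krb5.conf` to see which of the three cases the AD realm falls into.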
