[Freeipa-users] wbinfo cannot pull Active Directory domain users

Alexander Bokovoy abokovoy at redhat.com
Fri Jul 10 19:50:22 UTC 2015


On Fri, 10 Jul 2015, Angelo Pantano wrote:
>I am using sssd and from ipa clients the authentication is not working
>(works fine if I ssh on the ipa-server). I thought it could be due to the
>external groups being empty and not mapping the AD users.
>
>Anyway this is the krb5.conf on the ipa client:
>
>#File modified by ipa-client-install
>
>includedir /var/lib/sss/pubconf/krb5.include.d/
>
>[libdefaults]
>  default_realm = IPA.TWEEK
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = yes
>  udp_preference_limit = 0
>  default_ccache_name = KEYRING:persistent:%{uid}
>
>[realms]
>  IPA.TWEEK = {
>    kdc = centos.ipa.tweek:88
>    master_kdc = centos.ipa.tweek:88
>    admin_server = centos.ipa.tweek:749
>    default_domain = ipa.tweek
>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>    auth_to_local = RULE:[1:$1@$0](^.*@AD.TWEEK$)s/@AD.TWEEK/@ad.tweek/
>    auth_to_local = DEFAULT
>  }
>  AD.TWEEK = {
>    kdc = centos.ipa.tweek:88
>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>  }
Why did you override AD.TWEEK KDC to point to FreeIPA?

Remove AD.TWEEK stanza completely. You have 'dns_lookup_realm' and
'dns_lookup_kdc' to allow automatic discovery via DNS SRV records.

>
>[domain_realm]
>  .ipa.tweek = IPA.TWEEK
>  ipa.tweek = IPA.TWEEK
>  .ad.tweek = AD.TWEEK
>  ad.tweek = AD.TWEEK
>
>
>and this is the error I see in krb5_child.log
>
>(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [main] (0x0400):
>Will perform online auth
>(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt]
>(0x0400): Attempting kinit for realm [AD.TWEEK]
>(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt]
>(0x0020): 996: [-1765328378][Client 'freeipa@AD.TWEEK' not found in
>Kerberos database]
>(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [map_krb5_error]
>(0x0020): 1065: [-1765328378][Client 'freeipa@AD.TWEEK' not found in
>Kerberos database]
>
>
>also
>
># kinit freeipa@AD.TWEEK
>kinit: Cannot find KDC for realm "AD.TWEEK" while getting initial
>credentials
>
>Any idea what the problem is? It seems Kerberos cannot find users in the AD
>subdomain.
>
>
>this is my sssd.conf
>
>[domain/ipa.tweek]
>debug_level = 6
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = ipa.tweek
>id_provider = ipa
>auth_provider = ipa
>ldap_tls_cacert = /etc/ipa/ca.crt
>ipa_hostname = someaddress_here
>chpass_provider = ipa
>ipa_server = _srv_, centos.ipa.tweek
>dns_discovery_domain = ipa.tweek
>cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=tweek
>subdomains_provider = ipa
>[sssd]
>services = nss, pam, pac, ssh
>config_file_version = 2
>debug_level = 6
>domains = ipa.tweek
>
>On Fri, Jul 10, 2015 at 12:29 PM, Alexander Bokovoy <abokovoy at redhat.com>
>wrote:
>
>> On Fri, 10 Jul 2015, Angelo Pantano wrote:
>>
>>> I have a freeipa server trusting an active directory domain, if I ssh to
>>> the ipa server everything works, but if I try to ssh on an ipa client the
>>> authentication fails.
>>>
>>> I noticed on the server that the wbinfo -n 'AD\Domain Users' is failing:
>>>
>>> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>>>
>>> Also in the logs I see:
>>>
>>> log.winbindd-dc-connect:  get_sorted_dc_list: attempting lookup for name
>>> ad.local (sitename NULL)
>>>
>>> everything else works though, I can getent users and groups just fine.
>>>
>>> Can you please help me?
>>>
>> We don't use wbinfo and don't recommend it with FreeIPA AD trusts -- at
>> least with Fedora 18+ and RHEL7+. When your FreeIPA server is deployed
>> on those platforms, SSSD is used to resolve users, not winbindd.
>> Winbindd is only used to manage forest topology.
>>
>>
>>
>> --
>> / Alexander Bokovoy
>>



-- 
/ Alexander Bokovoy
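The check below is an added example, not code from the thread, FreeIPA or SSSD. It parses a client krb5.conf shaped like the one posted above (the sample is constructed to match it), reports every non-default realm stanza that hard-codes servers, since MIT krb5 only falls back to DNS SRV lookup for a realm that lists no servers, so such a stanza overrides discovery even with dns_lookup_kdc = true, flags servers whose DNS name is outside the realm's own domain (my own heuristic; here the AD realm's KDC is the IPA host, which has no AD principals), and emits the corrected file with that stanza removed. Function names and the heuristic are mine.

```python
"""Spot krb5.conf realm stanzas that override DNS SRV discovery and emit the
corrected file. Added example; not FreeIPA or SSSD code."""
import re

# Constructed sample, modelled on the client krb5.conf posted in the thread.
SAMPLE_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.TWEEK
  dns_lookup_realm = true
  dns_lookup_kdc = true

[realms]
  IPA.TWEEK = {
    kdc = centos.ipa.tweek:88
    admin_server = centos.ipa.tweek:749
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
  AD.TWEEK = {
    kdc = centos.ipa.tweek:88
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .ipa.tweek = IPA.TWEEK
  ipa.tweek = IPA.TWEEK
  .ad.tweek = AD.TWEEK
  ad.tweek = AD.TWEEK
"""

# Realm-stanza keys that pin servers and thereby bypass SRV lookup.
SERVER_KEYS = ("kdc", "master_kdc", "admin_server", "kpasswd_server")


def parse_krb5_conf(text):
    """Minimal parser: [sections], key = value (values kept as lists because
    keys such as auth_to_local may repeat) and nested { } groups. Lines before
    the first section (includedir) and comments are ignored."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
        elif not line or not stack:
            continue
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif re.match(r"^[^=\s]+\s*=\s*\{$", line):
            stack.append(stack[-1].setdefault(line.split("=")[0].strip(), {}))
        else:
            m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
            if m:
                stack[-1].setdefault(m.group(1), []).append(m.group(2).strip())
    return conf


def find_kdc_overrides(conf):
    """Non-default realms with hard-coded servers. MIT krb5 only consults DNS
    SRV records for a realm that lists no servers, so such a stanza defeats
    dns_lookup_kdc = true. 'foreign_hosts' is my own heuristic (assumption):
    servers whose DNS name is not under the realm's own domain."""
    default_realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    findings = []
    for realm, settings in conf.get("realms", {}).items():
        explicit = {k: settings[k] for k in SERVER_KEYS if k in settings}
        if realm == default_realm or not explicit:
            continue
        hosts = {v.split(":", 1)[0].lower() for vs in explicit.values() for v in vs}
        suffix = "." + realm.lower()
        foreign = sorted(h for h in hosts if h != realm.lower() and not h.endswith(suffix))
        findings.append({"realm": realm, "explicit": explicit, "foreign_hosts": foreign})
    return findings


def strip_realm_stanza(text, realm):
    """Return the config with that [realms] stanza removed. The [domain_realm]
    mapping stays, so the realm is still located via DNS SRV records."""
    out, in_realms, depth = [], False, 0
    opener = re.compile(r"^" + re.escape(realm) + r"\s*=\s*\{$")
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"^\[\w+\]$", line):
            in_realms = line == "[realms]"
        if depth == 0 and in_realms and opener.match(line):
            depth = 1          # start skipping at the stanza opener
            continue
        if depth > 0:          # skip until the matching closing brace
            depth += line.count("{") - line.count("}")
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in find_kdc_overrides(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print(f"{f['realm']}: hard-coded {f['explicit']}, outside realm domain: {f['foreign_hosts']}")
        print(strip_realm_stanza(SAMPLE_KRB5_CONF, f["realm"]))
```

To run it against a real client, read /etc/krb5.conf into `parse_krb5_conf` instead of the sample. After removing the stanza, `kinit someuser@AD.TWEEK` should locate the AD KDC through the `_kerberos._tcp.ad.tweek` SRV record rather than the IPA server, so the "Client not found in Kerberos database" answer from the IPA KDC no longer occurs for AD principals.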



