[Freeipa-users] wbinfo cannot pull Active Directory domain users
Alexander Bokovoy
abokovoy at redhat.com
Fri Jul 10 21:04:13 UTC 2015
On Fri, 10 Jul 2015, Angelo Pantano wrote:
>I removed the stanza, but anyway I found one problem was the DNS. I needed
>to setup the nameserver in resolv.conf with the ip of the ipa server. I can
>kinit now but ssh is still failing, connection gets closed instead of
>letting me in:
>
>secure.log says:
>
>Jul 10 13:19:01 ip-10-237-186-172 sshd[5581]: pam_unix(sshd:auth):
>authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>rhost=10.61.205.107 user=apantano at ad.tweek
>Jul 10 13:19:02 ip-10-237-186-172 sshd[5581]: pam_sss(sshd:auth):
>authentication success; logname= uid=0 euid=0 tty=ssh ruser=
>rhost=10.61.205.107 user=apantano at ad.tweek
>Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: pam_ldap: ldap_starttls_s:
>Can't contact LDAP server
>Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: Failed password for
>apantano at ad.tweek from 10.61.205.107 port 61833 ssh2
>Jul 10 13:19:22 ip-10-237-186-172 sshd[5581]: fatal: Access denied for user
>apantano at ad.tweek by PAM account configuration [preauth]
>
>That's odd in so many ways, I got both a failure from pam_unix and a
>success from pam_sss...
That's how it should be, it is a _stack_ of authentication modules.
pam_unix doesn't know anything beyond /etc/passwd and /etc/shadow.
I don't understand *why* you have pam_ldap configured. You only need
pam_sss; remove pam_ldap, this is definitely not a default
configuration.
>
>
>On Fri, Jul 10, 2015 at 12:50 PM, Alexander Bokovoy <abokovoy at redhat.com>
>wrote:
>
>> On Fri, 10 Jul 2015, Angelo Pantano wrote:
>>
>>> I am using sssd and from ipa clients the authentication is not working
>>> (works fine if I ssh on the ipa-server). I thought it could be due to the
>>> external groups being empty and not mapping the AD users.
>>>
>>> Anyway this is the krb5.conf on the ipa client:
>>>
>>> #File modified by ipa-client-install
>>>
>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>
>>> [libdefaults]
>>> default_realm = IPA.TWEEK
>>> dns_lookup_realm = true
>>> dns_lookup_kdc = true
>>> rdns = false
>>> ticket_lifetime = 24h
>>> forwardable = yes
>>> udp_preference_limit = 0
>>> default_ccache_name = KEYRING:persistent:%{uid}
>>>
>>> [realms]
>>> IPA.TWEEK = {
>>> kdc = centos.ipa.tweek:88
>>> master_kdc = centos.ipa.tweek:88
>>> admin_server = centos.ipa.tweek:749
>>> default_domain = ipa.tweek
>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> auth_to_local = RULE:[1:$1@$0](^.*@AD.TWEEK$)s/@AD.TWEEK/@ad.tweek/
>>> auth_to_local = DEFAULT
>>> }
>>> AD.TWEEK = {
>>> kdc = centos.ipa.tweek:88
>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> }
>>>
>> Why did you override AD.TWEEK KDC to point to FreeIPA?
>>
>> Remove AD.TWEEK stanza completely. You have 'dns_lookup_realm' and
>> 'dns_lookup_kdc' to allow automatic discovery via DNS SRV records.
>>
>>
>>
>>> [domain_realm]
>>> .ipa.tweek = IPA.TWEEK
>>> ipa.tweek = IPA.TWEEK
>>> .ad.tweek = AD.TWEEK
>>> ad.tweek = AD.TWEEK
>>>
>>>
>>> and this is the error I see in krb5_child.log
>>>
>>> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [main] (0x0400):
>>> Will perform online auth
>>> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt]
>>> (0x0400): Attempting kinit for realm [AD.TWEEK]
>>> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt]
>>> (0x0020): 996: [-1765328378][Client 'freeipa at AD.TWEEK' not found in
>>> Kerberos database]
>>> (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [map_krb5_error]
>>> (0x0020): 1065: [-1765328378][Client 'freeipa at AD.TWEEK' not found in
>>> Kerberos database]
>>>
>>>
>>> also
>>>
>>> # kinit freeipa at AD.TWEEK
>>> kinit: Cannot find KDC for realm "AD.TWEEK" while getting initial
>>> credentials
>>>
>>> any idea what's the problem? It seems kerberos cannot find users in the AD
>>> subdomain
>>>
>>>
>>> this is my sssd.conf
>>>
>>> [domain/ipa.tweek]
>>> debug_level = 6
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> ipa_domain = ipa.tweek
>>> id_provider = ipa
>>> auth_provider = ipa
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> ipa_hostname = someaddress_here
>>> chpass_provider = ipa
>>> ipa_server = _srv_, centos.ipa.tweek
>>> dns_discovery_domain = ipa.tweek
>>> cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=tweek
>>> subdomains_provider = ipa
>>> [sssd]
>>> services = nss, pam, pac, ssh
>>> config_file_version = 2
>>> debud_level = 6
>>> domains = ipa.tweek
>>>
>>> On Fri, Jul 10, 2015 at 12:29 PM, Alexander Bokovoy <abokovoy at redhat.com>
>>> wrote:
>>>
>>>> On Fri, 10 Jul 2015, Angelo Pantano wrote:
>>>>>
>>>>> I have a freeipa server trusting an active directory domain, if I ssh to
>>>>> the ipa server everything works, but if I try to ssh on an ipa client
>>>>> the authentication fails.
>>>>>
>>>>> I noticed on the server that the wbinfo -n 'AD\Domain Users' is failing:
>>>>>
>>>>> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>
>>>>> Also in the logs I see:
>>>>>
>>>>> log.winbindd-dc-connect: get_sorted_dc_list: attempting lookup for name
>>>>> ad.local (sitename NULL)
>>>>>
>>>>> everything else works though, I can getent users and group just fine.
>>>>>
>>>>> Can you please help me?
>>>>>
>>>> We don't use wbinfo and don't recommend it with FreeIPA AD trusts -- at
>>>> least with Fedora 18+ and RHEL7+. When your FreeIPA server is deployed
>>>> on those platforms, SSSD is used to resolve users, not winbindd.
>>>> Winbindd is only used to manage forest topology.
>>>>
>>>>
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>>
>>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>>
>> --
>> / Alexander Bokovoy
>>
--
/ Alexander Bokovoy
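Alexander's point that PAM is a stack explains the secure.log lines above. The following is an added example, not code from the thread or from FreeIPA/SSSD: a small simulator of the classic PAM control keywords, run over a constructed RHEL-style stack that has a hand-added pam_ldap line, with module outcomes assumed to match the log (pam_unix fails for an AD user, pam_sss succeeds, pam_ldap cannot reach its server).

```python
# Added example (not from the thread): a minimal simulator of PAM control
# flags showing why "pam_unix failure, pam_sss success" is normal for an AD
# user, and why a stray pam_ldap line in the account phase denies the login.
SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"
# Constructed RHEL-style system-auth stack with a hand-added pam_ldap line.
STACK = """
auth     required   pam_env.so
auth     sufficient pam_unix.so try_first_pass
auth     sufficient pam_sss.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so
account  required   pam_ldap.so
account  sufficient pam_sss.so
account  required   pam_permit.so
"""
def parse_stack(text):
    """Return [(phase, control, module)] for each non-empty config line."""
    return [tuple(line.split()[:3]) for line in text.strip().splitlines()]

def run_phase(rows, phase, outcomes):
    """Evaluate one phase. outcomes maps module -> SUCCESS/FAIL; unlisted
    modules IGNORE, except pam_deny.so (FAIL) and pam_permit.so (SUCCESS)."""
    builtin = {"pam_deny.so": FAIL, "pam_permit.so": SUCCESS}
    failed = decided = False
    for ph, control, module in rows:
        if ph != phase:
            continue
        result = outcomes.get(module, builtin.get(module, IGNORE))
        if result == IGNORE or control == "optional":   # optional simplified away
            continue
        decided = True
        if control == "requisite" and result == FAIL:
            return FAIL        # hard stop: nothing below runs
        if control == "required" and result == FAIL:
            failed = True      # remembered; the rest of the stack still runs
        elif control == "sufficient" and result == SUCCESS and not failed:
            return SUCCESS     # short-circuit: later lines are skipped
    return SUCCESS if decided and not failed else FAIL

def login_decision(rows, auth_outcomes, account_outcomes):
    """sshd needs both phases to pass; returns (auth_result, account_result)."""
    return (run_phase(rows, "auth", auth_outcomes),
            run_phase(rows, "account", account_outcomes))

if __name__ == "__main__":
    rows = parse_stack(STACK)
    auth = {"pam_unix.so": FAIL, "pam_sss.so": SUCCESS}   # AD user absent from /etc/passwd
    acct = {"pam_unix.so": SUCCESS, "pam_sss.so": SUCCESS, "pam_ldap.so": FAIL}  # LDAP unreachable
    print(login_decision(rows, auth, acct))                # ('success', 'fail')
    print(login_decision([r for r in rows if r[2] != "pam_ldap.so"], auth, acct))  # ('success', 'success')
```

The auth phase passes because pam_sss is `sufficient` and no `required` module has failed before it; the account phase is denied only because the `required` pam_ldap line fails, and dropping that line, as the reply advises, lets the same user in.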