[Freeipa-users] AD trust relationship is established, but IPA cannot see AD users

Alexander Bokovoy abokovoy at redhat.com
Mon Mar 2 20:17:24 UTC 2015 

On Mon, 02 Mar 2015, Guertin, David S. wrote:
>I'm trying to set up a trust relationship between IPA and our Active
>Directory environment so that our AD users can log in to our Linux
>machines. The two-way trust relationship appears to be set up
>correctly, with no errors reported, and everything looking normal in
>the GUI and the CLI. For example:
>
>
># klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: admin at CSNS.MIDDLEBURY.EDU
>
>Valid starting     Expires            Service principal
>03/02/15 10:13:40  03/03/15 10:13:10  krbtgt/CSNS.MIDDLEBURY.EDU at CSNS.MIDDLEBURY.EDU
>03/02/15 10:15:13  03/03/15 10:13:10  host/ipa1.csns.middlebury.edu at CSNS.MIDDLEBURY.EDU
>03/02/15 10:15:35  03/03/15 10:13:10  krbtgt/MIDDLEBURY.EDU at CSNS.MIDDLEBURY.EDU
>03/02/15 10:15:46  03/02/15 20:15:46  host/ad1.middlebury.edu at MIDDLEBURY.EDU
>03/02/15 10:56:55  03/03/15 10:13:10  HTTP/ipa1.csns.middlebury.edu at CSNS.MIDDLEBURY.EDU
>
>In this case, middlebury.edu is our AD domain, and csns.middlebury.edu
>is our new IPA domain, set up as a subdomain.
>
>
>I have created IPA and AD groups for AD users, and set them up
>according the documentation:
>
>
>ipa group-add --desc='AD users external map' ad_users_external --external
>
>ipa group-add --desc='AD users' ad_users
>
>ipa group-add-member ad_users_external --external "<AD DOMAIN>\IPA group"
>
>ipa group-add-member ad_users --groups ad_users_external
>
>
>So now the AD group "IPA group" is a member of the IPA group
>ad_users_external , which is in turn a member of ad_users.
>
>
>I would expect that any AD users I put into the group "IPA group"
>should show up as valid users in IPA, but they don't. And when I try to
>add an AD user directly into the ad_users_external group, it is added
>without error (and the correct SID shows up), but the user still can't
>log in.
Lets separate issues.

1. Adding AD user to "IPA group" in AD.
   Did you re-login as that user on Windows side and then tried to logon
   to IPA server?

2. What do SSSD logs say about the login attempt? You need to set
   debug_level = 10 in [domain/..], [nss] and [pam] sections of
   /etc/sssd/sssd.conf and restart sssd. 

>And if root tries to su to the user, it also fails:
>
>su: user testuser does not exist
>
>
>I would expect the user to show up. What have I missed?
If 'su' says that user does not exist, it means SSSD does not see the
user as existing. There may be multiple reasons for that, sssd logs
should tell exactly what has happened. You can try 'id testuser' to
reduce use case for sssd logs.

-- 
/ Alexander Bokovoy

More information about the Freeipa-users mailing list