[Freeipa-users] Filter/Block/Limit Interaction with Multiple Domain Controllers
Alexander Bokovoy
abokovoy at redhat.com
Tue Mar 10 14:50:38 UTC 2015
On Tue, 10 Mar 2015, Traiano Welcome wrote:
>Hi Alexander
>
>
>On Tue, Mar 10, 2015 at 12:08 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>> On Tue, 10 Mar 2015, Traiano Welcome wrote:
>>>
>>> However, I'm still not able to authenticate via the ssh->sssd path (I
>>> cn get kerberos tickets for ad users via cli though), so I think that
>>> incorrect dc discovery is not really the issue here. Instead, it seem
>>> the ldap query against the discovered AD domain controller is failing
>>> with some kid of policy related error:
>>>
>>> Here's a snippet what we're seeing in the IPA master sssd logs during
>>> an a client connection attempt:
>>>
>>> ---
>>> .
>>> .
>>> .
>>> (Tue Mar 10 09:48:05 2015) [sssd[be[idmdc2.com]]] [sasl_bind_send]
>>> (0x0100): Executing sasl bind mech: gssapi, user:
>>> host/lolospr-idm-mstr.idmdc2.com
>>> (Tue Mar 10 09:48:06 2015) [sssd[be[idmdc2.com]]] [sasl_bind_send]
>>> (0x0020): ldap_sasl_bind failed (-2)[Local error]
>>> (Tue Mar 10 09:48:06 2015) [sssd[be[idmdc2.com]]] [sasl_bind_send]
>>> (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI
>>> Error: Unspecified GSS failure. Minor code may provide more
>>> information (KDC policy rejects request)]
>>
>> When AD says "KDC policy rejects request" it means that trust is not
>> working well -- AD DC was unable to complete trust validation when it
>> was established. See another emails around the trust last week or so,
>> they have details on how to debug this.
>
>This is probably the case, however, I'd like to drill down further to
>see exactly what part of the trust is broken, because it seems the
>trust was established without error (using "ipa trust-add"), and I
>seem to be able to get trust information with " ipa trust-show":
In FreeIPA 3.3 we don't check the error code of validation process. We
do in FreeIPA 4.1 so you need to use debug info in
/var/log/httpd/error_log to find out -- like I wrote in other threads.
>
>Re-adding the trusts:
>
>---
>[root at loldc2-idm-mstr ~]# ipa trust-add --type=ad lol.com --admin
>admin --password
>Active directory domain administrator's password:
>------------------------------------------
>Re-established trust to domain "lol.com"
>------------------------------------------
> Realm name: lol.com
> Domain NetBIOS name: LOL
> Domain Security Identifier: S-1-5-21-4090660947-345563186-3527492641
> SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
>S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,
> S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
> SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
>S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,
> S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
> Trust direction: Two-way trust
> Trust type: Active Directory domain
> Trust status: Established and verified
>[root at loldc2-idm-mstr ~]#
>---
>
>
>Using trust show:
>
>---
>[root at loldc2-idm-mstr sssd]# ipa trust-show
>Realm name: LOL.COM
> Realm name: lol.com
> Domain NetBIOS name: LOL
> Domain Security Identifier: S-1-5-21-4090660947-345563186-3527492641
> Trust direction: Two-way trust
> Trust type: Active Directory domain
>---
>
>I can see that not all is well with the trusts because when I test
>with wbinfo, I get this:
>
>---
>[root at loldc2-idm-mstr ~]# wbinfo --verbose -n 'LOL\Domain Admins'
>failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>Could not lookup name LOL\Domain Admins
>---
>
>Looking at the samba logs with debug turned up, I get something
>potentially enlightening in the message "NT_STATUS_ACCESS_DENIED" ...
>However, the question is to pinpoint if this is due to an AD-side
>policy issue, or due to some weirdness on the IPA end of things:
>
>
>---
>.
>.
>.
>
>[2015/03/10 17:02:46.934072, 3, pid=6917, effective(0, 0), real(0, 0),
>class=winbind]
>../source3/winbindd/winbindd_lookupname.c:69(winbindd_lookupname_send)
> lookupname LOL\Domain Admins
>[2015/03/10 17:02:46.934190, 1, pid=6917, effective(0, 0), real(0, 0)]
>../librpc/ndr/ndr.c:333(ndr_print_function_debug)
> wbint_LookupName: struct wbint_LookupName
> in: struct wbint_LookupName
> domain : *
> domain : 'LOL'
> name : *
> name : 'DOMAIN ADMINS'
> flags : 0x00000000 (0)
>[2015/03/10 17:02:46.934532, 50, pid=6917, effective(0, 0), real(0, 0)]
>../lib/util/tevent_debug.c:63(samba_tevent_debug)
> samba_tevent: Schedule immediate event "tevent_req_trigger": 0x7facefb10430
>[2015/03/10 17:02:46.934696, 50, pid=6917, effective(0, 0), real(0, 0)]
>../lib/util/tevent_debug.c:63(samba_tevent_debug)
> samba_tevent: Run immediate event "tevent_req_trigger": 0x7facefb10430
>[2015/03/10 17:02:46.934812, 1, pid=6917, effective(0, 0), real(0, 0)]
>../librpc/ndr/ndr.c:333(ndr_print_function_debug)
> wbint_LookupName: struct wbint_LookupName
> out: struct wbint_LookupName
> type : *
> type : SID_NAME_USE_NONE (0)
> sid : *
> sid : S-0-0
> result : NT_STATUS_ACCESS_DENIED
>[2015/03/10 17:02:46.935174, 5, pid=6917, effective(0, 0), real(0, 0),
>class=winbind]
>../source3/winbindd/winbindd_lookupname.c:104(winbindd_lookupname_recv)
> Could not convert sid S-0-0: NT_STATUS_ACCESS_DENIED
>[2015/03/10 17:02:46.935281, 10, pid=6917, effective(0, 0), real(0, 0),
>class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
> wb_request_done[8382:LOOKUPNAME]: NT_STATUS_ACCESS_DENIED
>
>---
>
>
>(I can also kinit directly from the cli on the master using an AD user
>and get a ticker from the Active Directory kdc, which is confusing
>because it implies trust relationship working !):
>
>---
>
>[root at loldc2-idm-mstr samba]# kinit traiano at LOL.COM
>Password for traiano at LOL.COM:
>[root at loldc2-idm-mstr samba]#
>[root at loldc2-idm-mstr samba]# klist
>Ticket cache: KEYRING:persistent:0:krb_ccache_Hrq3EtZ
>Default principal: traiano at LOL.COM
>
>Valid starting Expires Service principal
>03/10/2015 17:21:49 03/11/2015 03:21:49 krbtgt/LOL.COM at LOL.COM
> renew until 03/11/2015 17:21:45
>[root at loldc2-idm-mstr samba]#
>
>---
>
>So the question is: Are there further diagnostics I can do to drill
>down further into how/where trust is broken, and what the
>NT_STATUS_ACCESS_DENIED from the dc is being triggered in response to?
Follow the procedure in
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
and see logs in error_log.
--
/ Alexander Bokovoy
More information about the Freeipa-users
mailing list