[Freeipa-users] New Trust - AD id's not resolving

Gould, Joshua Joshua.Gould at osumc.edu
Fri Mar 13 20:19:23 UTC 2015


I followed the directions from https://access.redhat.com/solutions/1354543
pretty much to the letter.

Everything was successful and seems to work well aside from the last step
of trying to resolve an AD user with the ID command on an IPA client.

[gould@mid-ipa-vp02 ~]$ id farus@test.osuwmc
id: farus@test.osuwmc: no such user

I enabled debugging in sssd. Here's what I saw in the lookup for "id
farus@test.osuwmc". It looks like the AD is returning no match when the
account exists.

(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[be_get_account_info] (0x0200): Got request for [0x1001][1][name=farus]
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[ipa_idmap_check_posix_child] (0x0080): No forest available for domain
[S-1-5-21-226267946-722566613-1883572810].
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[ipa_idmap_get_ranges_from_sysdb] (0x0040): ipa_idmap_check_posix_child
failed.
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new
domain for sid [S-1-5-21-226267946-722566613-1883572810]
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'test.osuwmc'
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is resolved
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[be_resolve_server_process] (0x0200): Found address for server
svr-addc-vt02.test.osuwmc: [10.80.5.240] TTL 3600
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility
level to [4]
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'test.osuwmc'
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is resolved
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[be_resolve_server_process] (0x0200): Found address for server
svr-addc-vt02.test.osuwmc: [10.80.5.240] TTL 3600
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[child_sig_handler] (0x0100): child [4587] finished successfully.
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_cli_auth_step] (0x0100): expire timeout is 900
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [sasl_bind_send]
(0x0100): Executing sasl bind mech: gssapi, user:
host/mid-ipa-vp01.unix.test.osuwmc
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[fo_set_port_status] (0x0100): Marking port 389 of server
'svr-addc-vt02.test.osuwmc' as 'working'
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[set_server_common_status] (0x0100): Marking server
'svr-addc-vt02.test.osuwmc' as 'working'
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_get_users_done] (0x0040): Failed to retrieve users
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[ipa_get_ad_acct_ad_part_done] (0x0080): Object not found, ending request
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success

The trust looks good.

[gould@mid-ipa-vp01 ~]$ kinit admin
Password for admin@UNIX.TEST.OSUWMC:
[gould@mid-ipa-vp01 ~]$ ipa trust-show
Realm name: TEST.OSUWMC
  Realm name: test.osuwmc
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX
  Trust direction: Two-way trust
  Trust type: Active Directory domain
[gould@mid-ipa-vp01 ~]$


Any idea why it can't find the match?

Also, we're curious why it tries to resolve POSIX when we added the trust
with --range-type=ipa-ad-trust and not --range-type=ipa-ad-trust-posix.

Other question is how do you set or default to a one-way trust when
installing instead of a two-way? We know how to modify the trust in IPA
and AD, but are a bit leery since we're not sure what all might break or
if we're modifying all that truly needs to be modified in IPA.


  Joshua
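The debug excerpt in the message above is typical of how a failed trusted-user lookup appears in sssd: a few high-volume function-data (0x0200) and config (0x0100) lines surround the two entries that actually matter, the minor failure (0x0080) from ipa_idmap_check_posix_child and the serious failure (0x0040) from sdap_get_users_done. As an added example that is not part of the original post, and not code from sssd or FreeIPA, here is a small Python triage script that joins the line-wrapped entries back together, decodes the sssd debug-level bitmask, and lists the failing steps and the SIDs they mention. The sample log embedded in it is constructed from the lines quoted in the post.

```python
"""Triage helper for sssd debug logs (added example, not from the post above).

Joins wrapped entries, decodes the debug-level bitmask and pulls out the
failing steps of a lookup so they stand out from the function-data noise.
"""
import re

# Constructed sample, modelled on the wrapped lines pasted in the post.
SAMPLE_LOG = """\
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[be_get_account_info] (0x0200): Got request for [0x1001][1][name=farus]
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[ipa_idmap_check_posix_child] (0x0080): No forest available for domain
[S-1-5-21-226267946-722566613-1883572810].
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[ipa_idmap_get_ranges_from_sysdb] (0x0040): ipa_idmap_check_posix_child
failed.
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_get_users_done] (0x0040): Failed to retrieve users
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
"""

# sssd debug level bits as documented for the debug_level option.
LEVEL_NAMES = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor",
    0x0100: "config", 0x0200: "funcdata", 0x0400: "trace-func",
    0x1000: "trace-libs", 0x2000: "trace-internal", 0x4000: "trace-all",
}
FAILURE_LEVELS = frozenset({0x0010, 0x0020, 0x0040, 0x0080})

# An entry starts with a "(Day Mon dd hh:mm:ss yyyy)" stamp; anything else is
# a continuation of the previous entry that the mail client wrapped.
ENTRY_START = re.compile(r"^\(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}\)")
ENTRY = re.compile(
    r"^\((?P<ts>[^)]+)\)\s+\[(?P<component>sssd\[\S*)\]\s+"
    r"\[(?P<function>[^\]\s]+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$"
)
SID = re.compile(r"S-1-5-21(?:-\d+)+")


def join_wrapped(text):
    """Re-join entries that were wrapped across several physical lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse_sssd_log(text):
    """Return one dict per entry: ts, component, function, level, level_name, msg."""
    parsed = []
    for line in join_wrapped(text):
        m = ENTRY.match(line)
        if not m:
            continue  # not an sssd debug entry (e.g. stray text); skip it
        level = int(m.group("level"), 16)
        parsed.append({
            "ts": m.group("ts"),
            "component": m.group("component"),
            "function": m.group("function"),
            "level": level,
            "level_name": LEVEL_NAMES.get(level, hex(level)),
            "msg": m.group("msg"),
        })
    return parsed


def failing_steps(entries):
    """Entries logged at a failure level (fatal/critical/serious/minor)."""
    return [e for e in entries if e["level"] in FAILURE_LEVELS]


def sids_mentioned(entries):
    """Domain SIDs that appear in any message, for checking against ipa idrange-find."""
    return sorted({sid for e in entries for sid in SID.findall(e["msg"])})


def summarize(text):
    """Condense a lookup's debug output into the request, the failures and the outcome."""
    entries = parse_sssd_log(text)
    return {
        "entries": len(entries),
        "request": next((e["msg"] for e in entries
                         if e["function"] == "be_get_account_info"), None),
        "failures": [(e["level_name"], e["function"], e["msg"])
                     for e in failing_steps(entries)],
        "sids": sids_mentioned(entries),
        "result": next((e["msg"] for e in reversed(entries)
                        if e["function"] == "acctinfo_callback"), None),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['entries']} entries; request: {s['request']}")
    for level, func, msg in s["failures"]:
        print(f"  [{level:7}] {func}: {msg}")
    print("SIDs seen:", ", ".join(s["sids"]))
    print("outcome:", s["result"])
```

Run it against a real `/var/log/sssd/sssd_<domain>.log` captured with debug_level raised; the SIDs it extracts are the ones to compare against the output of `ipa idrange-find` and `ipa trust-show` when, as in the post, the lookup fails with "No forest available for domain" before any LDAP query is sent to the AD DC.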
