[Freeipa-users] New Trust - AD id's not resolving

Dmitri Pal dpal at redhat.com
Fri Mar 13 20:49:14 UTC 2015


On 03/13/2015 04:19 PM, Gould, Joshua wrote:
> I followed the directions from https://access.redhat.com/solutions/1354543
> pretty much to the letter.
>
> Everything was successful and seems to work well aside from the last step
> of trying to resolve an AD user with the ID command on an IPA client.
>
> [gould at mid-ipa-vp02 ~]$ id farus at test.osuwmc
> id: farus at test.osuwmc: no such user
>
> I enabled debugging in sssd. Here's what I saw in the lookup for "id
> farus at test.osuwmc". It looks like the AD is returning no match when the
> account exists.
>
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
> [be_get_account_info] (0x0200): Got request for [0x1001][1][name=farus]
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
> [ipa_idmap_check_posix_child] (0x0080): No forest available for domain
> [S-1-5-21-226267946-722566613-1883572810].
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
> [ipa_idmap_get_ranges_from_sysdb] (0x0040): ipa_idmap_check_posix_child
> failed.
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new
> domain for sid [S-1-5-21-226267946-722566613-1883572810]
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
> [fo_resolve_service_send] (0x0100): Trying to resolve service 'test.osuwmc'
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [resolve_srv_send]
> (0x0200): The status of SRV lookup is resolved
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
> [be_resolve_server_process] (0x0200): Found address for server
> svr-addc-vt02.test.osuwmc: [10.80.5.240] TTL 3600
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
> [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility
> level to [4]
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
> [fo_resolve_service_send] (0x0100): Trying to resolve service 'test.osuwmc'
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [resolve_srv_send]
> (0x0200): The status of SRV lookup is resolved
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
> [be_resolve_server_process] (0x0200): Found address for server
> svr-addc-vt02.test.osuwmc: [10.80.5.240] TTL 3600
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
> [child_sig_handler] (0x0100): child [4587] finished successfully.
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
> [sdap_cli_auth_step] (0x0100): expire timeout is 900
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [sasl_bind_send]
> (0x0100): Executing sasl bind mech: gssapi, user:
> host/mid-ipa-vp01.unix.test.osuwmc
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
> [fo_set_port_status] (0x0100): Marking port 389 of server
> 'svr-addc-vt02.test.osuwmc' as 'working'
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
> [set_server_common_status] (0x0100): Marking server
> 'svr-addc-vt02.test.osuwmc' as 'working'
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
> [sdap_get_users_done] (0x0040): Failed to retrieve users
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
> [ipa_get_ad_acct_ad_part_done] (0x0080): Object not found, ending request
> (Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
> [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
>
> The trust looks good.
>
> [gould at mid-ipa-vp01 ~]$ kinit admin
> Password for admin at UNIX.TEST.OSUWMC:
> [gould at mid-ipa-vp01 ~]$ ipa trust-show
> Realm name: TEST.OSUWMC
>    Realm name: test.osuwmc
>    Domain NetBIOS name: TEST
>    Domain Security Identifier: S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX
>    Trust direction: Two-way trust
>    Trust type: Active Directory domain
> [gould at mid-ipa-vp01 ~]$
>
>
> Any idea why it can't find the match?
>
> Also, we're curious why it tries to resolve POSIX when we added the trust
> with --range-type=ipa-ad-trust and not --range-type=ipa-ad-trust-posix.

I would leave it to the AD trust gurus to reply to the above.

Here are the upstream pointers; maybe there is something there that will give 
you a hint:
http://www.freeipa.org/page/Active_Directory_trust_setup

>
> Other question is how do you set or default to a one way trust when
> installing instead of a two way? We know how to modify the trust in IPA
> and AD, but are a bit leery since we're not sure what all might break or
> if we're modifying all that truly needs to be modified in IPA.

There is no way to turn the trust off in the current version; however, 
there is no harm in that, because IPA users would not be authorized to do 
anything in the AD domain. They can authenticate but cannot really do 
anything with any AD resources, because those would try to get the user 
resolved to a SID to check the ACLs, and IPA does not have global catalog 
support yet to respond to those queries.

We are working to make one way trusts possible before providing global 
catalog service in IPA.

>
>    Joshua

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
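An added example, not from the thread or from the SSSD/FreeIPA projects: a small Python parser for sssd debug entries in the format quoted above. It re-joins entries that the mail client wrapped across lines and pulls out the requested name, the SID for which ipa_idmap_check_posix_child reported no forest, and whether the AD user search then came back empty. The sample log is constructed from a few of the quoted lines.

```python
import re

# Constructed sample shaped like the sssd debug lines quoted in the thread;
# the mail client wrapped each entry over two or three lines.
SAMPLE_LOG = """\
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[be_get_account_info] (0x0200): Got request for [0x1001][1][name=farus]
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[ipa_idmap_check_posix_child] (0x0080): No forest available for domain
[S-1-5-21-226267946-722566613-1883572810].
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_get_users_done] (0x0040): Failed to retrieve users
"""

# One entry: (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
ENTRY_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\]\s*"
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
NO_FOREST_RE = re.compile(r"No forest available for domain \[(S-\d+(?:-\d+)+)\]")

def parse_sssd_log(text):
    """Re-join wrapped entries (a new entry starts with '(') and parse each."""
    raw, buf = [], []
    for line in text.splitlines():
        if line.startswith("(") and buf:
            raw.append(" ".join(buf))
            buf = []
        if line.strip():
            buf.append(line.strip())
    raw.append(" ".join(buf))
    # level is sssd's debug-level bitmask (0x0080 = minor failure)
    return [{**m.groupdict(), "level": int(m["level"], 16)}
            for m in map(ENTRY_RE.match, raw) if m]

def diagnose(text):
    """Requested name, SIDs with no known forest/ID range, and whether the AD search failed."""
    entries = parse_sssd_log(text)
    requested, unmapped = None, []
    for e in entries:
        if e["func"] == "be_get_account_info":
            m = re.search(r"name=([^\]]+)", e["msg"])
            requested = m.group(1) if m else requested
        m = NO_FOREST_RE.search(e["msg"])
        if e["func"] == "ipa_idmap_check_posix_child" and m:
            unmapped.append(m.group(1))
    lookup_failed = any(e["func"] == "sdap_get_users_done" and "Failed" in e["msg"]
                        for e in entries)
    return {"requested": requested, "unmapped_sids": unmapped,
            "lookup_failed": lookup_failed}
```

Run it over a full sssd domain log (with debug_level raised as in the thread) to confirm whether every failed "id" lookup shares the same unmapped SID.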