[Freeipa-users] Only one AD user can able to login to IPA server
Ben .T.George
bentech4you at gmail.com
Tue Mar 17 10:06:43 UTC 2015
Another thing I notice is:
[root at kwtpocpbis01 ~]# kinit admin
Password for admin at SOLARIS.LOCAL:
[root at kwtpocpbis01 ~]# ipa trust-fetch-domains infra.com
ipa: DEBUG: importing all plugin modules in
'/usr/lib/python2.7/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/idviews.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/otpconfig.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken_yubikey.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: Starting external process
ipa: DEBUG: args='klist' '-V'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=Kerberos 5 version 1.12.2
ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/radiusproxy.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/realmdomains.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/rpcclient.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'search' '@s' 'user'
'ipa_session_cookie:admin at SOLARIS.LOCAL'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=35095713
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'pipe' '35095713'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;
Domain=kwtpocpbis01.solaris.local; Path=/ipa; Expires=Tue, 17 Mar 2015
10:23:58 GMT; Secure; HttpOnly
ipa: DEBUG: stderr=
ipa: DEBUG: found session_cookie in persistent storage for principal
'admin at SOLARIS.LOCAL', cookie:
'ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;
Domain=kwtpocpbis01.solaris.local; Path=/ipa; Expires=Tue, 17 Mar 2015
10:23:58 GMT; Secure; HttpOnly'
ipa: DEBUG: setting session_cookie into context
'ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;'
ipa: INFO: trying https://kwtpocpbis01.solaris.local/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient
ipa: DEBUG: raw: trust_fetch_domains(u'infra.com', rights=False, all=False,
raw=False, version=u'2.113')
ipa: DEBUG: trust_fetch_domains(u'infra.com', rights=False, all=False,
raw=False, version=u'2.113')
ipa: INFO: Forwarding 'trust_fetch_domains' to json server '
https://kwtpocpbis01.solaris.local/ipa/session/json'
ipa: DEBUG: NSSConnection init kwtpocpbis01.solaris.local
ipa: DEBUG: Connecting: 172.16.107.244:0
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
Version: 3 (0x2)
Serial Number: 9 (0x9)
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Certificate Authority,O=SOLARIS.LOCAL
Validity:
Not Before: Wed Mar 04 16:08:30 2015 UTC
Not After: Sat Mar 04 16:08:30 2017 UTC
Subject: CN=kwtpocpbis01.solaris.local,O=SOLARIS.LOCAL
Subject Public Key Info:
Public Key Algorithm:
Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
b7:bd:18:57:5f:27:23:87:78:32:51:25:25:2f:32:eb:
b7:d7:7e:3d:91:e0:58:26:24:92:3c:c7:f3:f9:88:b6:
e6:d1:61:b7:d3:f7:30:61:4e:d7:59:70:bd:62:86:a3:
51:ae:8e:ed:bc:7e:df:4d:5f:40:89:82:50:ad:a7:76:
8a:2c:83:a7:51:41:8d:d9:0f:06:6e:f9:a8:f3:7c:38:
bc:af:28:14:cb:d1:ee:49:75:a0:07:c0:45:44:81:b1:
48:3d:ab:be:69:12:d2:e1:07:c7:e8:62:32:ac:88:19:
22:c5:4c:04:f8:b8:c1:57:71:c2:fc:13:fd:51:67:6d:
2a:6a:1e:f6:4a:28:95:b2:90:83:9f:f9:ca:f8:0e:10:
aa:49:a4:00:76:1a:22:16:25:91:f2:d1:c7:f4:23:a5:
da:40:f6:e4:5a:b3:17:56:aa:e3:3c:74:d5:30:85:1c:
54:99:0d:dc:1e:62:46:cf:a9:dc:96:82:06:08:8d:92:
56:5d:02:fe:de:00:f2:5f:c7:07:e3:ee:1c:51:32:73:
f4:5c:94:c1:6d:04:ae:6d:2c:f4:4d:21:c2:da:42:db:
76:fe:f0:01:6d:69:94:25:20:68:54:20:16:be:11:51:
00:3b:2f:d8:e8:5a:6b:b8:91:ec:41:e1:8f:f6:14:eb
Exponent:
65537 (0x10001)
Signed Extensions: (6 total)
Name: Certificate Authority Key Identifier
Critical: False
Key ID:
52:ae:39:5b:0b:ea:85:4d:5e:11:08:7e:55:49:c9:1c:
04:e8:76:ea
Serial Number: None
General Names: [0 total]
Name: Authority Information Access
Critical: False
Authority Information Access: [1 total]
Info [1]:
Method: PKIX Online Certificate Status Protocol
Location: URI: http://ipa-ca.solaris.local/ca/ocsp
Name: Certificate Key Usage
Critical: True
Usages:
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment
Name: Extended Key Usage
Critical: False
Usages:
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate
Name: CRL Distribution Points
Critical: False
CRL Distribution Points: [1 total]
Point [1]:
General Names: [1 total]
http://ipa-ca.solaris.local/ipa/crl/MasterCRL.bin
Issuer: Directory Name: CN=Certificate Authority,O=ipaca
Reasons: ()
Name: Certificate Subject Key ID
Critical: False
Data:
29:0f:9e:4d:a1:62:bf:ae:67:ca:82:f1:c2:6b:18:20:
fb:40:db:c9
Signature:
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
b7:76:76:ab:bf:ca:b0:4a:a3:7b:db:a8:fd:b3:15:4f:
b6:6a:28:b5:e9:1b:55:2d:e2:f6:dc:f1:16:ee:4d:8e:
b6:5b:5c:fc:0d:32:5f:07:69:92:92:01:45:f5:c5:e0:
15:b7:30:62:d2:46:c0:d7:2f:74:e8:9a:5c:99:ba:01:
dc:a2:fb:02:f8:3f:31:9f:15:51:87:c0:38:c2:86:5b:
1e:dc:ab:10:a2:93:6b:88:b2:31:35:9d:ac:09:38:1b:
d8:ad:19:67:96:e4:55:8e:f6:9e:e3:99:be:cd:28:16:
69:16:3d:57:b4:23:43:79:f4:22:6d:a7:07:55:59:6e:
a0:b7:23:99:7c:4d:28:55:fb:88:88:e8:24:f0:67:af:
4a:f5:b8:60:b6:d1:5d:42:10:6f:9f:83:c0:9c:db:d2:
12:4d:ac:18:d0:17:c1:e3:77:83:c7:14:13:1f:73:d0:
f3:ee:25:bb:72:cb:6d:bb:da:4b:ca:fc:25:ea:09:0a:
09:5f:6e:51:3d:e2:5e:63:9c:0f:d5:4f:cb:d8:88:be:
4c:e6:b2:05:74:ed:2e:25:72:c4:0a:c7:84:47:97:28:
79:a5:a0:1d:6d:b4:86:55:e7:61:3f:df:db:1c:cc:37:
24:a7:3e:40:35:12:f9:45:08:d6:3f:ca:74:34:51:ee
Fingerprint (MD5):
73:b9:df:20:b1:f5:b7:29:55:de:88:88:9f:8b:ab:e7
Fingerprint (SHA1):
91:83:4b:fa:2f:c0:dc:3e:cc:e4:35:bf:69:f3:db:6c:
7f:ca:1b:21
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for
"CN=kwtpocpbis01.solaris.local,O=SOLARIS.LOCAL"
ipa: DEBUG: handshake complete, peer = 172.16.107.244:443
ipa: DEBUG: received Set-Cookie
'ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;
Domain=kwtpocpbis01.solaris.local; Path=/ipa; Expires=Tue, 17 Mar 2015
10:24:32 GMT; Secure; HttpOnly'
ipa: DEBUG: storing cookie 'ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;
Domain=kwtpocpbis01.solaris.local; Path=/ipa; Expires=Tue, 17 Mar 2015
10:24:32 GMT; Secure; HttpOnly' for principal admin at SOLARIS.LOCAL
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'search' '@s' 'user'
'ipa_session_cookie:admin at SOLARIS.LOCAL'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=35095713
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'search' '@s' 'user'
'ipa_session_cookie:admin at SOLARIS.LOCAL'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=35095713
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'pupdate' '35095713'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Destroyed connection context.rpcclient
ipa: ERROR: Insufficient access: CIFS server denied your credentials
And it is accepting the password for admin, and I can see the tickets:
[root at kwtpocpbis01 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin at SOLARIS.LOCAL
Valid starting Expires Service principal
03/17/2015 13:04:29 03/18/2015 13:04:26 krbtgt/SOLARIS.LOCAL at SOLARIS.LOCAL
On Tue, Mar 17, 2015 at 12:57 PM, Ben .T.George <bentech4you at gmail.com>
wrote:
> Hi
>
> I have enabled debug.
>
> Here is my sssd.conf:
>
> [root at kwtpocpbis01 ~]# cat /etc/sssd/sssd.conf
> [domain/solaris.local]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = solaris.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = kwtpocpbis01.solaris.local
> chpass_provider = ipa
> ipa_server = kwtpocpbis01.solaris.local
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = solaris.local
> debug_level = 6
> [nss]
> homedir_substring = /home
> debug_level = 6
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
>
> LOGS:
>
> sssd.log:
>
> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging
> solaris.local
> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging
> sudo
> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging ssh
> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging pac
> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service nss
> replied to ping
> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service sudo
> replied to ping
> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service pam
> replied to ping
> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service ssh
> replied to ping
> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service
> solaris.local replied to ping
> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service pac
> replied to ping
>
>
> error_log:
>
> [root at kwtpocpbis01 ~]# tail -f /var/log/httpd/error_log
> [Tue Mar 17 11:26:25.458878 2015] [:error] [pid 15175] ipa: INFO: ***
> PROCESS START ***
> [Tue Mar 17 11:26:25.603536 2015] [:error] [pid 15176] ipa: DEBUG:
> session_auth_duration: 0:20:00
> [Tue Mar 17 11:26:25.609112 2015] [:error] [pid 15176] ipa: DEBUG:
> session_auth_duration: 0:20:00
> [Tue Mar 17 11:26:25.655477 2015] [:error] [pid 15176] ipa: DEBUG:
> Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
> [Tue Mar 17 11:26:25.655597 2015] [:error] [pid 15176] ipa: DEBUG:
> session_auth_duration: 0:20:00
> [Tue Mar 17 11:26:25.681652 2015] [:error] [pid 15176] ipa: DEBUG:
> Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
> [Tue Mar 17 11:26:25.681849 2015] [:error] [pid 15176] ipa: DEBUG:
> session_auth_duration: 0:20:00
> [Tue Mar 17 11:26:25.754351 2015] [:error] [pid 15176] ipa: INFO: ***
> PROCESS START ***
> p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
> [Tue Mar 17 11:26:28.847563 2015] [:warn] [pid 15377] NSSProtocol:
> Unknown protocol 'tlsv1.2' not supported
>
> secure:
> [root at kwtpocpbis01 log]# tail -f secure
> Mar 17 12:35:41 kwtpocpbis01 sshd[15714]: subsystem request for sftp by
> user root
> Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: Accepted password for root from
> 10.18.2.130 port 64141 ssh2
> Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: pam_unix(sshd:session): session
> opened for user root by (uid=0)
> Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: subsystem request for sftp by
> user root
> Mar 17 12:39:12 kwtpocpbis01 sshd[14507]: pam_unix(sshd:session): session
> closed for user root
> Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: Invalid user bobby at infra.com
> from 10.18.2.130
> Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: input_userauth_request: invalid
> user bobby at infra.com [preauth]
> Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth): check pass;
> user unknown
> Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.18.2.130
> Mar 17 12:41:04 kwtpocpbis01 sshd[15816]: Failed password for invalid user
> bobby at infra.com from 10.18.2.130 port 64470 ssh2
>
> Mar 17 12:44:56 kwtpocpbis01 sshd[15840]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.18.2.130 user=ben at infra.com
> Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.18.2.130 user=ben at infra.com
> Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: Accepted password for
> ben at infra.com from 10.18.2.130 port 64782 ssh2
> Mar 17 12:44:59 kwtpocpbis01 sshd[15840]: pam_unix(sshd:session): session
> opened for user ben at infra.com by (uid=0)
>
>
>
> On Tue, Mar 17, 2015 at 12:09 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>
>> On Tue, Mar 17, 2015 at 11:37:24AM +0300, Ben .T.George wrote:
>> > Hi List
>> >
>> > I was following this link:
>> > http://www.freeipa.org/page/Active_Directory_trust_setup#Assumptions
>> > to set up the IPA server.
>> >
>> > My IPA version is 4.1.2.
>> >
>> > Every step in this tutorial passed without any error;
>> >
>> > even "*Allow access for users from AD domain to protected resources*"
>> > went successfully.
>> > My current issue is that only one user, called ben, is able to log in to the IPA
>> > server. Please check below:
>> >
>> > [root at kwtpocpbis01 ~]# getent passwd ben at infra.com
>> > ben at infra.com:*:531001104:531001104:ben:/home/infra.com/ben:
>> > [root at kwtpocpbis01 ~]# getent passwd bobby at infra.com
>> > [root at kwtpocpbis01 ~]# getent passwd administrator at infra.com
>> > [root at kwtpocpbis01 ~]#
>> >
>> > The users ben & bobby are in the same group (Domain users), but bobby is not
>> > able to log in to IPA, and I am not getting any information when querying.
>> > Please help me to fix this issue. I don't know where I need to troubleshoot
>> > this issue.
>>
>> Can you increase debug_level in both [nss] and [domain] sections on the
>> server and paste the logs here?
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
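The two login attempts in the quoted /var/log/secure excerpt fail and succeed for different reasons, and a defender reading sshd logs should tell them apart: sshd logs "Invalid user" when the name cannot be resolved through NSS at all (the same condition that makes `getent passwd bobby@infra.com` return nothing), so the later "Failed password for invalid user" is an identity-lookup failure, not evidence about the credential; for ben, a pam_unix failure followed by a pam_sss success is the normal stack order for an account with no local shadow entry. The script below is an added example, not code from the thread or from the FreeIPA or SSSD projects. It groups sshd lines by PID and assigns each connection attempt a verdict; the sample input is constructed from the quoted excerpt, re-joined onto single lines with the archive's " at " restored to "@", and it assumes only the sshd and PAM message formats visible in that excerpt.

```python
import re
from typing import Dict

# Constructed sample input: the /var/log/secure lines quoted in this thread,
# re-joined onto single lines, with the archive's " at " restored to "@".
SAMPLE_SECURE_LOG = """\
Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: Accepted password for root from 10.18.2.130 port 64141 ssh2
Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: Invalid user bobby@infra.com from 10.18.2.130
Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: input_userauth_request: invalid user bobby@infra.com [preauth]
Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth): check pass; user unknown
Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.18.2.130
Mar 17 12:41:04 kwtpocpbis01 sshd[15816]: Failed password for invalid user bobby@infra.com from 10.18.2.130 port 64470 ssh2
Mar 17 12:44:56 kwtpocpbis01 sshd[15840]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.18.2.130 user=ben@infra.com
Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.18.2.130 user=ben@infra.com
Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: Accepted password for ben@infra.com from 10.18.2.130 port 64782 ssh2
Mar 17 12:44:59 kwtpocpbis01 sshd[15840]: pam_unix(sshd:session): session opened for user ben@infra.com by (uid=0)
"""

# Syslog prefix as seen in the excerpt: "Mon DD HH:MM:SS host sshd[pid]: message"
RE_SSHD = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RE_INVALID = re.compile(r"^Invalid user (?P<user>\S+) from (?P<rhost>\S+)")
RE_PAM_AUTH = re.compile(r"^(?P<module>pam_\w+)\(sshd:auth\): authentication (?P<result>success|failure)")
RE_ACCEPTED = re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<rhost>\S+)")
RE_FAILED = re.compile(r"^Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+)")
RE_USER_KV = re.compile(r"\buser=(?P<user>\S+)")  # \b keeps "ruser=" from matching


def parse_sessions(text: str) -> Dict[str, dict]:
    """Group sshd log lines by sshd PID (one PID per connection attempt)."""
    sessions: Dict[str, dict] = {}
    for line in text.splitlines():
        m = RE_SSHD.match(line)
        if not m:
            continue
        s = sessions.setdefault(m.group("pid"), {
            "user": None, "rhost": None, "invalid": False,
            "pam": [], "accepted": False, "failed": False,
        })
        msg = m.group("msg")
        mi = RE_INVALID.match(msg)
        mp = RE_PAM_AUTH.match(msg)
        ma = RE_ACCEPTED.match(msg)
        mf = RE_FAILED.match(msg)
        if mi:
            # sshd logs "Invalid user" when getpwnam() finds no account at all.
            s["invalid"] = True
            s["user"], s["rhost"] = mi.group("user"), mi.group("rhost")
        elif mp:
            s["pam"].append((mp.group("module"), mp.group("result")))
            mu = RE_USER_KV.search(msg)
            if mu and not s["user"]:
                s["user"] = mu.group("user")
        elif ma:
            s["accepted"] = True
            s["user"], s["rhost"] = ma.group("user"), ma.group("rhost")
        elif mf:
            s["failed"] = True
            s["user"] = s["user"] or mf.group("user")
            s["rhost"] = mf.group("rhost")
    return sessions


def classify(s: dict) -> str:
    if s["invalid"]:
        # Name never resolved through NSS (cf. the empty `getent passwd`), so the
        # later "Failed password" says nothing about the credential itself.
        return "UNRESOLVED_IDENTITY"
    if s["accepted"] and ("pam_sss", "success") in s["pam"]:
        # pam_unix fails first (no local shadow entry), then pam_sss succeeds:
        # the expected stack order for an SSSD-backed user.
        return "ACCEPTED_VIA_SSSD"
    if s["accepted"]:
        return "ACCEPTED"
    if s["failed"]:
        return "BAD_CREDENTIAL"
    return "INCOMPLETE"


def triage(text: str) -> Dict[str, dict]:
    """Map each sshd PID to the user, remote host and verdict for that attempt."""
    return {pid: {"user": s["user"], "rhost": s["rhost"], "verdict": classify(s)}
            for pid, s in parse_sessions(text).items()}


if __name__ == "__main__":
    for pid, v in triage(SAMPLE_SECURE_LOG).items():
        print(pid, v["user"], v["rhost"], v["verdict"])
```

Run against the sample, PID 15816 (bobby) comes out as UNRESOLVED_IDENTITY and PID 15840 (ben) as ACCEPTED_VIA_SSSD, which is the distinction that matters when triaging an AD-trust login problem: an UNRESOLVED_IDENTITY verdict points at user lookup (SSSD, the trust, ID ranges), and repeated "Failed password for invalid user" lines for trusted-domain names should not be read as password guessing until the lookup side is confirmed working.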