[Freeipa-users] Only one AD user can able to login to IPA server
Ben .T.George
bentech4you at gmail.com
Tue Mar 17 10:09:05 UTC 2015
I tried to establish trust again and got the output below. Is this the expected
one? I can see "Insufficient access: CIFS server denied your credentials"
here too.
[root at kwtpocpbis01 ~]# ipa trust-add --type=ad infra.com --admin Administrator --password
ipa: DEBUG: importing all plugin modules in
'/usr/lib/python2.7/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/idviews.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/otpconfig.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken_yubikey.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: Starting external process
ipa: DEBUG: args='klist' '-V'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=Kerberos 5 version 1.12.2
ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/radiusproxy.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/realmdomains.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/rpcclient.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'search' '@s' 'user'
'ipa_session_cookie:admin at SOLARIS.LOCAL'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=35095713
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'pipe' '35095713'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;
Domain=kwtpocpbis01.solaris.local; Path=/ipa; Expires=Tue, 17 Mar 2015
10:24:32 GMT; Secure; HttpOnly
ipa: DEBUG: stderr=
ipa: DEBUG: found session_cookie in persistent storage for principal
'admin at SOLARIS.LOCAL', cookie:
'ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;
Domain=kwtpocpbis01.solaris.local; Path=/ipa; Expires=Tue, 17 Mar 2015
10:24:32 GMT; Secure; HttpOnly'
ipa: DEBUG: setting session_cookie into context
'ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;'
ipa: INFO: trying https://kwtpocpbis01.solaris.local/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient
Active Directory domain administrator's password:
ipa: DEBUG: raw: trust_add(u'infra.com', trust_type=u'ad',
realm_admin=u'Administrator', realm_passwd=u'********', all=False,
raw=False, version=u'2.113')
ipa: DEBUG: trust_add(u'infra.com', trust_type=u'ad',
realm_admin=u'Administrator', realm_passwd=u'********', all=False,
raw=False, version=u'2.113')
ipa: INFO: Forwarding 'trust_add' to json server '
https://kwtpocpbis01.solaris.local/ipa/session/json'
ipa: DEBUG: NSSConnection init kwtpocpbis01.solaris.local
ipa: DEBUG: Connecting: 172.16.107.244:0
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
Version: 3 (0x2)
Serial Number: 9 (0x9)
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Certificate Authority,O=SOLARIS.LOCAL
Validity:
Not Before: Wed Mar 04 16:08:30 2015 UTC
Not After: Sat Mar 04 16:08:30 2017 UTC
Subject: CN=kwtpocpbis01.solaris.local,O=SOLARIS.LOCAL
Subject Public Key Info:
Public Key Algorithm:
Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Exponent:
65537 (0x10001)
Signed Extensions: (6 total)
Name: Certificate Authority Key Identifier
Critical: False
Key ID:
52:ae:39:5b:0b:ea:85:4d:5e:11:08:7e:55:49:c9:1c:
04:e8:76:ea
Serial Number: None
General Names: [0 total]
Name: Authority Information Access
Critical: False
Authority Information Access: [1 total]
Info [1]:
Method: PKIX Online Certificate Status Protocol
Location: URI: http://ipa-ca.solaris.local/ca/ocsp
Name: Certificate Key Usage
Critical: True
Usages:
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment
Name: Extended Key Usage
Critical: False
Usages:
TLS Web Server Authentication Certificate
TLS Web Client Authentication Certificate
Name: CRL Distribution Points
Critical: False
CRL Distribution Points: [1 total]
Point [1]:
General Names: [1 total]
http://ipa-ca.solaris.local/ipa/crl/MasterCRL.bin
Issuer: Directory Name: CN=Certificate Authority,O=ipaca
Reasons: ()
Name: Certificate Subject Key ID
Critical: False
Data:
29:0f:9e:4d:a1:62:bf:ae:67:ca:82:f1:c2:6b:18:20:
fb:40:db:c9
Signature:
Signature Algorithm:
Algorithm: PKCS #1 SHA-256 With RSA Encryption
Fingerprint (MD5):
73:b9:df:20:b1:f5:b7:29:55:de:88:88:9f:8b:ab:e7
Fingerprint (SHA1):
91:83:4b:fa:2f:c0:dc:3e:cc:e4:35:bf:69:f3:db:6c:
7f:ca:1b:21
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for
"CN=kwtpocpbis01.solaris.local,O=SOLARIS.LOCAL"
ipa: DEBUG: handshake complete, peer = 172.16.107.244:443
ipa: DEBUG: received Set-Cookie
'ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;
Domain=kwtpocpbis01.solaris.local; Path=/ipa; Expires=Tue, 17 Mar 2015
10:27:04 GMT; Secure; HttpOnly'
ipa: DEBUG: storing cookie 'ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;
Domain=kwtpocpbis01.solaris.local; Path=/ipa; Expires=Tue, 17 Mar 2015
10:27:04 GMT; Secure; HttpOnly' for principal admin at SOLARIS.LOCAL
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'search' '@s' 'user'
'ipa_session_cookie:admin at SOLARIS.LOCAL'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=35095713
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'search' '@s' 'user'
'ipa_session_cookie:admin at SOLARIS.LOCAL'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=35095713
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'pupdate' '35095713'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Destroyed connection context.rpcclient
ipa: ERROR: Insufficient access: CIFS server denied your credentials
On Tue, Mar 17, 2015 at 1:06 PM, Ben .T.George <bentech4you at gmail.com>
wrote:
> Another thing I notice is:
>
> [root at kwtpocpbis01 ~]# kinit admin
> Password for admin at SOLARIS.LOCAL:
> [root at kwtpocpbis01 ~]# ipa trust-fetch-domains infra.com
> ipa: DEBUG: importing all plugin modules in
> '/usr/lib/python2.7/site-packages/ipalib/plugins'...
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/idviews.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/otpconfig.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken_yubikey.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py'
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='klist' '-V'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=Kerberos 5 version 1.12.2
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/radiusproxy.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/realmdomains.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/rpcclient.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py'
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='keyctl' 'search' '@s' 'user'
> 'ipa_session_cookie:admin at SOLARIS.LOCAL'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=35095713
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='keyctl' 'pipe' '35095713'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;
> Domain=kwtpocpbis01.solaris.local; Path=/ipa; Expires=Tue, 17 Mar 2015
> 10:23:58 GMT; Secure; HttpOnly
> ipa: DEBUG: stderr=
> ipa: DEBUG: found session_cookie in persistent storage for principal
> 'admin at SOLARIS.LOCAL', cookie:
> 'ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;
> Domain=kwtpocpbis01.solaris.local; Path=/ipa; Expires=Tue, 17 Mar 2015
> 10:23:58 GMT; Secure; HttpOnly'
> ipa: DEBUG: setting session_cookie into context
> 'ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;'
> ipa: INFO: trying https://kwtpocpbis01.solaris.local/ipa/session/json
> ipa: DEBUG: Created connection context.rpcclient
> ipa: DEBUG: raw: trust_fetch_domains(u'infra.com', rights=False,
> all=False, raw=False, version=u'2.113')
> ipa: DEBUG: trust_fetch_domains(u'infra.com', rights=False, all=False,
> raw=False, version=u'2.113')
> ipa: INFO: Forwarding 'trust_fetch_domains' to json server '
> https://kwtpocpbis01.solaris.local/ipa/session/json'
> ipa: DEBUG: NSSConnection init kwtpocpbis01.solaris.local
> ipa: DEBUG: Connecting: 172.16.107.244:0
> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
> Data:
> Version: 3 (0x2)
> Serial Number: 9 (0x9)
> Signature Algorithm:
> Algorithm: PKCS #1 SHA-256 With RSA Encryption
> Issuer: CN=Certificate Authority,O=SOLARIS.LOCAL
> Validity:
> Not Before: Wed Mar 04 16:08:30 2015 UTC
> Not After: Sat Mar 04 16:08:30 2017 UTC
> Subject: CN=kwtpocpbis01.solaris.local,O=SOLARIS.LOCAL
> Subject Public Key Info:
> Public Key Algorithm:
> Algorithm: PKCS #1 RSA Encryption
> RSA Public Key:
> Exponent:
> 65537 (0x10001)
> Signed Extensions: (6 total)
> Name: Certificate Authority Key Identifier
> Critical: False
> Key ID:
> 52:ae:39:5b:0b:ea:85:4d:5e:11:08:7e:55:49:c9:1c:
> 04:e8:76:ea
> Serial Number: None
> General Names: [0 total]
>
> Name: Authority Information Access
> Critical: False
> Authority Information Access: [1 total]
> Info [1]:
> Method: PKIX Online Certificate Status Protocol
> Location: URI: http://ipa-ca.solaris.local/ca/ocsp
>
> Name: Certificate Key Usage
> Critical: True
> Usages:
> Digital Signature
> Non-Repudiation
> Key Encipherment
> Data Encipherment
>
> Name: Extended Key Usage
> Critical: False
> Usages:
> TLS Web Server Authentication Certificate
> TLS Web Client Authentication Certificate
>
> Name: CRL Distribution Points
> Critical: False
> CRL Distribution Points: [1 total]
> Point [1]:
> General Names: [1 total]
> http://ipa-ca.solaris.local/ipa/crl/MasterCRL.bin
> Issuer: Directory Name: CN=Certificate Authority,O=ipaca
> Reasons: ()
>
> Name: Certificate Subject Key ID
> Critical: False
> Data:
> 29:0f:9e:4d:a1:62:bf:ae:67:ca:82:f1:c2:6b:18:20:
> fb:40:db:c9
>
> Signature:
> Signature Algorithm:
> Algorithm: PKCS #1 SHA-256 With RSA Encryption
> Fingerprint (MD5):
> 73:b9:df:20:b1:f5:b7:29:55:de:88:88:9f:8b:ab:e7
> Fingerprint (SHA1):
> 91:83:4b:fa:2f:c0:dc:3e:cc:e4:35:bf:69:f3:db:6c:
> 7f:ca:1b:21
> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> ipa: DEBUG: cert valid True for
> "CN=kwtpocpbis01.solaris.local,O=SOLARIS.LOCAL"
> ipa: DEBUG: handshake complete, peer = 172.16.107.244:443
> ipa: DEBUG: received Set-Cookie
> 'ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;
> Domain=kwtpocpbis01.solaris.local; Path=/ipa; Expires=Tue, 17 Mar 2015
> 10:24:32 GMT; Secure; HttpOnly'
> ipa: DEBUG: storing cookie 'ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;
> Domain=kwtpocpbis01.solaris.local; Path=/ipa; Expires=Tue, 17 Mar 2015
> 10:24:32 GMT; Secure; HttpOnly' for principal admin at SOLARIS.LOCAL
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='keyctl' 'search' '@s' 'user'
> 'ipa_session_cookie:admin at SOLARIS.LOCAL'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=35095713
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='keyctl' 'search' '@s' 'user'
> 'ipa_session_cookie:admin at SOLARIS.LOCAL'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=35095713
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='keyctl' 'pupdate' '35095713'
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Destroyed connection context.rpcclient
> ipa: ERROR: Insufficient access: CIFS server denied your credentials
>
>
>
> And it is accepting the password for admin, and I am able to see tickets:
>
> [root at kwtpocpbis01 ~]# klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: admin at SOLARIS.LOCAL
>
> Valid starting Expires Service principal
> 03/17/2015 13:04:29 03/18/2015 13:04:26
> krbtgt/SOLARIS.LOCAL at SOLARIS.LOCAL
>
>
>
> On Tue, Mar 17, 2015 at 12:57 PM, Ben .T.George <bentech4you at gmail.com>
> wrote:
>
>> Hi
>>
>> I have enabled debug.
>>
>> Here is my sssd.conf:
>>
>> [root at kwtpocpbis01 ~]# cat /etc/sssd/sssd.conf
>> [domain/solaris.local]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = solaris.local
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = kwtpocpbis01.solaris.local
>> chpass_provider = ipa
>> ipa_server = kwtpocpbis01.solaris.local
>> ipa_server_mode = True
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> [sssd]
>> services = nss, sudo, pam, ssh
>> config_file_version = 2
>>
>> domains = solaris.local
>> debug_level = 6
>> [nss]
>> homedir_substring = /home
>> debug_level = 6
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>> [ifp]
>>
>>
>> LOGS:
>>
>> sssd.log:
>>
>> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging
>> solaris.local
>> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging
>> nss
>> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging
>> sudo
>> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging
>> pam
>> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging
>> ssh
>> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging
>> pac
>> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service nss
>> replied to ping
>> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service sudo
>> replied to ping
>> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service pam
>> replied to ping
>> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service ssh
>> replied to ping
>> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service
>> solaris.local replied to ping
>> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service pac
>> replied to ping
>>
>>
>> error_log:
>>
>> [root at kwtpocpbis01 ~]# tail -f /var/log/httpd/error_log
>> [Tue Mar 17 11:26:25.458878 2015] [:error] [pid 15175] ipa: INFO: ***
>> PROCESS START ***
>> [Tue Mar 17 11:26:25.603536 2015] [:error] [pid 15176] ipa: DEBUG:
>> session_auth_duration: 0:20:00
>> [Tue Mar 17 11:26:25.609112 2015] [:error] [pid 15176] ipa: DEBUG:
>> session_auth_duration: 0:20:00
>> [Tue Mar 17 11:26:25.655477 2015] [:error] [pid 15176] ipa: DEBUG:
>> Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
>> [Tue Mar 17 11:26:25.655597 2015] [:error] [pid 15176] ipa: DEBUG:
>> session_auth_duration: 0:20:00
>> [Tue Mar 17 11:26:25.681652 2015] [:error] [pid 15176] ipa: DEBUG:
>> Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
>> [Tue Mar 17 11:26:25.681849 2015] [:error] [pid 15176] ipa: DEBUG:
>> session_auth_duration: 0:20:00
>> [Tue Mar 17 11:26:25.754351 2015] [:error] [pid 15176] ipa: INFO: ***
>> PROCESS START ***
>> p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
>> [Tue Mar 17 11:26:28.847563 2015] [:warn] [pid 15377] NSSProtocol:
>> Unknown protocol 'tlsv1.2' not supported
>>
>> secure:
>> [root at kwtpocpbis01 log]# tail -f secure
>> Mar 17 12:35:41 kwtpocpbis01 sshd[15714]: subsystem request for sftp by
>> user root
>> Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: Accepted password for root from
>> 10.18.2.130 port 64141 ssh2
>> Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: pam_unix(sshd:session): session
>> opened for user root by (uid=0)
>> Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: subsystem request for sftp by
>> user root
>> Mar 17 12:39:12 kwtpocpbis01 sshd[14507]: pam_unix(sshd:session): session
>> closed for user root
>> Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: Invalid user bobby at infra.com
>> from 10.18.2.130
>> Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: input_userauth_request: invalid
>> user bobby at infra.com [preauth]
>> Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth): check
>> pass; user unknown
>> Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth):
>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=10.18.2.130
>> Mar 17 12:41:04 kwtpocpbis01 sshd[15816]: Failed password for invalid
>> user bobby at infra.com from 10.18.2.130 port 64470 ssh2
>>
>> Mar 17 12:44:56 kwtpocpbis01 sshd[15840]: pam_unix(sshd:auth):
>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=10.18.2.130 user=ben at infra.com
>> Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: pam_sss(sshd:auth):
>> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=10.18.2.130 user=ben at infra.com
>> Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: Accepted password for
>> ben at infra.com from 10.18.2.130 port 64782 ssh2
>> Mar 17 12:44:59 kwtpocpbis01 sshd[15840]: pam_unix(sshd:session): session
>> opened for user ben at infra.com by (uid=0)
>>
>>
>>
>> On Tue, Mar 17, 2015 at 12:09 PM, Jakub Hrozek <jhrozek at redhat.com>
>> wrote:
>>
>>> On Tue, Mar 17, 2015 at 11:37:24AM +0300, Ben .T.George wrote:
>>> > Hi List
>>> >
>>> > I was following this link:
>>> > http://www.freeipa.org/page/Active_Directory_trust_setup#Assumptions
>>> > to set up the IPA server.
>>> >
>>> > My IPA version is 4.1.2.
>>> >
>>> > Every step in this tutorial passed without any error.
>>> >
>>> > Even "*Allow access for users from AD domain to protected resources*"
>>> > went successfully.
>>> > My current issue is that only one user, called ben, is able to log in to the IPA
>>> > server. Please check below:
>>> >
>>> > [root at kwtpocpbis01 ~]# getent passwd ben at infra.com
>>> > ben at infra.com:*:531001104:531001104:ben:/home/infra.com/ben:
>>> > [root at kwtpocpbis01 ~]# getent passwd bobby at infra.com
>>> > [root at kwtpocpbis01 ~]# getent passwd administrator at infra.com
>>> > [root at kwtpocpbis01 ~]#
>>> >
>>> > The users ben & bobby are in the same group (Domain users), but bobby
>>> > is not able to log in to IPA, and I am not getting any information when querying.
>>> > Please help me to fix this issue. I don't know where I need to troubleshoot
>>> > this issue.
>>>
>>> Can you increase debug_level in both [nss] and [domain] sections on the
>>> server and paste the logs here?
>>>