[Freeipa-users] Troubleshooting SSO
Gould, Joshua
Joshua.Gould at osumc.edu
Mon Mar 30 15:04:58 UTC 2015
Sorry, I misread your question!
We're trying SSO from the test domain controller via SSH (PuTTY) to the
test IPA server.
Unix.test.osuwmc is the IPA realm.
Test.osuwmc is the AD realm.
IPA server is RHEL 7.1
Windows AD DC is Windows Server 2008 R2
They have a two-way trust and we're mapping SIDs. Since most of our SIDs
are in the 300,000s, we chose to add 1M to each SID to make mapping them
easy.
Right now I have the allow-all rule configured to allow everyone in on
every service to every host, just to rule that out.
# ipa trust-show
Realm name: TEST.OSUWMC
Realm name: test.osuwmc
Domain NetBIOS name: TEST
Domain Security Identifier: S-1-5-21-226267946-722566613-1883572810
Trust direction: Two-way trust
Trust type: Active Directory domain
# ipa idrange-find --all
----------------
2 ranges matched
----------------
dn: cn=TEST.OSUWMC_id_range,cn=ranges,cn=etc,dc=unix,dc=test,dc=osuwmc
Range name: TEST.OSUWMC_id_range
First Posix ID of the range: 1000000
Number of IDs in the range: 900000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-226267946-722566613-1883572810
Range type: Active Directory domain range
iparangetyperaw: ipa-ad-trust
objectclass: ipatrustedaddomainrange, ipaIDrange
dn: cn=UNIX.TEST.OSUWMC_id_range,cn=ranges,cn=etc,dc=unix,dc=test,dc=osuwmc
Range name: UNIX.TEST.OSUWMC_id_range
First Posix ID of the range: 233600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
iparangetyperaw: ipa-local
objectclass: top, ipaIDrange, ipaDomainIDRange
----------------------------
Number of entries returned 2
----------------------------
# id adm-faru03@test.osuwmc
uid=1398410(adm-faru03@test.osuwmc) gid=1398410(adm-faru03@test.osuwmc) groups=1398410(adm-faru03@test.osuwmc),233600008(citrix_users)
On 3/30/15, 10:55 AM, "Jan Pazdziora" <jpazdziora at redhat.com> wrote:
>On Mon, Mar 30, 2015 at 10:50:11AM -0400, Gould, Joshua wrote:
>> It's actually my IPA server which is also a client, so both are 7.1. My
>> memory is fuzzy as far as the client on the server. Isn't it set up
>> already as part of the server install?
>
>So you are logging in from the server to the server? But you have
>
> Connection from 10.80.5.239 port 52982 on 10.127.26.73 port 22
> debug1: Client protocol version 2.0; client software version
>PuTTY_Release_0.64
>
>in the log -- different IP addresses, and the client looks like Putty,
>which would mean you try to log in from a Windows machine ...
>
>So that test.osuwmc realm -- is that your IPA server's realm, or AD
>realm?
>
>--
>Jan Pazdziora
>Principal Software Engineer, Identity Management Engineering, Red Hat
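The `ipa idrange-find` and `id` output above is enough to check whether the uid SSSD hands out for an AD user is the one the trust range predicts. The following is an added example, not code from the thread or from FreeIPA/SSSD; the range table is constructed from the two ranges posted above, the SID is the thread's domain SID with an assumed RID of 398410, and the helper names (`posix_id_for_sid`, `range_for_posix_id`, `overlapping_ranges`) are my own. The mapping it implements is SSSD's algorithmic rule for an `ipa-ad-trust` range: POSIX ID = base ID + (RID - base RID), valid only while the RID falls inside the range's size. With base ID 1000000 and base RID 0, that is exactly the "add 1M" the poster describes, and it reproduces uid 1398410.

```python
"""Predict and sanity-check FreeIPA/SSSD SID-to-POSIX mapping from idrange data.

Added example, not from the thread or the FreeIPA/SSSD code base. The
ranges below are constructed from the `ipa idrange-find --all` output posted
in the thread; the helper names are assumptions of this example.
"""
import re

# Constructed from the thread's `ipa idrange-find --all` output.
RANGES = [
    {
        "name": "TEST.OSUWMC_id_range",
        "type": "ipa-ad-trust",
        "base_id": 1000000,
        "size": 900000,
        "base_rid": 0,
        "domain_sid": "S-1-5-21-226267946-722566613-1883572810",
    },
    {
        "name": "UNIX.TEST.OSUWMC_id_range",
        "type": "ipa-local",
        "base_id": 233600000,
        "size": 200000,
        "base_rid": 1000,
        "secondary_base_rid": 100000000,
    },
]

SID_RE = re.compile(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)")


def split_sid(sid):
    """Split an AD object SID into (domain SID, RID)."""
    m = SID_RE.fullmatch(sid)
    if not m:
        raise ValueError(f"not a domain object SID: {sid}")
    return m.group(1), int(m.group(2))


def posix_id_for_sid(sid, ranges=RANGES):
    """Return the POSIX ID an ipa-ad-trust range assigns to this SID.

    SSSD maps base_id + (rid - base_rid), and only if the RID lies within
    [base_rid, base_rid + size). None means no range covers the SID, which
    is what an unresolved user in `id` output looks like from this side.
    """
    domain_sid, rid = split_sid(sid)
    for r in ranges:
        if r["type"] != "ipa-ad-trust" or r.get("domain_sid") != domain_sid:
            continue
        offset = rid - r["base_rid"]
        if 0 <= offset < r["size"]:
            return r["base_id"] + offset
    return None


def range_for_posix_id(posix_id, ranges=RANGES):
    """Name the range that owns a POSIX ID seen in `id` output, or None."""
    for r in ranges:
        if r["base_id"] <= posix_id < r["base_id"] + r["size"]:
            return r["name"]
    return None


def overlapping_ranges(ranges=RANGES):
    """Return (name, name) pairs whose POSIX ID intervals overlap.

    Overlapping ranges make IDs ambiguous between local and trusted users;
    an empty list is the healthy result.
    """
    found = []
    for i, a in enumerate(ranges):
        a_lo, a_hi = a["base_id"], a["base_id"] + a["size"] - 1
        for b in ranges[i + 1:]:
            b_lo, b_hi = b["base_id"], b["base_id"] + b["size"] - 1
            if a_lo <= b_hi and b_lo <= a_hi:
                found.append((a["name"], b["name"]))
    return found


if __name__ == "__main__":
    # Assumed RID 398410 on the thread's domain SID: with base ID 1000000 and
    # base RID 0 this yields the uid 1398410 that `id` printed.
    sid = "S-1-5-21-226267946-722566613-1883572810-398410"
    print(sid, "->", posix_id_for_sid(sid))
    print(233600008, "belongs to", range_for_posix_id(233600008))
    print("overlaps:", overlapping_ranges())
```

If `posix_id_for_sid` returns a value that differs from what `id` shows, or `overlapping_ranges` is non-empty, the ID mapping itself is suspect and worth ruling out before looking at the SSH/GSSAPI side of the login.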