[Freeipa-users] Trust Issues W/ Logins on Windows Desktops

Alexander Bokovoy abokovoy at redhat.com
Fri Oct 2 13:43:00 UTC 2015


On Fri, 02 Oct 2015, Simo Sorce wrote:
>On 02/10/15 04:06, Alexander Bokovoy wrote:
>>On Thu, 01 Oct 2015, Simo Sorce wrote:
>>>On 01/10/15 03:15, Petr Spacek wrote:
>>>>On 30.9.2015 20:36, Matt Wells wrote:
>>>>>Hi all, I hoped I may glean some brilliance from the group.
>>>>>I have a Freeipa Server sitting atop a Fedora 21 server.  The
>>>>>initial plan
>>>>>was to replicate users+passwords with Windows 2012R2 server but
>>>>>following
>>>>>some of the information in the other posts and docs we've moved to a
>>>>>trust.  The trust has been setup using the documentation and in
>>>>>short it's
>>>>>worked without issue.  I'm able to get principals from the Windows
>>>>>realm (
>>>>>marvel.comics.com).  So what I'm attempting and failing to do is
>>>>>authenticating my IPA users to the Windows 8 desktops.  Ideally I don't
>>>>>want any users in AD, it's simply there to deliver a GPO and in the
>>>>>next
>>>>>year it will be phased out and we'll be replacing Windows 8 with Linux
>>>>>desktops.
>>>>>
>>>>>So
>>>>>marvel.comics.com = windows
>>>>>dc.comics.com = freeipa
>>>>>
>>>>># rpm -qi freeipa-server
>>>>>Name        : freeipa-server
>>>>>Version     : 4.1.4
>>>>>Release     : 1.fc21
>>>>>Architecture: x86_64
>>>>>Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
>>>>>Group       : System Environment/Base
>>>>>Size        : 4521059
>>>>>License     : GPLv3+
>>>>>Signature   : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID
>>>>>89ad4e8795a43f54
>>>>>Source RPM  : freeipa-4.1.4-1.fc21.src.rpm
>>>>>Build Date  : Thu 26 Mar 2015 03:16:19 PM UTC
>>>>>Build Host  : buildhw-07.phx2.fedoraproject.org
>>>>>[root at freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
>>>>>Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon
>>>>>Aug 17
>>>>>22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>>>>>[root at freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
>>>>>Fedora release 21 (Twenty One)
>>>>>
>>>>>To cut to the chase here's me logging into a Windows 8 desktop
>>>>>system.  I
>>>>>try to login 3 different ways; this system is a member of the marvel
>>>>>domain.  Time is extremely close, close enough that I feel really good
>>>>>about ruling it out.  Any light you all could shed on this would be
>>>>>outstanding.  Thank you all for your time on this, I really
>>>>>appreciate all
>>>>>the time and effort this team puts into reading these posts.
>>>>>
>>>>>Username: dc/greenlantern
>>>>>Password: ************
>>>>>
>>>>>[root at freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i
>>>>>greenlantern
>>>>>[30/Sep/2015:17:55:33 +0000] conn=1172 op=46 SRCH
>>>>>base="dc=dc,dc=comics,dc=com" scope=2
>>>>>filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern at dc
>>>>>
>>>>>)(krbPrincipalName=greenlantern at dc)))" attrs="krbPrincipalName
>>>>>krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
>>>>>krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
>>>>>krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
>>>>>krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
>>>>>krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
>>>>>krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
>>>>>passwordHistory ipaKrbAuthzData ipaUserAuthType
>>>>>ipatokenRadiusConfigLink
>>>>>objectClass"
>>>>>
>>>>>Username: greenlanter at dc
>>>>>Password: ************
>>>>>
>>>>>
>>>>>[30/Sep/2015:17:59:48 +0000] conn=1172 op=86 SRCH
>>>>>base="dc=dc,dc=comics,dc=com" scope=2
>>>>>filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern at dc
>>>>>
>>>>>)(krbPrincipalName=greenlantern at dc)))" attrs="krbPrincipalName
>>>>>krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
>>>>>krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
>>>>>krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
>>>>>krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
>>>>>krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
>>>>>krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
>>>>>passwordHistory ipaKrbAuthzData ipaUserAuthType
>>>>>ipatokenRadiusConfigLink
>>>>>objectClass"
>>>>>
>>>>>
>>>>>Username: greenlanter at dc.comics.com
>>>>>Password: ************
>>>>>
>>>>>[30/Sep/2015:17:59:35 +0000] conn=1172 op=84 SRCH
>>>>>base="dc=dc,dc=comics,dc=com" scope=2
>>>>>filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5C at dc.COMICS.com
>>>>>
>>>>>@DC.COMICS.COM <http://dc.comics.com/>
>>>>>)(krbPrincipalName=greenlantern\5C at dc.COMICS.com@DC.COMICS.COM
>>>>><http://dc.comics.com/>)))" attrs="krbPrincipalName krbCanonicalName
>>>>>ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
>>>>>krbTicketPolicyReference
>>>>>krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>>>>>krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>>>>>krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
>>>>>krbExtraData
>>>>>krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
>>>>>krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>>>>>ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>>>>
>>>>>
>>>>>From what I can tell, everything looks good to wbinfo; we see the
>>>>>domain
>>>>>and he sees us.  In the AD trust I can go under the trust and
>>>>>validate the
>>>>>trust with no issues.
>>>>>[root at freeipaServer slapd-MARVEL-COMICS-COM]#  wbinfo --online-status
>>>>>BUILTIN : online
>>>>>DC : online
>>>>>MARVEL : online
>>>>>[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
>>>>>marvel.comics.com
>>>>>Name              : MARVEL
>>>>>Alt_Name          : marvel.comics.com
>>>>>SID               : S-1-5-21-3495301974-2766379234-3984916731
>>>>>Active Directory  : Yes
>>>>>Native            : Yes
>>>>>Primary           : No
>>>>>[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo -n
>>>>>'MARVEL.COMICS.COM\Domain
>>>>>Admins'
>>>>>S-1-5-21-3495301974-2766379234-3984916731-512 SID_DOM_GROUP (2)
>>>>>[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
>>>>>marvel.comics.com
>>>>>Name              : MARVEL
>>>>>Alt_Name          : marvel.comics.com
>>>>>SID               : S-1-5-21-3495301974-2766379234-3984916731
>>>>>Active Directory  : Yes
>>>>>Native            : Yes
>>>>>Primary           : No
>>>>
>>>>Unfortunately you will not be able to log into Windows workstations
>>>>using IPA
>>>>users because FreeIPA is (at the moment) missing the Global Catalog
>>>>component,
>>>>which prevents Windows from working with IPA users.
>>>>
>>>>It should work the other way around, but there is nothing you can do
>>>>at the
>>>>moment to make it work with IPA users in Windows. Global Catalog
>>>>is several
>>>>months away in the best case.
>>>
>>>This is not entirely true.
>>>There is no way to add IPA SIDs to the relevant authorization groups
>>>using the GUI tools in AD, but technically you can do that using
>>>command line tools and pasting in SIDs directly.
>>>Authentication would be possible then, however Windows clients will
>>>never be able to resolve SID to Names, so looking at file permissions
>>>you will not be able to see user names, but only SIDs for IPA users.
>>>Some tools that may depend on SID->Name translation may also fail in
>>>unexpected ways.
>>Practically, you will not be able to log in to Windows workstations
>>because the login screen will have to do Name->SID translation, which it
>>wouldn't be able to do.
>
>I do not think this is really true, I tested a while back that the PAC 
>is used for Name -> SID of the logging in user, but I do not know if 
>all versions of Windows will work flawlessly this way.
At least Windows Server 2012 does the following when I try to log in
interactively as EXAMPLE\admin (IPA admin) or admin at EXAMPLE.COM:

16:34:20.903405 IP (tos 0x2,ECT(0), ttl 128, id 18136, offset 0, flags [DF], proto TCP (6), length 52)
    wdc.adx.test.63757 > m1.example.com.kerberos: Flags [SEW], cksum 0xe350 (correct), seq 713019514, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:34:20.903539 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    m1.example.com.kerberos > wdc.adx.test.63757: Flags [S.], cksum 0x76c6 (incorrect -> 0xb654), seq 1716548939, ack 713019515, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:34:20.903674 IP (tos 0x0, ttl 128, id 18137, offset 0, flags [DF], proto TCP (6), length 40)
    wdc.adx.test.63757 > m1.example.com.kerberos: Flags [.], cksum 0x6837 (correct), seq 1, ack 1, win 256, length 0 
16:34:20.903788 IP (tos 0x0, ttl 128, id 18138, offset 0, flags [DF], proto TCP (6), length 259)
    wdc.adx.test.63757 > m1.example.com.kerberos: Flags [P.], cksum 0xe08f (correct), seq 1:220, ack 1, win 256, length 219
16:34:20.903821 IP (tos 0x0, ttl 64, id 40856, offset 0, flags [DF], proto TCP (6), length 40)
    m1.example.com.kerberos > wdc.adx.test.63757: Flags [.], cksum 0x76ba (incorrect -> 0x676f), seq 1, ack 220, win 237, length 0
16:34:20.904727 IP (tos 0x0, ttl 64, id 40857, offset 0, flags [DF] proto TCP (6), length 202)
    m1.example.com.kerberos > wdc.adx.test.63757: Flags [P.], cksum 0x775c (incorrect -> 0x89b3), seq 1:163, ack 220, win 237, length 162
16:34:20.904778 IP (tos 0x0, ttl 64, id 40858, offset 0, flags [DF], proto TCP (6), length 40)
    m1.example.com.kerberos > wdc.adx.test.63757: Flags [F.], cksum 0x76ba (incorrect -> 0x66cc), seq 163, ack 220, win 237, length 0
16:34:20.904917 IP (tos 0x0, ttl 128, id 18139, offset 0, flags [DF], proto TCP (6), length 40)
    wdc.adx.test.63757 > m1.example.com.kerberos: Flags [.], cksum 0x66b9 (correct), seq 220, ack 164, win 256, length 0
16:34:20.905073 IP (tos 0x0, ttl 128, id 18140, offset 0, flags [DF], proto TCP (6), length 40)
    wdc.adx.test.63757 > m1.example.com.kerberos: Flags [F.], cksum 0x66b8 (correct), seq 220, ack 164, win 256, length 0
16:34:20.905133 IP (tos 0x0, ttl 64, id 33156, offset 0, flags [DF], proto TCP (6), length 40)
    m1.example.com.kerberos > wdc.adx.test.63757: Flags [.], cksum 0x66cb (correct), seq 164, ack 221, win 237, length 0
16:34:20.906033 IP (tos 0x0, ttl 128, id 18141, offset 0, flags [none], proto UDP (17), length 217)
    wdc.adx.test.50485 > m1.example.com.ldap: [udp sum ok] UDP, length 189
16:34:20.906434 IP (tos 0x0, ttl 64, id 64131, offset 0, flags [DF], proto UDP (17), length 190)
    m1.example.com.ldap > wdc.adx.test.50485: [bad udp cksum 0x775b -> 0xa778!] UDP, length 162

E.g. it tried to talk to the IPA KDC and, when that failed, it did a CLDAP
ping to pick up information about the IPA domain.

The KDC log has the following:
Oct 02 13:33:41 m1.example.com krb5kdc[924](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.122.235: CLIENT_NOT_FOUND: admin at EXAMPLE for krbtgt/EXAMPLE at EXAMPLE, Client not found in Kerberos database
Oct 02 13:33:41 m1.example.com krb5kdc[924](info): closing down fd 12
Oct 02 13:34:20 m1.example.com krb5kdc[924](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.122.235: CLIENT_NOT_FOUND: admin at EXAMPLE for krbtgt/EXAMPLE at EXAMPLE, Client not found in Kerberos database
Oct 02 13:34:20 m1.example.com krb5kdc[924](info): closing down fd 12
Oct 02 13:35:08 m1.example.com krb5kdc[924](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.122.235: CLIENT_NOT_FOUND: admin\@EXAMPLE.COM at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Client not found in Kerberos database
Oct 02 13:35:08 m1.example.com krb5kdc[924](info): closing down fd 12

This is something more reasonable -- e.g. our DAL driver doesn't support
the domain flat name as a realm and doesn't support proper handling of
enterprise principals. This is something I have patches for to cover
trusted forests' realms but not our own. Maybe this is worth
investigating first.

-- 
/ Alexander Bokovoy
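An added example, not from the thread or from FreeIPA: a small Python parser for krb5kdc AS_REQ lines of the shape quoted above, which tags the two request forms Alexander describes (the domain flat name used as the realm, and an enterprise principal whose name carries an escaped `\@`) so that a defender reading the KDC log can tell a Windows host probing the KDC from a genuinely unknown user. The sample log lines are constructed from the quoted ones, with the archive's " at " restored to "@", plus one constructed successful request for contrast.

```python
import re

# Constructed sample modelled on the krb5kdc lines quoted in the thread (the
# list archive prints "@" as " at "; real log lines carry a literal "@").
# The last line is a constructed successful AS_REQ for contrast.
SAMPLE_KDC_LOG = """\
Oct 02 13:33:41 m1.example.com krb5kdc[924](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.122.235: CLIENT_NOT_FOUND: admin@EXAMPLE for krbtgt/EXAMPLE@EXAMPLE, Client not found in Kerberos database
Oct 02 13:33:41 m1.example.com krb5kdc[924](info): closing down fd 12
Oct 02 13:35:08 m1.example.com krb5kdc[924](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.122.235: CLIENT_NOT_FOUND: admin\\@EXAMPLE.COM@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Oct 02 13:36:00 m1.example.com krb5kdc[924](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.122.10: ISSUE: authtime 1443793000, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

AS_REQ_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{[^}]*\}\) (?P<src>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)")
# "<client> for <server>" appears in both ISSUE and failure lines.
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^,\s]+)")


def classify_failure(client):
    """Name the request shape behind a CLIENT_NOT_FOUND, as in the thread.
    rpartition splits at the last '@'; a '\\@' inside the name is an escaped
    '@' (enterprise principal), not the realm separator."""
    name, _, realm = client.rpartition("@")
    if "\\@" in name:
        return "enterprise-principal"   # admin\@EXAMPLE.COM@EXAMPLE.COM
    if "." not in realm:
        return "flat-realm"             # admin@EXAMPLE: NetBIOS name as realm
    return "other"                      # e.g. a genuinely unknown user


def parse_kdc_log(text):
    """One dict per AS_REQ line; other lines ('closing down fd', ...) are skipped."""
    events = []
    for line in text.splitlines():
        m = AS_REQ_RE.search(line)
        p = PRINC_RE.search(m.group("rest")) if m else None
        if not p:
            continue
        status = m.group("status")
        kind = "ok" if status == "ISSUE" else classify_failure(p.group("client"))
        events.append({"src": m.group("src"), "status": status, "kind": kind,
                       "client": p.group("client"), "server": p.group("server")})
    return events


def summarize(text):
    """Count outcomes per kind: a burst of flat-realm / enterprise-principal
    failures from one host is a client probing the KDC, not a missing user."""
    counts = {}
    for ev in parse_kdc_log(text):
        counts[ev["kind"]] = counts.get(ev["kind"], 0) + 1
    return counts
```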