[Freeipa-users] User AD can not Login Client Linux

Lukas Slebodnik lslebodn at redhat.com
Wed Sep 2 07:15:22 UTC 2015


On (28/08/15 08:44), Lukas Slebodnik wrote:
>On (23/08/15 17:53), alireza baghery wrote:
>>Hi, I installed CentOS 7.1 (IDM Server)
>>and integrated it with Windows SERVER 2008 R2 via a trust.
>>AD users cannot log in on the client (OLE 6.6), but a user created in IDM can log in.
>>
>>name IDM SERVER= ipasrv.l.infotechpsp.net
>>domain Windows = infotechpsp.net
>>
>>I executed [ kinit abagheri at infotechpsp.net] on the IDM Server
>>and klist, which shows keytab abagheri,
>>but when I execute     kvno abagher at INFOTECHPSP.NET
>>I get the ERROR: kvno Server not found in kerberos database
>>Please help me, and thank you.
>>
>>KLIST
>>================================
>>
>>Valid starting     Expires            Service principal
>>08/23/15 17:09:53  08/24/15 03:11:34  krbtgt/INFOTECHPSP.NET at INFOTECHPSP.NET
>>        renew until 08/24/15 17:09:53
>>
>>=====================================
>>
>>Tail LOG /var/log/sssd/ssd_l.infotechpsp.net debug_level = 6
>>=====================================
>>[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>>[(objectclass=*)][].
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>>[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
>>set
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [sdap_kinit_send]
>>(0x0400): Attempting kinit (default, host/ussd7.l.infotechpsp.net,
>>L.INFOTECHPSP.NET, 86400)
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>>[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [resolve_srv_send]
>>(0x0200): The status of SRV lookup is resolved
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>>[be_resolve_server_process] (0x0200): Found address for server
>>ipasrv.l.infotechpsp.net: [10.30.160.19] TTL 1200
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>>[set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>>[write_pipe_handler] (0x0400): All data has been sent!
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>>[read_pipe_handler] (0x0400): EOF received, client finished
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>>[sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/
>>ccache_L.INFOTECHPSP.NET], expired on [1440420165]
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>>[sdap_cli_auth_step] (0x0100): expire timeout is 900
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [sasl_bind_send]
>>(0x0100): Executing sasl bind mech: GSSAPI, user: host/
>>ussd7.l.infotechpsp.net
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>>[child_sig_handler] (0x0100): child [13370] finished successfully.
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>>[fo_set_port_status] (0x0100): Marking port 389 of server '
>>ipasrv.l.infotechpsp.net' as 'working'
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>>[set_server_common_status] (0x0100): Marking server '
>>ipasrv.l.infotechpsp.net' as 'working'
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>>[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>>[objectclass=ipaNTTrustedDomain][cn=trusts,dc=l,dc=infotechpsp,dc=net].
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [be_run_online_cb]
>>(0x0080): Going online. Running callbacks.
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>>[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
>>set
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>>[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>>[objectclass=ipaIDRange][cn=ranges,cn=etc,dc=l,dc=infotechpsp,dc=net].
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>>[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
>>set
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>>[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>>[objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=l,dc=infotechpsp,dc=net].
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>>[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
>>set
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>>[get_subdomains_callback] (0x0400): Backend returned: (0, 0, <NULL>)
>>[Success]
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>>[be_get_account_info] (0x0100): Got request for [4097][1][name=abagheri]
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>>[ipa_s2n_exop_send] (0x0400): Executing extended operation
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>>[ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations
>>error(1), (null)
>There seems to be a problem on the server side.
>It is very likely a bug in sssd on the FreeIPA server.
>
>Some AD-related fixes are included in the latest update in el7.1
>(1.12.2-58.el7_1.14)
>
>If it does not help, please try to upgrade to the latest upstream version
>of sssd[1]. I hope it will help; otherwise we will need to see log files
>from the IPA server.
>
>LS
>
>[1] https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/
>
Did it help to upgrade sssd?

LS
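
An added example, not part of the original thread: a small Python parser that re-joins the mail-wrapped SSSD domain log quoted above and pairs each account request with a failed `ipa_s2n_exop_done` result, the entry that points at the IPA server side. The function names are this example's own, and the sample is a subset of the lines quoted in the thread.

```python
import re

# Start of an SSSD debug entry, e.g. "(Sun Aug 23 17:12:46 2015) ".
START = re.compile(r"^\(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}\) ")
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>\S+)\] "
                   r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$")
REQUEST = re.compile(r"Got request for \[\w+\]\[\w+\]\[name=(?P<name>[^\]]+)\]")
RESULT = re.compile(r"ldap_extended_operation result: (?P<text>.+?)\((?P<code>\d+)\)")

def unwrap(text):
    """Strip mail quote markers and re-join entries wrapped by the mailer."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if START.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line  # continuation, even one starting with "("
    return entries

def failed_lookups(text):
    """Pair each account request with a failed ipa_s2n extended operation."""
    findings, pending = [], None
    for entry in unwrap(text):
        if not (m := ENTRY.match(entry)):
            continue
        req = REQUEST.search(m["msg"])
        if m["func"] == "be_get_account_info" and req:
            pending = req["name"]
        res = RESULT.search(m["msg"])
        if m["func"] == "ipa_s2n_exop_done" and res:
            if int(res["code"]) != 0:
                findings.append((m["ts"], pending, int(res["code"]), res["text"].strip()))
            pending = None
    return findings

# Sample input: lines copied from the log quoted in this thread, still wrapped.
SAMPLE = """\
>>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [sdap_kinit_send]
>>(0x0400): Attempting kinit (default, host/ussd7.l.infotechpsp.net,
>>L.INFOTECHPSP.NET, 86400)
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>>[be_get_account_info] (0x0100): Got request for [4097][1][name=abagheri]
>>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>>[ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations
>>error(1), (null)
"""

print(failed_lookups(SAMPLE))
```

A non-empty result on a client means the lookup of the AD user was rejected by the extended operation on the IPA server, so the next logs to collect are the server's.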



