[Freeipa-users] Trust Issues W/ Logins on Windows Desktops

Matt Wells matt.wells at mosaic451.com
Wed Sep 30 18:36:47 UTC 2015


Hi all, I hoped I may glean some brilliance from the group.
I have a FreeIPA server sitting atop a Fedora 21 server.  The initial plan
was to replicate users+passwords with a Windows 2012R2 server, but following
some of the information in the other posts and docs we've moved to a
trust.  The trust has been set up using the documentation and, in short, it's
worked without issue.  I'm able to get principals from the Windows realm
(marvel.comics.com).  So what I'm attempting and failing to do is
authenticating my IPA users to the Windows 8 desktops.  Ideally I don't
want any users in AD; it's simply there to deliver a GPO, and in the next
year it will be phased out and we'll be replacing Windows 8 with Linux
desktops.

So
marvel.comics.com = windows
dc.comics.com = freeipa

# rpm -qi freeipa-server
Name        : freeipa-server
Version     : 4.1.4
Release     : 1.fc21
Architecture: x86_64
Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
Group       : System Environment/Base
Size        : 4521059
License     : GPLv3+
Signature   : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID 89ad4e8795a43f54
Source RPM  : freeipa-4.1.4-1.fc21.src.rpm
Build Date  : Thu 26 Mar 2015 03:16:19 PM UTC
Build Host  : buildhw-07.phx2.fedoraproject.org
[root@freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon Aug 17 22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
Fedora release 21 (Twenty One)

To cut to the chase, here's me logging into a Windows 8 desktop system.  I
try to log in 3 different ways; this system is a member of the marvel
domain.  Time is extremely close, close enough that I feel really good
about ruling it out.  Any light you all could shed on this would be
outstanding.  Thank you all for your time on this; I really appreciate all
the time and effort this team puts into reading these posts.

Username: dc/greenlantern
Password: ************

[root@freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i greenlantern
[30/Sep/2015:17:55:33 +0000] conn=1172 op=46 SRCH base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc)(krbPrincipalName=greenlantern@dc)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
objectClass"

Username: greenlantern@dc
Password: ************


[30/Sep/2015:17:59:48 +0000] conn=1172 op=86 SRCH base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc)(krbPrincipalName=greenlantern@dc)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
objectClass"


Username: greenlantern@dc.comics.com
Password: ************

[30/Sep/2015:17:59:35 +0000] conn=1172 op=84 SRCH base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5C@dc.COMICS.com@DC.COMICS.COM)(krbPrincipalName=greenlantern\5C@dc.COMICS.com@DC.COMICS.COM)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
objectClass"


From what I can tell, everything looks good to wbinfo; we see the domain
and he sees us.  In the AD trust I can go under the trust and validate the
trust with no issues.
[root@freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --online-status
BUILTIN : online
DC : online
MARVEL : online
[root@freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info marvel.comics.com
Name              : MARVEL
Alt_Name          : marvel.comics.com
SID               : S-1-5-21-3495301974-2766379234-3984916731
Active Directory  : Yes
Native            : Yes
Primary           : No
[root@freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo -n 'MARVEL.COMICS.COM\Domain Admins'
S-1-5-21-3495301974-2766379234-3984916731-512 SID_DOM_GROUP (2)
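The three SRCH entries above are the most useful evidence in the post: the filter shows the exact krbPrincipalName string the IPA KDC asked the directory for on each logon attempt, and that string is how the Windows client encoded the login name. The script below is an added example (not part of the post or of FreeIPA) that pulls those lookups out of a 389-ds access log, undoes the RFC 4515 filter escaping (so `\5C` becomes a literal backslash), splits the result into name and realm the way MIT Kerberos unparses principals (a backslash-escaped `\@` is an `@` inside a name component, not the realm separator), and compares each lookup with what the directory would have to hold. The sample log is constructed from the post's three entries, re-joined onto one line each with the archive's " at " scrubbing and autolink residue undone and the attrs list shortened; `STORED_PRINCIPALS` and `EXPECTED_REALM` are assumptions about what the IPA user entry contains, not facts from the post.

```python
import re

# Constructed sample input: the three 389-ds access-log SRCH entries quoted
# in the post, re-joined onto one line each (the list archive wrapped them,
# turned "@" into " at " and appended an autolink; both are undone here).
# The attrs list is shortened; the parser does not use it.
SAMPLE_LOG = r"""
[30/Sep/2015:17:55:33 +0000] conn=1172 op=46 SRCH base="dc=dc,dc=comics,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName objectClass"
[30/Sep/2015:17:59:48 +0000] conn=1172 op=86 SRCH base="dc=dc,dc=comics,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName objectClass"
[30/Sep/2015:17:59:35 +0000] conn=1172 op=84 SRCH base="dc=dc,dc=comics,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5C@dc.COMICS.com@DC.COMICS.COM)(krbPrincipalName=greenlantern\5C@dc.COMICS.com@DC.COMICS.COM)))" attrs="krbPrincipalName objectClass"
"""

# Assumed (not from the post): the principal stored on the IPA user entry and
# the IPA realm a lookup must name to hit it.
STORED_PRINCIPALS = {"greenlantern@DC.COMICS.COM"}
EXPECTED_REALM = "DC.COMICS.COM"

SRCH_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH .*?filter="(?P<filter>[^"]*)"')
PRINC_RE = re.compile(r'\(krbPrincipalName=([^)]*)\)')


def ldap_filter_unescape(value):
    """Undo RFC 4515 filter escaping: "\\XX" is one byte given as two hex digits,
    so "\\5C" is a literal backslash and "\\29" a literal ")"."""
    raw = re.sub(rb'\\([0-9A-Fa-f]{2})',
                 lambda m: bytes([int(m.group(1), 16)]),
                 value.encode("utf-8"))
    return raw.decode("utf-8")


def parse_krb_principal(text):
    """Split an MIT-style unparsed principal into (name, realm).

    MIT writes "@", "/" and "\\" that occur *inside* a component with a leading
    backslash, so "user\\@dom@REALM" is the single component "user@dom" in REALM;
    the first unescaped "@" starts the realm."""
    tokens = []  # (char, was_escaped)
    i = 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            tokens.append((text[i + 1], True))
            i += 2
        else:
            tokens.append((text[i], False))
            i += 1
    seps = [k for k, (c, esc) in enumerate(tokens) if c == "@" and not esc]
    if not seps:
        return "".join(c for c, _ in tokens), None
    name = "".join(c for c, _ in tokens[:seps[0]])
    realm = "".join(c for c, _ in tokens[seps[0] + 1:])
    return name, realm


def classify_lookup(principal, stored, expected_realm):
    """Describe one KDC lookup string the way a triage would read it."""
    name, realm = parse_krb_principal(principal)
    return {
        "principal": principal,
        "name": name,
        "realm": realm,
        # Kerberos realm names are case-sensitive; "dc" is not "DC.COMICS.COM".
        "realm_ok": realm == expected_realm,
        # An "@" inside the name component means the client sent "user@domain"
        # as one name (the unparsed form of an NT-ENTERPRISE logon name).
        "enterprise_style": "@" in name,
        # Exact string comparison against what the directory holds; this is the
        # example's own check, standing in for the LDAP equality match.
        "matches_stored": principal in stored,
    }


def kdc_lookups(log_text, stored=STORED_PRINCIPALS, expected_realm=EXPECTED_REALM):
    """Pull every krbPrincipalName the KDC asked the directory for out of an
    access log, un-escape it and classify it."""
    results = []
    for line in log_text.strip().splitlines():
        m = SRCH_RE.match(line)
        if not m:
            continue
        p = PRINC_RE.search(m.group("filter"))
        if not p:
            continue
        entry = classify_lookup(ldap_filter_unescape(p.group(1)), stored, expected_realm)
        entry.update(ts=m.group("ts"), conn=m.group("conn"), op=m.group("op"))
        results.append(entry)
    return results


if __name__ == "__main__":
    for r in kdc_lookups(SAMPLE_LOG):
        print(f"op={r['op']:>3} looked up {r['principal']!r}: name={r['name']!r} "
              f"realm={r['realm']!r} realm_ok={r['realm_ok']} "
              f"enterprise_style={r['enterprise_style']} matches_stored={r['matches_stored']}")
```

Run against the three entries, the first two attempts (op 46 and op 86) resolve to name `greenlantern` in realm `dc`, and the third (op 84) to the single name component `greenlantern@dc.COMICS.com` in realm `DC.COMICS.COM`; none of them is the string `greenlantern@DC.COMICS.COM` that the assumed user entry carries, which is the comparison worth making before touching the trust or the clock.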