[Freeipa-users] Trust Issues W/ Logins on Windows Desktops
Matt Wells
matt.wells at mosaic451.com
Wed Sep 30 18:36:47 UTC 2015
Hi all, I hoped I may glean some brilliance from the group.
I have a Freeipa Server sitting atop a Fedora 21 server. The initial plan
was to replicate users+passwords with Windows 2012R2 server but following
some of the information in the other posts and docs we've moved to a
trust. The trust has been setup using the documentation and in short it's
worked without issue. I'm able to get principles from the Windows realm (
marvel.comics.com). So what I'm attempting and failing to do is
authenticating my IPA users to the Windows 8 desktops. Ideally I don't
want any users in AD, it's simply there to deliver a GPO and in the next
year it will be phased out and we'll be replacing Windows 8 with linux
desktops.
So
marvel.comics.com = windows
dc.comics.com = freeipa
# rpm -qi freeipa-server
Name : freeipa-server
Version : 4.1.4
Release : 1.fc21
Architecture: x86_64
Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
Group : System Environment/Base
Size : 4521059
License : GPLv3+
Signature : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID
89ad4e8795a43f54
Source RPM : freeipa-4.1.4-1.fc21.src.rpm
Build Date : Thu 26 Mar 2015 03:16:19 PM UTC
Build Host : buildhw-07.phx2.fedoraproject.org
[root at freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon Aug 17
22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root at freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
Fedora release 21 (Twenty One)
To cut to the chase here's me logging into a Windows 8 desktop system. I
try to login 3 different ways; this system is a member of the marvel
domain. Time is extremely close, close enough that I feel really good
about ruling it out. Any light you all could shed on this would be
outstanding. Thank you all for your time on this, I really appreciate all
the time and effort this team puts into reading these posts.
Username: dc/greenlantern
Password: ************
[root at freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i
greenlantern
[30/Sep/2015:17:55:33 +0000] conn=1172 op=46 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern at dc
)(krbPrincipalName=greenlantern at dc)))" attrs="krbPrincipalName
krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
objectClass"
Username: greenlanter at dc
Password: ************
[30/Sep/2015:17:59:48 +0000] conn=1172 op=86 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern at dc
)(krbPrincipalName=greenlantern at dc)))" attrs="krbPrincipalName
krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
objectClass"
Username: greenlanter at dc.comics.com
Password: ************
[30/Sep/2015:17:59:35 +0000] conn=1172 op=84 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5C at dc.COMICS.com
@DC.COMICS.COM <http://dc.comics.com/>
)(krbPrincipalName=greenlantern\5C at dc.COMICS.com@DC.COMICS.COM
<http://dc.comics.com/>)))" attrs="krbPrincipalName krbCanonicalName
ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>From what I can tell, everything looks good to wbinfo; we see the domain
and he see's us. In the AD trust I can go under the trust and validate the
trust with no issues.
[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --online-status
BUILTIN : online
DC : online
MARVEL : online
[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
marvel.comics.com
Name : MARVEL
Alt_Name : marvel.comics.com
SID : S-1-5-21-3495301974-2766379234-3984916731
Active Directory : Yes
Native : Yes
Primary : No
[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo -n
'MARVEL.COMICS.COM\Domain
Admins'
S-1-5-21-3495301974-2766379234-3984916731-512 SID_DOM_GROUP (2)
[root at freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
marvel.comics.com
Name : MARVEL
Alt_Name : marvel.comics.com
SID : S-1-5-21-3495301974-2766379234-3984916731
Active Directory : Yes
Native : Yes
Primary : No
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150930/29923162/attachment.htm>
More information about the Freeipa-users
mailing list