[Freeipa-users] Login Troubles with Centos7 and external users (4.2.0-15.0.1.el7.centos.17)
Jake
freeipa at jacobdevans.com
Wed Aug 3 18:14:43 UTC 2016
Hello All,
I'm new to FreeIPA and am having some issues with my endpoints.
First attempts to login as username at legacy.example.org always fail with:
Logs on client:
sshd[3771]: Invalid user username at legacy.example.org from 192.168.1.123
sshd[3771]: input_userauth_request: invalid user username at legacy.example.org [preauth]
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=username]
[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1003][1][name=NOUSER]
[sssd[be[ipa.example.com]]] [sysdb_get_real_name] (0x0040): sysdb_search_object_by_uuid did not return a single result.
[sssd[be[ipa.example.com]]] [groups_by_user_done] (0x0040): Failed to canonicalize name, using [NOUSER].
[sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][idnumber=1644425765]
[sssd[be[ipa.example.com]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
[sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][idnumber=1644425765]
[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][idnumber=1644425765]
[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][idnumber=1644425765]
[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
running the command 'getent password username at legacy.example.org' on the ipa server works fine
Logs from server:
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=username]
[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0080): Sudomain lookup failed, will try to reset sudomain..
[sssd[be[ipa.example.com]]] [child_sig_handler] (0x0100): child [26269] finished successfully.
[sssd[be[ipa.example.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'legacy.example.org' as 'neutral'
[sssd[be[ipa.example.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'neutral'
[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [1432158262]: Subdomain is inactive.
[sssd[be[ipa.example.com]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 1432158262
[sssd[be[ipa.example.com]]] [ipa_account_info_error_text] (0x0020): Bug: dp_error is OK on failed request
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158262,Account info lookup failed
Stuff:
(4) IPA Masters at ipa.example.com
(4) root domain controllers in example.com
(4) child domain controllers in new.example.com
(4) second domain in legacy.example.org
There is a (1) way trust between ipa.example.com and example.com (forest trust)
There is a (1) way trust between ipa.example.com and legacy.example.org (forest with single domain)
There is a (2) way trust between example.com and legacy.example.org (forest transitive trust)
Users are in legacy.example.org and new.example.com
User Computers are in new .example.com
Linux Servers are in ipa.example.com as hostname linux.example.com
Gist for kbr5.conf https://gist.github.com/JakeDEvans/8e787bc5751d3d0e8f3b18943d63f00b
Gist for sssd.conf https://gist.github.com/JakeDEvans/ed34098b96b6e061095da85e1db58d70
all other configs unmodified.
Also, is it normal that the login is very slow?
Thanks All,
-Jake
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160803/0fa8e130/attachment.htm>
More information about the Freeipa-users
mailing list