[Freeipa-users] Login Troubles with Centos7 and external users (4.2.0-15.0.1.el7.centos.17)

Alexander Bokovoy abokovoy at redhat.com
Thu Aug 4 05:46:51 UTC 2016


On Wed, 03 Aug 2016, Jake wrote:
>Hello All,
>I'm new to FreeIPA and am having some issues with my endpoints.
>
>First attempts to login as username@legacy.example.org always fail with:
>Logs on client:
>sshd[3771]: Invalid user username@legacy.example.org from 192.168.1.123
>sshd[3771]: input_userauth_request: invalid user username@legacy.example.org [preauth]
>
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=username]
>[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
>[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1003][1][name=NOUSER]
>[sssd[be[ipa.example.com]]] [sysdb_get_real_name] (0x0040): sysdb_search_object_by_uuid did not return a single result.
>[sssd[be[ipa.example.com]]] [groups_by_user_done] (0x0040): Failed to canonicalize name, using [NOUSER].
>[sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][idnumber=1644425765]
>[sssd[be[ipa.example.com]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
>[sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][idnumber=1644425765]
>[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
>[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][idnumber=1644425765]
>[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
>[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][idnumber=1644425765]
>[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
>[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
>
>running the command 'getent password username@legacy.example.org' on the ipa server works fine
>
>Logs from server:
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=username]
>[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0080): Sudomain lookup failed, will try to reset sudomain..
>[sssd[be[ipa.example.com]]] [child_sig_handler] (0x0100): child [26269] finished successfully.
>[sssd[be[ipa.example.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'legacy.example.org' as 'neutral'
>[sssd[be[ipa.example.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'neutral'
>[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [1432158262]: Subdomain is inactive.
>[sssd[be[ipa.example.com]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 1432158262
>[sssd[be[ipa.example.com]]] [ipa_account_info_error_text] (0x0020): Bug: dp_error is OK on failed request
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158262,Account info lookup failed
>
>
>Stuff:
>(4) IPA Masters at ipa.example.com
>(4) root domain controllers in example.com
>(4) child domain controllers in new.example.com
>(4) second domain in legacy.example.org
>
>There is a (1) way trust between ipa.example.com and example.com (forest trust)
>There is a (1) way trust between ipa.example.com and legacy.example.org (forest with single domain)
>There is a (2) way trust between example.com and legacy.example.org (forest transitive trust)
Was the trust between example.com and legacy.example.org established
before establishing trust between IPA and any of those forest roots?

Can you check in the trust properties on AD side for both forest roots,
what is the state of name suffix routing to IPA domain? It should be
enabled for both.

If not, you need to solve conflicts.

There is a documentation reference on the Microsoft side on how to add
exclusion entries for name routing suffixes. This is the detailed
instruction:
https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx

For configuration where:
  - AD example.com trusts IPA at ipa.example.com
  - AD example.org trusts AD example.com
  - an attempt to establish a trust between ipa.example.com and
    example.org generates a conflict in example.org for the
    example.com namespace.

A sequence might be like the following one:
   1. Establish trust between example.com and ipa.example.com
   2. Establish trust between example.com and example.org
   3. Now, as Administrator in example.org, do what
      https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx
      describes for the trust 'example.com' and add an exclusion entry for
      ipa.example.com
   4. Establish trust between ipa.example.com and example.org

It is important to add the exclusion entry before step 4, or a conflict
will be recorded which cannot be cleared easily right now due to a
combination of bugs in both IPA and Active Directory.


>
>Users are in legacy.example.org and new.example.com
>User Computers are in new.example.com
>Linux Servers are in ipa.example.com as hostname linux.example.com
>
>Gist for krb5.conf https://gist.github.com/JakeDEvans/8e787bc5751d3d0e8f3b18943d63f00b
>Gist for sssd.conf https://gist.github.com/JakeDEvans/ed34098b96b6e061095da85e1db58d70
>
>all other configs unmodified.
>
>Also, is it normal that the login is very slow?
>
>Thanks All,
>-Jake


-- 
/ Alexander Bokovoy
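The client and server logs quoted above carry two distinct signatures: the client only sees the s2n extended operation return "No such object(32)", while the IPA master performing the AD subdomain lookup reports "Subdomain is inactive" with error code 1432158262. The following parser is an added example (not part of the thread, not SSSD's or FreeIPA's code) that splits SSSD backend debug lines into their fields and flags that combination; the sample lines are constructed after the ones in the post.

```python
"""Classify SSSD IPA-backend debug lines of the form quoted in the thread:
[sssd[be[<domain>]]] [<function>] (0x<level>): <message>"""
import re
from collections import Counter

SSSD_LINE = re.compile(
    r"^\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

# What the client sees (s2n extended operation) versus what only the IPA
# master doing the AD subdomain lookup reports.
SYMPTOMS = {
    "s2n_no_such_object": re.compile(r"No such object\(32\)"),
    "subdomain_reset": re.compile(r"lookup failed, will try to reset"),
    "subdomain_inactive": re.compile(r"Subdomain is inactive"),
}
ACCT_ERR = re.compile(r"ipa_get_\*_acct request failed: \[?(\d+)")

def parse_line(line):
    """Split one debug line into domain, function, numeric level and message."""
    m = SSSD_LINE.match(line.strip())
    if m is None:
        return None  # not an sssd_be line (e.g. sshd output)
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    return rec

def summarize(lines):
    """Count symptom tags and collect the numeric ipa_get_*_acct error codes."""
    tags, codes = Counter(), set()
    for rec in filter(None, map(parse_line, lines)):
        for tag, pat in SYMPTOMS.items():
            if pat.search(rec["msg"]):
                tags[tag] += 1
        m = ACCT_ERR.search(rec["msg"])
        if m:
            codes.add(int(m.group(1)))
    return tags, codes

def trust_lookup_broken(tags):
    """Client s2n failures plus server 'Subdomain is inactive' point at the trust."""
    return tags["s2n_no_such_object"] > 0 and tags["subdomain_inactive"] > 0

# Constructed sample, modelled on the client and server logs in the post.
SAMPLE = [
    "[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=username]",
    "[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).",
    "[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.",
    "[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0080): Sudomain lookup failed, will try to reset sudomain..",
    "[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [1432158262]: Subdomain is inactive.",
    "[sssd[be[ipa.example.com]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 1432158262",
    "sshd[3771]: Invalid user username@legacy.example.org from 192.168.1.123",
]
```

Run `summarize()` over the client log alone and `trust_lookup_broken()` stays false; only the master's log supplies the "Subdomain is inactive" half, which is why the server-side sssd_be log is the one to collect when chasing this symptom.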