[Freeipa-users] ipa-client login as AD user in trusted domain

Guy Knights guy at bluebatgames.com
Wed Aug 10 21:19:23 UTC 2016


OK, I increased the debug level as you recommended and it's given me a lot
of useful info. Before I go any further trying to troubleshoot that mass of
info on this mailing list though, I would like to double check something I
came across. In the debug output I noticed this line:

"No ccache file for user [bobt at ad.bbg.net] found."

I then searched this error and found this thread in which the OP seems to
have basically the same setup as me:

https://lists.fedorahosted.org/pipermail/sssd-users/2013-January/000379.html

I started playing with kinit on the Ubuntu machine that I'm trying to log
into, and got this error:

"kinit: Cannot find KDC for realm "AD.BBG.NET" while getting initial
credentials"

After reading through some of the replies on the above thread, I saw a post
that basically says that while the initial user info lookup is via FreeIPA,
to actually authenticate a user the ipa client machine must connect
directly to the AD controller. If this is true, it basically means the
setup I was planning to use (FreeIPA in the cloud replicating/proxying
local AD user accounts) is not going to work as I'd hoped. Could you
confirm if this behaviour is in fact correct?

Thanks,
Guy

On 9 August 2016 at 18:47, Justin Stephenson <jstephen at redhat.com> wrote:

> Hello,
>
> You may need to increase the debug level to 9 and look in the
> sssd_<ipadomain>.log for failures after the failed login attempt - I would
> look in between the log messages 'Got request for bobt...' and 'Backend
> returned'
>
>     https://fedorahosted.org/sssd/wiki/Troubleshooting
>
> You can also send the debug logs here for review.
>
> Make sure logins and lookups are working on the IPA server first before
> troubleshooting the IPA client.
>
> Kind regards,
>
> Justin Stephenson
> On 08/09/2016 07:32 PM, Guy Knights wrote:
>
> I've set up a FreeIPA server on a CentOS 7 machine and have successfully
> configured a 2-way trust between it and our Active Directory domain
> controller. I've also installed ipa-client on an Ubuntu 14.04 machine and
> have run ipa-client-install, which has apparently successfully joined the
> FreeIPA domain.
>
> So far, I can successfully do the following:
>
> 1. Log into the FreeIPA machine with an AD user account.
> 2. Log into the Ubuntu machine with a FreeIPA account.
> 3. Run 'getent passwd <freeipa username>' on the Ubuntu machine and have
> it return the associated FreeIPA user account details (e.g.
> "jackt:*:1131000005:1131000005:Jack Test:/home/ipa.bbg.net/jackt:/bin/bash")
> 4. Run 'getent passwd <ad username>' on the Ubuntu machine and have it
> return the associated AD user account details (e.g.
> "bobt at ad.bbg.net:*:1946801107:1946801107::/home/ad.bbg.net/bobt:/bin/bash")
>
> What I can't do is log into the Ubuntu machine with the AD user. I'm using
> the following SSH command from the command line on my Mac:
>
> ssh -o User=bobt at ad.bbg.net vm1.bbg.com
>
> It asks me for the password, I enter it and it says permission denied,
> please try again. I set the debug level in SSSD on the Ubuntu client to 5
> and this is what shows up in the log during the login attempt:
>
> (Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
> (Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
> (Tue Aug  9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request with the following data
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): domain: ad.bbg.net
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: bobt at ad.bbg.net
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): service: sshd
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): tty: ssh
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): ruser:
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): rhost: 192.168.100.157
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): authtok type: 1
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): priv: 1
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): cli_pid: 16230
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [bobt at ad.bbg.net] found.
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_resolve_server_process] (0x0200): Found address for server dc.ipa.bbg.net: [192.168.100.14] TTL 3600
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][ad.bbg.net]
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [child_sig_handler] (0x0100): child [16313] finished successfully.
>
> Can anyone explain why it's saying account info lookup failed when it can
> get the account info fine via getent?
>
> Thanks,
> Guy
>


-- 

*Guy Knights*
Senior Systems Engineer
BlueBat Games Inc.
Ph: 778-379-5120
Email: guy at bluebatgames.com
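Justin's advice above (read sssd_<ipadomain>.log between 'Got request for bobt...' and 'Backend returned') is easy to follow for one login but tedious once the debug level is at 9 and the log is thousands of lines. The script below is an added example written for this archive page; it is not code from the thread, from SSSD or from FreeIPA. It groups the backend debug records into requests and flags the three things that stand out in Guy's log: the 'Account info lookup failed' status on the lookup, the 'No ccache file' line that shows SSSD has no cached credentials and must do a fresh Kerberos authentication, and the non-zero PAM status in the 'Backend returned' line. The sample log is constructed from the lines Guy posted, one record per line, with the archive's "at" restored to "@"; the PAM status names are a small subset of Linux-PAM's codes and are included here as an assumption to make that number readable.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One SSSD backend debug record, e.g.
# (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request ...
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]\s]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
NAME_RE = re.compile(r"name=([^\]]+)")
BACKEND_RE = re.compile(r"Backend returned: \((\d+), (\d+), ([^)]*)\)")

# Small subset of Linux-PAM status codes (security/_pam_types.h); assumed here
# only to label the middle number in 'Backend returned: (dp_err, pam_status, ...)'.
PAM_STATUS = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR"}

# Constructed sample: the records from this thread, one per line, "at" restored to "@".
SAMPLE_LOG = """\
(Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
(Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug  9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): domain: ad.bbg.net
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: bobt@ad.bbg.net
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [bobt@ad.bbg.net] found.
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_resolve_server_process] (0x0200): Found address for server dc.ipa.bbg.net: [192.168.100.14] TTL 3600
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
"""

@dataclass
class Request:
    kind: str                      # "lookup" (be_get_account_info) or "pam" (be_pam_handler)
    started: str                   # timestamp of the 'Got request' record
    user: Optional[str] = None
    command: Optional[str] = None  # PAM command, e.g. PAM_AUTHENTICATE
    result: Optional[str] = None   # text after 'Returned ' / 'Backend returned: '
    pam_status: Optional[int] = None
    warnings: List[str] = field(default_factory=list)

def parse_line(line: str) -> Optional[dict]:
    """Split one debug record into its fields; None for anything that is not a record."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def analyze(lines) -> Tuple[List[Request], List[str]]:
    """Group records into requests ('Got request' .. its callback); stray callbacks go to orphans."""
    requests: List[Request] = []
    orphans: List[str] = []
    current: Optional[Request] = None
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        func, msg = rec["func"], rec["msg"]
        if func == "be_get_account_info" and msg.startswith("Got request for"):
            m = NAME_RE.search(msg)
            current = Request("lookup", rec["ts"], user=m.group(1) if m else None)
            requests.append(current)
        elif func == "be_pam_handler" and msg.startswith("Got request"):
            current = Request("pam", rec["ts"])
            requests.append(current)
        lookup_done = func == "acctinfo_callback" and msg.startswith("Request processed. Returned ")
        pam_done = func == "be_pam_handler_callback" and msg.startswith("Backend returned: ")
        if current is None:
            if lookup_done or pam_done:
                orphans.append(f"{rec['ts']} [{func}] {msg}")
            continue
        if func == "pam_print_data" and msg.startswith("user: "):
            current.user = msg[len("user: "):]
        elif func == "pam_print_data" and msg.startswith("command: "):
            current.command = msg[len("command: "):]
        elif "No ccache file" in msg:   # krb5_auth_send: no cached creds, fresh Kerberos auth needed
            current.warnings.append(msg)
        elif lookup_done:
            current.result = msg[len("Request processed. Returned "):]
            if not current.result.endswith("Success"):
                current.warnings.append(current.result)
            current = None
        elif pam_done:
            current.result = msg[len("Backend returned: "):]
            m = BACKEND_RE.search(msg)
            if m:
                current.pam_status = int(m.group(2))
                if current.pam_status != 0:
                    name = PAM_STATUS.get(current.pam_status, "unknown")
                    current.warnings.append(f"PAM status {current.pam_status} ({name})")
            current = None
    return requests, orphans

def summarize(requests: List[Request], orphans: List[str]) -> List[str]:
    """One line per request so the failing step stands out."""
    out = [f"{r.started} {r.kind:<6} {r.command or 'lookup':<16} user={r.user or '?'} "
           f"{'CHECK: ' + '; '.join(r.warnings) if r.warnings else 'ok: ' + str(r.result)}"
           for r in requests]
    out.extend(f"orphan callback: {o}" for o in orphans)
    return out

if __name__ == "__main__":
    reqs, orph = analyze(SAMPLE_LOG.splitlines())
    print("\n".join(summarize(reqs, orph)))
```

Run it against a real sssd_<domain>.log by passing the file's lines to analyze(); a request that ends with CHECK is the one to read in full, and an orphan callback (a 'Request processed' with no preceding 'Got request' at the current debug level, as at 16:25:57 in the sample) is usually a request whose start was logged at a higher level than the one in use.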