[Freeipa-users] ipa-client login as AD user in trusted domain

Justin Stephenson jstephen at redhat.com
Wed Aug 10 21:46:14 UTC 2016


On 08/10/2016 05:19 PM, Guy Knights wrote:
> Ok, I increased the debug level as you recommended and it's given me a 
> lot of useful info. Before I go any further trying to troubleshoot 
> that mass of info on this mailing list though, I would like to double 
> check something I came across. In the debug output I noticed this line:
>
> "No ccache file for user [bobt@ad.bbg.net] found."
>
I would not dwell much on this error message, I see the same error from 
the krb5_auth_prepare_ccache_name function when I successfully logged in 
as an AD user on my IPA client (I suspect the ccache gets created shortly 
after). Higher debug levels mean there will be a lot of log messages that 
look like errors but may not be.
>
> I then searched this error and found this thread in which the OP seems 
> to have basically the same setup as me:
>
> https://lists.fedorahosted.org/pipermail/sssd-users/2013-January/000379.html
>
> I started playing with kinit on the ubuntu machine that I'm trying to 
> log into, and got this error:
>
> "kinit: Cannot find KDC for realm "AD.BBG.NET" while getting initial credentials"
>
> After reading through some of the replies on the above thread, I saw a 
> post that basically says that while the initial user info lookup is 
> via FreeIPA, to actually authenticate a user the ipa client machine 
> must connect directly to the AD controller. If this is true, it 
> basically means the setup I was planning to use (FreeIPA in the cloud 
> replicating/proxying local AD user accounts) is not going to work as 
> I'd hoped. Could you confirm if this behaviour is in fact correct?
>
Yes, the IPA client at some points needs to communicate directly with AD 
for Kerberos communication - you should see this in 
/var/log/sssd/krb5_child.log

This is explained better than I could here:

The anatomy of a trusted identity lookup
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/


Kind regards,
Justin Stephenson
> Thanks,
> Guy
>
> On 9 August 2016 at 18:47, Justin Stephenson <jstephen at redhat.com> wrote:
>
>     Hello,
>
>     You may need to increase the debug level to 9 and look in the
>     sssd_<ipadomain>.log for failures after the failed login attempt -
>     i would look in between log messages 'Got request for bobt...' and
>     'Backend returned' messages
>
>     https://fedorahosted.org/sssd/wiki/Troubleshooting
>
>     You can also send the debug logs here for review.
>
>     Make sure logins and lookups are working on the IPA server first
>     before troubleshooting the IPA client.
>
>     Kind regards,
>
>     Justin Stephenson
>
>     On 08/09/2016 07:32 PM, Guy Knights wrote:
>>     I've set up a freeipa server on a centos 7 machine and have
>>     successfully configured a 2-way trust between it and our active
>>     directory domain controller. I've also installed ipa-client on an
>>     ubuntu 14.04 machine and have run ipa-client-install, which has
>>     apparently successfully joined the FreeIPA domain.
>>
>>     So far, I can successfully do the following:
>>
>>     1. Log into the FreeIPA machine with an AD user account.
>>     2. Log into the Ubuntu machine with a FreeIPA account.
>>     3. Run 'getent passwd <freeipa username>' on the Ubuntu machine
>>     and have it return the associated FreeIPA user account details
>>     (eg. "jackt:*:1131000005:1131000005:Jack Test:/home/ipa.bbg.net/jackt:/bin/bash")
>>     4. Run 'getent passwd <ad username>' on the Ubuntu machine and
>>     have it return the associated AD user account details (eg.
>>     "bobt@ad.bbg.net:*:1946801107:1946801107::/home/ad.bbg.net/bobt:/bin/bash")
>>
>>     What I can't do is log into the Ubuntu machine with the AD user.
>>     I'm using the following SSH command from the command line on my mac:
>>
>>     ssh -o User=bobt@ad.bbg.net vm1.bbg.com
>>
>>     It asks me for the password, I enter it and it says permissions
>>     denied, please try again. I set the debug level in SSSD on the
>>     ubuntu client to 5 and this is what shows up in the log during
>>     the login attempt:
>>
>>     (Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
>>     (Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
>>     (Tue Aug  9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request with the following data
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): domain: ad.bbg.net
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: bobt@ad.bbg.net
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): service: sshd
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): tty: ssh
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): ruser:
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): rhost: 192.168.100.157
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): authtok type: 1
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): newauthtok type: 0
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): priv: 1
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): cli_pid: 16230
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [bobt@ad.bbg.net] found.
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_resolve_server_process] (0x0200): Found address for server dc.ipa.bbg.net: [192.168.100.14] TTL 3600
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][ad.bbg.net]
>>     (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [child_sig_handler] (0x0100): child [16313] finished successfully.
>>
>>     Can anyone explain why it's saying account info lookup failed
>>     when it can get the account info fine via getent?
>>
>>     Thanks,
>>     Guy
>>
>>
>
>
>
>
> -- 
>
> Guy Knights
> Senior Systems Engineer
> BlueBat Games Inc.
> Ph: 778-379-5120
> Email: guy at bluebatgames.com
>
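The two places Justin points at in the backend log ('Got request for ...' through 'Backend returned' / 'Sending result') can be pulled out of a debug-level sssd_<domain>.log mechanically. This is an added example, not code from the thread or from SSSD; the DP_ERR and BE_REQ numeric mappings are assumed from SSSD's 1.x headers, the PAM return codes are Linux-PAM's, and the sample log lines are constructed to mirror the ones quoted above.

```python
"""Triage helper for SSSD backend debug logs like those pasted in this thread.
Constructed example, not SSSD's own tooling: pairs each be_get_account_info
request with its acctinfo_callback answer and decodes the PAM verdict."""
import re

LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>.*?)\] \[(?P<func>\w+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# Linux-PAM return codes (only the ones this triage needs).
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
             7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}
# SSSD data-provider status and request-type codes (assumed from the SSSD 1.x headers).
DP_ERR = {0: "DP_ERR_OK", 1: "DP_ERR_OFFLINE", 2: "DP_ERR_TIMEOUT", 3: "DP_ERR_FATAL"}
BE_REQ = {1: "user", 2: "group", 3: "initgroups"}  # low 12 bits; 0x1000 = BE_REQ_FAST

def triage(text):
    """Return (lookups, pam_results) extracted from the raw log text."""
    lookups, pam_results, pending = [], [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:                       # wrapped or garbled line: skip it
            continue
        func, msg, ts = m["func"], m["msg"], m["ts"]
        if func == "be_get_account_info":
            r = re.search(r"Got request for \[(\d+)\]\[\d+\]\[(.*)\]", msg)
            if r:
                et = int(r.group(1))
                pending.append({"ts": ts, "kind": BE_REQ.get(et & 0xFFF, str(et)),
                                "fast": bool(et & 0x1000), "filter": r.group(2)})
        elif func == "acctinfo_callback" and pending:
            r = re.search(r"Returned (\d+),(\d+),(.*)", msg)
            if r:                       # the answer belongs to the oldest open request
                req = pending.pop(0)
                req.update(dp_err=DP_ERR.get(int(r.group(1)), r.group(1)),
                           errno=int(r.group(2)), text=r.group(3))
                lookups.append(req)
        elif func == "be_pam_handler_callback":
            r = re.search(r"Sending result \[(\d+)\]\[(.*)\]", msg)
            if r:                       # the verdict sssd_pam hands back to sshd
                code = int(r.group(1))
                pam_results.append({"ts": ts, "domain": r.group(2), "code": code,
                                    "name": PAM_CODES.get(code, "unknown")})
    return lookups, pam_results

# Constructed sample that mirrors the thread's lines, HTML residue removed.
SAMPLE_LOG = """\
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [bobt@ad.bbg.net] found.
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
"""
```

On the sample above the initgroups lookup comes back DP_ERR_FATAL with errno 95 and the PAM result decodes to PAM_SYSTEM_ERR rather than PAM_AUTH_ERR, which is the signal to look at the backend's path to AD (krb5_child.log) before suspecting the password; the "No ccache file" line is deliberately not flagged.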
