[Freeipa-users] ipa-client login as AD user in trusted domain

Guy Knights guy at bluebatgames.com
Wed Aug 10 22:00:28 UTC 2016


Hmm, ok. In that case, I guess I need to rethink my setup. Thanks again for
all your help!

Kind regards,
Guy

On 10 August 2016 at 14:46, Justin Stephenson <jstephen at redhat.com> wrote:

> On 08/10/2016 05:19 PM, Guy Knights wrote:
>
> Ok, I increased the debug level as you recommended and it's given me a lot
> of useful info. Before I go any further trying to troubleshoot that mass of
> info on this mailing list though, I would like to double check something I
> came across. In the debug output I noticed this line:
>
> "No ccache file for user [bobt at ad.bbg.net] found."
>
> I would not dwell much on this error message, I see the same error from
> the krb5_auth_prepare_ccache_name function when I successfully logged in as
> an AD user on my IPA client (I suspect the ccache gets created shortly
> after). Higher debug logs means there will be a lot of log messages that
> look like errors but may not be.
>
> I then searched this error and found this thread in which the OP seems to
> have basically the same setup as me:
>
> https://lists.fedorahosted.org/pipermail/sssd-users/2013-January/000379.html
>
> I started playing with kinit on the ubuntu machine that I'm trying to log
> into, and got this error:
>
> "kinit: Cannot find KDC for realm "AD.BBG.NET" while getting initial
> credentials"
>
> After reading through some of the replies on the above thread, I saw a
> post that basically says that while the initial user info lookup is via
> FreeIPA, to actually authenticate a user the ipa client machine must
> connect directly to the AD controller. If this is true, it basically means
> the setup I was planning to use (FreeIPA in the cloud replicating/proxying
> local AD user accounts) is not going to work as I'd hoped. Could you
> confirm if this behaviour is in fact correct?
>
> Yes, the IPA client at some points needs to communicate directly with AD
> for Kerberos communication - you should see this in
> /var/log/sssd/krb5_child.log
>
> This is explained better than I could here:
>
> The anatomy of a trusted identity lookup
>
> https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
>
>
> Kind regards,
> Justin Stephenson
>
> Thanks,
> Guy
>
> On 9 August 2016 at 18:47, Justin Stephenson <jstephen at redhat.com> wrote:
>
>> Hello,
>>
>> You may need to increase the debug level to 9 and look in the
>> sssd_<ipadomain>.log for failures after the failed login attempt - I would
>> look in between the 'Got request for bobt...' and 'Backend
>> returned' log messages
>>
>>     https://fedorahosted.org/sssd/wiki/Troubleshooting
>>
>> You can also send the debug logs here for review.
>>
>> Make sure logins and lookups are working on the IPA server first before
>> troubleshooting the IPA client.
>>
>> Kind regards,
>>
>> Justin Stephenson
>> On 08/09/2016 07:32 PM, Guy Knights wrote:
>>
>> I've set up a freeipa server on a centos 7 machine and have successfully
>> configured a 2-way trust between it and our active directory domain
>> controller. I've also installed ipa-client on an ubuntu 14.04 machine and
>> have run ipa-client-install, which has apparently successfully joined the
>> FreeIPA domain.
>>
>> So far, I can successfully do the following:
>>
>> 1. Log into the FreeIPA machine with an AD user account.
>> 2. Log into the Ubuntu machine with a FreeIPA account.
>> 3. Run 'getent passwd <freeipa username>' on the Ubuntu machine and have
>> it return the associated FreeIPA user account details (eg.
>> "jackt:*:1131000005:1131000005:Jack Test:/home/ipa.bbg.net/jackt:/bin/bash")
>> 4. Run 'getent passwd <ad username>' on the Ubuntu machine and have it
>> return the associated AD user account details (eg.
>> "bobt at ad.bbg.net:*:1946801107:1946801107::/home/ad.bbg.net/bobt:/bin/bash")
>>
>> What I can't do is log into the Ubuntu machine with the AD user. I'm
>> using the following SSH command from the command line on my mac:
>>
>> ssh -o User=bobt at ad.bbg.net vm1.bbg.com
>>
>> It asks me for the password, I enter it and it says permissions denied,
>> please try again. I set the debug level in SSSD on the ubuntu client to 5
>> and this is what shows up in the log during the login attempt:
>>
>> (Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
>> (Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
>> (Tue Aug  9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request with the following data
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): domain: ad.bbg.net
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: bobt at ad.bbg.net
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): service: sshd
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): tty: ssh
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): ruser:
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): rhost: 192.168.100.157
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): authtok type: 1
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): newauthtok type: 0
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): priv: 1
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): cli_pid: 16230
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [bobt at ad.bbg.net] found.
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_resolve_server_process] (0x0200): Found address for server dc.ipa.bbg.net: [192.168.100.14] TTL 3600
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][ad.bbg.net]
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [child_sig_handler] (0x0100): child [16313] finished successfully.
>>
>> Can anyone explain why it's saying account info lookup failed when it can
>> get the account info fine via getent?
>>
>> Thanks,
>> Guy
>>
>>
>>
>>
>
>
> --
>
> * Guy Knights *
> Senior Systems Engineer
> BlueBat Games Inc.
> Ph: 778-379-5120
> Email: guy at bluebatgames.com
>
>
>


-- 

*Guy Knights*
Senior Systems Engineer
BlueBat Games Inc.
Ph: 778-379-5120
Email: guy at bluebatgames.com
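Justin's advice in the thread is to read the sssd_<ipadomain>.log window between the 'Got request for ...' line and the 'Backend returned' line, and to treat single "error-looking" lines such as the ccache message with caution. The script below is an added example (not code from the thread, from SSSD or from FreeIPA) that does exactly that bookkeeping over a backend log: it pairs each account-info request with the acctinfo_callback result that answered it, collects the pam_print_data fields and the backend functions visited for each PAM request, and decodes the pam_status number using a subset of the Linux-PAM return codes. It assumes the line format quoted in the thread, "(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message", with mail-client line wrapping already undone; SAMPLE_LOG is a constructed excerpt in that format with '@' restored where the list archive printed " at ".

```python
"""Summarise an SSSD backend debug log (sssd_<ipadomain>.log) around a login attempt.

Added example. Assumes the record format quoted in the thread:
  (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
"""
import re

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# acctinfo_callback: "Request processed. Returned <dp_err>,<errno>,<text>"
RETURNED_RE = re.compile(r"Returned (?P<dp_err>\d+),(?P<errnum>\d+),(?P<text>.*)")
# be_pam_handler_callback: "Backend returned: (<dp_err>, <pam_status>, <errstr>)"
BACKEND_RE = re.compile(
    r"Backend returned: \((?P<dp_err>\d+), (?P<pam_status>\d+), (?P<errstr>[^)]*)\)"
)
# Subset of Linux-PAM return codes (_pam_types.h) used to decode pam_status.
PAM_STATUS = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
              7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}

# Constructed sample in the thread's format, one record per line.
SAMPLE_LOG = """\
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): domain: ad.bbg.net
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: bobt@ad.bbg.net
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): service: sshd
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): ruser:
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): rhost: 192.168.100.157
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [bobt@ad.bbg.net] found.
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
"""


def parse_line(line):
    """Return the record's fields as a dict, or None for lines not in the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def account_lookups(entries):
    """Pair each be_get_account_info request with the acctinfo_callback answering it."""
    results, pending = [], None
    for e in entries:
        if e["func"] == "be_get_account_info" and e["msg"].startswith("Got request for "):
            pending = {"ts": e["ts"], "request": e["msg"][len("Got request for "):]}
        elif e["func"] == "acctinfo_callback" and pending is not None:
            m = RETURNED_RE.search(e["msg"])
            if m:
                pending.update(dp_err=int(m["dp_err"]), errnum=int(m["errnum"]),
                               text=m["text"].strip())
                results.append(pending)
            pending = None
    return results


def pam_requests(entries):
    """Collect each PAM request: its pam_print_data fields, the backend functions
    visited before the answer, and the decoded pam_status."""
    results, current = [], None
    for e in entries:
        if e["func"] == "be_pam_handler" and "Got request" in e["msg"]:
            current = {"ts": e["ts"], "fields": {}, "trace": []}
        elif current is None:
            continue
        elif e["func"] == "pam_print_data":
            key, _, value = e["msg"].partition(":")
            current["fields"][key.strip()] = value.strip()
        elif e["func"] == "be_pam_handler_callback":
            m = BACKEND_RE.search(e["msg"])
            if m:  # only the "Backend returned" line carries the status
                status = int(m["pam_status"])
                current.update(pam_status=status, pam_name=PAM_STATUS.get(status, "UNKNOWN"))
                results.append(current)
                current = None
        else:
            current["trace"].append((e["func"], e["msg"]))
    return results


def summarize(text):
    """One line per lookup and per PAM request, ready to read or to grep."""
    entries = parse_log(text)
    out = []
    for lk in account_lookups(entries):
        out.append(f"lookup {lk['request']}: dp_err={lk['dp_err']} errno={lk['errnum']} ({lk['text']})")
    for rq in pam_requests(entries):
        f = rq["fields"]
        out.append(f"{f.get('command')} user={f.get('user')} service={f.get('service')} "
                   f"rhost={f.get('rhost')} -> pam_status={rq['pam_status']} ({rq['pam_name']})")
        out.append("  backend path: " + " -> ".join(func for func, _ in rq["trace"]))
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Run it against a real log with `summarize(open("/var/log/sssd/sssd_ipa.bbg.net.log").read())` after rejoining any wrapped lines; the "backend path" line is the window Justin describes, so a login attempt that never reaches krb5_auth_send, or whose lookup returns a non-zero dp_err, stands out without reading every record.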