[Freeipa-users] Mapping users from AD to IPA KDC

TomK tk at mdevsys.com
Sat Dec 3 17:57:57 UTC 2016


On 12/3/2016 12:33 AM, TomK wrote:
> On 12/2/2016 8:43 AM, Sumit Bose wrote:
>> On Fri, Dec 02, 2016 at 08:30:28AM -0500, TomK wrote:
>>> Hey All,
>>>
>>> I've successfully mapped the nixadmins to the external group
>>> nixadmins_external.  However, no users in that group make it over to
>>> FreeIPA that I can see.
>>>
>>> ipa group-add-member nixadmins_external --external "nixadmins"
>>>
>>> Windows AD users, 3 of them, are in the Windows AD group nixadmins.
>>> However, I can't port them over.
>>>
>>> These accounts have UNIX attributes assigned to them.
>>>
>>> Question that I have and can't find, should I be seeing these users
>>> in the
>>> mapped groups above?  ( ie within the GUI should I see any users
>>> listed from
>>> AD DC in nixadmins or nixadmins_external? )
>>
>> No, the GUI won't show them. Calling 'id user_from_nixadmins at ad.domain'
>> should show that nixadmins_external is a member of that group. With
>> recent versions of SSSD 'getent group nixadmins_external' should list the
>> users from nixadmins as well; older versions might miss them.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>>>
>>> If there is an issue and I'm just not picking it out from the debug
>>> logs,
>>> what to look for?  Is there anything more I need to do on the Windows
>>> side
>>> that I haven't found on the existing pages?
>>>
>>>
>>> # ipa group-add-member nixadmins_external --external "nixadmins"
>>> [member user]:
>>> [member group]:
>>>   Group name: nixadmins_external
>>>   Description: NIX Admins External map
>>>   External member: S-1-5-21-3418825849-1633701630-2291579631-1006
>>>   Member groups: nixadmins
>>>   Member of groups: nixadmins
>>>   Indirect Member groups: nixadmins_external
>>> -------------------------
>>> Number of members added 1
>>> -------------------------
>>> #
>>>
>>>
>>> # ipa trustdomain-find abc.xyz
>>>   Domain name: abc.xyz
>>>   Domain NetBIOS name: ABC
>>>   Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
>>>   Domain enabled: True
>>> ----------------------------
>>> Number of entries returned 1
>>> ----------------------------
>>> #
>>>
>>>
>>> [realms]
>>>  DOM.ABC.XYZ = {
>>> .
>>> .
>>> .
>>>   auth_to_local = RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/
>>>   auth_to_local = DEFAULT
>>> }
>>>
>>>
>>> # ipa trust-fetch-domains abc.xyz
>>> ----------------------------------------------------------------------------------------
>>>
>>> List of trust domains successfully refreshed. Use trustdomain-find
>>> command
>>> to list them.
>>> ----------------------------------------------------------------------------------------
>>>
>>> ----------------------------
>>> Number of entries returned 0
>>> ----------------------------
>>> The following command successfully returns all AD objects under the
>>> Users
>>> cn.
>>>
>>> # ldapsearch -x -h 192.168.0.3 -D "tom at abc.xyz" -W -b
>>> "cn=users,dc=abc,dc=xyz" -s sub "(cn=*)" cn mail sn
>>>
>>>
>>> --
>>> Cheers,
>>> Tom K.
>>> -------------------------------------------------------------------------------------
>>>
>>>
>>> Living on earth is expensive, but it includes a free trip around the
>>> sun.
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>
>
> Nothing:
>
> # id tom at abc.xyz
> id: tom at abc.xyz: no such user
> # getent group nixadmins_external
> # getent group nixadmins
> nixadmins:*:1746600012:
> #
>
> I'll enable debug logging to determine further.
>

I'm getting the following in the logs. Not sure why it cannot assign a 
GID (possibly a range mismatch), but my dnaRemainingValues is 99498, so 
that is fine:

[2016/12/03 10:45:44.232656,  3, pid=4792, effective(0, 0), real(0, 0), 
class=winbind] 
../source3/winbindd/winbindd_allocate_gid.c:45(winbindd_allocate_gid_send)
   allocate_gid
[2016/12/03 10:45:44.232689,  1, pid=4792, effective(0, 0), real(0, 0)] 
../librpc/ndr/ndr.c:439(ndr_print_function_debug)
        wbint_AllocateGid: struct wbint_AllocateGid
           in: struct wbint_AllocateGid
[2016/12/03 10:45:44.233134,  1, pid=4792, effective(0, 0), real(0, 0)] 
../librpc/ndr/ndr.c:439(ndr_print_function_debug)
        wbint_AllocateGid: struct wbint_AllocateGid
           out: struct wbint_AllocateGid
               gid                      : *
                   gid                      : 0x0000000000000000 (0)
               result                   : NT_STATUS_UNSUCCESSFUL
[2016/12/03 10:45:44.233192,  5, pid=4792, effective(0, 0), real(0, 0), 
class=winbind] 
../source3/winbindd/winbindd_allocate_gid.c:83(winbindd_allocate_gid_recv)
   Could not allocate gid: NT_STATUS_UNSUCCESSFUL
[2016/12/03 10:45:44.233212, 10, pid=4792, effective(0, 0), real(0, 0), 
class=winbind] ../source3/winbindd/winbindd.c:787(wb_request_done)
   wb_request_done[5125:ALLOCATE_GID]: NT_STATUS_UNSUCCESSFUL

Any hints would be appreciated while I look for a solution on this end.

-- 
Cheers,
Tom K.
-------------------------------------------------------------------------------------

Living on earth is expensive, but it includes a free trip around the sun.
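The checks Sumit suggests ('id', 'getent group') and the range mismatch suspected in the follow-up, as an added example that is not from this thread, FreeIPA or SSSD: POSIX shell helpers that parse the text output of those commands and of 'ipa idrange-find' and test whether a resolved GID falls inside a configured ID range. The 'getent group' line is the one from the thread; the 'id' and 'ipa idrange-find' output, range names, bases and sizes are constructed.

```shell
#!/bin/sh
# Added helpers (not part of FreeIPA or SSSD) that parse the text output of
# 'getent group', 'id' and 'ipa idrange-find', so the checks in this thread
# can be scripted against live output or, as here, against sample text.

# 'getent group' line taken from the thread.
SAMPLE_GETENT='nixadmins:*:1746600012:'
# Constructed 'id user@ad.domain' output; uid/gid values are made up.
SAMPLE_ID='uid=1000001006(tom@abc.xyz) gid=1000001006(tom@abc.xyz) groups=1000001006(tom@abc.xyz),1746600012(nixadmins)'
# Constructed 'ipa idrange-find' output: a local range for the IPA domain and
# a trust range for the AD domain. Names, bases and sizes are made up.
SAMPLE_IDRANGE='  Range name: DOM.ABC.XYZ_id_range
  First Posix ID of the range: 1746600000
  Number of IDs in the range: 200000
  Range type: local domain range

  Range name: ABC.XYZ_id_range
  First Posix ID of the range: 1000000000
  Number of IDs in the range: 200000
  Range type: Active Directory domain range'
# gid_of_group LINE: print the GID (third colon-separated field).
gid_of_group() { printf '%s\n' "$1" | cut -d: -f3; }
# in_range ID FIRST COUNT: succeed if FIRST <= ID < FIRST+COUNT.
in_range() { [ "$1" -ge "$2" ] && [ "$1" -lt $(($2 + $3)) ]; }
# ranges_from_idrange TEXT: print "FIRST COUNT" for each range in the output.
ranges_from_idrange() {
    printf '%s\n' "$1" | awk -F': *' \
        '/First Posix ID of the range/ { first = $2 }
         /Number of IDs in the range/  { print first, $2 }'
}

# id_in_any_range ID TEXT: succeed if some configured range covers ID.
# Failure here is the "range mismatch" case suspected in the thread.
id_in_any_range() {
    want=$1
    ranges_from_idrange "$2" | (
        while read -r first count; do
            in_range "$want" "$first" "$count" && exit 0
        done
        exit 1
    )
}
# user_in_group IDOUTPUT GROUP: succeed if GROUP appears in the groups= list.
user_in_group() { printf '%s\n' "$1" | grep -qF "($2)"; }

# Stand-alone run over the samples.
gid=$(gid_of_group "$SAMPLE_GETENT")
id_in_any_range "$gid" "$SAMPLE_IDRANGE" && echo "GID $gid is inside a configured range" || echo "GID $gid matches no range"
user_in_group "$SAMPLE_ID" nixadmins && echo "user is in nixadmins" || echo "user is not in nixadmins"
```

Against a live system, feed the functions the real output, e.g. `id_in_any_range "$(gid_of_group "$(getent group nixadmins)")" "$(ipa idrange-find)"`.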
