[Freeipa-users] Mapping users from AD to IPA KDC

TomK tk at mdevsys.com
Mon Dec 5 03:23:25 UTC 2016


On 12/3/2016 12:57 PM, TomK wrote:
> On 12/3/2016 12:33 AM, TomK wrote:
>> On 12/2/2016 8:43 AM, Sumit Bose wrote:
>>> On Fri, Dec 02, 2016 at 08:30:28AM -0500, TomK wrote:
>>>> Hey All,
>>>>
>>>> I've successfully mapped the nixadmins to the external group
>>>> nixadmins_external.  However no users in that group make it over to
>>>> Free IPA
>>>> that I can see.
>>>>
>>>> ipa group-add-member nixadmins_external --external "nixadmins"
>>>>
>>>> Windows AD users, 3 of them, are in the windows AD group nixadmins.
>>>> However
>>>> I can't port them over.
>>>>
>>>> These accounts have UNIX attributes assigned to them.
>>>>
>>>> Question that I have and can't find, should I be seeing these users
>>>> in the
>>>> mapped groups above?  ( ie within the GUI should I see any users
>>>> listed from
>>>> AD DC in nixadmins or nixadmins_external? )
>>>
>>> no, the GUI won't show them. Calling 'id user_from_nixadmins@ad.domain'
>>> should show that nixadmins_external is a member of that group. With
>>> recent version of SSSD 'getent group nixadmins_external' should list the
>>> users from nixadmins as well, older versions might miss them.
>>>
>>> HTH
>>>
>>> bye,
>>> Sumit
>>>
>>>>
>>>> If there is an issue and I'm just not picking it out from the debug
>>>> logs,
>>>> what to look for?  Is there anything more I need to do on the Windows
>>>> side
>>>> that I haven't found on the existing pages?
>>>>
>>>>
>>>> # ipa group-add-member nixadmins_external --external "nixadmins"
>>>> [member user]:
>>>> [member group]:
>>>>   Group name: nixadmins_external
>>>>   Description: NIX Admins External map
>>>>   External member: S-1-5-21-3418825849-1633701630-2291579631-1006
>>>>   Member groups: nixadmins
>>>>   Member of groups: nixadmins
>>>>   Indirect Member groups: nixadmins_external
>>>> -------------------------
>>>> Number of members added 1
>>>> -------------------------
>>>> #
>>>>
>>>>
>>>> # ipa trustdomain-find abc.xyz
>>>>   Domain name: abc.xyz
>>>>   Domain NetBIOS name: ABC
>>>>   Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
>>>>   Domain enabled: True
>>>> ----------------------------
>>>> Number of entries returned 1
>>>> ----------------------------
>>>> #
>>>>
>>>>
>>>> [realms]
>>>>  DOM.ABC.XYZ = {
>>>> .
>>>> .
>>>> .
>>>>   auth_to_local = RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/
>>>>   auth_to_local = DEFAULT
>>>> }
>>>>
>>>>
>>>> # ipa trust-fetch-domains abc.xyz
>>>> ----------------------------------------------------------------------------------------
>>>>
>>>>
>>>> List of trust domains successfully refreshed. Use trustdomain-find
>>>> command
>>>> to list them.
>>>> ----------------------------------------------------------------------------------------
>>>>
>>>>
>>>> ----------------------------
>>>> Number of entries returned 0
>>>> ----------------------------
>>>> [root at idmipa01 sssd]# ipa trustdomain-find abc.xyz
>>>>   Domain name: abc.xyz
>>>>   Domain NetBIOS name: ABC
>>>>   Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
>>>>   Domain enabled: True
>>>> ----------------------------
>>>> Number of entries returned 1
>>>> ----------------------------
>>>>
>>>>
>>>> # ipa trust-fetch-domains abc.xyz
>>>> ----------------------------------------------------------------------------------------
>>>>
>>>>
>>>> List of trust domains successfully refreshed. Use trustdomain-find
>>>> command
>>>> to list them.
>>>> ----------------------------------------------------------------------------------------
>>>>
>>>>
>>>> ----------------------------
>>>> Number of entries returned 0
>>>> ----------------------------
>>>> #
>>>>
>>>>
>>>> The following command successfully returns all AD objects under the
>>>> Users
>>>> cn.
>>>>
>>>> # ldapsearch -x -h 192.168.0.3 -D "tom@abc.xyz" -W -b
>>>> "cn=users,dc=abc,dc=xyz" -s sub "(cn=*)" cn mail sn
>>>>
>>>>
>>>> --
>>>> Cheers,
>>>> Tom K.
>>>> -------------------------------------------------------------------------------------
>>>>
>>>>
>>>>
>>>> Living on earth is expensive, but it includes a free trip around the
>>>> sun.
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>
>>
>> Nothing:
>>
>> # id tom@abc.xyz
>> id: tom@abc.xyz: no such user
>> # getent group nixadmins_external
>> # getent group nixadmins
>> nixadmins:*:1746600012:
>> #
>>
>> I'll enable debug logging to determine further.
>>
>
> I'm getting the following in the logs. Not sure why it cannot assign a
> GID (possibly a range mismatch) but my dnaRemainingValues: 99498 and so
> is fine:
>
> [2016/12/03 10:45:44.232656,  3, pid=4792, effective(0, 0), real(0, 0),
> class=winbind]
> ../source3/winbindd/winbindd_allocate_gid.c:45(winbindd_allocate_gid_send)
>   allocate_gid
> [2016/12/03 10:45:44.232689,  1, pid=4792, effective(0, 0), real(0, 0)]
> ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
>        wbint_AllocateGid: struct wbint_AllocateGid
>           in: struct wbint_AllocateGid
> [2016/12/03 10:45:44.233134,  1, pid=4792, effective(0, 0), real(0, 0)]
> ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
>        wbint_AllocateGid: struct wbint_AllocateGid
>           out: struct wbint_AllocateGid
>               gid                      : *
>                   gid                      : 0x0000000000000000 (0)
>               result                   : NT_STATUS_UNSUCCESSFUL
> [2016/12/03 10:45:44.233192,  5, pid=4792, effective(0, 0), real(0, 0),
> class=winbind]
> ../source3/winbindd/winbindd_allocate_gid.c:83(winbindd_allocate_gid_recv)
>   Could not allocate gid: NT_STATUS_UNSUCCESSFUL
> [2016/12/03 10:45:44.233212, 10, pid=4792, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd.c:787(wb_request_done)
>   wb_request_done[5125:ALLOCATE_GID]: NT_STATUS_UNSUCCESSFUL
>
> Any hints would be appreciated while I look for a solution on this end.
>

Could not get much from logs and decided to start fresh.  When I run this:

ipa trust-add --type=ad mds.xyz --admin Administrator --password

Trust works fine and id tom@mds.xyz returns a valid result.

However when I run the following on both masters on a fresh new setup:

ipa-adtrust-install --netbios-name=NIX -a "<SECRET>"
ipa trust-add --type=ad "mds.xyz" --trust-secret

and created a trust object in AD DC with the name of NIX and a 
non-transitive trust, the above did NOT work.  I didn't get anything by 
typing id tom@mds.xyz.  (I do not get an option for a Forest Trust as 
the gif on this page suggests: 
https://www.freeipa.org/page/Active_Directory_trust_setup .  Possibly 
it's Server 2012 hence the difference in what's presented to me but 
another reason is that the name I type for the trust can't resolve to an 
IP for now: nix.mds.xyz . So I use NIX to match the bios name used on 
the ipa-adtrust-install command above.  )

I went back to the trust object in AD and set it to Transitive from 
Non-transitive.  And all of a sudden I can resolve the AD IDs on the IPA 
servers and all is working fine.  Great!

I could not follow the section within the online document above for 
setting up forwarders.  I had to delegate nix.mds.xyz from the two AD / 
DNS Clustered Windows Server 2012 servers to the two FreeIPA servers 
(idmipa01, idmipa02).  I found that the forwarding section doesn't 
quite jibe well with delegation in Windows Server 2012.

The remaining question I need to ask is: does the NetBIOS name used on 
the ipa-adtrust-install command above have to match the AD DC Trust 
object name?  Any ties between the naming of the two?  ( Thinking no 
tie in but not 100% . Seems AD expects a domain that resolves to an IP )

Also, given this setup I have:

1) The two windows servers, winad01, winad02 are both DNS, AD servers 
and are clustered (NLB)

2) Have DNS delegation on nix.mds.xyz so FreeIPA servers will be 
authoritative for that subdomain.

3) AD Trust objects look for a resolvable domain (ie nix.mds.xyz) and 
current version of FreeIPA does not yet resolve nix.mds.xyz to any IP (

4) IPA ipa-adtrust-install only accepts NetBIOS names.

Is it at all possible to setup a non-transitive trust with all that?  ( 
I might just not be seeing the forest through the trees  :) - Pun 
Intended. )   Still new to quite a bit of this so thank you for your 
patience and feedback.

-- 
Cheers,
Tom K.
-------------------------------------------------------------------------------------

Living on earth is expensive, but it includes a free trip around the sun.
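The krb5.conf fragment quoted earlier in this thread relies on an auth_to_local RULE to turn the uppercase AD realm form tom@ABC.XYZ into tom@abc.xyz, the spelling that SSSD then resolves (compare the id tom@abc.xyz checks above). The following is an added example, not FreeIPA, SSSD or MIT krb5 code: a small evaluator for rules of the shape RULE:[n:string](regexp)s/pattern/replacement/ and DEFAULT, written from the MIT krb5 documentation. It assumes that rules are tried in order with the first applicable one winning, that the selection regexp must match the whole candidate string, that s/// replaces only the first match unless the g flag is present, and that DEFAULT applies only to single-component principals in the default realm. Nested parentheses inside the selection regexp and sed backreferences in the replacement are not handled. The default realm DOM.ABC.XYZ and the host principal are taken from, or modelled on, the thread.

```python
"""Toy evaluator for MIT Kerberos auth_to_local rules (added example).

Assumptions (from the MIT krb5 docs, not verified against FreeIPA's KDC):
first matching rule wins; the selection regexp must match the whole string;
s/// replaces the first match only unless 'g' is given; DEFAULT maps only
single-component principals in the default realm.
"""
import re
from typing import List, Optional, Tuple

# The two rules from the krb5.conf [realms] block quoted in the thread.
THREAD_RULES = [
    "RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/",
    "DEFAULT",
]

_RULE_HEAD = re.compile(r"RULE:\[(\d+):([^\]]*)\](.*)", re.S)


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'host/idmipa01.abc.xyz@ABC.XYZ' -> (['host', 'idmipa01.abc.xyz'], 'ABC.XYZ')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a principal: {principal!r}")
    return name.split("/"), realm


def parse_rule(text: str):
    """Parse one RULE: line into (ncomp, format, select_regex, substitution)."""
    m = _RULE_HEAD.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unsupported auth_to_local rule: {text!r}")
    ncomp, fmt, rest = int(m.group(1)), m.group(2), m.group(3)
    select = None
    if rest.startswith("("):
        end = rest.index(")")                 # nested parens not supported (assumption)
        select = re.compile(rest[1:end])
        rest = rest[end + 1:]
    sub = None
    if rest.startswith("s") and len(rest) > 1:
        delim = rest[1]
        parts = rest[2:].split(delim)         # [pattern, replacement, flags]
        if len(parts) != 3:
            raise ValueError(f"malformed substitution in rule: {text!r}")
        sub = (re.compile(parts[0]), parts[1], "g" in parts[2])
    elif rest:
        raise ValueError(f"trailing text in rule: {text!r}")
    return ncomp, fmt, select, sub


def apply_rule(rule: str, principal: str, default_realm: str) -> Optional[str]:
    """Local name produced by one rule, or None when the rule does not apply."""
    components, realm = split_principal(principal)
    if rule.strip() == "DEFAULT":
        applies = realm == default_realm and len(components) == 1
        return components[0] if applies else None
    ncomp, fmt, select, sub = parse_rule(rule)
    if len(components) != ncomp:              # component count must match exactly
        return None
    fields = {"0": realm, **{str(i + 1): c for i, c in enumerate(components)}}
    candidate = re.sub(r"\$(\d+)", lambda m: fields[m.group(1)], fmt)
    if select is not None and select.fullmatch(candidate) is None:
        return None
    if sub is not None:
        pattern, replacement, is_global = sub
        # A lambda keeps the replacement literal (no backslash processing).
        candidate = pattern.sub(lambda _m: replacement, candidate,
                                count=0 if is_global else 1)
    return candidate


def map_principal(rules: List[str], principal: str, default_realm: str) -> Optional[str]:
    """First applicable rule wins; None means no rule matched (login would fail)."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for p in ("tom@ABC.XYZ", "tom@DOM.ABC.XYZ", "host/idmipa01.abc.xyz@ABC.XYZ"):
        print(f"{p:40} -> {map_principal(THREAD_RULES, p, 'DOM.ABC.XYZ')}")
```

With the thread's rules, tom@ABC.XYZ maps to tom@abc.xyz, tom@DOM.ABC.XYZ falls through to DEFAULT and becomes tom, and a two-component host principal from the AD realm maps to nothing, which is the outcome one wants: a rule list should only ever rewrite the realm spelling, never widen which principals are accepted.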


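The winbind debug excerpt quoted in this thread is hard to read because the mail client wrapped each record header onto two lines. In a real Samba log every record starts with one bracketed header line (timestamp, debug level, pid, effective/real ids, optional class) followed by the source location, with the message on indented continuation lines. The script below is an added example, not Samba or FreeIPA code: it parses that format into records and pulls out the ones that report a non-OK NT_STATUS, which is the quick triage one would do before reading the whole log. The sample input is the thread's own four records re-joined onto single header lines; the record layout and the regular expression are assumptions about the Samba 4 debug format as seen in the thread, not a specification.

```python
"""Parse Samba/winbind debug log records and list failed requests (added example)."""
import re
from typing import Dict, List, Tuple

# The four records from the thread, with each header on one line as it is
# written to the log file (the mailing list wrapped them).
SAMPLE_LOG = """\
[2016/12/03 10:45:44.232656,  3, pid=4792, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_allocate_gid.c:45(winbindd_allocate_gid_send)
  allocate_gid
[2016/12/03 10:45:44.233134,  1, pid=4792, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_AllocateGid: struct wbint_AllocateGid
          out: struct wbint_AllocateGid
              gid                      : *
                  gid                      : 0x0000000000000000 (0)
              result                   : NT_STATUS_UNSUCCESSFUL
[2016/12/03 10:45:44.233192,  5, pid=4792, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_allocate_gid.c:83(winbindd_allocate_gid_recv)
  Could not allocate gid: NT_STATUS_UNSUCCESSFUL
[2016/12/03 10:45:44.233212, 10, pid=4792, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:787(wb_request_done)
  wb_request_done[5125:ALLOCATE_GID]: NT_STATUS_UNSUCCESSFUL
"""

# Header line: "[ts, level, pid=N, effective(u, g), real(u, g)[, class=X]] file:line(func)"
_HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+), pid=(?P<pid>\d+),"
    r" effective\(\d+, \d+\), real\(\d+, \d+\)(?:, class=(?P<cls>\w+))?\]"
    r"\s*(?P<file>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
_STATUS = re.compile(r"\bNT_STATUS_[A-Z0-9_]+")


def parse_samba_log(text: str) -> List[Dict]:
    """Group header + indented continuation lines into one record per header."""
    records: List[Dict] = []
    for raw in text.splitlines():
        m = _HEADER.match(raw)
        if m:
            records.append({
                "ts": m["ts"], "level": int(m["level"]), "pid": int(m["pid"]),
                "cls": m["cls"], "file": m["file"], "line": int(m["line"]),
                "func": m["func"], "message": [],
            })
        elif records and raw.strip():
            records[-1]["message"].append(raw.strip())   # continuation of last record
        # lines before the first header are ignored
    for r in records:
        r["message"] = "\n".join(r["message"])
    return records


def failed_requests(records: List[Dict]) -> List[Tuple[str, List[str]]]:
    """(function, sorted non-OK NT_STATUS codes) for every record that reports one."""
    out = []
    for r in records:
        codes = {s for s in _STATUS.findall(r["message"]) if s != "NT_STATUS_OK"}
        if codes:
            out.append((r["func"], sorted(codes)))
    return out


if __name__ == "__main__":
    recs = parse_samba_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed")
    for func, codes in failed_requests(recs):
        print(f"  {func}: {', '.join(codes)}")
```

Run against the sample, the parser yields four records and three of them carry NT_STATUS_UNSUCCESSFUL, all on the ALLOCATE_GID path; reading the level-1 ndr dump alongside the level-5 "Could not allocate gid" line is what pins the failure to gid allocation rather than to the trust lookup itself.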

