[Freeipa-users] Mapping users from AD to IPA KDC

TomK tk at mdevsys.com
Wed Dec 7 13:17:56 UTC 2016 

On 12/6/2016 11:32 PM, TomK wrote:
> On 12/6/2016 3:37 PM, Alexander Bokovoy wrote:
>> On ti, 06 joulu 2016, TomK wrote:
>>> On 12/5/2016 2:02 AM, Alexander Bokovoy wrote:
>>>> On su, 04 joulu 2016, TomK wrote:
>>>>> Could not get much from logs and decided to start fresh.  When I run
>>>>> this:
>>>>>
>>>>> ipa trust-add --type=ad mds.xyz --admin Administrator --password
>>>>>
>>>>> Trust works fine and id tom at mds.xyz returns a valid result.
>>>>>
>>>>> However when I run the following on both masters on a fresh new setup:
>>>>>
>>>>> ipa-adtrust-install --netbios-name=NIX -a "<SECRET>"
>>>>> ipa trust-add --type=ad "mds.xyz" --trust-secret
>>>>>
>>>>> and created a trust object in AD DC with the name of NIX and a
>>>>> non-transitive trust, the above did NOT work.  I didn't get anything
>>>>> by typing id tom at mds.xyz.  (I do not get an option for a Forest Trust
>>>>> as the gif on this page suggests:
>>>>> https://www.freeipa.org/page/Active_Directory_trust_setup .  Possibly
>>>>> it's Server 2012 hence the difference in what's presented to me but
>>>>> another reason is that the name I type for the trust can't resolve to
>>>>> an IP for now: nix.mds.xyz . So I use NIX to match the bios name used
>>>>> on the ipa-adtrust-install command above.  )
>>>> The shared secret case for one-way trust is known to be broken. When a
>>>> shared half is created on AD side first, it is marked as not yet valid
>>>> by Windows and currently we cannot perform validation of it from IPA
>>>> side. Validating it from AD side is not possible as well as we don't
>>>> provide all interfaces Windows would like to use.
>>>>
>>>> And the fact you cannot see 'Forest Trust' type of the trust says also
>>>> that you have problems with reaching IPA masters from AD DC side for
>>>> probing purposes over CLDAP ping (389/UDP) and then SMB (445/TCP and
>>>> UDP).
>>> Nothing I tried in AD Trust creation allowed me to make one with type
>>> Forest.  Just realm.  I recall I had a trust type of Forest but in
>>> trying various options I lost how I did that.  Or perhaps I hadn't
>>> payed attention and it got created indirectly as part of another
>>> action I took.  The domain functional level I'm using is Windows
>>> Server 2008. Using a lower value for testing.
>> This (inability to chose Forest trust type) simply means AD DC is unable
>> to probe IPA DC. You said below that SMB port towards IPA DC was closed.
>>
>> Also make sure to remove incorrect trust from Windows side. While we are
>> removing a trust object named as our NetBIOS name, it only works for the
>> proper trusted domain/forests, not for wrong 'realm trust' type.
>>
>>>
>>> My IPA version is 4.2 right now.  It came with the CentOS 7.2.
>>> Looking forward to 4.4.  Not sure when you plan to include it as part
>>> of the latest CentOS base.  Indeed some ports were not open (445).
>>> I've adjusted the firewall command accordingly for RHEL 7 / CentOS 7:
>>>
>>> for KEY in $(echo "80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp
>>> 53/tcp 135/tcp 138/tcp 139/tcp 445/tcp 1024-1300/tcp 88/udp 464/udp
>>> 53/udp 123/udp 138/udp 139/udp 389/udp 445/udp"); do firewall-cmd
>>> --zone=public --permanent --add-port=$KEY; done
>>>
>>> [root at idmipa01 ~]# firewall-cmd --zone=public --list-all
>>> public (default)
>>>  interfaces:
>>>  sources:
>>>  services: dhcpv6-client ntp ssh
>>>  ports: 443/tcp 80/tcp 464/tcp 138/tcp 88/udp 464/udp 445/tcp 88/tcp
>>> 135/tcp 123/udp 139/tcp 389/tcp 53/tcp 389/udp 1024-1300/tcp 445/udp
>>> 139/udp 138/udp 53/udp 636/tcp
>>>  masquerade: no
>>>  forward-ports:
>>>  icmp-blocks:
>>>  rich rules:
>>>
>>> [root at idmipa01 ~]#
>>>
>>> On Windows Side (The nslookup results were the same before the
>>> firewall change however.):
>> Firewall changes cannot affect DNS as you already had DNS port open.
>>
>>> On the AD side, I added the SRV records for the second AD DC,
>>> manually, since earlier there were no results printed on the AD DC
>>> command line for the second AD DC, when I typed the command
>>> _ldap._tcp.mds.xyz.
>>>
>>> One additional question I had with the setup is in regards to the
>>> failover.  I see the ipa_server entry in /etc/sssd/sssd.conf pointing
>>> to two of the master IPA nodes.  Where can I find the additional
>>> settings that control priority of the listed server or order they are
>>> checked?
>> You need to look at SSSD manual pages: sssd-ipa and sssd-ldap, sections
>> FAILOVER and SERVICE DISCOVER.
>>
>>> What I ran to get the above is:
>>>
>>> 1) ipa-client-install --force-join -p admin -w "<HUSH!>"
>>> --fixed-primary --server=idmipa01.nix.mds.xyz
>>> --server=idmipa02.nix.mds.xyz --domain=nix.mds.xyz
>>> --realm=NIX.MDS.XYZ -U
>>> 2) realm join mds.xyz
>> This is wrong. You have effectively joined this IPA client to AD and IPA
>> at the same time. It should not be done this way (read
>> http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
>> for details).
>>
>> Instead, you need to identify why the trust does not work properly.
>> Use tcpdump to intercept the traffic between your AD DCs and IPA DCs
>> while establishing the trust.
>>
>> You can send the trace to me off-list.
>>
>>
>>
>
> Ok, let me take these away and get back to you.  ( On realm, thank you.
> Hadn't reviewed the changes it did fully before logging off. )
>

Removed the direct mds.xyz domain directly (my bad).  Currently I get 
this on using MDS.XYZ\tom to login with or tom at MDS.XYZ when trying ssh 
directly.  From command line the user is visible (not enough time to get 
to the rest.  Not sure if the system error breaks this though so want to 
run it by you):

[root at ipaclient01 sssd]# id tom at mds.xyz
uid=155601104(tom at mds.xyz) gid=155601104(tom at mds.xyz) 
groups=155601104(tom at mds.xyz),155600513(domain 
users at mds.xyz),155601107(nixadmins at mds.xyz),1746600039(nixadmins)
[root at ipaclient01 sssd]#

(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_check_user_search] (0x0400): 
Returning info for user [tom at mds.xyz]
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pd_set_primary_name] (0x0400): 
User's primary name is tom at mds.xyz
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): 
Sending request with the following data:
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): 
command: PAM_AUTHENTICATE
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): 
domain: mds.xyz
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): user: 
tom at mds.xyz
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): 
service: sshd
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: 
not set
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: 
192.168.0.208
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): 
authtok type: 1
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): 
newauthtok type: 0
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): 
cli_pid: 6297
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): logon 
name: MDS.XYZ\tom
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [sbus_add_timeout] (0x2000): 
0x7f7e7ed32700
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): 
pam_dp_send_req returned 0
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [sbus_remove_timeout] (0x2000): 
0x7f7e7ed32700
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [sbus_dispatch] (0x4000): dbus 
conn: 0x7f7e7ed2e7f0
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [sbus_dispatch] (0x4000): 
Dispatching.
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_dp_process_reply] (0x0200): 
received: [4 (System error)][mds.xyz]
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply 
called with result [4]: System error.
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 24
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [reset_idle_timer] (0x4000): Idle 
timer re-set for client [0x7f7e7ed38210][20]
(Wed Dec  7 08:12:04 2016) [sssd[pam]] [pam_initgr_cache_remove] 
(0x2000): [MDS.XYZ\tom] removed from PAM initgroup cache
(Wed Dec  7 08:12:09 2016) [sssd[pam]] [sbus_dispatch] (0x4000): dbus 
conn: 0x7f7e7ed29d00
(Wed Dec  7 08:12:09 2016) [sssd[pam]] [sbus_dispatch] (0x4000): 
Dispatching.
(Wed Dec  7 08:12:09 2016) [sssd[pam]] [sbus_message_handler] (0x2000): 
Received SBUS method org.freedesktop.sssd.service.ping on path 
/org/freedesktop/sssd/service
(Wed Dec  7 08:12:09 2016) [sssd[pam]] [sbus_get_sender_id_send] 
(0x2000): Not a sysbus message, quit






(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_check_user_search] (0x0400): 
Returning info for user [tom at mds.xyz]
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pd_set_primary_name] (0x0400): 
User's primary name is tom at mds.xyz
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): 
Sending request with the following data:
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): 
command: PAM_AUTHENTICATE
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): 
domain: mds.xyz
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): user: 
tom at mds.xyz
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): 
service: sshd
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: 
not set
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: 
192.168.0.208
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): 
authtok type: 1
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): 
newauthtok type: 0
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): 
cli_pid: 6293
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): logon 
name: tom at mds.xyz
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [sbus_add_timeout] (0x2000): 
0x7f7e7ed34340
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): 
pam_dp_send_req returned 0
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [sbus_remove_timeout] (0x2000): 
0x7f7e7ed34340
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [sbus_dispatch] (0x4000): dbus 
conn: 0x7f7e7ed2e7f0
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [sbus_dispatch] (0x4000): 
Dispatching.
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_dp_process_reply] (0x0200): 
received: [4 (System error)][mds.xyz]
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply 
called with result [4]: System error.
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 24
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [reset_idle_timer] (0x4000): Idle 
timer re-set for client [0x7f7e7ed35900][19]
(Wed Dec  7 08:11:19 2016) [sssd[pam]] [sbus_dispatch] (0x4000): dbus 
conn: 0x7f7e7ed29d00
(Wed Dec  7 08:11:19 2016) [sssd[pam]] [sbus_dispatch] (0x4000): 
Dispatching.
(Wed Dec  7 08:11:19 2016) [sssd[pam]] [sbus_message_handler] (0x2000): 
Received SBUS method org.freedesktop.sssd.service.ping on path 
/org/freedesktop/sssd/service
(Wed Dec  7 08:11:19 2016) [sssd[pam]] [sbus_get_sender_id_send] 
(0x2000): Not a sysbus message, quit
(Wed Dec  7 08:11:20 2016) [sssd[pam]] [pam_initgr_cache_remove] 
(0x2000): [tom at mds.xyz] removed from PAM initgroup cache





-- 
Cheers,
Tom K.
-------------------------------------------------------------------------------------

Living on earth is expensive, but it includes a free trip around the sun.

More information about the Freeipa-users mailing list