<div dir="ltr">Hmm, ok. In that case, I guess I need to rethink my setup. Thanks again for all your help!<div><br></div><div>Kind regards,<br><div>Guy</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 10 August 2016 at 14:46, Justin Stephenson <span dir="ltr"><<a href="mailto:jstephen@redhat.com" target="_blank">jstephen@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><span class="">
    On 08/10/2016 05:19 PM, Guy Knights wrote:<br>
    <blockquote type="cite">
      <div dir="ltr">Ok, I increased the debug level as you recommended
        and it's given me a lot of useful info. Before I go any further
        trying to troubleshoot that mass of info on this mailing list
        though, I would like to double check something I came across. In
        the debug output I noticed this line:
        <div>
          <div>
            <p><span>"No ccache file for user [<a href="mailto:bobt@ad.bbg.net" target="_blank">bobt@ad.bbg.net</a>]
                found."</span></p>
          </div>
        </div>
      </div>
    </blockquote></span>
    I would not dwell much on this error message; I see the same error
    from the krb5_auth_prepare_ccache_name function when I successfully
    logged in as an AD user on my IPA client (I suspect the ccache gets
    created shortly after). Higher debug levels mean there will be a lot
    of log messages that look like errors but may not be.<span class=""><br>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>
            <p>I then searched this error and found this thread
              in which the OP seems to have basically the same setup as
              me:</p>
            <p><a href="https://lists.fedorahosted.org/pipermail/sssd-users/2013-January/000379.html" target="_blank">https://lists.fedorahosted.org/pipermail/sssd-users/2013-January/000379.html</a><br>
            </p>
            <p>I started playing with kinit on the Ubuntu
              machine that I'm trying to log into, and got this error:</p>
            <p>"kinit: Cannot find KDC for realm "<a href="http://AD.BBG.NET" target="_blank">AD.BBG.NET</a>"
              while getting initial credentials"<br>
            </p>
            <p>After reading through some of the replies on the
              above thread, I saw a post that basically says that while
              the initial user info lookup is via FreeIPA, to actually
              authenticate a user the ipa client machine must connect
              directly to the AD controller. If this is true, it
              basically means the setup I was planning to use (FreeIPA
              in the cloud replicating/proxying local AD user accounts)
              is not going to work as I'd hoped. Could you confirm if
              this behaviour is in fact correct?</p>
          </div>
        </div>
      </div>
    </blockquote></span>
    Yes, the IPA client at some point needs to communicate directly
    with AD for Kerberos communication - you should see this in
    /var/log/sssd/krb5_child.log<br>
    <br>
    This is explained better than I could here:<br>
    <blockquote>
      <h2>The anatomy of a trusted identity lookup</h2>
    </blockquote>
    <blockquote><a href="https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/" target="_blank">https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/</a><br>
    </blockquote>
    <br>
    Kind regards,<br>
    Justin Stephenson<div><div class="h5"><br>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>Thanks,<br>
            Guy</div>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 9 August 2016 at 18:47, Justin
          Stephenson <span dir="ltr"><<a href="mailto:jstephen@redhat.com" target="_blank">jstephen@redhat.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <p>Hello,</p>
              <p>You may need to increase the debug level to 9 and look
                in the sssd_&lt;ipadomain&gt;.log for failures after the
                failed login attempt - I would look in between the
                'Got request for bobt...' and 'Backend
                returned' messages<br>
              </p>
              <p>    <a href="https://fedorahosted.org/sssd/wiki/Troubleshooting" target="_blank">https://fedorahosted.org/sssd/wiki/Troubleshooting</a></p>
              <p>You can also send the debug logs here for review.</p>
              <p>Make sure logins and lookups are working on the IPA
                server first before troubleshooting the IPA client.<br>
              </p>
              <p>Kind regards,</p>
              <p>Justin Stephenson<br>
              </p>
              <div>
                <div>
                  <div>On 08/09/2016 07:32 PM, Guy Knights wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">I've set up a freeipa server on a
                      CentOS 7 machine and have successfully configured
                      a 2-way trust between it and our active directory
                      domain controller. I've also installed ipa-client
                      on an Ubuntu 14.04 machine and have run
                      ipa-client-install, which has apparently
                      successfully joined the FreeIPA domain.<br>
                      <div><br>
                      </div>
                      <div>So far, I can successfully do the following:</div>
                      <div><br>
                      </div>
                      <div>1. Log into the FreeIPA machine with an AD
                        user account.</div>
                      <div>2. Log into the Ubuntu machine with a FreeIPA
                        account.</div>
                      <div>3. Run 'getent passwd &lt;freeipa
                        username&gt;' on the Ubuntu machine and have it
                        return the associated FreeIPA user account
                        details (eg. "jackt:*:1131000005:1131000005:Jack
                        Test:/home/ipa.bbg.net/jackt:/bin/bash")</div>
                      <div>4. Run 'getent passwd &lt;ad username&gt;' on
                        the Ubuntu machine and have it return the
                        associated AD user account details (eg. "bobt@ad.bbg.net:*:1946801107:1946801107::/home/ad.bbg.net/bobt:/bin/bash")</div>
                      <div><br>
                      </div>
                      <div>What I can't do is log into the Ubuntu
                        machine with the AD user. I'm using the
                        following SSH command from the command line on
                        my mac:</div>
                      <div><br>
                      </div>
                      <div>ssh -o User=<a href="mailto:bobt@ad.bbg.net" target="_blank">bobt@ad.bbg.net</a>
                        <a href="http://vm1.bbg.com" target="_blank">vm1.bbg.com</a></div>
                      <div><br>
                      </div>
                      <div>It asks me for the password, I enter it and
                        it says permissions denied, please try again. I
                        set the debug level in SSSD on the Ubuntu client
                        to 5 and this is what shows up in the log during
                        the login attempt:</div>
                      <div><br>
                      </div>
                      (Tue Aug  9 16:25:56 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [be_get_account_info] (0x0100): Got request for
                      [4097][1][name=bobt]<br>
                      (Tue Aug  9 16:25:56 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [acctinfo_callback] (0x0100): Request processed.
                      Returned 3,95,Account info lookup failed<br>
                      (Tue Aug  9 16:25:57 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [acctinfo_callback] (0x0100): Request processed.
                      Returned 0,0,Success<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [be_get_account_info] (0x0100): Got request for
                      [3][1][name=bobt]<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [acctinfo_callback] (0x0100): Request processed.
                      Returned 3,95,Account info lookup failed<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [be_pam_handler] (0x0100): Got request with the
                      following data<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [pam_print_data] (0x0100): command:
                      PAM_AUTHENTICATE<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [pam_print_data] (0x0100): domain: <a href="http://ad.bbg.net" target="_blank">ad.bbg.net</a><br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [pam_print_data] (0x0100): user: <a href="mailto:bobt@ad.bbg.net" target="_blank">bobt@ad.bbg.net</a><br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [pam_print_data] (0x0100): service: sshd<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [pam_print_data] (0x0100): tty: ssh<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [pam_print_data] (0x0100): ruser:<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [pam_print_data] (0x0100): rhost: 192.168.100.157<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [pam_print_data] (0x0100): authtok type: 1<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [pam_print_data] (0x0100): newauthtok type: 0<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [pam_print_data] (0x0100): priv: 1<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [pam_print_data] (0x0100): cli_pid: 16230<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [krb5_auth_send] (0x0100): No ccache file for user
                      [<a href="mailto:bobt@ad.bbg.net" target="_blank">bobt@ad.bbg.net</a>]
                      found.<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [fo_resolve_service_send] (0x0100): Trying to
                      resolve service 'IPA'<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [be_resolve_server_process] (0x0200): Found
                      address for server <a href="http://dc.ipa.bbg.net" target="_blank">dc.ipa.bbg.net</a>:
                      [192.168.100.14] TTL 3600<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [be_pam_handler_callback] (0x0100): Backend
                      returned: (0, 4, &lt;NULL&gt;) [Success]<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [be_pam_handler_callback] (0x0100): Sending result
                      [4][<a href="http://ad.bbg.net" target="_blank">ad.bbg.net</a>]<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [be_pam_handler_callback] (0x0100): Sent result
                      [4][<a href="http://ad.bbg.net" target="_blank">ad.bbg.net</a>]<br>
                      (Tue Aug  9 16:27:54 2016) [sssd[be[<a href="http://ipa.bbg.net" target="_blank">ipa.bbg.net</a>]]]
                      [child_sig_handler] (0x0100): child [16313]
                      finished successfully.
                      <div><br>
                      </div>
                      <div>Can anyone explain why it's saying account
                        info lookup failed when it can get the account
                        info fine via getent?</div>
                      <div><br>
                      </div>
                      <div>Thanks,</div>
                      <div>Guy</div>
                    </div>
                    <br>
                    <fieldset></fieldset>
                    <br>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div data-smartmail="gmail_signature">
          <div dir="ltr">
            <div>
              <div dir="ltr">
                <div style="font-size:small"><img src="http://www.bluebatgames.com/wp-content/uploads/2015/10/gt-novo-1-t.png"><br>
                </div>
              </div>
            </div>
            <blockquote style="margin:0 0 0 40px;border:none;padding:0px"><b style="font-size:small">
                <div style="text-align:left"><b>Guy Knights</b></div>
              </b><span style="font-size:small">
                <div style="text-align:left">Senior Systems Engineer</div>
              </span><span style="font-size:small">
                <div style="text-align:left">BlueBat Games Inc.</div>
              </span><span style="font-size:small">
                <div style="text-align:left">Ph: <a href="tel:778-379-5120" value="+17783795120" target="_blank">778-379-5120</a></div>
              </span>
              <div>
                <div>
                  <div style="text-align:left;font-size:small">Email: <a href="mailto:guy@bluebatgames.com" target="_blank">guy@bluebatgames.com</a></div>
                </div>
              </div>
            </blockquote>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br><br clear="all"><div><br></div>
</div>
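<p>Added example (mine, not code from the original post or from the SSSD project): a small Python triage script for the kind of sssd_ipa.bbg.net.log excerpt posted in this thread. It does what Justin suggests, slicing the backend log between the 'Got request' line and the 'Backend returned'/'Sending result' lines, pairing each request with its result and decoding the numeric codes that the raw log leaves opaque: the request type in 'Got request for [3][1][name=bobt]', the DP_ERR/errno pair in 'Returned 3,95,...', and the PAM status in 'Sending result [4]'. The sample log is constructed from the lines in the post (wrapped lines rejoined); the code tables are taken from Linux-PAM's _pam_types.h and SSSD's data_provider.h as I remember them, so treat them as assumptions and check them against your own SSSD version.</p>

```python
import errno
import re

# Constructed sample, not a live capture: the sssd_ipa.bbg.net.log lines from the
# post for the 16:27:54 login attempt, with wrapped lines rejoined.
SAMPLE_LOG = """\
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): domain: ad.bbg.net
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: bobt@ad.bbg.net
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): service: sshd
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [bobt@ad.bbg.net] found.
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [child_sig_handler] (0x0100): child [16313] finished successfully.
"""

# Linux-PAM status codes (security/_pam_types.h): the N in "Sending result [N]".
PAM_STATUS = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
              9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}
# SSSD data-provider status (DP_ERR_* in data_provider.h): first number in "Returned a,b,msg";
# the second number is a plain errno.
DP_ERR = {0: "DP_ERR_OK", 1: "DP_ERR_OFFLINE", 2: "DP_ERR_TIMEOUT", 3: "DP_ERR_FATAL"}
# Request types (BE_REQ_* in data_provider.h, as I recall them; verify against your version):
# first number in "Got request for [type][attr][filter]". 4097 = 0x1001 = BE_REQ_USER|BE_REQ_FAST.
BE_REQ_BASE = {1: "BE_REQ_USER", 2: "BE_REQ_GROUP", 3: "BE_REQ_INITGROUPS"}
BE_REQ_FAST = 0x1000

LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
ACCT_REQ_RE = re.compile(r"Got request for \[(?P<type>\d+)\]\[(?P<attr>\d+)\]\[(?P<filter>[^\]]*)\]")
ACCT_RET_RE = re.compile(r"Request processed\. Returned (?P<dp>\d+),(?P<errno>\d+),(?P<msg>.*)")
PAM_KV_RE = re.compile(r"^(?P<key>[a-z_ ]+): ?(?P<val>.*)$")
PAM_RESULT_RE = re.compile(r"Sending result \[(?P<code>\d+)\]\[(?P<domain>[^\]]*)\]")
CHILD_RE = re.compile(r"child \[(?P<pid>\d+)\] finished")


def parse_line(line):
    """Split one backend log line into ts/domain/func/level/msg; None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def describe_req_type(req_type):
    if req_type is None:
        return "unknown"
    fast, base = divmod(req_type, BE_REQ_FAST)
    name = BE_REQ_BASE.get(base, f"BE_REQ({base:#x})")
    return name + "|BE_REQ_FAST" if fast else name


def triage(log_text):
    """Pair each backend request with its result; keep the PAM metadata printed in between."""
    events, current = [], None

    def flush():
        nonlocal current
        if current is not None:
            events.append(current)
        current = None

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg, func, hdr = rec["msg"], rec["func"], {"ts": rec["ts"], "backend": rec["domain"]}
        if (m := ACCT_REQ_RE.search(msg)):
            flush()
            current = dict(hdr, kind="account_info", req_type=int(m["type"]), filter=m["filter"])
        elif (m := ACCT_RET_RE.search(msg)):
            if current is None or current["kind"] != "account_info":
                flush()  # a result whose request line was not captured
                current = dict(hdr, kind="account_info", req_type=None, filter=None)
            dp, err = int(m["dp"]), int(m["errno"])
            current.update(dp_err=DP_ERR.get(dp, f"DP_ERR({dp})"), errno_code=err,
                           errno_name=errno.errorcode.get(err, "?"), message=m["msg"])
            flush()
        elif msg.startswith("Got request with the following data"):
            flush()
            current = dict(hdr, kind="pam", child_pids=[], krb5_notes=[])
        elif current is not None and current["kind"] == "pam":
            if func == "pam_print_data":
                if (m := PAM_KV_RE.match(msg)):
                    current[m["key"].strip().replace(" ", "_")] = m["val"].strip()
            elif func.startswith("krb5_"):
                current["krb5_notes"].append(msg)  # e.g. the "No ccache file" line
            elif (m := PAM_RESULT_RE.search(msg)):
                current["result"] = code = int(m["code"])
                current["result_name"] = PAM_STATUS.get(code, f"PAM({code})")
            elif (m := CHILD_RE.search(msg)):
                current["child_pids"].append(int(m["pid"]))  # krb5_child/ldap_child exited
    flush()
    return events


def summarize(events):
    """One readable line per request/result pair, with the numeric codes decoded."""
    lines = []
    for e in events:
        if e["kind"] == "account_info":
            lines.append(f"{e['ts']}: lookup {describe_req_type(e['req_type'])} [{e['filter']}] -> "
                         f"{e['dp_err']} errno {e['errno_code']} ({e['errno_name']}): {e['message']}")
        else:
            lines.append(f"{e['ts']}: {e.get('command')} {e.get('user')} via {e.get('service')} -> "
                         f"{e.get('result_name')}, children {e['child_pids']}, krb5 {e['krb5_notes']}")
    return lines


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```

<p>Run it as-is to print one decoded line per request/result pair, or pass the contents of a real sssd_&lt;ipadomain&gt;.log to triage(). On the sample the PAM result 4 decodes to PAM_SYSTEM_ERR rather than PAM_AUTH_ERR, which tells you the auth path itself failed rather than a password being rejected; the script only decodes the codes, and what they mean for a given setup still has to be read from krb5_child.log, as Justin says.</p>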