On Mon, Jul 24, 2017 at 9:25 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote:
> > On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" <
> > freeipa-users@lists.fedorahosted.org> wrote:
> >
> > > On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via FreeIPA-users
> > > wrote:
> > > > I have been trying to reliably get an AD trust setup for a few weeks
> > > > and no matter what I try, when I go to add AD users to an external
> > > > group in FreeIPA, I get:
> > > >
> > > > "trusted domain object not found"
> > > >
> > > > Googling around tends to always yield the same suggestions:
> > > >
> > > > 1) Check time sync
> > > > 2) Check DNS
> > > > 3) Check firewall
> > > >
> > > > I have done all of this ad nauseam in several different environments
> > > > with several different versions of FreeIPA and Windows servers. I have
> > > > gotten a setup to work maybe 2% of the time out of hundreds of attempts.
> > > >
> > > > I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the COPR repo).
> > > > I am trying to establish trust with a mixed Windows 2012 & 2008 forest.
> > > > I have tried both one and two way trusts. Everything seems to work fine
> > > > up until I try to add AD users to FreeIPA.
> > > >
> > > > I have verified all of the requisite DNS records exist and return the
> > > > proper information on both sides, there are no firewalls between any of
> > > > the hosts, and the AD servers and FreeIPA servers are synchronized by
> > > > the same NTP servers.
> > > >
> > > > What could I possibly be missing?
> > >
> > > Can you resolve the object you're trying to add with sssd?
> > >
> > > e.g. id foo@windows.domain
> > > _______________________________________________
> > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> >
> > No. I can log in via Kerberos, kinit user@ad.domain. But neither id
> > user@ad.domain nor getent passwd user@ad.domain are successful.
>
> Then please follow
> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

Jakub,

Thank you for the support thus far. I have followed some suggestions in the
sssd troubleshooting link you provided. I am seeing these errors whenever I
try to perform an operation that would look up an AD user, e.g. id
user@ad.domain. I am performing the user lookups on the primary IPA server
itself.

*sssd.conf:*

[domain/ipa.domain]
debug_level = 10
cache_credentials = True
enumerate = False
krb5_store_password_if_offline = True
ipa_domain = ipa.domain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa01.ipa.domain
chpass_provider = ipa
ipa_server = _srv_
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = sudo, nss, ifp, pam, ssh, pac
debug_level = 10
domains = ipa.domain

[nss]
debug_level = 10

[pam]
debug_level = 10

[sudo]
debug_level = 10

[autofs]
debug_level = 10

[ssh]
debug_level = 10

[pac]
debug_level = 10

[ifp]
debug_level = 10

[secrets]
debug_level = 10

*sssd.log (debug 10 on everything):*

Jul 24 13:19:40 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:40 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:40 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:40 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 2
Jul 24 13:19:46 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:46 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:19:46 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:46 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:46 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:46 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 2
Jul 24 13:19:52 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:52 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:19:52 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:52 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:52 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:52 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 2
Jul 24 13:19:58 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:58 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:19:58 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:58 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:58 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:58 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:58 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:58 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 2
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[be[ipa.domain]]] [fo_resolve_service_send] (0x0020): No available servers for service 'IPA'
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[be[ipa.domain]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[be[ipa.domain]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [11]: Resource temporarily unavailable.
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #39: Data Provider Error: 1, 11, Offline
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #40: Data Provider Error: 1, 11, Offline
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #39: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #40: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #39: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #40: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #42: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #43: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #43: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #43: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #44: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #45: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #45: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #45: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #46: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #47: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #47: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #47: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #48: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #49: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #49: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #49: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #50: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:06 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:06 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
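Added example, not part of the original message and not SSSD code: a small Python triage script that collapses the repeated SSSD debug records in a log like the one above, so the records that precede the backend's "going offline" transition stand out. The sample lines are copied from the message; `summarize` and `before_offline` are names chosen for this example, and the level names for 0x0010, 0x0020 and 0x0040 follow sssd.conf(5).

```python
import re

# SSSD debug-level bits seen in the post, named as in sssd.conf(5).
LEVELS = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious"}
# SSSD record layout: (timestamp) [component] [function] (level): message
ENTRY = re.compile(
    r"\(\w{3} \w{3} +\d+ (?P<time>[\d:]{8}) \d{4}\) "
    r"\[(?P<comp>sssd\S*)\] \[(?P<func>\w+)\] "
    r"\((?P<lvl>0x[0-9a-f]{4})\): (?P<msg>.*)"
)

def summarize(log_text):
    """Collapse repeated SSSD records, keeping first-seen order."""
    groups = {}
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m is None:
            continue  # not an SSSD debug record, e.g. "GSSAPI client step 1"
        # Cache-request ids differ per lookup; fold them so retries collapse.
        msg = re.sub(r"CR #\d+", "CR #N", m["msg"].strip())
        g = groups.setdefault((m["comp"], m["func"], msg), {
            "component": m["comp"], "function": m["func"], "message": msg,
            "level": LEVELS.get(int(m["lvl"], 16), m["lvl"]),
            "first": m["time"], "count": 0,
        })
        g["count"] += 1
        g["last"] = m["time"]
    return list(groups.values())

def before_offline(summary):
    """Records first seen up to and including the 'going offline' one."""
    hits = [i for i, g in enumerate(summary) if "going offline" in g["message"]]
    return summary[: hits[0] + 1] if hits else []

# Sample input: lines copied from the log in the message above.
SAMPLE = """\
Jul 24 13:19:40 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:40 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:40 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:40 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:46 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:46 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[be[ipa.domain]]] [fo_resolve_service_send] (0x0020): No available servers for service 'IPA'
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[be[ipa.domain]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #39: Data Provider Error: 1, 11, Offline
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #40: Data Provider Error: 1, 11, Offline
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
"""
if __name__ == "__main__":
    for g in summarize(SAMPLE):
        print(g["first"], g["last"], g["count"], g["level"], g["function"], g["message"])
```

The script expects one record per line, as journalctl prints them; lines without an SSSD debug record are skipped rather than counted.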