On Mon, Jul 24, 2017 at 2:53 PM, Jason Beck <jason.s.b...@gmail.com> wrote:
> On Mon, Jul 24, 2017 at 2:23 PM, Jakub Hrozek <jhro...@redhat.com> wrote: > >> On Mon, Jul 24, 2017 at 01:53:20PM -0400, Jason Beck wrote: >> > On Mon, Jul 24, 2017 at 9:25 AM, Jakub Hrozek <jhro...@redhat.com> >> wrote: >> > >> > > On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote: >> > > > On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" < >> > > > freeipa-users@lists.fedorahosted.org> wrote: >> > > > >> > > > > On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via >> FreeIPA-users >> > > > > wrote: >> > > > > > I have been trying to reliably get an AD trust setup for a few >> weeks >> > > and >> > > > > no >> > > > > > matter what I try, when I goto add AD users to an external >> group in >> > > > > > FreeIPA, I get: >> > > > > > >> > > > > > "trusted domain object not found" >> > > > > > >> > > > > > Googling around tends to always yield the same suggestions: >> > > > > > >> > > > > > 1) Check time sync >> > > > > > 2) Check DNS >> > > > > > 3) Check firewall >> > > > > > >> > > > > > I have done all of this ad nauseam in several different >> environments >> > > with >> > > > > > several different versions of FreeIPA and Windows servers. I >> have >> > > > > gotten a >> > > > > > setup to work maybe 2% of the time out of hundreds of attempts. >> > > > > > >> > > > > > I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the COPR >> > > repo). >> > > > > I >> > > > > > am trying to establish trust with a mixed Windows 2012 & 2008 >> > > forest. I >> > > > > > have tried both one and two way trusts. Everything seems to >> work >> > > fine up >> > > > > > until I try to add AD users to FreeIPA. >> > > > > > >> > > > > > I have verified all of the requisite DNS records exist and >> return the >> > > > > > proper information on both sides, there are no firewalls >> between any >> > > of >> > > > > the >> > > > > > hosts, and the AD servers and FreeIPA servers are synchronized >> by the >> > > > > same >> > > > > > NTP servers. >> > > > > > >> > > > > > What could I possibly be missing? >> > > > > >> > > > > Can you resolve the object you're trying to add with sssd? >> > > > > >> > > > > e.g. id foo@windows.domain >> > > > > _______________________________________________ >> > > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahost >> ed.org >> > > > > To unsubscribe send an email to freeipa-users-leave@lists. >> > > fedorahosted.org >> > > > >> > > > >> > > > No. I can login via Kerberos, kinit user@ad.domain. But neither >> id >> > > > user@ad.domain nor getent passwd user@ad.domain are successful. >> > > >> > > Then please follow >> > > https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html >> > > >> > >> > Jakub, >> > >> > Thank you for the support thus far. I have followed some suggestions >> in >> > the sssd troubleshooting link you provided. I am seeing these errors >> > whenever I try to perform an operation that would lookup an AD user, >> e.g. >> > id user@ad.domain. I am performing the user lookups on the primary IPA >> > server itself. >> > >> > *sssd.conf:* >> > >> > [domain/ipa.domain] >> > >> > debug_level = 10 >> > >> > cache_credentials = True >> > >> > enumerate = False >> > >> > krb5_store_password_if_offline = True >> > >> > ipa_domain = ipa.domain >> > >> > id_provider = ipa >> > >> > auth_provider = ipa >> > >> > access_provider = ipa >> > >> > ipa_hostname = ipa01.ipa.domain >> > >> > chpass_provider = ipa >> > >> > ipa_server = _srv_ >> > >> > ldap_tls_cacert = /etc/ipa/ca.crt >> > >> > [sssd] >> > >> > services = sudo, nss, ifp, pam, ssh, pac >> > >> > debug_level = 10 >> > >> > domains = ipa.domain >> > >> > [nss] >> > >> > debug_level = 10 >> > >> > [pam] >> > >> > debug_level = 10 >> > >> > [sudo] >> > >> > debug_level = 10 >> > >> > [autofs] >> > >> > debug_level = 10 >> > >> > [ssh] >> > >> > debug_level = 10 >> > >> > [pac] >> > >> > debug_level = 10 >> > >> > [ifp] >> > >> > debug_level = 10 >> > >> > [secrets] >> > >> > debug_level = 10 >> > >> Are you sure it's the server itself? Because for one, I would expect to >> see ipa_server_mode=True in sssd.conf and also ipa_server set to fqdn of >> 'self', not to _srv_. >> >> Also the s2n exop failed messages make it look like the debug messages >> are from a client. >> >> Anyway, one thing to examine is: >> > Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) >> > [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #49: Data Provider >> > Error: 3, 5, Failed to get reply from Data Provider >> > >> > Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) >> > [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an >> > error [org.freedesktop.sssd.Error.DataProvider.Offline] >> > >> >> This indicates a communication issue towards the server. You should look >> for messages that say that 'a port is not working'. >> > > Sorry, I've been troubleshooting this for weeks, trying various settings. > When I add the variables to sssd.conf > > [domain/ipa.domain] > ... > ipa_server_mode = True > ipa_server = ipa01.ipa.domain > ... > > and restart sssd: > > I am now getting the following errors, also id user@ad.domain and/or > getent passwd user@ad.domain return failure immediately: > > Jul 24 14:40:41 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:40:41 > 2017) [sssd[be[ipa.domain]]] [sdap_get_server_opts_from_rootdse] > (0x0020): ldap_rootdse_last_usn configured but not found in rootdse! > > Jul 24 14:40:41 iad1aipa01.ipa.domain sssd_be[12156]: GSSAPI client step 1 > > Jul 24 14:40:41 iad1aipa01.ipa.domain sssd_be[12156]: GSSAPI client step 1 > > Jul 24 14:40:41 iad1aipa01.ipa.domain sssd_be[12156]: GSSAPI client step 1 > > Jul 24 14:40:41 iad1aipa01.ipa.domain sssd_be[12156]: GSSAPI client step 2 > > Jul 24 14:40:47 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:40:47 > 2017) [sssd[be[ipa.domain]]] [ipa_sudo_fetch_rules_done] (0x0040): Received > 0 sudo rules > > Jul 24 14:41:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:41:13 > 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Bug: id cannot be 0! > > Jul 24 14:41:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:41:13 > 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Unable to create > cache_req data [1432158209]: Internal Error > > Jul 24 14:41:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:41:13 > 2017) [sssd[nss]] [nss_getby_id] (0x0020): Unable to set cache request data! > > Jul 24 14:41:27 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:41:27 > 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389]. > > Jul 24 14:42:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:42:13 > 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Bug: id cannot be 0! > > Jul 24 14:42:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:42:13 > 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Unable to create > cache_req data [1432158209]: Internal Error > > Jul 24 14:42:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:42:13 > 2017) [sssd[nss]] [nss_getby_id] (0x0020): Unable to set cache request data! > > > As far as ports not working, all of the IPA services are running, the > local firewalls are all turned off on the IPA servers and the firewalls > between the AD servers and the IPA servers are completely open for the IPA > server addresses. LDAP queries work fine to both the AD servers and the > IPA servers. I can kinit fine as an AD user on the IPA servers. > > # ipactl status > > Directory Service: RUNNING > > krb5kdc Service: RUNNING > > kadmin Service: RUNNING > > named Service: RUNNING > > httpd Service: RUNNING > > ipa-custodia Service: RUNNING > > pki-tomcatd Service: RUNNING > > smb Service: RUNNING > > winbind Service: RUNNING > > ipa-otpd Service: RUNNING > > ipa-dnskeysyncd Service: RUNNING > > ipa: INFO: The ipactl command was successful > I have reinstalled everything from scratch again and run through the setup instructions here: https://www.freeipa.org/page/Active_Directory_trust_setup . Everything "works" until I get to the point of adding an external user to an external group in FreeIPA. The only configuration I have changed is to increase the debug logging in both sssd.conf and smb/netconf and adding the 'auth_to_local' lines in krb5.conf. When I start sssd I am seeing the following: Jul 24 16:10:14 ipa01.ipa.domain sssd[be[ipa.domain]][11828]: SRV discovery is enabled on the IPA server while using custom dns_discovery_domain. DNS discovery of trusted AD domain will likely fail. It is recommended not to use SRV discovery or the dns_discovery_domain option for the IPA domain while running on the server itself Jul 24 16:10:14 ipa01.ipa.domain sssd[11826]: (Mon Jul 24 16:10:14 2017) [sssd[be[ipa.chewy.com]]] [ipa_init_server_mode] (0x0020): SRV discovery is enabled on the IPA server while using custom dns_discovery_domain. DNS discovery of trusted AD domain will likely fail. It is recommended not to use SRV discovery or the dns_discovery_domain option for the IPA domain while running on the server itself I am not setting a custom dns_discovery_domain in sssd.conf. Whenever I try to id user@ad.domain or getent passwd user@ad.domain nothing is logged in sssd. Is it possible to have the sssd on the IPA servers also be clients? Thanks, J
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org