> On 1 Dec 2017, at 10:52, Henrik Johansson <henr...@henkis.net> wrote:
>
> Hi,
>
> Answers below. I found one thing that doesn’t look correct: on another
> virtualised test-system I can get a cifs ticket when I am admin on the IPA
> server, in this setup it only works if I get tickets from the AD domain
> manually first:
>
> [root@ipaserver httpd]# kinit admin
> Password for ad...@idm.test.net:
> [root@ipaserver httpd]# klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: ad...@idm.test.net
>
> Valid starting       Expires              Service principal
> 12/01/2017 10:25:48  12/02/2017 10:25:39  krbtgt/idm.test....@idm.test.net
> [root@ipaserver httpd]# kvno -S cifs adserver.ad2.test.net
> kvno: Server krbtgt/ad2.test....@idm.test.net not found in Kerberos database
> while getting credentials for cifs/adserver.ad2.test....@ad2.test.net
> [root@ipaserver httpd]# kinit adminu...@ad2.test.net
> Password for adminu...@ad2.test.net:
> Warning: Your password will expire in 5 days on Wed 06 Dec 2017 03:20:14 PM
> CET
> [root@ipaserver httpd]# kvno -S cifs adserver.ad2.test.net
> cifs/adserver.ad2.test....@ad2.test.net: kvno = 13
>
>
>> On 27 Nov 2017, at 14:06, Jakub Hrozek via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> On Tue, Nov 21, 2017 at 01:55:31PM +0100, Henrik Stigendal via FreeIPA-users
>> wrote:
>>> Hello everyone,
>>>
>>> I’m new to this and am trying to set up a working trust against an AD
>>> forest. I seem to have a working trust, but when I try to reference
>>> external groups (or users) I get:
>>>
>>> # ipa group-add-member ad_users_external --external "AD2\Domain Users"
>>> [member user]:
>>> [member group]:
>>>   Group name: ad_users_external
>>>   Description: AD users external map
>>>   Failed members:
>>>     member user:
>>>     member group: AD2\Domain Users: trusted domain object not found
>>> -------------------------
>>> Number of members added 0
>>> -------------------------
>>
>> I think the lookup goes eventually from the ipa command line framework
>> to SSSD, does lookup through the usual SSSD channels (getent passwd
>> username@domain) work?
>
> No, that does not work at all.
>
>>
>>>
>>> I enabled some logging and the output from the command above is at the
>>> end of the mail. Any suggestions what could cause this? Current version of
>>> IPA is 4.5.
>>>
>>> Regards
>>> Henrik
>>>
>>> Tue Nov 21 13:10:42.675713 2017] [:warn] [pid 38221] [client
>>> 192.168.6.82:34714] failed to set perms (3140) on file
>>> (/var/run/ipa/ccaches/ad...@idm.test.net)!, referer:
>>> https://ipaserver.idm.test.net/ipa/xml
>>> string_to_sid: SID AD2\Domain Users is not in a valid format
>>
>> btw did you try also a lookup of a name qualified with the full AD domain
>> name (i.e. username@ad.domain instead of ad\\username)? I wonder if just
>> the flatname is acting up..
>
>
> I’ve tested both without luck.

I would suggest finding out why the lookups from the command line don’t
work. You can check how to debug sssd here:
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html
Feel free to share your logs if they are not easy to read.

>
>>
>>> lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
>>> Processing section "[global]"
>>> INFO: Current debug levels:
>>>   all: 11
>>>   tdb: 11
>>>   printdrivers: 11
>>>   lanman: 11
>>>   smb: 11
>>>   rpc_parse: 11
>>>   rpc_srv: 11
>>>   rpc_cli: 11
>>>   passdb: 11
>>>   sam: 11
>>>   auth: 11
>>>   winbind: 11
>>>   vfs: 11
>>>   idmap: 11
>>>   quota: 11
>>>   acls: 11
>>>   locking: 11
>>>   msdfs: 11
>>>   dmapi: 11
>>>   registry: 11
>>>   scavenger: 11
>>>   dns: 11
>>>   ldb: 11
>>>   tevent: 11
>>> pm_process() returned Yes
>>> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255
>>> netmask=255.255.255.0
>>> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255
>>> netmask=255.255.255.0
>>> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255
>>> netmask=255.255.255.0
>>> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255
>>> netmask=255.255.255.0
>>> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255
>>> netmask=255.255.255.0
>>> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255
>>> netmask=255.255.255.0
>>> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255
>>> netmask=255.255.255.0
>>> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255
>>> netmask=255.255.255.0
>>> finddcs: searching for a DC by DNS domain ad2.test.net
>>> finddcs: looking for SRV records for _ldap._tcp.ad2.test.net
>>> resolve_lmhosts: Attempting lmhosts lookup for name
>>> _ldap._tcp.ad2.test.net<0x0>
>>> getlmhostsent: lmhost entry: 127.0.0.1 localhost
>>> ads_dns_lookup_srv: 2 records returned in the answer section.
>>> ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
>>> ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
>>> Addrs = 192.168.5.158@389/adserver,192.168.5.104@389/adserver
>>> finddcs: DNS SRV response 0 at '192.168.5.158'
>>> finddcs: DNS SRV response 1 at '192.168.5.104'
>>> finddcs: performing CLDAP query on 192.168.5.158
>>> &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
>>>   command : LOGON_SAM_LOGON_RESPONSE_EX (23)
>>>   sbz : 0x0000 (0)
>>>   server_type : 0x0001f1fc (127484)
>>>     0: NBT_SERVER_PDC
>>>     1: NBT_SERVER_GC
>>>     1: NBT_SERVER_LDAP
>>>     1: NBT_SERVER_DS
>>>     1: NBT_SERVER_KDC
>>>     1: NBT_SERVER_TIMESERV
>>>     1: NBT_SERVER_CLOSEST
>>>     1: NBT_SERVER_WRITABLE
>>>     0: NBT_SERVER_GOOD_TIMESERV
>>>     0: NBT_SERVER_NDNC
>>>     0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
>>>     1: NBT_SERVER_FULL_SECRET_DOMAIN_6
>>>     1: NBT_SERVER_ADS_WEB_SERVICE
>>>     1: NBT_SERVER_DS_8
>>>     0: NBT_SERVER_HAS_DNS_NAME
>>>     0: NBT_SERVER_IS_DEFAULT_NC
>>>     0: NBT_SERVER_FOREST_ROOT
>>>   domain_uuid : 63c3a477-85f9-5f01-96e8-2597a5c48978
>>>   forest : 'ad2.test.net'
>>>   dns_domain : 'ad2.test.net'
>>>   pdc_dns_name : 'adserver.ad2.test.net'
>>>   domain_name : 'AD2'
>>>   pdc_name : 'adserver'
>>>   user_name : ''
>>>   server_site : 'AS001'
>>>   client_site : 'AS002'
>>>   sockaddr_size : 0x00 (0)
>>>   sockaddr: struct nbt_sockaddr
>>>     sockaddr_family : 0x00000000 (0)
>>>     pdc_ip : (null)
>>>     remaining : DATA_BLOB length=0
>>>   next_closest_site : NULL
>>>   nt_version : 0x00000005 (5)
>>>     1: NETLOGON_NT_VERSION_1
>>>     0: NETLOGON_NT_VERSION_5
>>>     1: NETLOGON_NT_VERSION_5EX
>>>     0: NETLOGON_NT_VERSION_5EX_WITH_IP
>>>     0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
>>>     0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
>>>     0: NETLOGON_NT_VERSION_PDC
>>>     0: NETLOGON_NT_VERSION_IP
>>>     0: NETLOGON_NT_VERSION_LOCAL
>>>     0: NETLOGON_NT_VERSION_GC
>>>   lmnt_token : 0xffff (65535)
>>>   lm20_token : 0xffff (65535)
>>> finddcs: Found matching DC 192.168.5.158 with server_type=0x0001f1fc
>>> [Tue Nov 21 13:10:42.740320 2017] [:error] [pid 26496] ipa: INFO:
>>> [jsonserver_session] ad...@idm.test.net:
>>> group_add_member/1(u'ad_users_external', ipaexternalmember=(u'AD2\\\\Domain
>>> Users',), version=u'2.228'): SUCCESS
>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
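An added example, not code from this thread, FreeIPA or Samba: the `string_to_sid: SID AD2\Domain Users is not in a valid format` line in the log is what a strict SID parser reports when it is handed a name instead of a SID, and `--external` accepts three forms (a string SID, a flat `DOMAIN\name`, or `name@dns.domain`). The small parser below applies the string-SID layout from MS-DTYP and classifies the identifier forms, so a reader can separate "this is not a SID" (expected for a name) from "the name could not be resolved" (the actual failure in the thread, which is the SSSD lookup Jakub points at). The sample SIDs and names are constructed for the example; the well-known RID table is limited to three entries.

```python
"""Classify the identifier forms accepted by `ipa group-add-member --external`.

Added example (not FreeIPA/Samba code). parse_sid() mirrors what a strict
string_to_sid check does: a name such as "AD2\\Domain Users" is rejected
as "not a SID", which on its own is not an error for a name lookup.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Well-known RIDs of built-in AD domain groups (MS-DTYP), used to annotate output.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers"}

# String SID layout (MS-DTYP 2.4.2.1): "S-1-<identifier authority>-<sub>[-<sub>...]".
# This parser requires at least one sub-authority so that a RID always exists.
_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")
_MAX_SUB_AUTHORITIES = 15          # SID_MAX_SUB_AUTHORITIES
_MAX_AUTHORITY = (1 << 48) - 1     # identifier authority is a 48-bit value

_FLAT_RE = re.compile(r"^([^\\@]+)\\([^\\@]+)$")   # DOMAIN\name (NetBIOS flat name)
_UPN_RE = re.compile(r"^([^\\@]+)@([^\\@]+)$")     # name@dns.domain


@dataclass(frozen=True)
class Sid:
    identifier_authority: int
    sub_authorities: Tuple[int, ...]

    @property
    def rid(self) -> int:
        """Relative identifier: the last sub-authority."""
        return self.sub_authorities[-1]

    def __str__(self) -> str:
        subs = "-".join(str(s) for s in self.sub_authorities)
        return "S-1-%d-%s" % (self.identifier_authority, subs)


def parse_sid(text: str) -> Optional[Sid]:
    """Strictly parse a string SID; return None when `text` is not a SID.

    None corresponds to the "not in a valid format" outcome in the log.
    """
    m = _SID_RE.match(text)
    if not m:
        return None
    authority = int(m.group(1))
    # group(2) is "-21-…-513"; drop the empty element before the first dash.
    subs = tuple(int(s) for s in m.group(2).split("-")[1:])
    if authority > _MAX_AUTHORITY or len(subs) > _MAX_SUB_AUTHORITIES:
        return None
    if any(s > 0xFFFFFFFF for s in subs):   # each sub-authority is 32-bit
        return None
    return Sid(authority, subs)


def classify_external_member(text: str) -> dict:
    """Return which accepted form `text` uses ('sid', 'flat', 'upn' or 'invalid')
    together with its parts, trying the SID form first as the trust code does."""
    sid = parse_sid(text)
    if sid is not None:
        return {"kind": "sid", "sid": str(sid), "rid": sid.rid,
                "well_known": WELL_KNOWN_RIDS.get(sid.rid)}
    m = _FLAT_RE.match(text)
    if m:
        return {"kind": "flat", "domain": m.group(1), "name": m.group(2)}
    m = _UPN_RE.match(text)
    if m:
        return {"kind": "upn", "domain": m.group(2), "name": m.group(1)}
    return {"kind": "invalid"}


if __name__ == "__main__":
    # Constructed inputs mirroring the thread; the domain SID is made up.
    for candidate in ("AD2\\Domain Users",
                      "adminuser@ad2.test.net",
                      "S-1-5-21-1004336348-1177238915-682003330-513",
                      "Domain Users"):
        print("%-48s -> %s" % (candidate, classify_external_member(candidate)))
```

Running the module shows the flat name and UPN forms are recognised as names to be resolved (by SSSD in the thread's setup), while only the last input is malformed for all three forms.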