Hi!

It surely does. Thank you!


Eemeli

-----Original Message-----
From: Sumit Bose <sb...@redhat.com> 
Sent: perjantai 6. syyskuuta 2019 10.19
To: Jokinen Eemeli <eemeli.joki...@cinia.fi>
Cc: Sumit Bose <sb...@redhat.com>; FreeIPA users list 
<freeipa-users@lists.fedorahosted.org>
Subject: Re: [Freeipa-users] Re: Problems joining an Ubuntu client to IPA 
server and using AD Credentials

On Fri, Sep 06, 2019 at 06:54:56AM +0000, Jokinen Eemeli wrote:
> Hi!
> 
> Trust show
> 
> --
>   Realm name: <ad.domain>
>   Domain NetBIOS name: <ADNETBIOS>
>   Domain Security Identifier: S-1-5-21-1014394416-1363177490-1625040996
>   Trust direction: Trusting forest
>   Trust type: Active Directory domain
>   UPN suffixes: <company.domain>
> --
> 
> I try to attach the log file here, not sure if it goes through...

Hi,

...
(Fri Sep  6 09:22:12 2019) [sssd[be[<ipa.company.domain>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=<ipa>,dc=<company>,dc=<domain>].
(Fri Sep  6 09:22:12 2019) [sssd[be[<ipa.company.domain>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Sep  6 09:22:12 2019) [sssd[be[<ipa.company.domain>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
(Fri Sep  6 09:22:12 2019) [sssd[be[<ipa.company.domain>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
(Fri Sep  6 09:22:12 2019) [sssd[be[<ipa.company.domain>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustDirection]
(Fri Sep  6 09:22:12 2019) [sssd[be[<ipa.company.domain>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 6
...

this means you are using an older version of SSSD which cannot detect 
automatically if enterprise principals can be used. With newer versions you 
should see a '[ipaNTAdditionalSuffixes]' here as well. So you have to set the 
option manually.

'ipa-client-install' cannot set this; you have to use a configuration management 
tool.

HTH

bye,
Sumit

> 
> 
> Eemeli
> 
> -----Original Message-----
> From: Sumit Bose <sb...@redhat.com>
> Sent: perjantai 6. syyskuuta 2019 9.14
> To: Jokinen Eemeli <eemeli.joki...@cinia.fi>
> Cc: Sumit Bose <sb...@redhat.com>; FreeIPA users list 
> <freeipa-users@lists.fedorahosted.org>
> Subject: Re: [Freeipa-users] Re: Problems joining an Ubuntu client to 
> IPA server and using AD Credentials
> 
> On Fri, Sep 06, 2019 at 05:20:03AM +0000, Jokinen Eemeli wrote:
> > Hi!
> > 
> > Nice! That seemed to do the trick after rebooting the client.
> > 
> > Is there a switch to set that up during "ipa-client-install" or should I 
> > use configuration management to deploy that when needed?
> 
> Hi,
> 
> Recent versions of SSSD should be able to determine automatically if 
> enterprise principals should be enabled or not. To investigate why 
> this did not happen in your case please let me know which version of 
> SSSD you are using and send the output of
> 
>     ipa trust-show trusted.ad.forest.root
> 
> As a next step I might ask you for the sssd_ipa.domain.log file with
> debug_level=9 in the [domain/...] section of sssd.conf which covers the 
> startup of SSSD.
> 
> bye,
> Sumit
> 
> > 
> > 
> > Eemeli
> > 
> > -----Original Message-----
> > From: Sumit Bose <sb...@redhat.com>
> > Sent: torstai 5. syyskuuta 2019 19.03
> > To: Jokinen Eemeli <eemeli.joki...@cinia.fi>
> > Cc: FreeIPA users list <freeipa-users@lists.fedorahosted.org>; Sumit 
> > Bose <sb...@redhat.com>
> > Subject: Re: [Freeipa-users] Re: Problems joining an Ubuntu client 
> > to IPA server and using AD Credentials
> > 
> > On Thu, Sep 05, 2019 at 03:03:17PM +0000, Jokinen Eemeli wrote:
> > > Hi!
> > > 
> > > In fact we're using RHEL 7 with ipa-server 4.6.4
> > > 
> > 
> > Hi,
> > 
> > in this case please try to add
> > 
> >     krb5_use_enterprise_principal = True
> > 
> > to the [domain/...] section of sssd.conf on the Ubuntu client.
> > 
> > HTH
> > 
> > bye,
> > Sumit
> > 
> > > 
> > > Eemeli
> > > 
> > > -----Original Message-----
> > > From: Sumit Bose via FreeIPA-users 
> > > <freeipa-users@lists.fedorahosted.org>
> > > Sent: torstai 5. syyskuuta 2019 16.36
> > > To: freeipa-users@lists.fedorahosted.org
> > > Cc: Sumit Bose <sb...@redhat.com>
> > > Subject: [Freeipa-users] Re: Problems joining an Ubuntu client to 
> > > IPA server and using AD Credentials
> > > 
> > > On Thu, Sep 05, 2019 at 01:11:44PM +0000, Jokinen Eemeli via 
> > > FreeIPA-users wrote:
> > > > Hi!
> > > > 
> > > > I have a problem I could use help on resolving:
> > > > 
> > > > We have a working IPA cluster and I try to join in with an Ubuntu
> > > > 16.04 freeipa-client. Everything seems to go smoothly; it 
> > > > creates config files that look just right. However, when I try to 
> > > > log in with SSH using the AD credentials I've joined the IPA with, I 
> > > > can't log in and auth.log gives me an error
> > > > 
> > > > --
> > > > Sep  5 15:46:29 testcomputer2 sshd[1907]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<ip>  user=<user>@<ad.domain>
> > > > Sep  5 15:46:29 testcomputer2 sshd[1907]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<ip> user=<user>@<ad.domain>
> > > > Sep  5 15:46:29 testcomputer2 sshd[1907]: pam_sss(sshd:auth): received for user <user>@<ad.domain>: 4 (System error)
> > > > Sep  5 15:46:31 testcomputer2 sshd[1907]: Failed password for <user>@<ad.domain> from <ip> port 42416 ssh2
> > > > --
> > > > 
> > > > Couldn't find anything solid, but then I turned on debug levels and 
> > > > looked into krb5_child.log. Our IPA domain is ipa.company.domain, but for 
> > > > some reason it tries to find the username from company.domain and of 
> > > > course it can't find the username there.
> > > 
> > > Hi,
> > > 
> > > which IPA version are you using on the server?
> > > 
> > > It looks like you have defined the user principal name of the user in AD 
> > > as <user>@<company.domain>. Depending on the version of IPA there are two 
> > > different solutions.
> > > 
> > > bye,
> > > Sumit
> > > 
> > > > 
> > > > --
> > > > (Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> > > > (Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [<company.domain>]
> > > > (Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.927017: Getting initial credentials for <user>@<company.domain>
> > > > (Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.927076: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_<ipa.company.domain>
> > > > (Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.927109: Retrieving host/testcomputer2.<ipa.company.domain>@<ipa.company.domain> -> krb5_ccache_conf_data/fast_avail/krbtgt\/<company.domain>\@<company.domain>@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_<ipa.company.domain> with result: -1765328243/Matching credential not found
> > > > (Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.927151: Sending request (172 bytes) to <company.domain>
> > > > (Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938377: Retrying AS request with master KDC
> > > > (Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938418: Getting initial credentials for <user>@<company.domain>
> > > > (Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938442: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_<ipa.company.domain>
> > > > (Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938467: Retrieving host/testcomputer2.<ipa.company.domain>@<ipa.company.domain> -> krb5_ccache_conf_data/fast_avail/krbtgt\/<company.domain>\@<company.domain>@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_<ipa.company.domain> with result: -1765328243/Matching credential not found
> > > > (Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [sss_child_krb5_trace_cb] (0x4000): [1909] 1567687589.938511: Sending request (172 bytes) to <company.domain> (master)
> > > > (Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [get_and_save_tgt] (0x0020): 1232: [-1765328230][Cannot find KDC for realm "<company.domain>"]
> > > > (Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [map_krb5_error] (0x0020): 1301: [-1765328230][Cannot find KDC for realm "<company.domain>"]
> > > > (Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [k5c_send_data] (0x0200): Received error code 1432158209
> > > > (Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [pack_response_packet] (0x2000): response packet size: [4]
> > > > (Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [k5c_send_data] (0x4000): Response sent.
> > > > (Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [main] (0x0400): krb5_child completed successfully
> > > > --
> > > > 
> > > > Seems like it converts ad.domain to company.domain and not to 
> > > > ipa.company.domain for some reason. But like I said the configuration 
> > > > on /var/lib/sss/pubconf/krb5.include.d seems legit.
> > > > 
> > > > --
> > > > [domain_realm]
> > > > .<ad.domain> = <AD.DOMAIN>
> > > > <ad.domain> = <AD.DOMAIN>
> > > > [capaths]
> > > > <AD.DOMAIN> = {
> > > >   <IPA.COMPANY.DOMAIN> = <AD.DOMAIN>
> > > > }
> > > > <IPA.COMPANY.DOMAIN> = {
> > > >   <AD.DOMAIN> = <AD.DOMAIN>
> > > > }
> > > > --
> > > > 
> > > > Any ideas why it's dropping the subdomain out?
> > > > 
> > > > 
> > > > Eemeli
> > > 

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
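The three artifacts exchanged in this thread (the `ipa trust-show` output, the `Requesting attrs:` lines from the SSSD domain log, and the `Attempting kinit for realm [...]` / `Cannot find KDC` lines from krb5_child.log) are enough to decide mechanically whether a login failure is the UPN-suffix case Sumit describes. The script below is an added example and is not code from SSSD, FreeIPA, or anyone in the thread. It reads those three texts and reports whether krb5_child tried to kinit against a realm that is really one of the trust's UPN suffixes, and whether the running SSSD already requests `ipaNTAdditionalSuffixes` (the marker Sumit uses for automatic enterprise-principal detection). All sample inputs are constructed to mirror the redacted output in the thread; `ad.example`, `company.example`, `ipa.company.example`, the PID and the timestamps are placeholders, and the `Diagnosis` structure and the heuristic in `diagnose()` are the example's own.

```python
"""Heuristic check for the failure discussed in the thread: an AD user's UPN
suffix (company.example) is not a Kerberos realm, so krb5_child does an AS
request against that suffix and gets "Cannot find KDC".

Added example, not SSSD or FreeIPA code. All sample text below is constructed
to mirror the redacted thread output; domain names, PID and timestamps are
placeholders.
"""
import re
from dataclasses import dataclass

ATTR_RE = re.compile(r"Requesting attrs: \[([^\]]+)\]")
KINIT_RE = re.compile(r"Attempting kinit for realm \[([^\]]+)\]")
KDC_ERR_RE = re.compile(r'Cannot find KDC for realm "([^"]+)"')

# Constructed: `ipa trust-show` output in the shape posted in the thread.
TRUST_SHOW = """\
  Realm name: ad.example
  Domain NetBIOS name: ADNETBIOS
  Domain Security Identifier: S-1-5-21-1014394416-1363177490-1625040996
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  UPN suffixes: company.example
"""

# Constructed: the attributes an older SSSD requests for ipaNTTrustedDomain
# objects (the four seen in the thread). Newer versions add ipaNTAdditionalSuffixes.
PFX = ("(Fri Sep  6 09:22:12 2019) [sssd[be[ipa.company.example]]] "
       "[sdap_get_generic_ext_step] (0x1000): ")
SSSD_DOMAIN_LOG_OLD = "".join(
    PFX + f"Requesting attrs: [{a}]\n"
    for a in ("cn", "ipaNTFlatName", "ipaNTTrustedDomainSID", "ipaNTTrustDirection")
)
SSSD_DOMAIN_LOG_NEW = SSSD_DOMAIN_LOG_OLD + PFX + "Requesting attrs: [ipaNTAdditionalSuffixes]\n"

# Constructed: the two krb5_child.log lines that carry the diagnosis.
KRB5_CHILD_LOG = """\
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [company.example]
(Thu Sep  5 15:46:29 2019) [[sssd[krb5_child[1909]]]] [get_and_save_tgt] (0x0020): 1232: [-1765328230][Cannot find KDC for realm "company.example"]
"""


def parse_trust_show(text):
    """Return (trust realm, [UPN suffixes]) from `ipa trust-show` output, lower-cased."""
    realm, suffixes = None, []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key.strip() == "Realm name":
            realm = value.strip().lower()
        elif key.strip() == "UPN suffixes":
            # multi-valued attributes are printed comma-separated
            suffixes = [s.strip().lower() for s in value.split(",") if s.strip()]
    return realm, suffixes


def requested_trust_attrs(domain_log):
    """Attributes SSSD asked for when reading cn=trusts (domain log, debug_level=9)."""
    return {m.group(1) for m in ATTR_RE.finditer(domain_log)}


def kinit_realms(krb5_child_log):
    """Realms krb5_child attempted an AS request against."""
    return {m.group(1).lower() for m in KINIT_RE.finditer(krb5_child_log)}


@dataclass
class Diagnosis:
    auto_detect_supported: bool  # SSSD itself requests ipaNTAdditionalSuffixes
    upn_suffix_realms: list      # realms tried that are really UPN suffixes
    missing_kdc_realms: list     # realms krb5 reported "Cannot find KDC" for
    needs_manual_option: bool    # set krb5_use_enterprise_principal by hand
    sssd_conf_fix: str           # the [domain/...] lines to add, if any


def diagnose(trust_show, domain_log, krb5_child_log, ipa_domain):
    """Apply the thread's reasoning: a kinit against a UPN suffix that is not the
    trust realm or the IPA realm means enterprise principals are needed; if the
    SSSD in use cannot detect that itself, the option must be set manually."""
    trust_realm, suffixes = parse_trust_show(trust_show)
    auto = "ipaNTAdditionalSuffixes" in requested_trust_attrs(domain_log)
    real_realms = {trust_realm, ipa_domain.lower()}
    bad = sorted(r for r in kinit_realms(krb5_child_log)
                 if r in suffixes and r not in real_realms)
    missing = sorted({m.group(1).lower() for m in KDC_ERR_RE.finditer(krb5_child_log)})
    needs = bool(bad) and not auto
    fix = f"[domain/{ipa_domain}]\nkrb5_use_enterprise_principal = True" if needs else ""
    return Diagnosis(auto, bad, missing, needs, fix)


if __name__ == "__main__":
    print(diagnose(TRUST_SHOW, SSSD_DOMAIN_LOG_OLD, KRB5_CHILD_LOG, "ipa.company.example"))
```

On real systems feed it the actual `ipa trust-show` output, `/var/log/sssd/sssd_<ipa-domain>.log` captured across an SSSD restart at `debug_level = 9`, and `/var/log/sssd/krb5_child.log`. The heuristic only recognises the pattern in this thread (kinit realm equals a trust UPN suffix); a `Cannot find KDC` for some other realm points at a different problem, for example the `[domain_realm]`/`[capaths]` snippet under `/var/lib/sss/pubconf/krb5.include.d`, and is reported in `missing_kdc_realms` without a suggested fix.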
