Hi I've managed to get trusts working with CentOS 7 as an IdM server, Win2K8R2 AD DC and CentOS6.5 as a client, using the exact same series of steps as in the documentation. Attached is the process I used.
I'll continue testing RHEL7 and Fedora 20.1 and submit a bug report if necessary. Thanks for the assistance all!! Traiano On Sat, Sep 13, 2014 at 12:07 AM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Fri, 12 Sep 2014, Traiano Welcome wrote: > >> Hi List >> >> >> I'm following the guide at >> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Assumptions , this >> time with Fedora 20.1. >> >> >> Everything proceeds smoothly until I try to establish trust with the AD >> domain controller, at which point IPA crashes: >> >> --- >> [root@idm001 ~]# ipa trust-add --type=ad mhatest.local --admin >> Administrator --password >> Active directory domain administrator's password: >> ipa: ERROR: an internal error has occurred >> [root@idm001 ~]# >> --- >> >> I've attached the exact, step by step process I used to arrive at this >> point. Attached also are the debug logs (as per the debugging guidelines). >> > Looks like you have connectivity problems (or firewall?): > finddcs: Found matching DC 172.16.107.109 with server_type=0x000031fd > [Fri Sep 12 23:30:00.471404 2014] [:error] [pid 3876] ipa: ERROR: LDAP > error when connecting to KWTTSTADDC002: {'desc': "Can't contact LDAP > server"} > > Anyway, please file a bug for Fedora and attach the logs there, we'll > try to improve error messaging here. > > >> >> Many thanks in advance for any insight I could use to understand and fix >> this issue! I am also moving on to re/testing the same process on >> CentOS 7, CentOS 6.5 to rule out the possibility of subtle variations in >> package version bugs (or basically net any that might exist :-p) >> > Yep. > > > -- > / Alexander Bokovoy >
1. AD DC Details - Provides DNS via Windows DNS Server for MHATEST.LOCAL, ENGENEON.LOCAL, LINUX.MHATEST.LOCAL - Win2K8 R2 Enterprise (VM running on Hyper-V) - DNS hostname: kwttstaddc001.mhatest.local - IP Address: 172.16.107.109 2. IdM Server Details - CentOS Linux release 7.0.1406 (Core) - DNS hostname: idm003.engeneon.local - IP Address: 172.16.107.106 3. Linux Client machine: - 172.16.104.145 ronin.engeneon.local ronin - CentOS6.5 Summary: - IPA server IP address: 172.16.107.106 - IPA server hostname: idm003.engeneon.local - IPA domain: ipa_domain engeneon.local - IPA NetBIOS: ENGENEON - IPA Kerberos realm, IPA_DOMAIN, is equal to IPA domain: ENGENEON.LOCAL - AD DC IP address: ad_ip_address: 172.16.107.109 - AD DC hostname: ad_hostname: kwttstaddc001.mhatest.local - AD domain: ad_domain: MHATEST.LOCAL - AD NetBIOS: ad_netbios: MHATEST - AD admins group SID: <fillmein> 4. Windows 2008 R2 AD DC Configuration Settings (172.16.107.109) Printout summary from the "DCPROMO" configuration wizard: - Configure this server as the first Active Directory domain controller in a new forest. - The new domain name is "MHATEST.LOCAL". This is also the name of the new forest. - The NetBIOS name of the domain is "MHATEST". - Forest Functional Level: Windows Server 2008 R2 - Domain Functional Level: Windows Server 2008 R2 - Site: Default-First-Site-Name - Additional Options: Read-only domain controller: "No" Global catalog: Yes DNS Server: Yes - Create DNS Delegation: No - Database folder: C:\Windows\NTDS - Log file folder: C:\Windows\NTDS - SYSVOL folder: C:\Windows\SYSVOL - The DNS Server service will be installed on this computer. - The DNS Server service will be configured on this computer. - This computer will be configured to use this DNS server as its preferred DNS server. - The password of the new domain Administrator will be the same as the password of the local Administrator of this computer. A second AD integrated zone was created on the AD server for the IPA domain: Name: ENGENEON.LOCAL Type: Active Directory-Integrated Primary Lookup type: Forward 5. IDM Server Configuration Sequence: - Guide #1 (IPA Setup) http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Assumptions - Guide #2 (AD setup) http://stef.thewalter.net/2012/08/how-to-create-active-directory-domain.html - Guide #3 (NOT USED IN THIS SEQUENCE!!): Mark Heslin's guide: "Integrating OSE for IdMfor RHEL 1.0" 5.1 Installing the IPA server (CentOS 7, on VMware ESXI 5.5): [done] yum update -y Setup the local caching name-server: [DONE] yum install caching-nameserver [DONE] configure forwarders in /etc/named.conf: forwarders { 172.16.107.109; /* ... or the address of your ISP DNS server */ }; Zone configuration on the IPA server: --- zone "mhatest.local" { type stub; masters { 172.16.107.109; }; }; zone "engeneon.local" { type stub; masters { 172.16.107.109; }; }; --- - Testing that the IPA server can use the local caching dns servicet to resolve the test AD domain: --- [root@idm001 ~]# dig +short soa mhatest.local @127.0.0.1 Times out!!! SERVFAIL --- [DONE] yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap [DONE] Configure hostname and /etc/hosts: --- [root@idm001 ~]# cat /etc/hosts 127.0.0.1 localhost.localdomain localhost ::1 localhost6.localdomain6 localhost6 172.16.107.108 idm001.engeneon.local idm001 [root@idm001 ~]# hostname idm001.engeneon.local --- [DONE] Install the IPA server: ipa-server-install -a XXXXXXXXX -p XXXXXXXXX --domain=engeneon.local --realm=ENGENEON.LOCAL --setup-dns --no-forwarders -U --- <trimmed for brevity> . . . [9/11]: restarting named [10/11]: configuring named to start on boot [11/11]: changing resolv.conf to point to ourselves Done configuring DNS (named). Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos * 53: bind UDP Ports: * 88, 464: kerberos * 53: bind * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificate stored in /root/cacert.p12 This file is required to create replicas. The password for this file is the Directory Manager password --- [DONE] Verify IPA users available to IPA Services: --- [root@idm001 ~]# id admin uid=392600000(admin) gid=392600000(admins) groups=392600000(admins) [root@idm001 ~]# getent passwd admin admin:*:392600000:392600000:Administrator:/home/admin:/bin/bash [root@idm001 ~]# --- [] Configure IPA for Cross-Realm Trusts: ipa-adtrust-install --netbios-name=ENGENEON -a XXXXXXXXX Output: --- [root@idm001 ~]# ipa-adtrust-install --netbios-name=ENGENEON -a XXXXXXXXX The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will setup components needed to establish trust to AD domains for the FreeIPA Server. This includes: * Configure Samba * Add trust related objects to FreeIPA LDAP server To accept the default shown in brackets, press the Enter key. WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration. Do you wish to continue? [no]: yes WARNING: 3 existing users or groups do not have a SID identifier assigned. Installer can run a task to have ipa-sidgen Directory Server plugin generate the SID identifier for all these users. Please note, the in case of a high number of users and groups, the operation might lead to high replication traffic and performance degradation. Refer to ipa-adtrust-install(1) man page for details. Do you want to run the ipa-sidgen task? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. Done configuring CIFS. ============================================================================= Setup complete You must make sure these network ports are open: TCP Ports: * 138: netbios-dgm * 139: netbios-ssn * 445: microsoft-ds UDP Ports: * 138: netbios-dgm * 139: netbios-ssn * 389: (C)LDAP * 445: microsoft-ds Additionally you have to make sure the FreeIPA LDAP server is not reachable by any domain controller in the Active Directory domain by closing down the following ports for these servers: TCP Ports: * 389, 636: LDAP/LDAPS You may want to choose to REJECT the network packets instead of DROPing them to avoid timeouts on the AD domain controllers. ============================================================================= [DONE] Open the firewall Wide: --- [root@idm001 ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@idm001 ~]# --- [DONE] Check TimeZone Settings on both the AD server and the IPA server: idm001.engeneon.net: --- [root@idm001 ~]# date Fri Sep 12 21:10:56 AST 2014 --- kwttstaddc002.mhatest.local: --- PS C:\Users\Administrator> date Friday, September 12, 2014 9:10:33 PM --- 5. DNS Configuration: (The scenario here is "domains are parallel") - AD DNS Zone : mhatest.local - IPA DNS Zone : engeneon.local 5.1 Configure conditional forwarder for IPA domain (engeneon.local): dnscmd 127.0.0.1 /ZoneAdd engeneon.local /Forwarder 172.16.107.108 Output: --- PS C:\Users\Administrator> dnscmd 127.0.0.1 /ZoneAdd engeneon.local /Forwarder 172.16.107.108 DNS Server 127.0.0.1 created zone engeneon.local: Command completed successfully. --- 5.2 On IPA server, add conditional forwarder for AD domain: ipa dnszone-add mhatest.local --name-server=kwttstaddc002.mhatest.local --admin-email='hostmaster@mhatest.local' --force --forwarder=172.16.107.109 --forward-policy=only --ip-address=172.16.107.109 Output: --- [root@idm001 ~]# ipa dnszone-add mhatest.local --name-server=KWTTSTADDC002.mhatest.local --admin-email='hostmaster@mhatest.local' --force --forwarder=172.16.107.109 --forward-policy=only --ip-address=172.16.107.109 Zone name: mhatest.local Authoritative nameserver: kwttstaddc002.mhatest.local Administrator e-mail address: hostmaster.mhatest.local. SOA serial: 1410546132 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 BIND update policy: grant ENGENEON.LOCAL krb5-self * A; grant ENGENEON.LOCAL krb5-self * AAAA; grant ENGENEON.LOCAL krb5-self * SSHFP; Active zone: TRUE Dynamic update: FALSE Allow query: any; Allow transfer: none; Zone forwarders: 172.16.107.109 Forward policy: only [root@idm001 ~]# --- - Dig tests: --- [root@idm001 ~]# dig +short SRV _ldap._tcp.engeneon.local 0 100 389 idm001.engeneon.local. --- --- [root@idm001 ~]# dig +short SRV _ldap._tcp.mhatest.local 0 100 389 kwttstaddc002.mhatest.local. --- 6.Establish and verify cross-realm trust: ipa trust-add --type=ad mhatest.local --admin Administrator --password Output: --- [root@idm003 ~]# ipa trust-add --type=ad mhatest.local --admin Administrator --password Active directory domain administrator's password: ------------------------------------------------------ Added Active Directory trust for realm "MHATEST.LOCAL" ------------------------------------------------------ Realm name: MHATEST.LOCAL Domain NetBIOS name: MHATEST Domain Security Identifier: S-1-5-21-3779563847-208264455-1888173826 SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20 SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20 Trust direction: Two-way trust Trust type: Active Directory domain Trust status: Established and verified [root@idm003 ~]# --- 7. Test if we can pull a list of trusted domains: ipa trustdomain-find "mhatest.local" --- [root@idm003 ~]# ipa trustdomain-find "mhatest.local" Domain name: MHATEST.LOCAL Domain NetBIOS name: MHATEST Domain Security Identifier: S-1-5-21-3779563847-208264455-1888173826 Domain enabled: True ---------------------------- Number of entries returned 1 ---------------------------- [root@idm003 ~]# --- 8. Modify /etc/krb5.conf [realms] ENGENEON.LOCAL = { kdc = idm003.engeneon.local:88 master_kdc = idm003.engeneon.local:88 admin_server = idm003.engeneon.local:749 default_domain = engeneon.local pkinit_anchors = FILE:/etc/ipa/ca.crt auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/ auth_to_local = DEFAULT } --- [root@idm003 ~]# service krb5kdc restart Redirecting to /bin/systemctl restart krb5kdc.service [root@idm003 ~]# service sssd restart Redirecting to /bin/systemctl restart sssd.service [root@idm003 ~]# --- 9. Allow access for users from AD domain to protected resources: ipa group-add --desc='mhatest.local admins external map' ad_admins_external --external ipa group-add --desc='mhatest.local admins' ad_admins ipa group-add-member ad_admins_external --external 'MHATEST\Domain Admins' Output: --- [root@idm003 ~]# ipa group-add --desc='mhatest.local admins external map' ad_admins_external --external -------------------------------- Added group "ad_admins_external" -------------------------------- Group name: ad_admins_external Description: mhatest.local admins external map [root@idm003 ~]# [root@idm003 ~]# [root@idm003 ~]# [root@idm003 ~]# ipa group-add --desc='mhatest.local admins' ad_admins ----------------------- Added group "ad_admins" ----------------------- Group name: ad_admins Description: mhatest.local admins GID: 563000004 [root@idm003 ~]# [root@idm003 ~]# ipa group-add-member ad_admins_external --external 'MHATEST\Domain Admins' [member user]: [member group]: Group name: ad_admins_external Description: mhatest.local admins external map External member: S-1-5-21-3779563847-208264455-1888173826-512 ------------------------- Number of members added 1 ------------------------- [root@idm003 ~]# --- [root@idm003 ~]# ipa group-add-member ad_admins --groups ad_admins_external Group name: ad_admins Description: mhatest.local admins GID: 563000004 Member groups: ad_admins_external ------------------------- Number of members added 1 ------------------------- [root@idm003 ~]# --- 9. Testing Cross Realm Trust: - Create a user in AD: - SSH in to the IPA server using user@mhatest.local REsult: Works fine :-) --- -sh-4.2$ -sh-4.2$ klist Ticket cache: KEYRING:persistent:734001104:krb_ccache_EIBqyEC Default principal: welcomet@MHATEST.LOCAL Valid starting Expires Service principal 09/13/2014 01:02:19 09/13/2014 11:02:19 krbtgt/MHATEST.LOCAL@MHATEST.LOCAL renew until 09/14/2014 01:02:19 -sh-4.2$ -sh-4.2$ -sh-4.2$ id uid=734001104(welcomet@mhatest.local) gid=734001104(welcomet@mhatest.local) groups=734001104(welcomet@mhatest.local),734000513(domain users@mhatest.local) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -sh-4.2$ -sh-4.2$ --- 10. Enroll another linux host as a client to the IPA server: - CentOS 6.5 ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir ---- [root@ronin ~]# ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir Discovery was successful! Hostname: ronin.engeneon.local Realm: ENGENEON.LOCAL DNS Domain: engeneon.local IPA Server: idm003.engeneon.local BaseDN: dc=engeneon,dc=local Continue to configure the system with these values? [no]: yes User authorized to enroll computers: admin Synchronizing time with KDC... Password for admin@ENGENEON.LOCAL: Successfully retrieved CA cert Subject: CN=Certificate Authority,O=ENGENEON.LOCAL Issuer: CN=Certificate Authority,O=ENGENEON.LOCAL Valid From: Fri Sep 12 21:35:22 2014 UTC Valid Until: Tue Sep 12 21:35:22 2034 UTC Enrolled in IPA realm ENGENEON.LOCAL Created /etc/ipa/default.conf New SSSD config will be created Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm ENGENEON.LOCAL trying https://idm003.engeneon.local/ipa/xml Forwarding 'env' to server u'https://idm003.engeneon.local/ipa/xml' DNS server record set to: ronin.engeneon.local -> 172.16.104.145 Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Forwarding 'host_mod' to server u'https://idm003.engeneon.local/ipa/xml' SSSD enabled Configured /etc/openldap/ldap.conf NTP enabled Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Client configuration complete. [root@ronin ~]# ---- Check we can get KRB5 tickets: --- [root@ronin ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin@ENGENEON.LOCAL Valid starting Expires Service principal 09/13/14 01:09:17 09/14/14 01:09:13 krbtgt/ENGENEON.LOCAL@ENGENEON.LOCAL [root@ronin ~]# --- Check the user id : --- -sh-4.1$ getent passwd welcomet@mhatest.local welcomet@mhatest.local:*:734001104:734001104:Traiano TG. Welcome:/home/MHATEST.LOCAL/welcomet: -sh-4.1$ --- Corresponsing traces from the krbkdc.log on the IPA server side: --- Sep 13 01:37:09 idm003.engeneon.local krb5kdc[19829](info): TGS_REQ (4 etypes {18 17 16 23}) 172.16.104.145: ISSUE: authtime 1410561429, etypes {rep=18 tkt=18 ses=18}, welcomet@MHATEST.LOCAL for host/ronin.engeneon.local@ENGENEON.LOCAL Sep 13 01:37:09 idm003.engeneon.local krb5kdc[19829](info): closing down fd 12 ---
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project