Thanks very much for the feedback.
Re: how often do we need to look up unauthenticated users: this is strictly a test environment used to duplicate customer problems, so in reality we never have to do it, but that is the current problem at hand. The customer is unable to consistently authenticate users.
They have implemented additional screening limits for the users, but for now we are only trying to get the basic functionality to work.
In our case, I am unable to authenticate the valid users on the AD server using ssh on the IdM server:
[root@linux ~]# ssh -l ld...@osn.cxo.cpqcorp.net linux
ld...@osn.cxo.cpqcorp.net@linux's password:
Permission denied, please try again.
ld...@osn.cxo.cpqcorp.net@linux's password:
Received disconnect from 10.20.0.59: 2: Too many authentication failures for ld...@osn.cxo.cpqcorp.net
We know the password that is used for this test user is correct.
The logs and the tcpdump seem to indicate a problem with Kerberos verification but, not being a Kerberos heavy, I'm not sure just what might be wrong, possibly with the krb5.conf file. This is the krb5kdc.log entry for the attempted ssh login above:
Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: NEEDED_PREAUTH: host/linux.ipa.cxo.cpqcorp....@ipa.cxo.cpqcorp.net for krbtgt/ipa.cxo.cpqcorp....@ipa.cxo.cpqcorp.net, Additional pre-authentication required
Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412773131, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp....@ipa.cxo.cpqcorp.net for krbtgt/ipa.cxo.cpqcorp....@ipa.cxo.cpqcorp.net
Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412773131, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp....@ipa.cxo.cpqcorp.net for ldap/linux.ipa.cxo.cpqcorp....@ipa.cxo.cpqcorp.net
Oct 08 08:58:51 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): closing down fd 11
From tcpdump, the error given by Kerberos is STATUS_DOMAIN_TRUST_INCONSISTENT
From the IdM server, this is the trust setup previously between the IdM server and the AD server:
[root@linux ~]# ipa trust-show osn.cxo.cpqcorp.net
Realm name: osn.cxo.cpqcorp.net
Domain NetBIOS name: OSN
Domain Security Identifier: S-1-5-21-3753757867-1859638558-383537475
Trust direction: Two-way trust
Trust type: Active Directory domain
Further down in this e-mail is the krb5.conf file.
Do we have something defined incorrectly for Kerberos ?
Al
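Reading krb5kdc.log by eye, as done above, works for a handful of lines but not once several clients are talking to the KDC. The script below is an added example, not code from this thread, from FreeIPA or from MIT krb5: it parses request lines in exactly the shape quoted above (AS_REQ/TGS_REQ, the offered etypes, the client address, the status, the client and server principals, and for ISSUE lines the reply/ticket/session-key etypes) and summarizes per client principal which statuses and services appeared and whether any legacy encryption type (single DES, triple DES, RC4) was offered or actually issued. The hostnames, realm, addresses and the final CLIENT_NOT_FOUND line in the sample are constructed placeholders. Run over the log quoted above, the summary shows only the host principal of the IdM server obtaining a TGT and an LDAP service ticket, which is what SSSD's own bind looks like; no entry for the AD user appears at this KDC.

```python
import re
from collections import defaultdict

# One krb5kdc.log request line, in the shape quoted in this thread:
#   <Mon DD HH:MM:SS> <kdc host> krb5kdc[<pid>](<level>): <AS_REQ|TGS_REQ> (<n> etypes {<list>})
#   <client ip>: <STATUS>: <rest>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<kdc>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<count>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client_ip>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# <rest> for a successful ISSUE: "authtime N, etypes {rep=X tkt=Y ses=Z}, CLIENT for SERVER"
ISSUE_RE = re.compile(
    r"^authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)$"
)
# <rest> for every other status: "CLIENT for SERVER[, human readable message]"
OTHER_RE = re.compile(r"^(?P<client>\S+) for (?P<server>\S+)(?:, (?P<message>.*))?$")

# Encryption type numbers from the IANA Kerberos registry (RFC 3961, RFC 4757, RFC 6803);
# single DES, triple DES and RC4 are treated as legacy here.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac",
}
LEGACY_ETYPES = {1, 3, 16, 23}


def parse_line(line):
    """Return a dict for an AS_REQ/TGS_REQ line, or None for lines such as 'closing down fd 11'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["offered_etypes"] = [int(e) for e in rec.pop("etypes").split()]
    rest = rec.pop("rest")
    detail = ISSUE_RE.match(rest) if rec["status"] == "ISSUE" else OTHER_RE.match(rest)
    if not detail:
        return None
    rec.update(detail.groupdict())
    for key in ("authtime", "rep", "tkt", "ses"):
        if rec.get(key) is not None:
            rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Group requests by client principal: statuses and servers seen, plus any legacy
    enctype the client offered or was issued (reply, ticket or session key)."""
    summary = defaultdict(lambda: {"requests": 0, "statuses": set(), "servers": set(),
                                   "legacy_offered": set(), "legacy_issued": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary[rec["client"]]
        entry["requests"] += 1
        entry["statuses"].add(rec["status"])
        entry["servers"].add(rec["server"])
        entry["legacy_offered"].update(e for e in rec["offered_etypes"] if e in LEGACY_ETYPES)
        if rec["status"] == "ISSUE":
            entry["legacy_issued"].update(
                e for e in (rec["rep"], rec["tkt"], rec["ses"]) if e in LEGACY_ETYPES)
    return dict(summary)


# Constructed sample modelled on the lines quoted in this thread: hostnames, realm and
# addresses are placeholders, and the last CLIENT_NOT_FOUND line is invented to show a failure.
SAMPLE_LOG = """\
Oct 08 08:58:51 kdc.ipa.example.test krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: host/client.ipa.example.test@IPA.EXAMPLE.TEST for krbtgt/IPA.EXAMPLE.TEST@IPA.EXAMPLE.TEST, Additional pre-authentication required
Oct 08 08:58:51 kdc.ipa.example.test krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1412773131, etypes {rep=18 tkt=18 ses=18}, host/client.ipa.example.test@IPA.EXAMPLE.TEST for krbtgt/IPA.EXAMPLE.TEST@IPA.EXAMPLE.TEST
Oct 08 08:58:51 kdc.ipa.example.test krb5kdc[12908](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1412773131, etypes {rep=18 tkt=18 ses=18}, host/client.ipa.example.test@IPA.EXAMPLE.TEST for ldap/kdc.ipa.example.test@IPA.EXAMPLE.TEST
Oct 08 08:58:51 kdc.ipa.example.test krb5kdc[12908](info): closing down fd 11
Oct 08 08:59:02 kdc.ipa.example.test krb5kdc[12908](info): AS_REQ (1 etypes {23}) 192.0.2.77: CLIENT_NOT_FOUND: someuser@IPA.EXAMPLE.TEST for krbtgt/IPA.EXAMPLE.TEST@IPA.EXAMPLE.TEST, Client not found in Kerberos database
"""

if __name__ == "__main__":
    for client, entry in summarize(SAMPLE_LOG.splitlines()).items():
        print(client)
        print("  requests:", entry["requests"], "statuses:", sorted(entry["statuses"]))
        print("  servers:", sorted(entry["servers"]))
        print("  legacy offered:", sorted(ETYPE_NAMES.get(e, str(e)) for e in entry["legacy_offered"]))
        print("  legacy issued:", sorted(ETYPE_NAMES.get(e, str(e)) for e in entry["legacy_issued"]))
```

The distinction between offered and issued matters for triage: a client advertising etype 23 (rc4-hmac) in its request, as the lines above do, is a client configuration detail, while a ticket or session key actually issued with a legacy etype is what to act on. Feed the real file to summarize() with open("/var/log/krb5kdc.log") to get the per-principal view.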
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, October 07, 2014 5:02 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] domain trust linux to AD server not finding user profiles
On 10/07/2014 05:03 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
I've been following the steps outlined in section 7.3.5 of the manual entitled "Integrating OpenShift Enterprise with Identity Management (IdM) in Red Hat Enterprise Linux" (OpenShift Enterprise 2.1, IdM in Red Hat Enterprise Linux 7, Windows Server 2012 - Active Directory Integration).
I now have our RHEL V7 running IdM, set up as an IdM server in a domain, realm and subnet different from our existing AD server running Windows 2008 R2, which has a populated user database that can be queried using ldapsearch and can authorize users.
I have successfully created a domain trust between the RHEL V7 server (linux.ipa.cxo.cpqcorp.net 10.20.0.59/24) and the AD server (win2008.osn.cxo.cpqcorp.net 16.112.240.55).
To simplify the configuration I have no firewall running and so have stopped both iptables and firewalld.
All steps in section 7.3.5 have been followed. But when I run the first test for a user on the AD system, the system is unable to find anything:
[root@linux ~]# getent group 'OSN\Domain Users'
[root@linux ~]#
[root@linux ~]#
[root@linux ~]# getent passwd 'OSN\ldap25'
[root@linux ~]#
The users and related information are not fetched until you authenticate as this user.
The ability to fetch users and groups that are not yet authenticated is tracked by the ticket https://fedorahosted.org/sssd/ticket/2159 and will be addressed in the next version of SSSD.
How frequently do you really need to look up unauthenticated AD users and AD groups on Linux systems? What is the use case?
The ticket above is for the cases where there is an application that needs to fetch the user so that the admin of the application can assign privileges to this user. But this is a pretty corner case.
I find this in the krb5kdc.log file:
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: NEEDED_PREAUTH: host/linux.ipa.cxo.cpqcorp....@ipa.cxo.cpqcorp.net for krbtgt/ipa.cxo.cpqcorp....@ipa.cxo.cpqcorp.net, Additional pre-authentication required
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412713681, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp....@ipa.cxo.cpqcorp.net for krbtgt/ipa.cxo.cpqcorp....@ipa.cxo.cpqcorp.net
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412713681, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp....@ipa.cxo.cpqcorp.net for ldap/linux.ipa.cxo.cpqcorp....@ipa.cxo.cpqcorp.net
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): closing down fd 11
I'm not quite sure what else I'm missing or have not understood in order to query the AD server from the Linux IdM server, but it would appear that something is not correctly defined in the krb5.conf file found below:
[root@linux ~]# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPA.CXO.CPQCORP.NET
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 IPA.CXO.CPQCORP.NET = {
  kdc = linux.ipa.cxo.cpqcorp.net:88
  master_kdc = linux.ipa.cxo.cpqcorp.net:88
  admin_server = linux.ipa.cxo.cpqcorp.net:749
  default_domain = ipa.cxo.cpqcorp.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@OSN.CXO.CPQCORP.NET$)s/@OSN.CXO.CPQCORP.NET/@osn.cxo.cpqcorp.net/
  auth_to_local = DEFAULT
 }
 OSN.CXO.CPQCORP.NET = {
  kdc = win2008.osn.cxo.cpqcorp.net
  master_kdc = win2008.osn.cxo.cpqcorp.net
  admin_server = win2008.osn.cxo.cpqcorp.net
 }

[domain_realm]
 .ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
 ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
 .osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET
 osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET

[dbmodules]
 IPA.CXO.CPQCORP.NET = {
  db_library = ipadb.so
 }
Any help greatly appreciated.
Al
Al Licause
CSC Americas BCS Technical Specialist
HP Customer Support Center
Hours 5am-2pm Pacific time USA
Manager: mark.bai...@hp.com
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
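The two auth_to_local lines in the krb5.conf quoted above decide which local user name a Kerberos principal is mapped to after it has been verified, so it helps to see exactly what they produce. The Python below is an added example, not code from this thread, from FreeIPA or from MIT krb5: it evaluates the documented RULE:[n:string](regexp)s/pattern/replacement/g syntax and the DEFAULT rule, with the rules and default realm copied from the quoted configuration. The principals fed to it are constructed; krb5 itself uses POSIX regular expressions, which Python's re module approximates closely enough for the simple patterns used here.

```python
import re

# Rules and default realm as they appear in the krb5.conf quoted in this thread.
RULES = [
    "RULE:[1:$1@$0](^.*@OSN.CXO.CPQCORP.NET$)s/@OSN.CXO.CPQCORP.NET/@osn.cxo.cpqcorp.net/",
    "DEFAULT",
]
DEFAULT_REALM = "IPA.CXO.CPQCORP.NET"

# RULE:[<component count>:<format>](<selector regexp>)<zero or more s/pattern/replacement/[g]>
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
SUBST_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def split_principal(principal):
    """'a/b@REALM' -> (['a', 'b'], 'REALM'); the realm is whatever follows the last '@'."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name:
        raise ValueError("principal must look like name[/instance]@REALM: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, principal, default_realm=DEFAULT_REALM):
    """Return the local name this rule yields for the principal, or None if it does not apply."""
    components, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the default realm, to that component.
        if realm == default_realm and len(components) == 1:
            return components[0]
        return None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported auth_to_local rule: %r" % rule)
    ncomp, fmt, selector, substitutions = m.groups()
    if len(components) != int(ncomp):
        return None
    # Build the candidate string: $0 is the realm, $1..$n are the principal components.
    candidate = re.sub(r"\$(\d+)", lambda mm: realm if mm.group(1) == "0"
                       else components[int(mm.group(1)) - 1], fmt)
    # The optional (regexp) selector must match the candidate for the rule to apply.
    if selector is not None and not re.search(selector, candidate):
        return None
    # Then each sed-style substitution is applied in order; without 'g' only the first match.
    for pattern, replacement, flag in SUBST_RE.findall(substitutions):
        candidate = re.sub(pattern, replacement, candidate, count=0 if flag == "g" else 1)
    return candidate


def map_principal(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """First applicable rule wins, as krb5 evaluates auth_to_local; None means no mapping."""
    for rule in rules:
        result = apply_rule(rule, principal, default_realm)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    # Constructed principals: an AD-realm user, an IPA-realm user, a host principal, a foreign realm.
    for p in ("exampleuser@OSN.CXO.CPQCORP.NET", "admin@IPA.CXO.CPQCORP.NET",
              "host/linux.ipa.cxo.cpqcorp.net@IPA.CXO.CPQCORP.NET", "someone@OTHER.EXAMPLE.TEST"):
        print("%-55s -> %s" % (p, map_principal(p)))
```

The first rule keeps the realm suffix and only lowercases it, so an AD user maps to a local name of the form user@osn.cxo.cpqcorp.net, which matches the fully qualified login name used in the ssh attempt at the top of this thread. Host principals and principals from any other realm fall through both rules and get no mapping at all, which is the intended behaviour: auth_to_local should be narrow and should never turn an unexpected principal into a local account.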
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project