Hello.

My mission is to install a FreeIPA instance as a subdomain of AD, and to allow AD users to log in to some Linux servers. I installed and configured it, but I met a problem: AD users are not allowed to log in to FreeIPA.

A piece of everything:

AD = adexample.com ( 2008R2 )
IPA =ipa.adexample.com

# ipa --version
VERSION: 4.1.0, API_VERSION: 2.112

# sssd --version
1.12.2

# hostname
otp1tst86.ipa.adexample.com

# uname -a
Linux otp1tst86.ipa.adexample.com 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_1nRCjmt
Default principal: administra...@adexample.com

Valid starting       Expires              Service principal
08/05/2015 16:30:32 08/06/2015 02:14:53 krbtgt/ipa.adexample....@adexample.com
        renew until 08/06/2015 16:14:50
08/05/2015 16:14:53  08/06/2015 02:14:53 krbtgt/adexample....@adexample.com
        renew until 08/06/2015 16:14:50


# cat sssd.conf
[domain/ipa.adexample.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.adexample.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = otp1tst86.ipa.adexample.com
chpass_provider = ipa
ipa_server = otp1tst86.ipa.adexample.com
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa
[sssd]
services = nss, sudo, pam, ssh, pac
config_file_version = 2


sudo_provider = ldap
ldap_uri = ldap://otp1tst86.ipa.adexample.com
ldap_sudo_search_base = ou=sudoers,dc=ipa, dc=adexample,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/otp1tst86.ipa.adexample.com
ldap_sasl_realm = IPA.ADEXAMPLE.COM
krb5_server = otp1tst86.ipa.adexample.com

domains = ipa.adexample.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]




# egrep "^[^#]" /etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus
sudoers: files sss


Here I can see AD users.
# wbinfo -ug
ADEXAMPLE\administrator
ADEXAMPLE\guest
ADEXAMPLE\krbtgt
ADEXAMPLE\abrajnicov
ADEXAMPLE\ipa$
ADEXAMPLE\kuzea
admins
editors
default smb group
ad_admins
ADEXAMPLE\domain computers
ADEXAMPLE\domain controllers
ADEXAMPLE\schema admins
ADEXAMPLE\enterprise admins
ADEXAMPLE\domain admins
ADEXAMPLE\domain users
ADEXAMPLE\domain guests
ADEXAMPLE\group policy creator owners
ADEXAMPLE\read-only domain controllers
ADEXAMPLE\enterprise read-only domain controllers
ADEXAMPLE\dnsupdateproxy


[root@otp1tst86 ~]# id ad...@ipa.adexample.com
uid=1466400000(admin) gid=1466400000(admins) groups=1466400000(admins)
[root@otp1tst86 ~]# id ku...@adexample.com
id: ku...@adexample.com: no such user

So you can see that AD users are not visible to sssd.




# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPA.ADEXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 IPA.ADEXAMPLE.COM = {
  kdc = otp1tst86.ipa.adexample.com:88
  master_kdc = otp1tst86.ipa.adexample.com:88
  admin_server = otp1tst86.ipa.adexample.com:749
  default_domain = ipa.adexample.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
auth_to_local = RULE:[1:$1@$0](^.*@ADEXAMPLE.COM$)s/@ADEXAMPLE.COM/@adexample.com/
  auth_to_local = DEFAULT
}


[domain_realm]
 .ipa.adexample.com = IPA.ADEXAMPLE.COM
 ipa.adexample.com = IPA.ADEXAMPLE.COM
 .adexample.com = ADEXAMPLE.COM
 adexample.com = ADEXAMPLE.COM

[dbmodules]
  IPA.ADEXAMPLE.COM = {
    db_library = ipadb.so
  }


# wbinfo -n 'adexample\Domain Admins'
S-1-5-21-4094320520-3357938610-121029971-512 SID_DOM_GROUP (2)


But when I try to log in to a server using ssh I get this error:
Aug 05 16:40:28 otp1tst86.ipa.adexample.com sshd[3997]: Invalid user ku...@adexample.com from ::1
Aug 05 16:40:28 otp1tst86.ipa.adexample.com sshd[3997]: input_userauth_request: invalid user ku...@adexample.com [preauth]
Aug 05 16:40:34 otp1tst86.ipa.adexample.com sshd[3997]: pam_unix(sshd:auth): check pass; user unknown
Aug 05 16:40:34 otp1tst86.ipa.adexample.com sshd[3997]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
Aug 05 16:40:37 otp1tst86.ipa.adexample.com sshd[3997]: Failed password for invalid user ku...@adexample.com from ::1 port 32809 ssh2


I don't know if this information is sufficient. But I hope that someone will help me to troubleshoot the problem.
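An added diagnostic helper, not part of the original post: it parses an sssd.conf, flags domain-only options that ended up under [sssd] (as the sudo/LDAP keys do in the pasted config above, where they have no effect on the domain), and checks that the IPA domain section still carries the settings an IPA server relies on to resolve trusted AD users. The option list and the SAMPLE text are constructed for the example.

```python
# Options sssd reads only from a [domain/<name>] section; under [sssd] they
# do not apply to any domain (constructed list for this example, not exhaustive).
DOMAIN_ONLY_OPTIONS = {
    "id_provider", "auth_provider", "access_provider", "chpass_provider",
    "sudo_provider", "subdomains_provider", "ipa_server_mode", "ipa_server",
    "ldap_uri", "ldap_sudo_search_base", "ldap_sasl_mech", "ldap_sasl_authid",
    "ldap_sasl_realm", "krb5_server",
}

def parse_sssd_conf(text):
    """Return {section: {key: value}}, keys in the order they appear."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def find_misplaced_keys(text):
    """(section, key) pairs for domain-only options found outside [domain/...]."""
    found = []
    for section, keys in parse_sssd_conf(text).items():
        if section.startswith("domain/"):
            continue
        found.extend((section, k) for k in keys if k in DOMAIN_ONLY_OPTIONS)
    return found

def trust_lookup_ready(text, domain):
    """True when the IPA domain section has the settings AD-trust lookups rely on."""
    dom = parse_sssd_conf(text).get(f"domain/{domain}", {})
    return (dom.get("id_provider") == "ipa"
            and dom.get("subdomains_provider") == "ipa"
            and dom.get("ipa_server_mode", "").lower() == "true")

# Constructed sample mirroring the post's layout: sudo/LDAP keys land under [sssd].
SAMPLE = """\
[domain/ipa.adexample.com]
id_provider = ipa
ipa_server_mode = True
subdomains_provider = ipa
[sssd]
sudo_provider = ldap
ldap_uri = ldap://otp1tst86.ipa.adexample.com
domains = ipa.adexample.com
"""
```

Run `find_misplaced_keys` over the real /etc/sssd/sssd.conf to see which keys to move into the [domain/ipa.adexample.com] section before restarting sssd and retrying `id ku...@adexample.com`.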
