On (23/08/15 17:53), alireza baghery wrote:
>Hi, I installed CentOS 7.1 (IDM Server)
>and integrated it with Windows Server 2008 R2 Trust.
>AD users cannot log in on the client (OLE 6.6), but users created in IDM can log in.
>
>IDM server name = ipasrv.l.infotechpsp.net
>Windows domain = infotechpsp.net
>
>I executed [kinit abagh...@infotechpsp.net] on the IDM server
>and klist, which shows keytab abagheri,
>but executing kvno abag...@infotechpsp.net
>gets ERROR: kvno Server not found in kerberos database
>Please help me, and thank you.
>
>KLIST
>================================
>
>Valid starting     Expires            Service principal
>08/23/15 17:09:53  08/24/15 03:11:34  krbtgt/infotechpsp....@infotechpsp.net
>        renew until 08/24/15 17:09:53
>
>=====================================
>
>Tail LOG /var/log/sssd/ssd_l.infotechpsp.net debug_level = 6
>=====================================
>[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>[(objectclass=*)][].
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
>set
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [sdap_kinit_send]
>(0x0400): Attempting kinit (default, host/ussd7.l.infotechpsp.net,
>L.INFOTECHPSP.NET, 86400)
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [resolve_srv_send]
>(0x0200): The status of SRV lookup is resolved
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>[be_resolve_server_process] (0x0200): Found address for server
>ipasrv.l.infotechpsp.net: [10.30.160.19] TTL 1200
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>[set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>[write_pipe_handler] (0x0400): All data has been sent!
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>[read_pipe_handler] (0x0400): EOF received, client finished
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/
>ccache_L.INFOTECHPSP.NET], expired on [1440420165]
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_cli_auth_step] (0x0100): expire timeout is 900
>(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [sasl_bind_send]
>(0x0100): Executing sasl bind mech: GSSAPI, user: host/
>ussd7.l.infotechpsp.net
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[child_sig_handler] (0x0100): child [13370] finished successfully.
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[fo_set_port_status] (0x0100): Marking port 389 of server '
>ipasrv.l.infotechpsp.net' as 'working'
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[set_server_common_status] (0x0100): Marking server '
>ipasrv.l.infotechpsp.net' as 'working'
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>[objectclass=ipaNTTrustedDomain][cn=trusts,dc=l,dc=infotechpsp,dc=net].
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [be_run_online_cb]
>(0x0080): Going online. Running callbacks.
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
>set
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>[objectclass=ipaIDRange][cn=ranges,cn=etc,dc=l,dc=infotechpsp,dc=net].
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
>set
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>[objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=l,dc=infotechpsp,dc=net].
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
>set
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[get_subdomains_callback] (0x0400): Backend returned: (0, 0, <NULL>)
>[Success]
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[be_get_account_info] (0x0100): Got request for [4097][1][name=abagheri]
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[ipa_s2n_exop_send] (0x0400): Executing extended operation
>(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]]
>[ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations
>error(1), (null)

There seems to be a problem on the server side. It is very likely a bug in sssd on the FreeIPA server.
Some AD-related fixes are included in the latest update in el7.1 (1.12.2-58.el7_1.14). If it does not help, please try to upgrade to the latest upstream version of sssd[1].

I hope it will help; otherwise we will need to see log files from the IPA server.

LS

[1] https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/
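
The diagnosis in this thread rests on the last quoted entry, where `ipa_s2n_exop_done` reports a non-zero LDAP result for the lookup of `abagheri`. As an added example (not part of the original thread and not SSSD project code), this Python script pairs each `be_get_account_info` request in an SSSD domain log with the following `ipa_s2n_exop_done` result and reports the failures. The function and pattern names are hypothetical, and the entry layout is assumed from the lines quoted above.

```python
import re

# One SSSD debug entry: (timestamp) [sssd[be[domain]]] [function] (level): message
ENTRY = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
REQUEST = re.compile(r"Got request for \[[^\]]*\]\[[^\]]*\]\[(?P<filter>[^\]]*)\]")
EXOP_RESULT = re.compile(r"ldap_extended_operation result: (?P<text>.+?)\((?P<code>\d+)\)")


def failed_s2n_lookups(lines):
    """Return (timestamp, domain, request filter, result text, code) for every
    ipa_s2n_exop_done entry whose LDAP result code is not 0."""
    last_request = {}          # domain -> filter of the most recent account request
    failures = []
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue           # wrapped or foreign lines are skipped, not guessed at
        domain, func, msg = m["domain"], m["func"], m["msg"]
        if func == "be_get_account_info":
            req = REQUEST.search(msg)
            if req:
                last_request[domain] = req["filter"]
        elif func == "ipa_s2n_exop_done":
            res = EXOP_RESULT.search(msg)
            if res and int(res["code"]) != 0:
                failures.append((m["ts"], domain, last_request.get(domain),
                                 res["text"].strip(), int(res["code"])))
    return failures


# Entries copied from the log quoted above, with the mail client's line wraps rejoined.
SAMPLE = """\
(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, <NULL>) [Success]
(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=abagheri]
(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Sun Aug 23 17:12:46 2015) [sssd[be[l.infotechpsp.net]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations error(1), (null)
""".splitlines()

if __name__ == "__main__":
    for ts, domain, flt, text, code in failed_s2n_lookups(SAMPLE):
        print(f"{ts} {domain}: lookup {flt!r} failed on the IPA server: {text} ({code})")
```

A hit from this script on a client only says that the IPA server rejected the lookup; the cause has to be read from the sssd logs on the IPA server itself.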