On 12/3/2016 12:57 PM, TomK wrote:
On 12/3/2016 12:33 AM, TomK wrote:
On 12/2/2016 8:43 AM, Sumit Bose wrote:
On Fri, Dec 02, 2016 at 08:30:28AM -0500, TomK wrote:
Hey All,

I've successfully mapped the nixadmins to the external group nixadmins_external. However, no users in that group make it over to FreeIPA that I can see.

ipa group-add-member nixadmins_external --external "nixadmins"

Windows AD users, 3 of them, are in the Windows AD group nixadmins. However, I can't port them over.

These accounts have UNIX attributes assigned to them.

A question that I have and can't find an answer to: should I be seeing these users in the mapped groups above? (i.e. within the GUI, should I see any users listed from the AD DC in nixadmins or nixadmins_external?)

No, the GUI won't show them. Calling 'id user_from_nixadmins@ad.domain' should show that nixadmins_external is a member of that group. With recent versions of SSSD, 'getent group nixadmins_external' should list the users from nixadmins as well; older versions might miss them.

HTH

bye,
Sumit


If there is an issue and I'm just not picking it out from the debug logs, what should I look for? Is there anything more I need to do on the Windows side that I haven't found on the existing pages?


# ipa group-add-member nixadmins_external --external "nixadmins"
[member user]:
[member group]:
  Group name: nixadmins_external
  Description: NIX Admins External map
  External member: S-1-5-21-3418825849-1633701630-2291579631-1006
  Member groups: nixadmins
  Member of groups: nixadmins
  Indirect Member groups: nixadmins_external
-------------------------
Number of members added 1
-------------------------
#


# ipa trustdomain-find abc.xyz
  Domain name: abc.xyz
  Domain NetBIOS name: ABC
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
#


[realms]
 DOM.ABC.XYZ = {
.
.
.
  auth_to_local = RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/
  auth_to_local = DEFAULT
}


# ipa trust-fetch-domains abc.xyz
----------------------------------------------------------------------------------------


List of trust domains successfully refreshed. Use trustdomain-find command to list them.
----------------------------------------------------------------------------------------


----------------------------
Number of entries returned 0
----------------------------
[root@idmipa01 sssd]# ipa trustdomain-find abc.xyz
  Domain name: abc.xyz
  Domain NetBIOS name: ABC
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------


# ipa trust-fetch-domains abc.xyz
----------------------------------------------------------------------------------------


List of trust domains successfully refreshed. Use trustdomain-find command to list them.
----------------------------------------------------------------------------------------


----------------------------
Number of entries returned 0
----------------------------
#


The following command successfully returns all AD objects under the Users cn.

# ldapsearch -x -h 192.168.0.3 -D "t...@abc.xyz" -W -b "cn=users,dc=abc,dc=xyz" -s sub "(cn=*)" cn mail sn


--
Cheers,
Tom K.
-------------------------------------------------------------------------------------



Living on earth is expensive, but it includes a free trip around the sun.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Nothing:

# id t...@abc.xyz
id: t...@abc.xyz: no such user
# getent group nixadmins_external
# getent group nixadmins
nixadmins:*:1746600012:
#

I'll enable debug logging to determine further.


I'm getting the following in the logs. Not sure why it cannot assign a GID (possibly a range mismatch), but my dnaRemainingValues is 99498 and so is fine:

[2016/12/03 10:45:44.232656,  3, pid=4792, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_allocate_gid.c:45(winbindd_allocate_gid_send)
  allocate_gid
[2016/12/03 10:45:44.232689,  1, pid=4792, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_AllocateGid: struct wbint_AllocateGid
          in: struct wbint_AllocateGid
[2016/12/03 10:45:44.233134,  1, pid=4792, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_AllocateGid: struct wbint_AllocateGid
          out: struct wbint_AllocateGid
              gid                      : *
                  gid                      : 0x0000000000000000 (0)
              result                   : NT_STATUS_UNSUCCESSFUL
[2016/12/03 10:45:44.233192,  5, pid=4792, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_allocate_gid.c:83(winbindd_allocate_gid_recv)
  Could not allocate gid: NT_STATUS_UNSUCCESSFUL
[2016/12/03 10:45:44.233212, 10, pid=4792, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:787(wb_request_done)
  wb_request_done[5125:ALLOCATE_GID]: NT_STATUS_UNSUCCESSFUL

Any hints would be appreciated while I look for a solution on this end.


Could not get much from logs and decided to start fresh.  When I run this:

ipa trust-add --type=ad mds.xyz --admin Administrator --password

Trust works fine and id t...@mds.xyz returns a valid result.

However when I run the following on both masters on a fresh new setup:

ipa-adtrust-install --netbios-name=NIX -a "<SECRET>"
ipa trust-add --type=ad "mds.xyz" --trust-secret

and created a trust object in the AD DC with the name NIX and a non-transitive trust, the above did NOT work. I didn't get anything by typing id t...@mds.xyz. (I do not get an option for a Forest Trust as the gif on this page suggests: https://www.freeipa.org/page/Active_Directory_trust_setup . Possibly it's Server 2012, hence the difference in what's presented to me, but another reason is that the name I type for the trust can't resolve to an IP for now: nix.mds.xyz . So I use NIX to match the NetBIOS name used on the ipa-adtrust-install command above.)

I went back to the trust object in AD and set it to Transitive from Non-transitive, and all of a sudden I can resolve the AD IDs on the IPA servers and all is working fine. Great!

I could not follow the section within the online document above for setting up forwarders. I had to delegate nix.mds.xyz from the two AD / DNS clustered Windows Server 2012 servers to the two FreeIPA servers (idmipa01, idmipa02). I found that the forwarding section doesn't quite jibe with delegation in Windows Server 2012.

The remaining question I need to ask is: does the NetBIOS name used on the ipa-adtrust-install command above have to match the AD DC trust object name? Are there any ties between the naming of the two? (Thinking no tie-in, but not 100%. Seems AD expects a domain that resolves to an IP.)

Also, given this setup I have:

1) The two Windows servers, winad01 and winad02, are both DNS and AD servers and are clustered (NLB).

2) I have DNS delegation on nix.mds.xyz so the FreeIPA servers will be authoritative for that subdomain.

3) AD trust objects look for a resolvable domain (i.e. nix.mds.xyz) and the current version of FreeIPA does not yet resolve nix.mds.xyz to any IP.

4) IPA's ipa-adtrust-install only accepts NetBIOS names.

Is it at all possible to set up a non-transitive trust with all that? (I might just not be seeing the forest through the trees :) - pun intended.) Still new to quite a bit of this, so thank you for your patience and feedback.

--
Cheers,
Tom K.
-------------------------------------------------------------------------------------

Living on earth is expensive, but it includes a free trip around the sun.
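
Two checks worth running mechanically against the output quoted in this thread, written up as an added Python example (not code from the thread, from FreeIPA or from SSSD). First, the "External member" SID that ipa group-add-member recorded for nixadmins_external (S-1-5-21-3418825849-1633701630-2291579631-1006) does not share its domain prefix with the SID that ipa trustdomain-find abc.xyz reported for the trusted domain (S-1-5-21-1803828911-4163023034-2461700517), so it is worth confirming which object the bare name "nixadmins" resolved to before reading winbind logs. Second, a user or group from a trusted domain only receives a POSIX ID when its RID falls inside an ipa-ad-trust ID range for that domain (ID = base ID + RID - base RID, the mapping SSSD applies to that range type). The two SIDs below are the ones quoted above; the ID range numbers are hypothetical stand-ins for what ipa idrange-find prints on the real server.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Values copied from the thread: the SID `ipa trustdomain-find abc.xyz` reported
# for the trusted domain, and the SID IPA stored as the external member of
# nixadmins_external.
TRUSTED_DOMAIN_SID = "S-1-5-21-1803828911-4163023034-2461700517"
EXTERNAL_MEMBER_SID = "S-1-5-21-3418825849-1633701630-2291579631-1006"

# An NT domain SID is S-1-5-21 plus three sub-authorities; an object SID
# (user, group) appends a fourth value, the RID.
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}$")
_OBJECT_SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")


def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain_sid, rid) for an object SID such as a user or group SID."""
    m = _OBJECT_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an object SID in an S-1-5-21 domain: {sid!r}")
    return m.group(1), int(m.group(2))


def belongs_to_domain(sid: str, domain_sid: str) -> bool:
    """True if the object SID was issued by the domain identified by domain_sid."""
    if not _DOMAIN_SID_RE.match(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    return split_sid(sid)[0] == domain_sid


@dataclass(frozen=True)
class AdTrustIdRange:
    """The fields of an `ipa idrange` of type ipa-ad-trust that matter for
    SID-to-POSIX-ID mapping. Numbers used below are hypothetical, not from
    the thread; read the real ones with `ipa idrange-find`."""
    domain_sid: str
    base_id: int    # First Posix ID of the range
    size: int       # Number of IDs in the range
    base_rid: int   # First RID of the corresponding RID range

    def sid_to_id(self, sid: str) -> Optional[int]:
        """id = base_id + (rid - base_rid), only if the SID is from this
        range's domain and the RID lies inside the RID window."""
        domain, rid = split_sid(sid)
        if domain != self.domain_sid:
            return None
        offset = rid - self.base_rid
        if not 0 <= offset < self.size:
            return None
        return self.base_id + offset


def diagnose_external_member(member_sid: str, trusted_sid: str,
                             ranges: Iterable[AdTrustIdRange]) -> str:
    """Explain why an external member SID can or cannot be given a POSIX ID."""
    if not belongs_to_domain(member_sid, trusted_sid):
        return "sid-not-from-trusted-domain"
    for rng in ranges:
        if rng.sid_to_id(member_sid) is not None:
            return "ok"
    return "rid-outside-idrange"


# Hypothetical range for abc.xyz (constructed for this example).
EXAMPLE_RANGE = AdTrustIdRange(TRUSTED_DOMAIN_SID, base_id=1900000000,
                               size=200000, base_rid=0)

if __name__ == "__main__":
    print(split_sid(EXTERNAL_MEMBER_SID))
    print(diagnose_external_member(EXTERNAL_MEMBER_SID, TRUSTED_DOMAIN_SID,
                                   [EXAMPLE_RANGE]))
    print(EXAMPLE_RANGE.sid_to_id(TRUSTED_DOMAIN_SID + "-1106"))
```

If the first check fails on a real server, ipa group-show nixadmins_external and ipa group-show nixadmins --all show which SID each group carries (IPA's own groups get an ipantsecurityidentifier once ipa-adtrust-install has run), and naming the AD group with its domain, e.g. ABC\nixadmins, when calling --external removes the ambiguity of the bare name.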

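
The [realms] stanza quoted earlier in the thread rewrites AD principals with two auth_to_local entries. The following Python is an added example, not code from the thread or from MIT krb5; it evaluates RULE and DEFAULT entries following the semantics krb5 documents for them, so the effect of that configuration can be checked offline: the selector [1:$1@$0] applies only to one-component principals, the anchored regexp limits the rewrite to principals whose realm is ABC.XYZ, and DEFAULT only maps one-component principals from the default realm. The default realm is assumed to be DOM.ABC.XYZ (the realm the stanza is written under) and the principal names are made up.

```python
import re
from typing import List, Optional, Tuple

# The two auth_to_local entries from the [realms] stanza quoted in the thread,
# in evaluation order (krb5 stops at the first rule that produces a name).
POSTED_RULES = [
    "RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/",
    "DEFAULT",
]
# Assumption: the stanza sits under DOM.ABC.XYZ, so that is the default realm.
DEFAULT_REALM = "DOM.ABC.XYZ"

# RULE:[n:format](regexp)s/pattern/replacement/[g]; regexp and the
# substitutions are optional.
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
_SUBST_RE = re.compile(r"s/((?:\\/|[^/])*)/((?:\\/|[^/])*)/(g?)")


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal must contain a realm: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, components: List[str], realm: str) -> Optional[str]:
    """Return the local name one rule yields, or None when it does not apply."""
    if rule == "DEFAULT":
        # DEFAULT: only single-component principals from the default realm.
        if realm == DEFAULT_REALM and len(components) == 1:
            return components[0]
        return None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable auth_to_local rule: {rule!r}")
    ncomp, fmt, regexp, substitutions = m.groups()
    if len(components) != int(ncomp):
        return None  # the selector [n:...] requires exactly n components

    def expand(var):
        idx = int(var.group(1))       # $0 is the realm, $1..$n the components
        if idx == 0:
            return realm
        if idx > len(components):
            raise ValueError(f"rule {rule!r} references component ${idx}")
        return components[idx - 1]

    formatted = re.sub(r"\$(\d+)", expand, fmt)
    # Note the regexp is a regex: the dot in ABC.XYZ matches any character.
    if regexp is not None and not re.search(regexp, formatted):
        return None
    for pattern, replacement, flag in _SUBST_RE.findall(substitutions):
        formatted = re.sub(pattern, lambda _, r=replacement: r, formatted,
                           count=0 if flag else 1)
    return formatted


def auth_to_local(principal: str, rules=POSTED_RULES) -> Optional[str]:
    """Map a principal to a local name with the posted rules; None means the
    mapping is refused (no rule applied)."""
    components, realm = parse_principal(principal)
    for rule in rules:
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for p in ["aduser@ABC.XYZ", "aduser@DOM.ABC.XYZ",
              "host/idmipa01.dom.abc.xyz@DOM.ABC.XYZ", "aduser@OTHER.EXAMPLE"]:
        print(f"{p:45} -> {auth_to_local(p)}")
```

A one-component AD principal becomes the lower-cased aduser@abc.xyz form that SSSD resolves, a one-component IPA principal falls through to DEFAULT, and service principals or principals from any other realm get no local name, which is the intended least-privilege outcome of the anchored regexp.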