Re: [Freeipa-users] UPN suffixes in AD trust
On Thu, Jul 09, 2015 at 12:36:53PM +0200, Giorgio Biacchi wrote:
> On 06/29/2015 03:11 PM, Sumit Bose wrote:
>> On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote:
>>> On 06/29/2015 10:30 AM, Sumit Bose wrote:
>>>> On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote:
>>>>> On 06/26/2015 08:06 PM, Sumit Bose wrote:
>>>>>> On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:
>>>>>>> On 06/26/2015 02:38 PM, Sumit Bose wrote:
>>>>>>>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
>>>>>>>>> On 06/25/2015 05:44 PM, Sumit Bose wrote:
>>>>>>>>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
>>>>>>>>>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
>>>>>>>>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>>>>>>>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>>>>>>> Hi everybody,
>>>>>>>>>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local. Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials (username@mydomain.local). But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: john@otherdomain.com).
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Have you tried to log in to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all cached entries so that the logs will contain all needed calls to AD.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Using UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> bye,
>>>>>>>>>>>>>>>> Sumit
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> First of all let me say that I feel like I'm missing some config somewhere... Changes tried in krb5.conf to support UPN suffixes didn't help. I can only access the server via ssh so I've attached the logs for a successful login for account1@mydomain.local and an unsuccessful login for accou...@otherdomain.com done via ssh.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Bye and thanks for your help
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> bye,
>>>>>>>>>>>>>> Sumit
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here are the package versions for sssd:
>>>>>>>>>>>>>
>>>>>>>>>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
>>>>>>>>>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>>> sssd-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>>> sssd-client-1.1
Re: [Freeipa-users] UPN suffixes in AD trust
On 06/29/2015 03:11 PM, Sumit Bose wrote:
> On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote:
>> On 06/29/2015 10:30 AM, Sumit Bose wrote:
>>> On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote:
>>>> On 06/26/2015 08:06 PM, Sumit Bose wrote:
>>>>> On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:
>>>>>> On 06/26/2015 02:38 PM, Sumit Bose wrote:
>>>>>>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
>>>>>>>> On 06/25/2015 05:44 PM, Sumit Bose wrote:
>>>>>>>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
>>>>>>>>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
>>>>>>>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>>>>>>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>>>>>> Hi everybody,
>>>>>>>>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local. Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials (username@mydomain.local). But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: john@otherdomain.com).
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Have you tried to log in to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all cached entries so that the logs will contain all needed calls to AD.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Using UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> bye,
>>>>>>>>>>>>>>> Sumit
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> First of all let me say that I feel like I'm missing some config somewhere... Changes tried in krb5.conf to support UPN suffixes didn't help. I can only access the server via ssh so I've attached the logs for a successful login for account1@mydomain.local and an unsuccessful login for accou...@otherdomain.com done via ssh.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Bye and thanks for your help
>>>>>>>>>>>>>
>>>>>>>>>>>>> It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.
>>>>>>>>>>>>>
>>>>>>>>>>>>> bye,
>>>>>>>>>>>>> Sumit
>>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test.
>>>>>>>>>>>>
>>>>>>>>>>>> Here are the package versions for sssd:
>>>>>>>>>>>>
>>>>>>>>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
>>>>>>>>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>
>>>>>>>>>>> Please try the packages at http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
>>>>>>>>>>>
>>>>>>>>>>> bye,
>>>>>>>>>>> Sumit
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>> I've installed the new RPMs, now if I run on the server:
>>>>>>>>>>
Re: [Freeipa-users] UPN suffixes in AD trust
On Mon, Jun 29, 2015 at 03:49:37PM +0200, Jakub Hrozek wrote:
> On Mon, Jun 29, 2015 at 03:11:57PM +0200, Sumit Bose wrote:
>> On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote:
>>> On 06/29/2015 10:30 AM, Sumit Bose wrote:
>>>> On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote:
>>>>> On 06/26/2015 08:06 PM, Sumit Bose wrote:
>>>>>> On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:
>>>>>>> On 06/26/2015 02:38 PM, Sumit Bose wrote:
>>>>>>>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
>>>>>>>>> On 06/25/2015 05:44 PM, Sumit Bose wrote:
>>>>>>>>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
>>>>>>>>>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
>>>>>>>>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>>>>>>>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>>>>>>> Hi everybody,
>>>>>>>>>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local. Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials (username@mydomain.local). But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: john@otherdomain.com).
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Have you tried to log in to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all cached entries so that the logs will contain all needed calls to AD.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Using UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> bye,
>>>>>>>>>>>>>>>> Sumit
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> First of all let me say that I feel like I'm missing some config somewhere... Changes tried in krb5.conf to support UPN suffixes didn't help. I can only access the server via ssh so I've attached the logs for a successful login for account1@mydomain.local and an unsuccessful login for accou...@otherdomain.com done via ssh.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Bye and thanks for your help
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> bye,
>>>>>>>>>>>>>> Sumit
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here are the package versions for sssd:
>>>>>>>>>>>>>
>>>>>>>>>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
>>>>>>>>>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>>> sssd-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>>> sssd-libwbclient-1.12.2-58.el7_1
Re: [Freeipa-users] UPN suffixes in AD trust
On Mon, Jun 29, 2015 at 03:11:57PM +0200, Sumit Bose wrote:
> On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote:
>> On 06/29/2015 10:30 AM, Sumit Bose wrote:
>>> On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote:
>>>> On 06/26/2015 08:06 PM, Sumit Bose wrote:
>>>>> On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:
>>>>>> On 06/26/2015 02:38 PM, Sumit Bose wrote:
>>>>>>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
>>>>>>>> On 06/25/2015 05:44 PM, Sumit Bose wrote:
>>>>>>>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
>>>>>>>>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
>>>>>>>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>>>>>>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>>>>>> Hi everybody,
>>>>>>>>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local. Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials (username@mydomain.local). But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: john@otherdomain.com).
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Have you tried to log in to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all cached entries so that the logs will contain all needed calls to AD.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Using UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> bye,
>>>>>>>>>>>>>>> Sumit
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> First of all let me say that I feel like I'm missing some config somewhere... Changes tried in krb5.conf to support UPN suffixes didn't help. I can only access the server via ssh so I've attached the logs for a successful login for account1@mydomain.local and an unsuccessful login for accou...@otherdomain.com done via ssh.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Bye and thanks for your help
>>>>>>>>>>>>>
>>>>>>>>>>>>> It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.
>>>>>>>>>>>>>
>>>>>>>>>>>>> bye,
>>>>>>>>>>>>> Sumit
>>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test.
>>>>>>>>>>>>
>>>>>>>>>>>> Here are the package versions for sssd:
>>>>>>>>>>>>
>>>>>>>>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
>>>>>>>>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>>
>>>>>>>>>>> Pl
Re: [Freeipa-users] UPN suffixes in AD trust
On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote:
> On 06/29/2015 10:30 AM, Sumit Bose wrote:
>> On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote:
>>> On 06/26/2015 08:06 PM, Sumit Bose wrote:
>>>> On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:
>>>>> On 06/26/2015 02:38 PM, Sumit Bose wrote:
>>>>>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
>>>>>>> On 06/25/2015 05:44 PM, Sumit Bose wrote:
>>>>>>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
>>>>>>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
>>>>>>>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
>>>>>>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>>>>>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>>>>>> Hi everybody,
>>>>>>>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local. Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials (username@mydomain.local). But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: john@otherdomain.com).
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Have you tried to log in to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all cached entries so that the logs will contain all needed calls to AD.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Using UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> bye,
>>>>>>>>>>>>>> Sumit
>>>>>>>>>>>>>
>>>>>>>>>>>>> First of all let me say that I feel like I'm missing some config somewhere... Changes tried in krb5.conf to support UPN suffixes didn't help. I can only access the server via ssh so I've attached the logs for a successful login for account1@mydomain.local and an unsuccessful login for accou...@otherdomain.com done via ssh.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Bye and thanks for your help
>>>>>>>>>>>>
>>>>>>>>>>>> It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain.
>>>>>>>>>>>>
>>>>>>>>>>>> Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.
>>>>>>>>>>>>
>>>>>>>>>>>> bye,
>>>>>>>>>>>> Sumit
>>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test.
>>>>>>>>>>>
>>>>>>>>>>> Here are the package versions for sssd:
>>>>>>>>>>>
>>>>>>>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
>>>>>>>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>> sssd-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64
>>>>>>>>>>
>>>>>>>>>> Please try the packages at http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
>>>>>>>>>>
>>>>>>>>>> bye,
>>>>>>>>>> Sumit
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> I've installed the new RPMs, now if I run on the server:
>>>>>>>>>
>>>>>>>>> id account1@mydomain.local
>>>>>>>>> i
Re: [Freeipa-users] UPN suffixes in AD trust
On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:
> On 06/26/2015 02:38 PM, Sumit Bose wrote:
>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
>>> On 06/25/2015 05:44 PM, Sumit Bose wrote:
>>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
>>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
>>>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
>>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
>>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>>> Hi everybody,
>>>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local. Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials (username@mydomain.local). But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: john@otherdomain.com).
>>>>>>>>>>>
>>>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?
>>>>>>>>>>
>>>>>>>>>> Have you tried to log in to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all cached entries so that the logs will contain all needed calls to AD.
>>>>>>>>>>
>>>>>>>>>> Using UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.
>>>>>>>>>>
>>>>>>>>>> bye,
>>>>>>>>>> Sumit
>>>>>>>>>
>>>>>>>>> First of all let me say that I feel like I'm missing some config somewhere... Changes tried in krb5.conf to support UPN suffixes didn't help. I can only access the server via ssh so I've attached the logs for a successful login for account1@mydomain.local and an unsuccessful login for accou...@otherdomain.com done via ssh.
>>>>>>>>>
>>>>>>>>> Bye and thanks for your help
>>>>>>>>
>>>>>>>> It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain.
>>>>>>>>
>>>>>>>> Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.
>>>>>>>>
>>>>>>>> bye,
>>>>>>>> Sumit
>>>>>>>
>>>>>>> Hi,
>>>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test.
>>>>>>>
>>>>>>> Here are the package versions for sssd:
>>>>>>>
>>>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64
>>>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
>>>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
>>>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
>>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>>>>> sssd-1.12.2-58.el7_1.6.x86_64
>>>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
>>>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64
>>>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
>>>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
>>>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
>>>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64
>>>>>>
>>>>>> Please try the packages at http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
>>>>>>
>>>>>> bye,
>>>>>> Sumit
>>>>>
>>>>> Hi,
>>>>> I've installed the new RPMs, now if I run on the server:
>>>>>
>>>>> id account1@mydomain.local
>>>>> id accou...@otherdomain.com
>>>>> id accou...@sub.otherdomain.com
>>>>>
>>>>> all the users are found but I'm still unable to log in via ssh with the accounts @otherdomain.com and @sub.otherdomain.com.
>>>>>
>>>>> Attached are the logs for an unsuccessful login for user accou...@otherdomain.com.
>>>>
>>>> Bother, I forgot to add the fix to the pam responder as well, please try new packages from http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .
>>>>
>>>> bye,
>>>> Sumit
>>>
>>> Hi,
>>> I've updated all the packages but still no login.
>>>
>>> Logs follow.
>>
>> I found another issue in the logs whi
Re: [Freeipa-users] UPN suffixes in AD trust
On 06/26/2015 02:38 PM, Sumit Bose wrote:
> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
>> On 06/25/2015 05:44 PM, Sumit Bose wrote:
>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
>>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>>>>>>>>>> Hi everybody,
>>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local. Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials (username@mydomain.local). But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: john@otherdomain.com).
>>>>>>>>>>
>>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?
>>>>>>>>>
>>>>>>>>> Have you tried to log in to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all cached entries so that the logs will contain all needed calls to AD.
>>>>>>>>>
>>>>>>>>> Using UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.
>>>>>>>>>
>>>>>>>>> bye,
>>>>>>>>> Sumit
>>>>>>>>
>>>>>>>> First of all let me say that I feel like I'm missing some config somewhere... Changes tried in krb5.conf to support UPN suffixes didn't help. I can only access the server via ssh so I've attached the logs for a successful login for account1@mydomain.local and an unsuccessful login for accou...@otherdomain.com done via ssh.
>>>>>>>>
>>>>>>>> Bye and thanks for your help
>>>>>>>
>>>>>>> It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain.
>>>>>>>
>>>>>>> Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.
>>>>>>>
>>>>>>> bye,
>>>>>>> Sumit
>>>>>>
>>>>>> Hi,
>>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test.
>>>>>>
>>>>>> Here are the package versions for sssd:
>>>>>>
>>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64
>>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
>>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
>>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>>>> sssd-1.12.2-58.el7_1.6.x86_64
>>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
>>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64
>>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
>>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
>>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
>>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64
>>>>>
>>>>> Please try the packages at http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>
>>>> Hi,
>>>> I've installed the new RPMs, now if I run on the server:
>>>>
>>>> id account1@mydomain.local
>>>> id accou...@otherdomain.com
>>>> id accou...@sub.otherdomain.com
>>>>
>>>> all the users are found but I'm still unable to log in via ssh with the accounts @otherdomain.com and @sub.otherdomain.com.
>>>>
>>>> Attached are the logs for an unsuccessful login for user accou...@otherdomain.com.
>>>
>>> Bother, I forgot to add the fix to the pam responder as well, please try new packages from http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .
>>>
>>> bye,
>>> Sumit
>>
>> Hi,
>> I've updated all the packages but still no login.
>>
>> Logs follow.
>
> I found another issue in the logs which should be fixed by the build from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 .
>
> Please send the sssd_pam log file as well, it might contain more details about what goes wrong during authentication.
>
> bye,
> Sumit

Hi,
packages updated, sssd and Kerberos services restarted, cache flushed but still no login on the IPA server. As before, logs attached. I've also included t
Re: [Freeipa-users] UPN suffixes in AD trust
On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
> On 06/25/2015 05:44 PM, Sumit Bose wrote:
>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
>>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>>>>>>>>> Hi everybody,
>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local. Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials (username@mydomain.local). But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: john@otherdomain.com).
>>>>>>>>>
>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?
>>>>>>>>
>>>>>>>> Have you tried to log in to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all cached entries so that the logs will contain all needed calls to AD.
>>>>>>>>
>>>>>>>> Using UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.
>>>>>>>>
>>>>>>>> bye,
>>>>>>>> Sumit
>>>>>>>
>>>>>>> First of all let me say that I feel like I'm missing some config somewhere... Changes tried in krb5.conf to support UPN suffixes didn't help. I can only access the server via ssh so I've attached the logs for a successful login for account1@mydomain.local and an unsuccessful login for accou...@otherdomain.com done via ssh.
>>>>>>>
>>>>>>> Bye and thanks for your help
>>>>>>
>>>>>> It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain.
>>>>>>
>>>>>> Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.
>>>>>>
>>>>>> bye,
>>>>>> Sumit
>>>>>
>>>>> Hi,
>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test.
>>>>>
>>>>> Here are the package versions for sssd:
>>>>>
>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64
>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>>> sssd-1.12.2-58.el7_1.6.x86_64
>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64
>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64
>>>>
>>>> Please try the packages at http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
>>>>
>>>> bye,
>>>> Sumit
>>>
>>> Hi,
>>> I've installed the new RPMs, now if I run on the server:
>>>
>>> id account1@mydomain.local
>>> id accou...@otherdomain.com
>>> id accou...@sub.otherdomain.com
>>>
>>> all the users are found but I'm still unable to log in via ssh with the accounts @otherdomain.com and @sub.otherdomain.com.
>>>
>>> Attached are the logs for an unsuccessful login for user accou...@otherdomain.com.
>>
>> Bother, I forgot to add the fix to the pam responder as well, please try new packages from http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .
>>
>> bye,
>> Sumit
>
> Hi,
> I've updated all the packages but still no login.
>
> Logs follow.

I found another issue in the logs which should be fixed by the build from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 .

Please send the sssd_pam log file as well, it might contain more details about what goes wrong during authentication.

bye,
Sumit

> Thanks again
> --
> gb
>
> PGP Key: http://pgp.mit.edu/
> Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.c
Re: [Freeipa-users] UPN suffixes in AD trust
On 06/25/2015 05:44 PM, Sumit Bose wrote:
> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
On 06/25/2015 12:56 PM, Sumit Bose wrote:
> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
Hi everybody,
I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials (username@mydomain.local).
But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: john@otherdomain.com).

How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?
>>>
>>> Have you tried to log in to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all cached entries so that the logs will contain all needed calls to AD.
>>>
>>> Support for UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.
>>>
>>> bye,
>>> Sumit
>>
>> First of all let me say that I feel like I'm missing some config somewhere..
>> Changes tried in krb5.conf to support UPN suffixes didn't help.
>> I can only access the server via ssh so I've attached the logs for a successful login for account1@mydomain.local and an unsuccessful login for accou...@otherdomain.com done via ssh.
>>
>> Bye and thanks for your help
>>
>
> It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain.
>
> Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.
>
> bye,
> Sumit
>
Hi,
I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test.

Here are the package versions for sssd:

sssd-common-1.12.2-58.el7_1.6.x86_64
sssd-krb5-1.12.2-58.el7_1.6.x86_64
python-sssdconfig-1.12.2-58.el7_1.6.noarch
sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
sssd-1.12.2-58.el7_1.6.x86_64
sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
sssd-ad-1.12.2-58.el7_1.6.x86_64
sssd-ldap-1.12.2-58.el7_1.6.x86_64
sssd-common-pac-1.12.2-58.el7_1.6.x86_64
sssd-proxy-1.12.2-58.el7_1.6.x86_64
sssd-client-1.12.2-58.el7_1.6.x86_64
>>>
>>> Please try the packages at
>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
>>>
>>> bye,
>>> Sumit
>>
>> Hi,
>> I've installed the new RPMs, now if I run on the server:
>>
>> id account1@mydomain.local
>> id accou...@otherdomain.com
>> id accou...@sub.otherdomain.com
>>
>> all the users are found but I'm still unable to log in via ssh with the accounts @otherdomain.com and @sub.otherdomain.com.
>>
>> In attachment the logs for unsuccessful login for user accou...@otherdomain.com.
>
> Bother, I forgot to add the fix to the pam responder as well, please try new packages from
> http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .
>
> bye,
> Sumit
>
Hi,
I've updated all the packages but still no login.

Logs follow.

Thanks again
--
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

(Thu Jun 25 18:49:44 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [accou...@otherdomain.com], fail!
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f2fd335e6b0:domains@ipa.mydomain.local]
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [accou...@otherdomain.com].
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f2fd335e6b0:domains@ipa.mydomain.local]
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][oth
Re: [Freeipa-users] UPN suffixes in AD trust
On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
> On 06/25/2015 02:10 PM, Sumit Bose wrote:
> > On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
> >> On 06/25/2015 12:56 PM, Sumit Bose wrote:
> >>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
> On 06/24/2015 06:45 PM, Sumit Bose wrote:
> > On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
> >> Hi everybody,
> >> I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
> >> Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials (username@mydomain.local).
> >> But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: john@otherdomain.com).
> >>
> >> How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?
> >
> > Have you tried to log in to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all cached entries so that the logs will contain all needed calls to AD.
> >
> > Support for UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.
> >
> > bye,
> > Sumit
>
> First of all let me say that I feel like I'm missing some config somewhere..
> Changes tried in krb5.conf to support UPN suffixes didn't help.
> I can only access the server via ssh so I've attached the logs for a successful login for account1@mydomain.local and an unsuccessful login for accou...@otherdomain.com done via ssh.
>
> Bye and thanks for your help
>
> >>>
> >>> It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain.
> >>>
> >>> Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.
> >>>
> >>> bye,
> >>> Sumit
> >>>
> >>
> >> Hi,
> >> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test.
> >>
> >> Here are the package versions for sssd:
> >>
> >> sssd-common-1.12.2-58.el7_1.6.x86_64
> >> sssd-krb5-1.12.2-58.el7_1.6.x86_64
> >> python-sssdconfig-1.12.2-58.el7_1.6.noarch
> >> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
> >> sssd-ipa-1.12.2-58.el7_1.6.x86_64
> >> sssd-1.12.2-58.el7_1.6.x86_64
> >> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
> >> sssd-ad-1.12.2-58.el7_1.6.x86_64
> >> sssd-ldap-1.12.2-58.el7_1.6.x86_64
> >> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
> >> sssd-proxy-1.12.2-58.el7_1.6.x86_64
> >> sssd-client-1.12.2-58.el7_1.6.x86_64
> >
> > Please try the packages at
> > http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
> >
> > bye,
> > Sumit
>
> Hi,
> I've installed the new RPMs, now if I run on the server:
>
> id account1@mydomain.local
> id accou...@otherdomain.com
> id accou...@sub.otherdomain.com
>
> all the users are found but I'm still unable to log in via ssh with the accounts @otherdomain.com and @sub.otherdomain.com.
>
> In attachment the logs for unsuccessful login for user accou...@otherdomain.com.

Bother, I forgot to add the fix to the pam responder as well, please try new packages from
http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .

bye,
Sumit

>
> Bye
> --
> gb
>
> PGP Key: http://pgp.mit.edu/
> Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34
Re: [Freeipa-users] UPN suffixes in AD trust
On 06/25/2015 02:10 PM, Sumit Bose wrote:
> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
On 06/24/2015 06:45 PM, Sumit Bose wrote:
> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>> Hi everybody,
>> I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
>> Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials (username@mydomain.local).
>> But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: john@otherdomain.com).
>>
>> How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?
>
> Have you tried to log in to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all cached entries so that the logs will contain all needed calls to AD.
>
> Support for UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.
>
> bye,
> Sumit

First of all let me say that I feel like I'm missing some config somewhere..
Changes tried in krb5.conf to support UPN suffixes didn't help.
I can only access the server via ssh so I've attached the logs for a successful login for account1@mydomain.local and an unsuccessful login for accou...@otherdomain.com done via ssh.

Bye and thanks for your help
>>>
>>> It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain.
>>>
>>> Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.
>>>
>>> bye,
>>> Sumit
>>>
>>
>> Hi,
>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test.
>>
>> Here are the package versions for sssd:
>>
>> sssd-common-1.12.2-58.el7_1.6.x86_64
>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>> sssd-1.12.2-58.el7_1.6.x86_64
>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
>> sssd-ad-1.12.2-58.el7_1.6.x86_64
>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
>> sssd-client-1.12.2-58.el7_1.6.x86_64
>
> Please try the packages at
> http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
>
> bye,
> Sumit

Hi,
I've installed the new RPMs, now if I run on the server:

id account1@mydomain.local
id accou...@otherdomain.com
id accou...@sub.otherdomain.com

all the users are found but I'm still unable to log in via ssh with the accounts @otherdomain.com and @sub.otherdomain.com.

In attachment the logs for unsuccessful login for user accou...@otherdomain.com.

Bye
--
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

(Thu Jun 25 16:18:54 2015) [sssd[nss]] [nss_clear_memcache] (0x0400): Clearing memory caches.
(Thu Jun 25 16:18:54 2015) [sssd[nss]] [nss_orphan_netgroups] (0x0400): Removing netgroups from memory cache.
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [accou...@otherdomain.com].
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fd3aa0776b0:domains@ipa.mydomain.local]
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fd3aa0776b0:domains@ipa.mydomain.local]
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [accou...@otherdomain.com@ipa.mydomain.local]
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sysdb_search_user_by_upn] (0x0400): No e
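An added triage helper, not code from this thread or from SSSD: it parses sssd_nss lines in the format of the excerpts posted above and reports whether a lookup for a user with an alternative UPN suffix was actually attempted against that suffix's domain or, as in the posted logs, only against the IPA domain (the "Requesting info for [...@otherdomain.com@ipa.mydomain.local]" line). The user name user1@otherdomain.com, the request id and the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# One sssd_nss responder line, in the format of the excerpts posted in this
# thread, e.g.:
#   (Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running ...
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<responder>[^\]]+)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# The three messages that tell the story of an alternative-UPN lookup.
GET_DOMAINS_RE = re.compile(r"Sending get domains request for (?P<doms>(?:\[[^\]]*\])+)")
REQUESTING_RE = re.compile(r"Requesting info for \[(?P<name>.+)@(?P<dom>[^@\]]+)\]")
NO_DOMAIN_RE = re.compile(r"No matching domain found for \[(?P<name>[^\]]+)\], fail!")


@dataclass
class SssdLogLine:
    ts: datetime
    responder: str
    func: str
    level: int
    msg: str


def parse_line(line: str) -> Optional[SssdLogLine]:
    """Parse one responder log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return SssdLogLine(
        ts=datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        responder=m["responder"],
        func=m["func"],
        level=int(m["level"], 16),
        msg=m["msg"],
    )


def triage_upn_lookup(log_text: str, upn: str) -> dict:
    """Summarise how the nss responder handled a user lookup for `upn`:
    was the UPN suffix part of the get-domains request, which domains the
    lookup was routed to, and did it end in "No matching domain found"."""
    suffix = upn.rsplit("@", 1)[1].lower()
    result = {
        "lookup_seen": False,
        "suffix_requested": False,
        "routed_to": [],
        "reached_suffix": False,
        "failed": False,
    }
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or entry.responder != "nss":
            continue
        if entry.func == "nss_cmd_getbynam" and f"[{upn}]" in entry.msg:
            result["lookup_seen"] = True
        m = GET_DOMAINS_RE.search(entry.msg)
        if m:
            doms = [d.lower() for d in re.findall(r"\[([^\]]*)\]", m["doms"])]
            if suffix in doms:
                result["suffix_requested"] = True
        m = REQUESTING_RE.search(entry.msg)
        if m:
            name, dom = m["name"].lower(), m["dom"].lower()
            # Either the whole UPN had a domain appended (the symptom in this
            # thread) or the name was already split into user and domain.
            if name == upn.lower() or f"{name}@{dom}" == upn.lower():
                result["routed_to"].append(dom)
        m = NO_DOMAIN_RE.search(entry.msg)
        if m and m["name"].lower() == upn.lower():
            result["failed"] = True
    result["reached_suffix"] = suffix in result["routed_to"]
    return result


# Constructed sample, modelled on the sssd_nss excerpts in the thread; the
# user name user1@otherdomain.com and the request id are made up.
SAMPLE_LOG = """\
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [user1@otherdomain.com].
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [user1@otherdomain.com@ipa.mydomain.local]
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [user1@otherdomain.com], fail!
not a responder log line
"""

if __name__ == "__main__":
    print(triage_upn_lookup(SAMPLE_LOG, "user1@otherdomain.com"))
```

On the constructed sample the result shows the suffix in the get-domains request but the lookup routed only to ipa.mydomain.local, which is the "not propagated to sub-domains" situation Sumit describes.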
Re: [Freeipa-users] UPN suffixes in AD trust
On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
> On 06/25/2015 12:56 PM, Sumit Bose wrote:
> > On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
> >> On 06/24/2015 06:45 PM, Sumit Bose wrote:
> >>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
> Hi everybody,
> I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
> Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials (username@mydomain.local).
> But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: john@otherdomain.com).
>
> How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?
> >>>
> >>> Have you tried to log in to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all cached entries so that the logs will contain all needed calls to AD.
> >>>
> >>> Support for UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.
> >>>
> >>> bye,
> >>> Sumit
> >>
> >> First of all let me say that I feel like I'm missing some config somewhere..
> >> Changes tried in krb5.conf to support UPN suffixes didn't help.
> >> I can only access the server via ssh so I've attached the logs for a successful login for account1@mydomain.local and an unsuccessful login for accou...@otherdomain.com done via ssh.
> >>
> >> Bye and thanks for your help
> >>
> >
> > It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain.
> >
> > Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.
> >
> > bye,
> > Sumit
> >
>
> Hi,
> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test.
>
> Here are the package versions for sssd:
>
> sssd-common-1.12.2-58.el7_1.6.x86_64
> sssd-krb5-1.12.2-58.el7_1.6.x86_64
> python-sssdconfig-1.12.2-58.el7_1.6.noarch
> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
> sssd-ipa-1.12.2-58.el7_1.6.x86_64
> sssd-1.12.2-58.el7_1.6.x86_64
> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
> sssd-ad-1.12.2-58.el7_1.6.x86_64
> sssd-ldap-1.12.2-58.el7_1.6.x86_64
> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
> sssd-proxy-1.12.2-58.el7_1.6.x86_64
> sssd-client-1.12.2-58.el7_1.6.x86_64

Please try the packages at
http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .

bye,
Sumit

>
> Thanks again
> --
> gb
>
> PGP Key: http://pgp.mit.edu/
> Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34
Re: [Freeipa-users] UPN suffixes in AD trust
On 06/25/2015 12:56 PM, Sumit Bose wrote:
> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
Hi everybody,
I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials (username@mydomain.local).
But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: john@otherdomain.com).

How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?
>>>
>>> Have you tried to log in to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all cached entries so that the logs will contain all needed calls to AD.
>>>
>>> Support for UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.
>>>
>>> bye,
>>> Sumit
>>
>> First of all let me say that I feel like I'm missing some config somewhere..
>> Changes tried in krb5.conf to support UPN suffixes didn't help.
>> I can only access the server via ssh so I've attached the logs for a successful login for account1@mydomain.local and an unsuccessful login for accou...@otherdomain.com done via ssh.
>>
>> Bye and thanks for your help
>>
>
> It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain.
>
> Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.
>
> bye,
> Sumit
>
Hi,
I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test.

Here are the package versions for sssd:

sssd-common-1.12.2-58.el7_1.6.x86_64
sssd-krb5-1.12.2-58.el7_1.6.x86_64
python-sssdconfig-1.12.2-58.el7_1.6.noarch
sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
sssd-1.12.2-58.el7_1.6.x86_64
sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
sssd-ad-1.12.2-58.el7_1.6.x86_64
sssd-ldap-1.12.2-58.el7_1.6.x86_64
sssd-common-pac-1.12.2-58.el7_1.6.x86_64
sssd-proxy-1.12.2-58.el7_1.6.x86_64
sssd-client-1.12.2-58.el7_1.6.x86_64

Thanks again
--
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34
Re: [Freeipa-users] UPN suffixes in AD trust
On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
> On 06/24/2015 06:45 PM, Sumit Bose wrote:
> > On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
> >> Hi everybody,
> >> I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
> >> Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials (username@mydomain.local).
> >> But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: john@otherdomain.com).
> >>
> >> How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?
> >
> > Have you tried to log in to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all cached entries so that the logs will contain all needed calls to AD.
> >
> > Support for UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.
> >
> > bye,
> > Sumit
>
> First of all let me say that I feel like I'm missing some config somewhere..
> Changes tried in krb5.conf to support UPN suffixes didn't help.
> I can only access the server via ssh so I've attached the logs for a successful login for account1@mydomain.local and an unsuccessful login for accou...@otherdomain.com done via ssh.
>
> Bye and thanks for your help
>

It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain.

Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.

bye,
Sumit
Re: [Freeipa-users] UPN suffixes in AD trust
On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
> Hi everybody,
> I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
> Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials (username@mydomain.local).
> But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: john@otherdomain.com).
>
> How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?

Have you tried to log in to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all cached entries so that the logs will contain all needed calls to AD.

Support for UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.

bye,
Sumit

>
> Thanks in advance
>
> --
> gb
>
> PGP Key: http://pgp.mit.edu/
> Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34
[Freeipa-users] UPN suffixes in AD trust
Hi everybody,
I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials (username@mydomain.local).
But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: john@otherdomain.com).

How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?

Thanks in advance

--
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34