[Freeipa-users] Re: IPA Client SSH under AD cross-forest trust not working

2019-04-29 Thread D via FreeIPA-users
That clears up a lot. The client was failing on the NSS part as no results for the ad user were returned from the ipa master. While cleaning cache and sss_debuglevel 10 on the master each time, testing indicates that a different ad ldap lookup is being done from the master during failed client

[Freeipa-users] Re: Multi Enrollment possible ?

2019-04-29 Thread François Cami via FreeIPA-users
On Mon, Apr 29, 2019 at 10:32 PM Karim Bourenane via FreeIPA-users wrote: > > Hello Jochen > > Thanks you or your reply. > My goal, is to authenticate differents users from each client network > interface. If the first ipa server goes down (or network unreachable), then > the admin user can acce

[Freeipa-users] Re: Multi Enrollment possible ?

2019-04-29 Thread Karim Bourenane via FreeIPA-users
Hello Jochen Thanks you or your reply. My goal, is to authenticate differents users from each client network interface. If the first ipa server goes down (or network unreachable), then the admin user can access to the second network interface to make change/correct . The goals also, is betwee

[Freeipa-users] Re: IPA Client SSH under AD cross-forest trust not working

2019-04-29 Thread Jakub Hrozek via FreeIPA-users
On Mon, Apr 29, 2019 at 07:48:30PM +, D wrote: > Ah ok, I see the nss lookup fails on the client now. What nss lookup exactly? > > On the ipa master during failed client login, the only nss log entry says my > ad user matched the ad domain. Did you crank up the debug logs? Chances are some

[Freeipa-users] Re: IPA Client SSH under AD cross-forest trust not working

2019-04-29 Thread D via FreeIPA-users
Ah ok, I see the nss lookup fails on the client now. On the ipa master during failed client login, the only nss log entry says my ad user matched the ad domain. When I log in to the master with ad creds (which works), I see all of the ad groups properly resolving in the logs (at least the ones

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-04-29 Thread Alexander Bokovoy via FreeIPA-users
On ma, 29 huhti 2019, John Desantis wrote: Alexander, Thanks for your continued support. I'm not saying about that at all. Can you show output of ipa group-show --all --raw adglobalposixgroup Sure thing! PROD:15:13:34-root@ipaserver1:~ # ipa group-show --all --raw adglobalposixgroup dn:

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-04-29 Thread John Desantis via FreeIPA-users
Alexander, Thanks for your continued support. > I'm not saying about that at all. > > Can you show output of > > ipa group-show --all --raw adglobalposixgroup Sure thing! PROD:15:13:34-root@ipaserver1:~ # ipa group-show --all --raw adglobalposixgroup dn: cn=adglobalposixgroup,cn=groups,cn=acc

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-04-29 Thread Alexander Bokovoy via FreeIPA-users
On ma, 29 huhti 2019, John Desantis wrote: Alexander, >Yes, the group was created within the IPA domain via the cli, and this >error is only manifest in the client log. However, the GID of the >group (10001) is supplied via the AD trust using the POSIX range. That isn't going to work at all.

[Freeipa-users] Re: IPA Client SSH under AD cross-forest trust not working

2019-04-29 Thread Jakub Hrozek via FreeIPA-users
On Mon, Apr 29, 2019 at 06:56:33PM +, D via FreeIPA-users wrote: > Hello, > > Apologies for the earlier premature post :) > > This list helped me solve a number of issues getting a proof-of-concept > ipa-ad cross-forest trust working. I believe there is one final issue, > hopefully one of t

[Freeipa-users] IPA Client SSH under AD cross-forest trust not working

2019-04-29 Thread D via FreeIPA-users
Hello, Apologies for the earlier premature post :) This list helped me solve a number of issues getting a proof-of-concept ipa-ad cross-forest trust working. I believe there is one final issue, hopefully one of the experts here can have a look at the logs and let me know if anything sticks out

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-04-29 Thread John Desantis via FreeIPA-users
Alexander, > >Yes, the group was created within the IPA domain via the cli, and this > >error is only manifest in the client log. However, the GID of the > >group (10001) is supplied via the AD trust using the POSIX range. > That isn't going to work at all. > > For IPA groups POSIX IDs should be

[Freeipa-users] Re: Client SSH under AD trust not working

2019-04-29 Thread D via FreeIPA-users
Please disregard this post, I accidentally sent this before finishing. Original Message On Apr 29, 2019, 2:29 PM, D via FreeIPA-users wrote: > Hello, > > This list helped solve a number of issues related to logging into clients > under a cross-forest AD trust. I believe there i

[Freeipa-users] Client SSH under AD trust not working

2019-04-29 Thread D via FreeIPA-users
Hello, This list helped solve a number of issues related to logging into clients under a cross-forest AD trust. I believe there is one final issue, I'm hoping one of the experts can have a look at the logs and configs. I can ssh into the IPA servers themselves using AD credentials just fine, h

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-04-29 Thread Alexander Bokovoy via FreeIPA-users
On ma, 29 huhti 2019, John Desantis via FreeIPA-users wrote: Sumit, Thanks for your reply. According to the logs you send there is an error during the first lookup when lookup up the group adglobalposixgroup: Is this really a group from the IPA domain? If yes and the SID is really missing (you

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-04-29 Thread John Desantis via FreeIPA-users
Sumit, Thanks for your reply. > According to the logs you send there is an error during the first > lookup when lookup up the group adglobalposixgroup: > Is this really a group from the IPA domain? If yes and the SID is really > missing (you can check with 'ipa group-show --all adglobalposixgroup

[Freeipa-users] [Announce] FreeIPA 4.7.90.pre1 released

2019-04-29 Thread Alexander Bokovoy via FreeIPA-users
The FreeIPA team would like to announce the first release candidate of FreeIPA 4.8.0 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora releases will be available in the official [https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-8/ COPR reposit

[Freeipa-users] Re: Trust-Controller offline Trust-Agents not handling AD user Kerberos authentication

2019-04-29 Thread Alexander Bokovoy via FreeIPA-users
On ma, 29 huhti 2019, David McDaniel via FreeIPA-users wrote: Environment: Single Site Two FreeIPA Idm Servers (1 Trust-Controller 1 Trust-Agent) We ran into an issue were our Trust-Controller was offline and Kerberos authentication began failing for AD users. We do not allow interactive passwor

[Freeipa-users] Trust-Controller offline Trust-Agents not handling AD user Kerberos authentication

2019-04-29 Thread David McDaniel via FreeIPA-users
Environment: Single Site Two FreeIPA Idm Servers (1 Trust-Controller 1 Trust-Agent) We ran into an issue were our Trust-Controller was offline and Kerberos authentication began failing for AD users. We do not allow interactive password auth. via sshd_config on IPA clients, only Pubkey or GSSAPI

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-04-29 Thread Sumit Bose via FreeIPA-users
On Thu, Apr 25, 2019 at 01:05:52PM -0400, John Desantis via FreeIPA-users wrote: > Hello all, > > So, for anyone following this thread, I've been able to make some > progress but not enough to consider the configuration production > ready. > > After watching sssd logs ([domain] debug_level = 10,