Re: [Freeipa-users] Unable to ssh after establishing trust

2016-07-20 Thread pgb205
thank you! that was it

  From: Simpson Lachlan <lachlan.simp...@petermac.org>
 To: pgb205 <pgb...@yahoo.com>; Sumit Bose <sb...@redhat.com> 
Cc: Freeipa-users <freeipa-users@redhat.com>
 Sent: Tuesday, July 19, 2016 7:30 PM
 Subject: RE: Re: [Freeipa-users] Unable to ssh after establishing trust
   
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On 
Behalf Of pgb205
Sent: Wednesday, 20 July 2016 5:28 AM
To: Sumit Bose
Cc: Freeipa-users
Subject: Re: [Freeipa-users] Unable to ssh after establishing trust    
well...I'm not sure what I changed, if anything, but I am able to login with my 
AD credentials. I have restarted ipa server and cleared sss_cache, so maybe 
that helped.

A few other things still remain though:

right now I'm logging in as jsmith@ADDOMAIN.LOCAL. I would want it to be either 
jsm...@addomain.com or better yet jsmith --without specifying the domain name.

How can this be accomplished?

[Lachlan Simpson]

You are looking for the default_domain_suffix setting in the sssd stanza of 
/etc/sssd/sssd.conf

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-user-ids.html

Cheers
L.

thanks

  From: Sumit Bose <sb...@redhat.com>
To: pgb205 <pgb...@yahoo.com>
Cc: Freeipa-users <freeipa-users@redhat.com>
Sent: Tuesday, July 19, 2016 3:33 AM
Subject: Re: [Freeipa-users] Unable to ssh after establishing trust 
On Mon, Jul 18, 2016 at 09:21:07PM +0000, pgb205 wrote:
> Sumit,
> 
> I have set the names of all the Domain Controllers to be resolvable to the IP
> of the one reachable Domain Controller in /etc/hosts
> 
> /etc/hosts:
> Reachable_IP_BOX  172.10.10.1
> DC1                            172.10.10.1
> DC2                            172.10.10.1
> ...
> ...

The IP address should come first, please see man hosts for details.

> 
> However, I still see the following
> Marking SRV lookup of service 'gc_addomain.local' as 'neutral'
> Marking server dc1.addomain.local' as 'name not resolved'

Have you tried to add the fully-qualified names (dc1.addomain.local) in
the right format (see above) to /etc/hosts?

> 
> 
> Additionally I have configured 
> [domain/ipa.internal]
>      with 
> subdomain_inherit = ldap_user_principal
> ldap_user_principal = nosuchattr
> 
> 
> As far as your earlier note about seeing ewr-fipa-x1 in logs. That used to be
> the old hostname of the IPA KDC.
> After much troubleshooting I believe I got this fixed by deleting  extra
> folders in
> /var/named/dyndb-ldap/ipa/master
> Right now the only two folders are ipa.internal and .in-addr.arpa.
> I think this is what helped with this issue. but can you please confirm if it
> sounds reasonable.

Not sure how you got the additional directories but if you only have a
single IPA DNS domain the two directories are sufficient.

bye, 
Sumit

> 
> 
> Ssh is still failing, possibly due to the problem 1 above. Is there anything
> else I can do to force ipa to pay attention to the /etc/hosts ?
> Or is this some other issue?
> 
> thanks
> ━━━
> From: Sumit Bose <sb...@redhat.com>
> To: pgb205 <pgb...@yahoo.com>
> Cc: Sumit Bose <sb...@redhat.com>; Freeipa-users <freeipa-users@redhat.com>
> Sent: Wednesday, July 13, 2016 5:43 AM
> Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> 
> On Tue, Jul 12, 2016 at 06:40:22PM +0000, pgb205 wrote:
> > +freeipa-users list
> >
> >      From: pgb205 <pgb...@yahoo.com>
> >  To: S

Re: [Freeipa-users] Unable to ssh after establishing trust

2016-07-19 Thread Simpson Lachlan
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of pgb205
Sent: Wednesday, 20 July 2016 5:28 AM
To: Sumit Bose
Cc: Freeipa-users
Subject: Re: [Freeipa-users] Unable to ssh after establishing trust

well...I'm not sure what I changed, if anything, but I am able to login with my 
AD credentials. I have restarted ipa server and cleared sss_cache, so maybe 
that helped.

A few other things still remain though:

right now I'm logging in as jsmith@ADDOMAIN.LOCAL
I would want it to be either jsm...@addomain.com
or better yet
jsmith  --without specifying the domain name.

How can this be accomplished?

[Lachlan Simpson]


You are looking for the default_domain_suffix setting in the sssd stanza of 
/etc/sssd/sssd.conf

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-user-ids.html

Cheers
L.



thanks


From: Sumit Bose <sb...@redhat.com>
To: pgb205 <pgb...@yahoo.com>
Cc: Freeipa-users <freeipa-users@redhat.com>
Sent: Tuesday, July 19, 2016 3:33 AM
Subject: Re: [Freeipa-users] Unable to ssh after establishing trust

On Mon, Jul 18, 2016 at 09:21:07PM +0000, pgb205 wrote:
> Sumit,
>
> I have set the names of all the Domain Controllers to be resolvable to the IP
> of the one reachable Domain Controller in /etc/hosts
>
> /etc/hosts:
> Reachable_IP_BOX  172.10.10.1
> DC1               172.10.10.1
> DC2               172.10.10.1
> ...
> ...

The IP address should come first, please see man hosts for details.

>
> However, I still see the following
> Marking SRV lookup of service 'gc_addomain.local' as 'neutral'
> Marking server dc1.addomain.local' as 'name not resolved'

Have you tried to add the fully-qualified names (dc1.addomain.local) in
the right format (see above) to /etc/hosts?

>
>
> Additionally I have configured
> [domain/ipa.internal]
>  with
> subdomain_inherit = ldap_user_principal
> ldap_user_principal = nosuchattr
>
>
> As far as your earlier note about seeing ewr-fipa-x1 in logs. That used to be
> the old hostname of the IPA KDC.
> After much troubleshooting I believe I got this fixed by deleting  extra
> folders in
> /var/named/dyndb-ldap/ipa/master
> Right now the only two folders are ipa.internal and .in-addr.arpa.
> I think this is what helped with this issue. but can you please confirm if it
> sounds reasonable.

Not sure how you got the additional directories but if you only have a
single IPA DNS domain the two directories are sufficient.

bye,

Sumit

>
>
> Ssh is still failing, possibly due to the problem 1 above. Is there anything
> else I can do to force ipa to pay attention to the /etc/hosts ?
> Or is this some other issue?
>
> thanks
> ━━━
> From: Sumit Bose <sb...@redhat.com>
> To: pgb205 <pgb...@yahoo.com>
> Cc: Sumit Bose <sb...@redhat.com>; Freeipa-users <freeipa-users@redhat.com>
> Sent: Wednesday, July 13, 2016 5:43 AM
> Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
>
> On Tue, Jul 12, 2016 at 06:40:22PM +0000, pgb205 wrote:
> > +freeipa-users list
> >
> >  From: pgb205 <pgb...@yahoo.com>
> >  To: Sumit Bose <sb...@redhat.com>
> >  Sent: Tuesday, July 12, 2016 2:12 PM
> >  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> >
> > Sumit, thanks for replying
> > So the first issue is my fault, probably from when I was sanitizing logs.
> > our active directory domain is ad_domain.local, but users would expect to
> login as userid@ad_domain.com or just userid. For IPA the Kerberos realm is 
> ipa the kerberos realm is
> IPA_DOMAIN.INTERNAL and domain is ipa_domain.internal.
> > ewr-fipa_server used to be old trial server so I am not sure why it's still
> in the dns lookup results. I'll check this part further.
> > Lastly. only the connection to one of the domain controllers on AD side is
> open. As discussed previously with Alexandr Bokovoy I forced, in 
> /etc/krb5.conf,
> a connection to this single, accessible domain controller. Are there any other
> files where I would need to lock down the connections between ipa->ad so that
> all traffic goes to specific active directory domain controller?
> > thanks again for replying so quickly.
>
> Curr
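
The sssd.conf settings this thread discusses, collected into one fragment as an added example (it is not a file posted by anyone in the thread). The [sssd] stanza carries the default_domain_suffix Lachlan points to; the [domain/ipa.internal] stanza carries the ldap_user_principal work-around and the ldap_network_timeout Sumit mentions. Domain names (ipa.internal, addomain.local), the server hostname and the timeout value are assumptions taken or guessed from the thread, not verified against the poster's setup.

```ini
# /etc/sssd/sssd.conf on the IPA server. Added example assembled from the
# settings discussed in this thread; names and values are assumptions.

[sssd]
services = nss, pam, ssh, sudo
domains = ipa.internal
# Unqualified logins ("ssh jsmith@ipahost") are resolved as
# jsmith@addomain.local. Caveat from sssd.conf(5): once this is set, users
# from every other domain, including IPA's own, must log in fully
# qualified (admin@ipa.internal), otherwise the lookup lands in AD.
default_domain_suffix = addomain.local

[domain/ipa.internal]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.internal
ipa_hostname = ipa_server.ipa.internal
# Written by ipa-server-install on the server; omit on IPA clients.
ipa_server_mode = True
ipa_server = _srv_, ipa_server.ipa.internal
# Work-around from the thread for the alternative UPN suffix
# (jsmith@addomain.com): make the trusted AD subdomain ignore the AD
# userPrincipalName attribute until IPA 4.4.1 / SSSD 1.14.1.
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr
# Sumit's suggestion if DC connections time out rather than fail to
# resolve: raise the LDAP connect timeout (seconds; default 6 per
# sssd-ldap(5)). 30 is an assumed value.
ldap_network_timeout = 30
```

After editing, the file must stay mode 0600 and owned by root, and SSSD needs a restart plus a cache flush (sss_cache -E) before the new suffix is used, as the poster had already done for the earlier change.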

Re: [Freeipa-users] Unable to ssh after establishing trust

2016-07-19 Thread pgb205
well...I'm not sure what I changed, if anything, but I am able to login with my 
AD credentials. I have restarted ipa server and cleared sss_cache, so maybe 
that helped.
A few other things still remain though:
right now I'm logging in as jsmith@ADDOMAIN.LOCAL. I would want it to be either 
jsmith@ADDOMAIN.COM or better yet jsmith --without specifying the domain name.
How can this be accomplished?
thanks

  From: Sumit Bose <sb...@redhat.com>
 To: pgb205 <pgb...@yahoo.com> 
Cc: Freeipa-users <freeipa-users@redhat.com>
 Sent: Tuesday, July 19, 2016 3:33 AM
 Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
   
On Mon, Jul 18, 2016 at 09:21:07PM +0000, pgb205 wrote:
> Sumit,
> 
> I have set the names of all the Domain Controllers to be resolvable to the IP
> of the one reachable Domain Controller in /etc/hosts
> 
> /etc/hosts:
> Reachable_IP_BOX  172.10.10.1
> DC1                            172.10.10.1
> DC2                            172.10.10.1
> ...
> ...

The IP address should come first, please see man hosts for details.

> 
> However, I still see the following
> Marking SRV lookup of service 'gc_addomain.local' as 'neutral'
> Marking server dc1.addomain.local' as 'name not resolved'

Have you tried to add the fully-qualified names (dc1.addomain.local) in
the right format (see above) to /etc/hosts?

> 
> 
> Additionally I have configured 
> [domain/ipa.internal]
>      with 
> subdomain_inherit = ldap_user_principal
> ldap_user_principal = nosuchattr
> 
> 
> As far as your earlier note about seeing ewr-fipa-x1 in logs. That used to be
> the old hostname of the IPA KDC.
> After much troubleshooting I believe I got this fixed by deleting  extra
> folders in
> /var/named/dyndb-ldap/ipa/master
> Right now the only two folders are ipa.internal and .in-addr.arpa.
> I think this is what helped with this issue. but can you please confirm if it
> sounds reasonable.

Not sure how you got the additional directories but if you only have a
single IPA DNS domain the two directories are sufficient.

bye,
Sumit

> 
> 
> Ssh is still failing, possibly due to the problem 1 above. Is there anything
> else I can do to force ipa to pay attention to the /etc/hosts ?
> Or is this some other issue?
> 
> thanks
> ━━━
> From: Sumit Bose <sb...@redhat.com>
> To: pgb205 <pgb...@yahoo.com>
> Cc: Sumit Bose <sb...@redhat.com>; Freeipa-users <freeipa-users@redhat.com>
> Sent: Wednesday, July 13, 2016 5:43 AM
> Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> 
> On Tue, Jul 12, 2016 at 06:40:22PM +0000, pgb205 wrote:
> > +freeipa-users list
> >
> >      From: pgb205 <pgb...@yahoo.com>
> >  To: Sumit Bose <sb...@redhat.com>
> >  Sent: Tuesday, July 12, 2016 2:12 PM
> >  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> >  
> > Sumit, thanks for replying
> > So the first issue is my fault, probably from when I was sanitizing logs. 
> > our active directory domain is ad_domain.local, but users would expect to
> login as userid@ad_domain.com or just userid. For IPA the Kerberos realm is
> IPA_DOMAIN.INTERNAL and domain is ipa_domain.internal.
> > ewr-fipa_server used to be old trial server so I am not sure why it's still
> in the dns lookup results. I'll check this part further.
> > Lastly. only the connection to one of the domain controllers on AD side is
> open. As discussed previously with Alexandr Bokovoy I forced, in 
> /etc/krb5.conf,
> a connection to this single, accessible domain controller. Are there any other
> files where I would need to lock down the connections between ipa->ad so that
> all traffic goes to specific active directory domain controller?
> > thanks again for replying so quickly.
> 
> Currently it is not possible to specify which AD DC the SSSD on the IPA
> server should talk to. We have ticket
> https://fedorahosted.org/sssd/ticket/2599 to make this possible in some
> later versions of SSSD.
> 
> Currently SSSD uses a DNS SRV lookup like _ldap._tcp.ad_domain.local to
> get a list of AD DC, then picks one to get the next nearest site for the
> IPA domain and finally tries to lookup a DC from the matching site (if
> any).
> 
> According to your logs SSSD was able to find 18 DCs with the SRV lookup.
> A call like
> 
>    dig SRV _ldap._tcp.ad_domain.local
> 
> on the IPA server should return the same list of 18 DCs.
> 
> As a work-around, or better a hack, you might want to try to set the IP
> address of all the 18 DCs returned to the IP address of the only
> accessible DC in /etc/hosts. This way SSSD should have no chance to
>

Re: [Freeipa-users] Unable to ssh after establishing trust

2016-07-19 Thread pgb205
Sorry, I typed things out instead of copy/paste
my etc hosts looks like:

search  ad.local
127.0.0.1       localhost
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.1         ipa_server.ipa.internal    ipa_server
172.19.10.10       ad_server1.ad.local
172.19.10.10       ad_server2.ad.local
172.19.10.10       ad_server3.ad.local
If you want I can send you the sssd logs again

  From: Sumit Bose <sb...@redhat.com>
 To: pgb205 <pgb...@yahoo.com> 
Cc: Freeipa-users <freeipa-users@redhat.com>
 Sent: Tuesday, July 19, 2016 3:33 AM
 Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
   
On Mon, Jul 18, 2016 at 09:21:07PM +0000, pgb205 wrote:
> Sumit,
> 
> I have set the names of all the Domain Controllers to be resolvable to the IP
> of the one reachable Domain Controller in /etc/hosts
> 
> /etc/hosts:
> Reachable_IP_BOX  172.10.10.1
> DC1                            172.10.10.1
> DC2                            172.10.10.1
> ...
> ...

The IP address should come first, please see man hosts for details.

> 
> However, I still see the following
> Marking SRV lookup of service 'gc_addomain.local' as 'neutral'
> Marking server dc1.addomain.local' as 'name not resolved'

Have you tried to add the fully-qualified names (dc1.addomain.local) in
the right format (see above) to /etc/hosts?

> 
> 
> Additionally I have configured 
> [domain/ipa.internal]
>      with 
> subdomain_inherit = ldap_user_principal
> ldap_user_principal = nosuchattr
> 
> 
> As far as your earlier note about seeing ewr-fipa-x1 in logs. That used to be
> the old hostname of the IPA KDC.
> After much troubleshooting I believe I got this fixed by deleting  extra
> folders in
> /var/named/dyndb-ldap/ipa/master
> Right now the only two folders are ipa.internal and .in-addr.arpa.
> I think this is what helped with this issue. but can you please confirm if it
> sounds reasonable.

Not sure how you got the additional directories but if you only have a
single IPA DNS domain the two directories are sufficient.

bye,
Sumit

> 
> 
> Ssh is still failing, possibly due to the problem 1 above. Is there anything
> else I can do to force ipa to pay attention to the /etc/hosts ?
> Or is this some other issue?
> 
> thanks
> ━━━
> From: Sumit Bose <sb...@redhat.com>
> To: pgb205 <pgb...@yahoo.com>
> Cc: Sumit Bose <sb...@redhat.com>; Freeipa-users <freeipa-users@redhat.com>
> Sent: Wednesday, July 13, 2016 5:43 AM
> Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> 
> On Tue, Jul 12, 2016 at 06:40:22PM +0000, pgb205 wrote:
> > +freeipa-users list
> >
> >      From: pgb205 <pgb...@yahoo.com>
> >  To: Sumit Bose <sb...@redhat.com>
> >  Sent: Tuesday, July 12, 2016 2:12 PM
> >  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> >  
> > Sumit, thanks for replying
> > So the first issue is my fault, probably from when I was sanitizing logs. 
> > our active directory domain is ad_domain.local, but users would expect to
> login as userid@ad_domain.com or just userid. For IPA the Kerberos realm is
> IPA_DOMAIN.INTERNAL and domain is ipa_domain.internal.
> > ewr-fipa_server used to be old trial server so I am not sure why it's still
> in the dns lookup results. I'll check this part further.
> > Lastly. only the connection to one of the domain controllers on AD side is
> open. As discussed previously with Alexandr Bokovoy I forced, in 
> /etc/krb5.conf,
> a connection to this single, accessible domain controller. Are there any other
> files where I would need to lock down the connections between ipa->ad so that
> all traffic goes to specific active directory domain controller?
> > thanks again for replying so quickly.
> 
> Currently it is not possible to specify which AD DC the SSSD on the IPA
> server should talk to. We have ticket
> https://fedorahosted.org/sssd/ticket/2599 to make this possible in some
> later versions of SSSD.
> 
> Currently SSSD uses a DNS SRV lookup like _ldap._tcp.ad_domain.local to
> get a list of AD DC, then picks one to get the next nearest site for the
> IPA domain and finally tries to lookup a DC from the matching site (if
> any).
> 
> According to your logs SSSD was able to find 18 DCs with the SRV lookup.
> A call like
> 
>    dig SRV _ldap._tcp.ad_domain.local
> 
> on the IPA server should return the same list of 18 DCs.
> 
> As a work-around, or better a hack, you might want to try to set the IP
> address of all the 18 DCs returned to the IP address of the only

Re: [Freeipa-users] Unable to ssh after establishing trust

2016-07-19 Thread Sumit Bose
On Mon, Jul 18, 2016 at 09:21:07PM +0000, pgb205 wrote:
> Sumit,
> 
> I have set the names of all the Domain Controllers to be resolvable to the IP
> of the one reachable Domain Controller in /etc/hosts
> 
> /etc/hosts:
> Reachable_IP_BOX   172.10.10.1
> DC1               172.10.10.1
> DC2               172.10.10.1
> ...
> ...

The IP address should come first, please see man hosts for details.

> 
> However, I still see the following
> Marking SRV lookup of service 'gc_addomain.local' as 'neutral'
> Marking server dc1.addomain.local' as 'name not resolved'

Have you tried to add the fully-qualified names (dc1.addomain.local) in
the right format (see above) to /etc/hosts?

> 
> 
> Additionally I have configured 
> [domain/ipa.internal]
>   with 
> subdomain_inherit = ldap_user_principal
> ldap_user_principal = nosuchattr
> 
> 
> As far as your earlier note about seeing ewr-fipa-x1 in logs. That used to be
> the old hostname of the IPA KDC.
> After much troubleshooting I believe I got this fixed by deleting  extra
> folders in
> /var/named/dyndb-ldap/ipa/master
> Right now the only two folders are ipa.internal and .in-addr.arpa.
> I think this is what helped with this issue. but can you please confirm if it
> sounds reasonable.

Not sure how you got the additional directories but if you only have a
single IPA DNS domain the two directories are sufficient.

bye,
Sumit

> 
> 
> Ssh is still failing, possibly due to the problem 1 above. Is there anything
> else I can do to force ipa to pay attention to the /etc/hosts ?
> Or is this some other issue?
> 
> thanks
> ━━━
> From: Sumit Bose <sb...@redhat.com>
> To: pgb205 <pgb...@yahoo.com>
> Cc: Sumit Bose <sb...@redhat.com>; Freeipa-users <freeipa-users@redhat.com>
> Sent: Wednesday, July 13, 2016 5:43 AM
> Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> 
> On Tue, Jul 12, 2016 at 06:40:22PM +0000, pgb205 wrote:
> > +freeipa-users list
> >
> >      From: pgb205 <pgb...@yahoo.com>
> >  To: Sumit Bose <sb...@redhat.com>
> >  Sent: Tuesday, July 12, 2016 2:12 PM
> >  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> >   
> > Sumit, thanks for replying
> > So the first issue is my fault, probably from when I was sanitizing logs. 
> > our active directory domain is ad_domain.local, but users would expect to
> login as userid@ad_domain.com or just userid. For IPA the Kerberos realm is
> IPA_DOMAIN.INTERNAL and domain is ipa_domain.internal.
> > ewr-fipa_server used to be old trial server so I am not sure why it's still
> in the dns lookup results. I'll check this part further.
> > Lastly. only the connection to one of the domain controllers on AD side is
> open. As discussed previously with Alexandr Bokovoy I forced, in 
> /etc/krb5.conf,
> a connection to this single, accessible domain controller. Are there any other
> files where I would need to lock down the connections between ipa->ad so that
> all traffic goes to specific active directory domain controller?
> > thanks again for replying so quickly.
> 
> Currently it is not possible to specify which AD DC the SSSD on the IPA
> server should talk to. We have ticket
> https://fedorahosted.org/sssd/ticket/2599 to make this possible in some
> later versions of SSSD.
> 
> Currently SSSD uses a DNS SRV lookup like _ldap._tcp.ad_domain.local to
> get a list of AD DC, then picks one to get the next nearest site for the
> IPA domain and finally tries to lookup a DC from the matching site (if
> any).
> 
> According to your logs SSSD was able to find 18 DCs with the SRV lookup.
> A call like
> 
> dig SRV _ldap._tcp.ad_domain.local
> 
> on the IPA server should return the same list of 18 DCs.
> 
> As a work-around, or better a hack, you might want to try to set the IP
> address of all the 18 DCs returned to the IP address of the only
> accessible DC in /etc/hosts. This way SSSD should have no chance to
> connect to a different DC.
> 
> bye,
> 
> Sumit
> 
> >
> >  From: Sumit Bose <sb...@redhat.com>
> >  To: pgb205 <pgb...@yahoo.com>
> > Cc: Sumit Bose <sb...@redhat.com>
> >  Sent: Tuesday, July 12, 2016 5:37 AM
> >  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> > 
> > On Mon, Jul 11, 2016 at 09:14:03PM +0000, pgb205 wrote:
> > > Sumit, 
> > > sssd log files attached with debug=10 in all sections. I have attempted
> several logins for comparison as well as kinit commands
> >
> > I came across tw

Re: [Freeipa-users] Unable to ssh after establishing trust

2016-07-18 Thread pgb205
Sumit,
I have set the names of all the Domain Controllers to be resolvable to the IP 
of the one reachable Domain Controller in /etc/hosts
/etc/hosts:
Reachable_IP_BOX   172.10.10.1
DC1                172.10.10.1
DC2                172.10.10.1
...
However, I still see the following
Marking SRV lookup of service 'gc_addomain.local' as 'neutral'
Marking server dc1.addomain.local' as 'name not resolved'

Additionally I have configured [domain/ipa.internal]
      with 
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr

As far as your earlier note about seeing ewr-fipa-x1 in logs. That used to be 
the old hostname of the IPA KDC. After much troubleshooting I believe I got this 
fixed by deleting extra folders in
/var/named/dyndb-ldap/ipa/master
Right now the only two folders are ipa.internal and .in-addr.arpa.
I think this is what helped with this issue. but can you please confirm if it 
sounds reasonable.

Ssh is still failing, possibly due to the problem 1 above. Is there anything 
else I can do to force ipa to pay attention to the /etc/hosts ? Or is this some 
other issue?
thanks

  From: Sumit Bose <sb...@redhat.com>
 To: pgb205 <pgb...@yahoo.com> 
Cc: Sumit Bose <sb...@redhat.com>; Freeipa-users <freeipa-users@redhat.com>
 Sent: Wednesday, July 13, 2016 5:43 AM
 Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
   
On Tue, Jul 12, 2016 at 06:40:22PM +0000, pgb205 wrote:
> +freeipa-users list
> 
>      From: pgb205 <pgb...@yahoo.com>
>  To: Sumit Bose <sb...@redhat.com> 
>  Sent: Tuesday, July 12, 2016 2:12 PM
>  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
>    
> Sumit, thanks for replying
> So the first issue is my fault, probably from when I was sanitizing logs. 
> our active directory domain is ad_domain.local, but users would expect to 
> login as userid@ad_domain.com or just userid. For IPA the Kerberos realm is 
> IPA_DOMAIN.INTERNAL and domain is ipa_domain.internal.
> ewr-fipa_server used to be old trial server so I am not sure why it's still 
> in the dns lookup results. I'll check this part further.
> Lastly. only the connection to one of the domain controllers on AD side is 
> open. As discussed previously with Alexandr Bokovoy I forced, in 
> /etc/krb5.conf, a connection to this single, accessible domain controller. 
> Are there any other files where I would need to lock down the connections 
> between ipa->ad so that all traffic goes to specific active directory domain 
> controller?
> thanks again for replying so quickly.

Currently it is not possible to specify which AD DC the SSSD on the IPA
server should talk to. We have ticket
https://fedorahosted.org/sssd/ticket/2599 to make this possible in some
later versions of SSSD. 

Currently SSSD uses a DNS SRV lookup like _ldap._tcp.ad_domain.local to
get a list of AD DC, then picks one to get the next nearest site for the
IPA domain and finally tries to lookup a DC from the matching site (if
any).

According to your logs SSSD was able to find 18 DCs with the SRV lookup.
A call like

    dig SRV _ldap._tcp.ad_domain.local

on the IPA server should return the same list of 18 DCs.

As a work-around, or better a hack, you might want to try to set the IP
address of all the 18 DCs returned to the IP address of the only
accessible DC in /etc/hosts. This way SSSD should have no chance to
connect to a different DC.

bye,
Sumit

> 
>      From: Sumit Bose <sb...@redhat.com>
>  To: pgb205 <pgb...@yahoo.com> 
> Cc: Sumit Bose <sb...@redhat.com>
>  Sent: Tuesday, July 12, 2016 5:37 AM
>  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
>  
> On Mon, Jul 11, 2016 at 09:14:03PM +0000, pgb205 wrote:
> > Sumit, 
> > sssd log files attached with debug=10 in all sections. I have attempted 
> > several logins for comparison as well as kinit commands
> 
> I came across two issues in the logs.
> 
> First it looks like you use 'user@AD_DOMAIN.LOCAL' at the login prompt
> but there seem to be an alternative domain suffix 'AD_DOMAIN.COM' on the
> AD side and user principal attributes 'user@AD_DOMAIN.COM'. Currently
> FreeIPA cannot resolve those principals correctly. It was planned for
> IPA 4.4.0 and SSSD 1.14.0 but because of an issue found in 4.4.0 it will
> be available (hopefully) with IPA 4.4.1 and SSSD 1.14.1. In the meantime
> please try to work-around suggested at the end of
> http://osdir.com/ml/freeipa-users/2016-01/msg00304.html . When trying to
> authenticate with user@AD_DOMAIN.COM SSSD looks for a server called
> ewr-fipa_server.ad_domain.com but cannot find it and returns the error code
> for "Cannot contact any KDC for requested realm".
> 
> Second there are some issues accessing AD DCs via LDAP. SSSD tries to
> connect to mm-sfdc01.ad

Re: [Freeipa-users] Unable to ssh after establishing trust

2016-07-13 Thread Sumit Bose
On Tue, Jul 12, 2016 at 06:40:22PM +0000, pgb205 wrote:
> +freeipa-users list
> 
>   From: pgb205 <pgb...@yahoo.com>
>  To: Sumit Bose <sb...@redhat.com> 
>  Sent: Tuesday, July 12, 2016 2:12 PM
>  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
>
> Sumit, thanks for replying
> So the first issue is my fault, probably from when I was sanitizing logs. 
> our active directory domain is ad_domain.local, but users would expect to 
> login as userid@ad_domain.com or just userid. For IPA the Kerberos realm is 
> IPA_DOMAIN.INTERNAL and domain is ipa_domain.internal.
> ewr-fipa_server used to be old trial server so I am not sure why it's still 
> in the dns lookup results. I'll check this part further.
> Lastly. only the connection to one of the domain controllers on AD side is 
> open. As discussed previously with Alexandr Bokovoy I forced, in 
> /etc/krb5.conf, a connection to this single, accessible domain controller. 
> Are there any other files where I would need to lock down the connections 
> between ipa->ad so that all traffic goes to specific active directory domain 
> controller?
> thanks again for replying so quickly.

Currently it is not possible to specify which AD DC the SSSD on the IPA
server should talk to. We have ticket
https://fedorahosted.org/sssd/ticket/2599 to make this possible in some
later versions of SSSD. 

Currently SSSD uses a DNS SRV lookup like _ldap._tcp.ad_domain.local to
get a list of AD DC, then picks one to get the next nearest site for the
IPA domain and finally tries to lookup a DC from the matching site (if
any).

According to your logs SSSD was able to find 18 DCs with the SRV lookup.
A call like

dig SRV _ldap._tcp.ad_domain.local

on the IPA server should return the same list of 18 DCs.

As a work-around, or better a hack, you might want to try to set the IP
address of all the 18 DCs returned to the IP address of the only
accessible DC in /etc/hosts. This way SSSD should have no chance to
connect to a different DC.

bye,
Sumit

> 
>   From: Sumit Bose <sb...@redhat.com>
>  To: pgb205 <pgb...@yahoo.com> 
> Cc: Sumit Bose <sb...@redhat.com>
>  Sent: Tuesday, July 12, 2016 5:37 AM
>  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
>   
> On Mon, Jul 11, 2016 at 09:14:03PM +0000, pgb205 wrote:
> > Sumit, 
> > sssd log files attached with debug=10 in all sections. I have attempted 
> > several logins for comparison as well as kinit commands
> 
> I came across two issues in the logs.
> 
> First it looks like you use 'user@AD_DOMAIN.LOCAL' at the login prompt
> but there seem to be an alternative domain suffix 'AD_DOMAIN.COM' on the
> AD side and user principal attributes 'user@AD_DOMAIN.COM'. Currently
> FreeIPA cannot resolve those principals correctly. It was planned for
> IPA 4.4.0 and SSSD 1.14.0 but because of an issue found in 4.4.0 it will
> be available (hopefully) with IPA 4.4.1 and SSSD 1.14.1. In the meantime
> please try to work-around suggested at the end of
> http://osdir.com/ml/freeipa-users/2016-01/msg00304.html . When trying to
> authenticate with user@AD_DOMAIN.COM SSSD looks for a server called
> ewr-fipa_server.ad_domain.com but cannot find it and returns the error code
> for "Cannot contact any KDC for requested realm".
> 
> Second there are some issues accessing AD DCs via LDAP. SSSD tries to
> connect to mm-sfdc01.ad_domain.local and mm-tokyo-02.ad_domain.local but
> both fail. It is not clear from the logs if already the DNS lookup for
> those fails or if the connection itself runs into a timeout. In the
> former case you should make sure that the names can be resolved in the
> IPA server in the latter you can try to increase ldap_network_timeout
> (see man sssd-ldap for details). Since SSSD cannot connect to the DCs it
> switches the AD domains to offline. The authentication request is
> handled offline as well but since there are no cached credentials you
> get the permission denied error.
> 
> HTH
> 
> bye,
> Sumit
> 
> > 
> >      From: Sumit Bose <sb...@redhat.com>
> >  To: pgb205 <pgb...@yahoo.com> 
> > Cc: "Freeipa-users@redhat.com" <Freeipa-users@redhat.com>
> >  Sent: Monday, July 11, 2016 3:06 AM
> >  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
> >    
> > On Mon, Jul 11, 2016 at 03:46:57AM +, pgb205 wrote:
> > > I have successfully established trust and am able to obtain ticket
> > > granting ticket
> > > kinit user@AD_DOMAIN.COM
> > > I can also do kinit admin@IPA_DOMAIN.COM
> > > ssh admin@IPA_DOMAIN.COM also works
> > > however, ssh user@AD_DOMAIN.COM or user@ad_domain.com fails
> > > I have checked that there are no h

Re: [Freeipa-users] Unable to ssh after establishing trust

2016-07-12 Thread pgb205
+freeipa-users list

  From: pgb205 <pgb...@yahoo.com>
 To: Sumit Bose <sb...@redhat.com> 
 Sent: Tuesday, July 12, 2016 2:12 PM
 Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
   
Sumit, thanks for replying.
So the first issue is my fault, probably from when I was sanitizing logs.
Our Active Directory domain is ad_domain.local, but users would expect to login
as userid@ad_domain.com or just userid. For IPA the Kerberos realm is
IPA_DOMAIN.INTERNAL and domain is ipa_domain.internal.
ewr-fipa_server used to be an old trial server so I am not sure why it's still in
the dns lookup results. I'll check this part further.
Lastly, only the connection to one of the domain controllers on the AD side is
open. As discussed previously with Alexander Bokovoy I forced, in /etc/krb5.conf,
a connection to this single, accessible domain controller. Are there any other
files where I would need to lock down the connections between ipa->ad so that
all traffic goes to a specific Active Directory domain controller?
thanks again for replying so quickly.

  From: Sumit Bose <sb...@redhat.com>
 To: pgb205 <pgb...@yahoo.com> 
Cc: Sumit Bose <sb...@redhat.com>
 Sent: Tuesday, July 12, 2016 5:37 AM
 Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
  
On Mon, Jul 11, 2016 at 09:14:03PM +, pgb205 wrote:
> Sumit, 
> sssd log files attached with debug=10 in all sections. I have attempted
> several logins for comparison as well as kinit commands

I came across two issues in the logs.

First it looks like you use 'user@AD_DOMAIN.LOCAL' at the login prompt
but there seems to be an alternative domain suffix 'AD_DOMAIN.COM' on the
AD side and user principal attributes 'user@AD_DOMAIN.COM'. Currently
FreeIPA cannot resolve those principals correctly. It was planned for
IPA 4.4.0 and SSSD 1.14.0 but because of an issue found in 4.4.0 it will
be available (hopefully) with IPA 4.4.1 and SSSD 1.14.1. In the meantime
please try the work-around suggested at the end of
http://osdir.com/ml/freeipa-users/2016-01/msg00304.html . When trying to
authenticate with user@AD_DOMAIN.COM SSSD looks for a server called
ewr-fipa_server.ad_domain.com but cannot find it and returns the error code
for "Cannot contact any KDC for requested realm".

Second there are some issues accessing AD DCs via LDAP. SSSD tries to
connect to mm-sfdc01.ad_domain.local and mm-tokyo-02.ad_domain.local but
both fail. It is not clear from the logs if the DNS lookup for those
already fails or if the connection itself runs into a timeout. In the
former case you should make sure that the names can be resolved on the
IPA server; in the latter you can try to increase ldap_network_timeout
(see man sssd-ldap for details). Since SSSD cannot connect to the DCs it
switches the AD domains to offline. The authentication request is
handled offline as well but since there are no cached credentials you
get the permission denied error.

HTH

bye,
Sumit

> 
>      From: Sumit Bose <sb...@redhat.com>
>  To: pgb205 <pgb...@yahoo.com> 
> Cc: "Freeipa-users@redhat.com" <Freeipa-users@redhat.com>
>  Sent: Monday, July 11, 2016 3:06 AM
>  Subject: Re: [Freeipa-users] Unable to ssh after establishing trust
>    
> On Mon, Jul 11, 2016 at 03:46:57AM +, pgb205 wrote:
> > I have successfully established trust and am able to obtain ticket granting
> > ticket
> > kinit user@AD_DOMAIN.COM
> > I can also do kinit admin@IPA_DOMAIN.COM
> > ssh admin@IPA_DOMAIN.COM also works
> > however, ssh user@AD_DOMAIN.COM or user@ad_domain.com fails
> > I have checked that there are no hbac rules other than the default
> > allow_all rule
> > in sssd_ssh.log I see
> > permission denied (6) error
> > in sssd_ipa.domain.log file I see
> > pam_handler_callback 6 permission_denied
> > in sssd_nss.log
> > Unable to get information from Data Provider
> > Error: 3 Account info lookup failed
> > Will try to return what we have in cache
> > in /var/log/secure
> > received for user user@AD_DOMAIN.COM: 6 (Permission denied)
> >
> > I can provide full logs if necessary to diagnose the above problem.
> 
> Yes, full SSSD logs with debug_level=10 would be best.
> 
> > --
> > Additionally, I would like to be able to login as user not
> > user@AD_DOMAIN.COM
> > My understanding is that the only thing that I have to change to make this happen
> > is /etc/krb5.conf for line
> > [libdefaults] default_realm=AD_DOMAN.COM and then restarting ipa services.
> 
> No, please do not change the default_realm. This is not related to the
> issues you are seeing.
> 
> bye,
> Sumit
> 
> > However, when I do this I get failure to restart Samba service
> 
  -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
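The two failure signatures Sumit describes above (a KDC lookup for the UPN-suffix realm that fails, and AD DCs unreachable over LDAP so the trusted domain goes offline and PAM denies the login) can be triaged mechanically from debug_level=10 logs. The script below is an added example, not code from the thread or from SSSD; the exact log wording it matches is an assumption to adapt to your SSSD version, and the sample lines are constructed.

```python
"""Triage SSSD debug logs for the two failures discussed in this thread.
Added example, not code from the thread or SSSD; the message wording matched here
is an assumption (adapt to your SSSD version) and the sample lines are constructed."""
import re
import sys

# Issue 1: a login as user@AD_DOMAIN.COM makes SSSD look for a KDC of a realm it cannot find.
KDC_RE = re.compile(r"Cannot contact any KDC for (?:requested )?realm '?([\w.\-]+)")
# Issue 2: LDAP to the AD DCs fails, SSSD marks the trusted domain offline, PAM denies the login.
DC_FAIL_RE = re.compile(r"(?:Failed to connect to|Could not resolve) '?(?:ldap://)?([\w.\-]+)", re.I)
OFFLINE_RE = re.compile(r"Going offline", re.I)
PAM_DENY_RE = re.compile(r"pam_handler_callback.*\b6\b.*permission[ _]denied", re.I)


def diagnose(lines):
    """Collect unreachable realms and DCs from log lines and derive advice."""
    found = {"realms": [], "dcs": [], "offline": False, "denied": False, "advice": []}
    for line in lines:
        m = KDC_RE.search(line)
        if m and m.group(1) not in found["realms"]:
            found["realms"].append(m.group(1))
        m = DC_FAIL_RE.search(line)
        if m and m.group(1) not in found["dcs"]:
            found["dcs"].append(m.group(1))
        found["offline"] = found["offline"] or bool(OFFLINE_RE.search(line))
        found["denied"] = found["denied"] or bool(PAM_DENY_RE.search(line))
    if found["realms"]:
        found["advice"].append("no KDC found for realm(s) %s: check the UPN suffix to "
                               "realm mapping before touching krb5.conf" % ", ".join(found["realms"]))
    if found["dcs"]:
        found["advice"].append("DC(s) %s unreachable over LDAP: confirm the names resolve on "
                               "the IPA server, then raise ldap_network_timeout" % ", ".join(found["dcs"]))
    if found["offline"] and found["denied"]:
        found["advice"].append("domain went offline with no cached credentials: the PAM "
                               "permission denied is a symptom of the DC problem, not a separate bug")
    return found


# Constructed sample lines (not the poster's logs), in the shape of sssd_be output.
SAMPLE = [
    "[sssd[be[ipa_domain.internal]]] [krb5_child] (0x0020): Cannot contact any KDC for realm 'AD_DOMAIN.COM'",
    "[sssd[be[ipa_domain.internal]]] [sdap_async_sys_connect_done] (0x0020): Failed to connect to 'ldap://mm-sfdc01.ad_domain.local:389'",
    "[sssd[be[ipa_domain.internal]]] [sdap_async_sys_connect_done] (0x0020): Failed to connect to 'ldap://mm-tokyo-02.ad_domain.local:389'",
    "[sssd[be[ipa_domain.internal]]] [be_mark_offline] (0x2000): Going offline!",
    "[sssd[be[ipa_domain.internal]]] [pam_handler_callback] (0x0100): pam_handler_callback 6 permission_denied",
]

if __name__ == "__main__":  # python3 sssd_triage.py /var/log/sssd/*.log ; no args uses SAMPLE
    lines = SAMPLE if len(sys.argv) == 1 else (l for f in sys.argv[1:] for l in open(f, errors="replace"))
    for item in diagnose(lines)["advice"]:
        print("-", item)
```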

Re: [Freeipa-users] Unable to ssh after establishing trust

2016-07-11 Thread Sumit Bose
On Mon, Jul 11, 2016 at 03:46:57AM +, pgb205 wrote:
> I have successfully established trust and am able to obtain ticket granting
> ticket
> kinit user@AD_DOMAIN.COM
> I can also do kinit admin@IPA_DOMAIN.COM
> ssh admin@IPA_DOMAIN.COM also works
> however, ssh user@AD_DOMAIN.COM or user@ad_domain.com fails
> I have checked that there are no hbac rules other than the default allow_all
> rule
> in sssd_ssh.log I see
> permission denied (6) error
> in sssd_ipa.domain.log file I see
> pam_handler_callback 6 permission_denied
> in sssd_nss.log
> Unable to get information from Data Provider
> Error: 3 Account info lookup failed
> Will try to return what we have in cache
> in /var/log/secure
> received for user user@AD_DOMAIN.COM: 6 (Permission denied)
>
> I can provide full logs if necessary to diagnose the above problem.

Yes, full SSSD logs with debug_level=10 would be best.

> --
> Additionally, I would like to be able to login as user not
> user@AD_DOMAIN.COM
> My understanding is that the only thing that I have to change to make this happen is
> /etc/krb5.conf for line
> [libdefaults] default_realm=AD_DOMAN.COM and then restarting ipa services.

No, please do not change the default_realm. This is not related to the
issues you are seeing.

bye,
Sumit

> However, when I do this I get failure to restart Samba service




Re: [Freeipa-users] Unable to ssh after establishing trust

2016-07-11 Thread Lachlan Musicman
Have you set up the external group and internal group as required in IPA?

The server you are trying to log into - you have added this to the IPA
server using ipa-client-install?

When you are logged into the server that you want to login to as root (or
local user), does `id user@ad_domain.com` give you the results you expected?

(sorry to ask simple questions, but just in case)

cheers
L.


--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 11 July 2016 at 13:46, pgb205  wrote:

> I have successfully established trust and am able to obtain ticket
> granting ticket
> kinit user@AD_DOMAIN.COM
> I can also do kinit admin@IPA_DOMAIN.COM
> ssh admin@IPA_DOMAIN.COM also works
>
> however, ssh user@AD_DOMAIN.COM or user@ad_domain.com fails
>
> I have checked that there are no hbac rules other then the default
> allow_all rule
>
> in sssd_ssh.log see
> permission denied (6) error
>
> in sssd_ipa.domain.log file I see
> pam_handler_callback 6 permission_denied
>
> in sssd_nss.log
> Unable to get information from Data Provider
> Error: 3 Account info lookup failed
> Will try to return what we have in cache
>
> in /var/log/secure
>  received for user user@AD_DOMAIN.COM: 6 (Permission denied)
>
> I can provided full logs if necessary to diagnose the above problem.
>
> --
> Additionally, I would like to be able to login as *user* not
> *user@AD_DOMAIN.COM*
> My understanding that only thing that I have to change to make this happen
> is /etc/krb5.conf
> for line
> [libdefaults]
>  default_realm=AD_DOMAN.COM
> and then restarting ipa services.
>
> However, when I do this I get failure to restart Samba service
>

[Freeipa-users] Unable to ssh after establishing trust

2016-07-10 Thread pgb205
I have successfully established trust and am able to obtain ticket granting
ticket
kinit user@AD_DOMAIN.COM
I can also do kinit admin@IPA_DOMAIN.COM
ssh admin@IPA_DOMAIN.COM also works
however, ssh user@AD_DOMAIN.COM or user@ad_domain.com fails
I have checked that there are no hbac rules other than the default allow_all
rule
in sssd_ssh.log I see
permission denied (6) error
in sssd_ipa.domain.log file I see
pam_handler_callback 6 permission_denied
in sssd_nss.log
Unable to get information from Data Provider
Error: 3 Account info lookup failed
Will try to return what we have in cache
in /var/log/secure
received for user user@AD_DOMAIN.COM: 6 (Permission denied)

I can provide full logs if necessary to diagnose the above problem.
--
Additionally, I would like to be able to login as user not
user@AD_DOMAIN.COM
My understanding is that the only thing that I have to change to make this happen is
/etc/krb5.conf for line
[libdefaults] default_realm=AD_DOMAN.COM and then restarting ipa services.
However, when I do this I get failure to restart Samba service