On Tue, Aug 16, 2016 at 02:28:50PM +0200, rajat gupta wrote:
> Hi,
> 
> 
> I have done IPA AD trust between IPA and AD server. But trust is showing
> offline always. But we are able to get the AD user information. And able to
> grant the  KRB ticket.
> 
> 
> 
> # wbinfo --online-status
> BUILTIN : online
> IPA : online
> *CORP : offline*
> 
> 
> #id adu...@corp.addomain.com
> uid=1007656917(adu...@corp.addomain.com) gid=1007656917(
> adu...@corp.addomain.com) groups=1007656917(adu...@corp.addomain.com
> ),1007715891(prg-msoffice2013pro(kms)@corp.addomain.com),1007663829(
> da-eeg-intra-r...@corp.addomain.com),1007600513(domain
> us...@corp.addomain.com)
> 
> 
> [root@ilt-gif-ipa01 ~]# kinit  adu...@corp.addomain.com
> Password for adu...@corp.addomain.com:
> [root@ilt-gif-ipa01 ~]#
> [root@ilt-gif-ipa01 ~]#
> [root@ilt-gif-ipa01 ~]# klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: adu...@corp.addomain.com
> 
> Valid starting       Expires              Service principal
> 08/11/2016 13:11:35  08/11/2016 23:11:35  krbtgt/
> corp.addomain....@corp.addomain.com
>         renew until 08/12/2016 13:11:29
> [root@ilt-gif-ipa01 ~]#
> 
> 
> 
> Form IPA client server we are able to get the all thinks ( KRB ticket/
> user/groups )
> 
> [root@ilt-gif-ipa02 ~]# getent passwd adu...@corp.addomain.com
> adu...@corp.addomain.com:*:1007656917:1007656917:USER  NAME:/home/
> corp.addomain.com/aduser:
> [root@ilt-gif-ipa02 ~]#
> 
> 
> [root@ilt-gif-ipa02 ~]# getent group adu...@corp.addomain.com
> adu...@corp.addomain.com:*:1007656917:
> [root@ilt-gif-ipa02 ~]#
> 
> 
> [root@ilt-gif-ipa02 ~]# id adu...@corp.addomain.com
> uid=1007656917(adu...@corp.addomain.com) gid=1007656917(
> adu...@corp.addomain.com) groups=1007656917(adu...@corp.addomain.com
> ),1007715891(prg-msoffice2013pro(kms)@corp.addomain.com),1007663829(
> da-eeg-intra-r...@corp.addomain.com),1007600513(domain
> us...@corp.addomain.com),1007725088(tfs_us...@corp.addomain.com)
> 
> 
> Also we are to ssh  to IPA client on same machine or from some other
> machine with gss authentication. But using password authentication it’s
> failed to login.
> 
> *ERROR:- pam_sss(sshd:auth): authentication failure; logname*
> 
> 
> kinit adu...@corp.addomain.com
> Password for adu...@corp.addomain.com:
> 
> 
> 
> [root@ilt-gif-ipa02 ~]# ssh -vl adu...@corp.addomain.com
> ilt-gif-ipa02.ipa.preprod.local
> OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 60: Applying options for *
> debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p
> 22 ilt-gif-ipa02.ipa.preprod.local
> debug1: permanently_set_uid: 0/0
> debug1: permanently_drop_suid: 0
> debug1: identity file /root/.ssh/id_rsa type -1
> debug1: identity file /root/.ssh/id_rsa-cert type -1
> debug1: identity file /root/.ssh/id_dsa type -1
> debug1: identity file /root/.ssh/id_dsa-cert type -1
> debug1: identity file /root/.ssh/id_ecdsa type -1
> debug1: identity file /root/.ssh/id_ecdsa-cert type -1
> debug1: identity file /root/.ssh/id_ed25519 type -1
> debug1: identity file /root/.ssh/id_ed25519-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.6.1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
> debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5-...@openssh.com none
> debug1: kex: client->server aes128-ctr hmac-md5-...@openssh.com none
> debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
> debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: ECDSA
> f0:e6:b2:66:c8:41:06:4e:83:a4:a2:c5:5a:57:24:66
> debug1: Host 'ilt-gif-ipa02.ipa.preprod.local' is known and matches the
> ECDSA host key.
> debug1: Found key in /root/.ssh/known_hosts:3
> debug1: ssh_ecdsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug1: Next authentication method: gssapi-with-mic
> *debug1: Authentication succeeded (gssapi-with-mic).*
> Authenticated to ilt-gif-ipa02.ipa.preprod.local (via proxy).
> debug1: channel 0: new [client-session]
> debug1: Requesting no-more-sessi...@openssh.com
> debug1: Entering interactive session.
> debug1: Sending environment.
> debug1: Sending env LANG = en_US.UTF-8
> Last login: Thu Aug 11 13:17:05 2016 from ilt-gif-ipa02.ipa.preprod.local
> 
> RHN kickstart on 2014-10-16
> 
> -sh-4.2$ pwd
> /home/corp.addomain.com/aduser
> -sh-4.2$ who am i
> adu...@corp.addomain.com pts/3        2016-08-11 13:19
> (ilt-gif-ipa02.ipa.preprod.local)
> -sh-4.2$
> 
> 
> 
> ]# ssh  adu...@corp.addomain.com@ilt-gif-ipa02.ipa.preprod.local
> e600...@corp.corpcommon.com@ilt-gif-ipa02.ipa.preprod.local's password:
> Permission denied, please try again.
> e600...@corp.corpcommon.com@ilt-gif-ipa02.ipa.preprod.local's password:
> 
> 
> Can you please help me i am not able to login with AD user
> password authentication.

This is the devel list, you're probably looking for the freeipa-users
list:
    http://www.redhat.com/mailman/listinfo/freeipa-users
and the best place to start debugging is:
    https://fedorahosted.org/sssd/wiki/Troubleshooting

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to