>This probably means the user can’t be resolved at all, so the authentication 
>process doesn’t even make it to the PAM phase. Does ‘getent passwd 
>user@domainfqdn’ work?
Returns nothing.

>Are you testing on the IDM server itself or on one of the clients? I would 
>suggest to make the IDM server work first.
On the IDM server itself. I previously tested on a client but I’ve since done a 
complete reinstall of the OS and IPA server.

>Either way, you’ll want to enable the SSSD debug logs and take a look there.
The only thing that seems to stand out is an error of “Object SID [SID] has a 
RID that is larger than ldap_idmap_range_size”. But from a quick Google search 
that leads me to believe that’s a red herring. Otherwise I have a full debug 
log from when attempting to login with an AD user.

> Don’t use domain-local groups. Domain-local groups can only be assigned to a 
> cross-forest group membership by accident, IPA needs to be fixed to disallow 
> that.
Understood. I also tried mapping with a Global group but that returned an 
error; only using a Domain Local or Universal group seemed to work. But for some 
reason now attempting to re-add the group is returning a “trusted domain object 
not found” error. With a little testing it seems like the group member is only 
capable of being added if the AD group is set as a Domain Local; the previous 
error occurs if the group is a Global or Universal one. The forest level is 
Windows 2012, if that helps at all.

David Eddleman

From: FreeIPA User Group <freeipa-users@lists.fedorahosted.org>
Reply-To: FreeIPA User Group <freeipa-users@lists.fedorahosted.org>
Date: Wednesday, August 9, 2017 at 8:22 AM
To: FreeIPA User Group <freeipa-users@lists.fedorahosted.org>
Cc: Jakub Hrozek <jhro...@redhat.com>
Subject: [Freeipa-users] Re: Unable to login with AD users


On 8 Aug 2017, at 16:58, Eddleman, David via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:

Hello,

I have created a FreeIPA solution using Red Hat’s IDM product.
FreeIPA version: 4.5.0
OS version: RHEL 7.4

I have successfully installed the server portion and can authenticate to it 
using local IDM users, such as the ‘admin’ user. I have created a one-way trust 
between the IPA realm and an AD realm successfully, as `ipa trust-show` 
demonstrates, returning the SID of the domain. I have also created the local 
POSIX and external groups and mapped them. `ipa group-show <extgroupname>` 
returns the external member SID just fine.

However, I cannot authenticate in the server over SSH using one of those AD 
users. I’ve checked the HBAC rules and they are fine. One thing I noticed when 
monitoring the securelog when testing is that the IDM users make a call to 
pam_sss, as expected, but the AD users do not.

This probably means the user can’t be resolved at all, so the authentication 
process doesn’t even make it to the PAM phase. Does ‘getent passwd 
user@domainfqdn’ work?

Are you testing on the IDM server itself or on one of the clients? I would 
suggest to make the IDM server work first.

Either way, you’ll want to enable the SSSD debug logs and take a look there.


I have tried multiple ways of passing the user and all are rejected -- 
user@netbios, user@domainfqdn, netbios\user, and domainfqdn\user.

Either netbios\user or user@domainfqdn work, the others do not.


The user in question is in a single group in AD, and it has been tested with 
the group being both Domain Local and Universal with the same results. There is 
only one member of the group, the user that I am attempting login with.

Don’t use domain-local groups. Domain-local groups can only be assigned to a 
cross-forest group membership by accident; IPA needs to be fixed to disallow 
that.

Domain-local groups are just that, local to the domain they are defined in, and 
during login the membership in a domain-local group from a non-local domain is 
stripped from the PAC, which would remove the group membership of the user in that 
group during login.



Have I missed something?

David Eddleman

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


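The “Object SID [SID] has a RID that is larger than ldap_idmap_range_size” message from the SSSD debug log above is worth checking before dismissing it: a RID at or above the ID range size cannot be mapped to a UID, and an unmappable user is exactly one that `getent passwd user@domainfqdn` returns nothing for. The helper below is an added example, not code from the thread or from FreeIPA/SSSD; the SIDs, the log lines (format approximated) and the 200000 range size (the `ipa trust-add` default unless a different range was configured) are constructed placeholders, and the real range for a trusted domain is the one `ipa idrange-find` reports.

```shell
#!/bin/sh
# Added triage helper for the "RID larger than ldap_idmap_range_size" message.
# SSSD rejects a SID whose RID is >= the range size, so the user never gets a
# UID and NSS/PAM never see it. All values below are constructed placeholders.

# Print the RID of a SID (its last hyphen-separated component).
sid_rid() {
    printf '%s\n' "$1" | awk -F- '{print $NF}'
}

# Print "ok" when the RID fits below RANGE_SIZE, "too-large" otherwise.
check_sid() {
    rid=$(sid_rid "$1")
    if [ "$rid" -lt "$2" ]; then
        echo ok
    else
        echo too-large
    fi
}

# Print every SID that SSSD flagged in a debug log as exceeding the range.
scan_sssd_log() {
    sed -n 's/.*Object SID \[\([^]]*\)] has a RID that is larger than ldap_idmap_range_size.*/\1/p' "$1"
}

# Exit 0 when the user resolves through NSS (only meaningful on a host running SSSD).
resolves_user() {
    getent passwd "$1" >/dev/null 2>&1
}

# Write a constructed SSSD debug log (format approximated) to FILE: one flagged
# SID and one unrelated line that must not be picked up by the scanner.
write_sample_log() {
    cat >"$1" <<'EOF'
(Wed Aug  9 08:22:00 2017) [sssd[be[ipa.example.test]]] [sdap_idmap_sid_to_unix] (0x0040): Object SID [S-1-5-21-1111111111-2222222222-3333333333-250001] has a RID that is larger than ldap_idmap_range_size. See the "ID MAPPING" section of sssd-ad(5) for an explanation of how to fix this issue.
(Wed Aug  9 08:22:01 2017) [sssd[be[ipa.example.test]]] [sdap_idmap_sid_to_unix] (0x0400): Object SID [S-1-5-21-1111111111-2222222222-3333333333-1105] mapped within the configured range.
EOF
}

# Demo on the constructed log against a 200000 range size (placeholder default).
demo() {
    log=$(mktemp)
    write_sample_log "$log"
    scan_sssd_log "$log" | while read -r sid; do
        printf '%s rid=%s range=200000 -> %s\n' "$sid" "$(sid_rid "$sid")" "$(check_sid "$sid" 200000)"
    done
    rm -f "$log"
}
demo
```

On a real server, point `scan_sssd_log` at the domain log under /var/log/sssd/ and compare each flagged RID with the range `ipa idrange-find` shows for the trusted domain.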
