Hi,

Answers below. I found one thing that doesn't look correct: on another virtualised test system I can get a cifs ticket when I am admin on the IPA server; in this setup it only works if I get tickets from the AD domain manually first:
[root@ipaserver httpd]# kinit admin
Password for ad...@idm.test.net:
[root@ipaserver httpd]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ad...@idm.test.net

Valid starting       Expires              Service principal
12/01/2017 10:25:48  12/02/2017 10:25:39  krbtgt/idm.test....@idm.test.net
[root@ipaserver httpd]# kvno -S cifs adserver.ad2.test.net
kvno: Server krbtgt/ad2.test....@idm.test.net not found in Kerberos database while getting credentials for cifs/adserver.ad2.test....@ad2.test.net
[root@ipaserver httpd]# kinit adminu...@ad2.test.net
Password for adminu...@ad2.test.net:
Warning: Your password will expire in 5 days on Wed 06 Dec 2017 03:20:14 PM CET
[root@ipaserver httpd]# kvno -S cifs adserver.ad2.test.net
cifs/adserver.ad2.test....@ad2.test.net: kvno = 13

> On 27 Nov 2017, at 14:06, Jakub Hrozek via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> On Tue, Nov 21, 2017 at 01:55:31PM +0100, Henrik Stigendal via FreeIPA-users
> wrote:
>> Hello everyone,
>>
>> I'm new to this and am trying to set up a working trust against an AD
>> forest. I seem to have a working trust, but when I try to reference external
>> groups (or users) I get:
>>
>> # ipa group-add-member ad_users_external --external "AD2\Domain Users"
>> [member user]:
>> [member group]:
>>   Group name: ad_users_external
>>   Description: AD users external map
>>   Failed members:
>>     member user:
>>     member group: AD2\Domain Users: trusted domain object not found
>> -------------------------
>> Number of members added 0
>> -------------------------
>
> I think the lookup goes eventually from the ipa command line framework
> to SSSD, does lookup through the usual SSSD channels (getent passwd
> username@domain) work?

No, that does not work at all.

>>
>> I enabled some logging and last in the mail is the output from the
>> command above; any suggestions what could cause this? Current version of IPA
>> is 4.5.
>>
>> Regards
>> Henrik
>>
>> [Tue Nov 21 13:10:42.675713 2017] [:warn] [pid 38221] [client
>> 192.168.6.82:34714] failed to set perms (3140) on file
>> (/var/run/ipa/ccaches/ad...@idm.test.net)!, referer:
>> https://ipaserver.idm.test.net/ipa/xml
>> string_to_sid: SID AD2\Domain Users is not in a valid format
>
> btw did you try also a lookup of a name qualified with the full AD domain
> name (i.e. username@ad.domain instead of
> ad\\username)? I wonder if just
> the flatname is acting up..

I've tested both without luck.

>> lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
>> Processing section "[global]"
>> INFO: Current debug levels:
>>   all: 11
>>   tdb: 11
>>   printdrivers: 11
>>   lanman: 11
>>   smb: 11
>>   rpc_parse: 11
>>   rpc_srv: 11
>>   rpc_cli: 11
>>   passdb: 11
>>   sam: 11
>>   auth: 11
>>   winbind: 11
>>   vfs: 11
>>   idmap: 11
>>   quota: 11
>>   acls: 11
>>   locking: 11
>>   msdfs: 11
>>   dmapi: 11
>>   registry: 11
>>   scavenger: 11
>>   dns: 11
>>   ldb: 11
>>   tevent: 11
>> pm_process() returned Yes
>> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
>> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
>> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
>> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
>> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
>> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
>> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
>> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
>> finddcs: searching for a DC by DNS domain ad2.test.net
>> finddcs: looking for SRV records for _ldap._tcp.ad2.test.net
>> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.ad2.test.net<0x0>
>> getlmhostsent: lmhost entry: 127.0.0.1 localhost
>> ads_dns_lookup_srv: 2 records returned in the answer section.
>> ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
>> ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
>> Addrs = 192.168.5.158@389/adserver,192.168.5.104@389/adserver
>> finddcs: DNS SRV response 0 at '192.168.5.158'
>> finddcs: DNS SRV response 1 at '192.168.5.104'
>> finddcs: performing CLDAP query on 192.168.5.158
>> &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
>>     command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
>>     sbz                      : 0x0000 (0)
>>     server_type              : 0x0001f1fc (127484)
>>            0: NBT_SERVER_PDC
>>            1: NBT_SERVER_GC
>>            1: NBT_SERVER_LDAP
>>            1: NBT_SERVER_DS
>>            1: NBT_SERVER_KDC
>>            1: NBT_SERVER_TIMESERV
>>            1: NBT_SERVER_CLOSEST
>>            1: NBT_SERVER_WRITABLE
>>            0: NBT_SERVER_GOOD_TIMESERV
>>            0: NBT_SERVER_NDNC
>>            0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
>>            1: NBT_SERVER_FULL_SECRET_DOMAIN_6
>>            1: NBT_SERVER_ADS_WEB_SERVICE
>>            1: NBT_SERVER_DS_8
>>            0: NBT_SERVER_HAS_DNS_NAME
>>            0: NBT_SERVER_IS_DEFAULT_NC
>>            0: NBT_SERVER_FOREST_ROOT
>>     domain_uuid              : 63c3a477-85f9-5f01-96e8-2597a5c48978
>>     forest                   : 'ad2.test.net'
>>     dns_domain               : 'ad2.test.net'
>>     pdc_dns_name             : 'adserver.ad2.test.net'
>>     domain_name              : 'AD2'
>>     pdc_name                 : 'adserver'
>>     user_name                : ''
>>     server_site              : 'AS001'
>>     client_site              : 'AS002'
>>     sockaddr_size            : 0x00 (0)
>>     sockaddr: struct nbt_sockaddr
>>         sockaddr_family      : 0x00000000 (0)
>>         pdc_ip               : (null)
>>         remaining            : DATA_BLOB length=0
>>     next_closest_site        : NULL
>>     nt_version               : 0x00000005 (5)
>>            1: NETLOGON_NT_VERSION_1
>>            0: NETLOGON_NT_VERSION_5
>>            1: NETLOGON_NT_VERSION_5EX
>>            0: NETLOGON_NT_VERSION_5EX_WITH_IP
>>            0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
>>            0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
>>            0: NETLOGON_NT_VERSION_PDC
>>            0: NETLOGON_NT_VERSION_IP
>>            0: NETLOGON_NT_VERSION_LOCAL
>>            0: NETLOGON_NT_VERSION_GC
>>     lmnt_token               : 0xffff (65535)
>>     lm20_token               : 0xffff (65535)
>> finddcs: Found matching DC 192.168.5.158 with server_type=0x0001f1fc
>> [Tue Nov 21 13:10:42.740320 2017] [:error] [pid 26496] ipa: INFO:
>> [jsonserver_session] ad...@idm.test.net:
>> group_add_member/1(u'ad_users_external', ipaexternalmember=(u'AD2\\\\Domain
>> Users',), version=u'2.228'): SUCCESS
>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
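The kvno failure quoted at the top of the message ("Server krbtgt/... not found in Kerberos database") is the IPA KDC answering a cross-realm TGS request and reporting that it holds no krbtgt/AD2.TEST.NET@IDM.TEST.NET principal, the entry a working trust provides; that is why a kinit straight into ad2.test.net works while the IPA-realm TGT does not. The script below is an added example, not code from this thread or from FreeIPA. It derives that expected principal, classifies kvno output into a short verdict, and, when asked, runs the checks touched on in the thread (SRV discovery as finddcs does it, the IPA trust object, kvno, and the getent lookup Jakub asked about) in one pass. All names are placeholders taken from the thread; realm names are assumed to be the upper-cased DNS domains (the archive shows them lower-cased and truncated), and `someuser` is a hypothetical AD account.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): separate a missing
# cross-realm TGT from DNS or connectivity problems when `kvno -S cifs`
# fails on an IPA server that holds only an IPA-realm TGT.
# Assumed placeholders: IPA realm IDM.TEST.NET, AD domain ad2.test.net,
# AD host adserver.ad2.test.net, AD user "someuser".

# The principal the IPA KDC must hold before it can hand a client with an
# IPA-realm TGT a cross-realm TGT for the AD realm.
cross_realm_principal() {
    ipa_realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    ad_realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf 'krbtgt/%s@%s\n' "$ad_realm" "$ipa_realm"
}

# Map kvno output (success line or MIT Kerberos error text) to a verdict.
classify_kvno_output() {
    case "$1" in
        *"Server krbtgt/"*"not found in Kerberos database"*)
            # The IPA KDC answered but found no krbtgt/AD@IPA entry, so it
            # cannot issue a cross-realm referral: the trust side is broken.
            echo missing-cross-realm-tgt ;;
        *"Cannot find KDC for realm"*|*"Cannot resolve network address for KDC"*)
            echo kdc-unreachable ;;
        *"Clock skew too great"*)
            echo clock-skew ;;
        *": kvno = "*)
            echo ok ;;
        *)
            echo unknown ;;
    esac
}

# Live walk-through, run only on request: it needs the IPA, Kerberos and DNS
# client tools and a ticket for an IPA admin (for ipa trust-show).
diagnose_trust() {
    ad_domain=$1; ad_host=$2; ad_user=$3
    echo "== SRV records the trust code resolves (finddcs in the debug log)"
    dig +short SRV "_ldap._tcp.$ad_domain" || true
    echo "== trust object as IPA sees it"
    ipa trust-show "$ad_domain" || echo "no trust object for $ad_domain"
    ipa trustdomain-find "$ad_domain" || true
    echo "== cross-realm service ticket using the current (IPA) TGT"
    echo "expecting the KDC to hold: $(cross_realm_principal "$(klist 2>/dev/null | sed -n 's/^Default principal: .*@//p')" "$ad_domain")"
    out=$(kvno -S cifs "$ad_host" 2>&1) || true
    printf '%s\n-> %s\n' "$out" "$(classify_kvno_output "$out")"
    echo "== SSSD user lookup"
    getent passwd "$ad_user@$ad_domain" || echo "getent: no such user via SSSD"
}

if [ "${1:-}" = "--live" ]; then
    diagnose_trust "${2:-ad2.test.net}" "${3:-adserver.ad2.test.net}" "${4:-someuser}"
fi
```

Run it as `sh check_trust.sh --live ad2.test.net adserver.ad2.test.net someuser` (the file name is hypothetical) after `kinit admin` on the IPA server; the interesting case is the SRV and trust-object checks succeeding while kvno still reports missing-cross-realm-tgt, which points at the Kerberos side of the trust rather than at DNS or the DC.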