On Tue, 24 Dec 2019, Kevin Olbrich via FreeIPA-users wrote:
>Hi Alexander,
>Thanks for your input. Indeed, Debian still compiles against Heimdal.
>I've added both devel MLs for Debian, maybe someone can give some
>input on what's needed to get "freeipa-server-trust-ad" working.
>@Debian Team:
>If there is something I can test, please let me know!
>I know Sid is not for production but I would like to see FreeIPA in Bullseye.
>Ref.: https://packages.debian.org/en/sid/freeipa-server-trust-ad
Debian makes Samba AD DC available, that's priority over FreeIPA. Once
we get MIT Kerberos to support all required features for Samba AD DC,
I'm sure Debian will consider unifying their build too.
>Fedora 31:
>HAVE_LIBKADM5SRV_MIT
>SAMBA_USES_MITKDC
>Debian Sid:
>SAMBA4_USES_HEIMDAL
>I will try Fedora 31 / CentOS 8 then.
>Kind regards
>Kevin
>On Tue, 24 Dec 2019 at 08:57, Alexander Bokovoy
><[email protected]> wrote:
>On Tue, 24 Dec 2019, Kevin Olbrich via FreeIPA-users wrote:
>>Hi!
>>
>>This is my first FreeIPA setup that needs to be trusted against AD.
>>I spent some hours to debug my issue but I need some help:
>>
>>root@auth1 ~ # ipa trust-add --two-way=true --type=ad intra.example.com
>>--admin administrator --password
>>Active Directory domain administrator's password:
>>ipa: ERROR: CIFS server communication error: code "3221225581", message
>>"The attempted logon is invalid. This is either due to a bad username or
>>authentication information." (both may be "None")
>>
>>I've also tried "[email protected]" as well as another
>>administrative account with domain admin privileges.
>>The password is 100% fine and works for ldapadmin (windows tool) as well as
>>windows logons.
>>
>>DNS is also fine: I set up forwarding of "intra.example.com" from IPA to
>>the AD domain and reverse "auth.example.com" from AD to IPA.
>>
>>WORKS:
>>ldapsearch -H ldap://192.168.80.1:389 -x -W -D "
>>[email protected]" -b "dc=intra,dc=example,dc=com" -d8
>>
>>Environment: Debian Sid, FreeIPA 4.7.2
>>
>>Did I miss something? What am I doing wrong here?
>Do not use Debian/Ubuntu for IPA master with trust controller role.
>Samba in Debian/Ubuntu is built against Heimdal Kerberos implementation
>while 'ipasam' component of FreeIPA (a plugin to Samba) can only be
>compiled against MIT Kerberos. The two implementations cannot be mixed
>in the same address space when 'smbd' or 'winbindd' processes are
>operating, thus it is not possible to use IPA master with trust
>controller role on Debian/Ubuntu distributions right now.
>This might change when Samba upstream will fully switch to MIT Kerberos
>and Debian/Ubuntu would stop building against Heimdal, but this is not
>going to happen any time soon for technical reasons as there are few
>important fixes that need to be developed in both MIT Kerberos and
>Samba first. This work is ongoing and even though it all affects the
>configuration of Samba that FreeIPA is not using, distributions
>generally do not ship two different versions of Samba (each built
>against own Kerberos implementation), so the end result is that
>Debian/Ubuntu version of Samba is not suitable for FreeIPA integration.
>An older bug https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1552249
>was used to track it in Ubuntu but the actual work is happening in Samba
>and MIT Kerberos upstream, not downstream. Thus, you wouldn't get any
>move on Ubuntu or Debian side here.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
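A quick way to check, before attempting trust-add, which Kerberos implementation a host's Samba was built against, using the same define names Kevin pasted above. This is an added example, not code from the thread, FreeIPA or Samba. It assumes only that `smbd -b` prints Samba's build options (it does on Samba 4); the two sample outputs embedded in it are constructed with a simplified layout and were not captured from a real Fedora or Debian host.

```shell
#!/bin/sh
# Added example (not from the thread): classify a Samba build as MIT or
# Heimdal from its build-option output. Only an MIT build can load the
# ipasam plugin that the IPA trust controller role needs.

# Constructed sample resembling a Fedora 31 build (layout simplified).
SAMPLE_MIT='Build environment:
   Built by: example
Defines:
   HAVE_LIBKADM5SRV_MIT
   SAMBA_USES_MITKDC
   HAVE_KRB5_H'

# Constructed sample resembling a Debian sid build (layout simplified).
SAMPLE_HEIMDAL='Build environment:
   Built by: example
Defines:
   SAMBA4_USES_HEIMDAL
   HAVE_KRB5_H'

# samba_krb5_backend: read build options on stdin and print one of
# mit | heimdal | unknown. Whole-word matches (-w) so that a define that
# merely contains HEIMDAL or MIT as a substring is not counted.
samba_krb5_backend() {
    opts=$(cat)
    if printf '%s\n' "$opts" | grep -Eqw 'SAMBA4_USES_HEIMDAL'; then
        echo heimdal
    elif printf '%s\n' "$opts" | grep -Eqw 'SAMBA_USES_MITKDC|HAVE_LIBKADM5SRV_MIT'; then
        echo mit
    else
        echo unknown
    fi
}

# ipasam_supported: succeeds (exit 0) only for an MIT build; a Heimdal
# build cannot host ipasam, so trust-add is expected to fail there.
ipasam_supported() {
    [ "$(samba_krb5_backend)" = mit ]
}

# check_local_samba: classify the Samba installed on this host. smbd -b
# prints the build options of the installed smbd binary.
check_local_samba() {
    if command -v smbd >/dev/null 2>&1; then
        smbd -b | samba_krb5_backend
    else
        echo "smbd not installed" >&2
        return 1
    fi
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_MIT" | samba_krb5_backend       # mit
printf '%s\n' "$SAMPLE_HEIMDAL" | samba_krb5_backend   # heimdal
```

Run it on the IPA master you intend to make a trust controller and call check_local_samba; if the answer is heimdal, the failure mode described above applies regardless of the AD credentials or DNS setup.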