Hi, I'm new here, so I hope I'm asking the question in the correct way. We are trying to use IPA to replace our NIS and it works great; now we also enabled integration with our AD and I have some questions regarding it. The structure of the AD domain is like the following: exmaple.com, a.exmaple.com, b.exmaple.com, etc., but all users' UPN is only exmaple.com. sAMAccountName and UPN are not the same, so a user can be [email protected] but its sAMAccountName will be 1234 or something else.
We created a one-way forest trust with IPA and sAMAccountName works for all users from all subdomains, but when I'm trying to use UPN it works only for the root domain. When I'm trying to authenticate with a user from the a.exmaple.com domain whose UPN is exmaple.com ([email protected]), it succeeds in understanding who the user is but fails to authenticate: PAM tries to perform authentication with the wrong domain, it goes to the exmaple.com domain instead of a.exmaple.com. The bottom line: the user search is performed with a multi-domain search and succeeds, but authentication goes to the wrong domain and fails. Can you assist with this? Can it work?

Error message:

(2024-11-14 14:03:13): [pam] [sss_domain_get_state] (0x1000): [CID#6] Domain example.com is Active
(2024-11-14 14:03:13): [pam] [cache_req_search_cache] (0x0400): [CID#6] CR #11: Looking up [[email protected]] in cache
(2024-11-14 14:03:13): [pam] [cache_req_search_cache] (0x0400): [CID#6] CR #11: Object [[email protected]] was not found in cache
(2024-11-14 14:03:13): [pam] [cache_req_search_ncache_add_to_domain] (0x0400): [CID#6] CR #11: Adding [[email protected]] to negative cache
(2024-11-14 14:03:13): [pam] [sss_ncache_set_str] (0x0400): [CID#6] Adding [NCE/USER/example.com/[email protected]] to negative cache
(2024-11-14 14:03:13): [pam] [cache_req_set_plugin] (0x2000): [CID#6] CR #11: Setting "Initgroups by UPN" plugin
(2024-11-14 14:03:13): [pam] [cache_req_set_name] (0x0400): [CID#6] CR #11: Setting name [[email protected]]
(2024-11-14 14:03:13): [pam] [cache_req_assume_upn] (0x0400): [CID#6] CR #11: Assuming UPN [[email protected]]
(2024-11-14 14:03:13): [pam] [cache_req_select_domains] (0x0400): [CID#6] CR #11: Performing a multi-domain search
(2024-11-14 14:03:13): [pam] [cache_req_search_domains] (0x0400): [CID#6] CR #11: Search will bypass the cache and check the data provider
(2024-11-14 14:03:13): [pam] [cache_req_validate_domain_type] (0x2000): [CID#6] Request type POSIX-only for domain a.example.com type POSIX is valid
(2024-11-14 14:03:13): [pam] [cache_req_set_domain] (0x0400): [CID#6] CR #11: Using domain [a.example.com]
(2024-11-14 14:03:13): [pam] [cache_req_prepare_domain_data] (0x0400): [CID#6] CR #11: Preparing input data for domain [a.example.com] rules
(2024-11-14 14:03:13): [pam] [cache_req_search_send] (0x0400): [CID#6] CR #11: Looking up [email protected]
(2024-11-14 14:03:13): [pam] [cache_req_search_ncache] (0x0400): [CID#6] CR #11: Checking negative cache for [[email protected]]
(2024-11-14 14:03:13): [pam] [sss_ncache_check_str] (0x2000): [CID#6] Checking negative cache for [NCE/USER/a.example.com/@[email protected]]
(2024-11-14 14:03:13): [pam] [cache_req_search_ncache] (0x0400): [CID#6] CR #11: [[email protected]] is not present in negative cache
(2024-11-14 14:03:13): [pam] [cache_req_search_dp] (0x0400): [CID#6] CR #11: Looking up [[email protected]] in data provider
(2024-11-14 14:03:13): [pam] [sss_dp_get_account_send] (0x0400): [CID#6] Creating request for [a.example.com][0x3][BE_REQ_INITGROUPS][[email protected]:U]
(2024-11-14 14:03:13): [pam] [sbus_dispatch] (0x4000): Dispatching.
(2024-11-14 14:03:13): [pam] [sss_domain_get_state] (0x1000): [CID#6] Domain a.example.com is Active
(2024-11-14 14:03:13): [pam] [cache_req_search_cache] (0x0400): [CID#6] CR #11: Looking up [[email protected]] in cache
(2024-11-14 14:03:13): [pam] [cache_req_search_ncache_filter] (0x0400): [CID#6] CR #11: This request type does not support filtering result by negative cache
(2024-11-14 14:03:13): [pam] [cache_req_search_done] (0x0400): [CID#6] CR #11: Returning updated object [[email protected]]
(2024-11-14 14:03:13): [pam] [cache_req_create_and_add_result] (0x0400): [CID#6] CR #11: Found 3 entries in domain a.example.com
(2024-11-14 14:03:13): [pam] [cache_req_done] (0x0400): [CID#6] CR #11: Finished: Success
(2024-11-14 14:03:13): [pam] [pd_set_primary_name] (0x0400): [CID#6] User's primary name is [email protected]
(2024-11-14 14:03:13): [pam] [pam_initgr_check_timeout] (0x4000): [CID#6] User [[email protected]] not found in PAM cache.
(2024-11-14 14:03:13): [pam] [pam_initgr_cache_set] (0x2000): [CID#6] [[email protected]] added to PAM initgroup cache
(2024-11-14 14:03:13): [pam] [pam_dp_send_req] (0x0100): [CID#6] Sending request with the following data:
(2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] command: SSS_PAM_AUTHENTICATE
(2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] domain: exmaple.com
(2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] user: [email protected]
(2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] service: sshd
(2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] tty: ssh
(2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] ruser: not set
(2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] rhost: 192.168.1.15
(2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] authtok type: 1 (Password)
(2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] newauthtok type: 0 (No authentication token available)
(2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] priv: 1
(2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] cli_pid: 8350
(2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] logon name: [email protected]
(2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] flags: 1
(2024-11-14 14:03:13): [pam] [pam_dom_forwarder] (0x0100): [CID#6] pam_dp_send_req returned 0
(2024-11-14 14:03:13): [pam] [sbus_dispatch] (0x4000): Dispatching.
(2024-11-14 14:03:13): [pam] [pam_dp_send_req_done] (0x0200): [CID#6] received: [4 (System error)][exmaple.com]
(2024-11-14 14:03:13): [pam] [pam_reply] (0x4000): [CID#6] pam_reply initially called with result [4]: System error. this result might be changed during processing
(2024-11-14 14:03:13): [pam] [pam_reply] (0x0200): [CID#6] blen: 30
(2024-11-14 14:03:13): [pam] [pam_reply] (0x0200): [CID#6] Returning [4]: System error to the client
(2024-11-14 14:03:16): [pam] [client_recv] (0x0200): [CID#6] Client disconnected!
(2024-11-14 14:03:16): [pam] [client_close_fn] (0x2000): Terminated client [0x5bcfb8a297c0][19]
(2024-11-14 14:03:18): [pam] [pam_initgr_cache_remove] (0x2000): [CID#6] [[email protected]] removed from PAM initgroup cache

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
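One way to spot this pattern in sssd_pam.log automatically, as an added example that is not part of the original post or of SSSD itself: the parser below groups lines by CID#, records the domain chosen by cache_req_set_domain and the domain in the forwarded SSS_PAM_AUTHENTICATE request, and flags requests where the two differ. The sample log is constructed in the format of the post's log; the user jdoe and CID#7 are made up.

```python
import re
from collections import defaultdict

# Shape of an sssd_pam.log line: (timestamp): [pam] [function] (0xlevel): [CID#n] message
LINE_RE = re.compile(r"^\([^)]+\): \[pam\] \[(\w+)\] \(0x[0-9a-fA-F]+\): \[CID#(\d+)\] (.*)$")
USING_RE = re.compile(r"Using domain \[([^\]]+)\]")
PRINT_RE = re.compile(r"(command|domain|user): (.*)")
RECV_RE = re.compile(r"received: \[(\d+) \([^)]*\)\]\[([^\]]+)\]")

def parse_pam_log(lines):
    """Per client request (CID#): the domain the user lookup settled on, the
    fields of the forwarded PAM request, and the back end's answer."""
    reqs = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:  # lines without a CID (e.g. sbus_dispatch) belong to no request
            continue
        func, cid, msg = m.groups()
        r = reqs[cid]
        if func == "cache_req_set_domain" and (u := USING_RE.search(msg)):
            r["lookup_domain"] = u.group(1)  # last domain tried by the search wins
        elif func == "pam_print_data" and (p := PRINT_RE.match(msg)):
            r[p.group(1)] = p.group(2)
        elif func == "pam_dp_send_req_done" and (v := RECV_RE.search(msg)):
            r["result_code"], r["result_domain"] = int(v.group(1)), v.group(2)
    return dict(reqs)

def find_domain_mismatches(lines):
    """CIDs whose SSS_PAM_AUTHENTICATE went to a different domain than the lookup
    resolved: list of (cid, lookup_domain, auth_domain, result_code)."""
    hits = []
    for cid, r in parse_pam_log(lines).items():
        if r.get("command") != "SSS_PAM_AUTHENTICATE" or "lookup_domain" not in r:
            continue
        if r.get("domain") != r["lookup_domain"]:
            hits.append((cid, r["lookup_domain"], r.get("domain"), r.get("result_code")))
    return hits

# Constructed sample in the format of the post's log (not the poster's real data).
SAMPLE_LOG = """\
(2024-11-14 14:03:13): [pam] [cache_req_set_domain] (0x0400): [CID#6] CR #11: Using domain [a.example.com]
(2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] command: SSS_PAM_AUTHENTICATE
(2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] domain: example.com
(2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] user: jdoe@example.com
(2024-11-14 14:03:13): [pam] [sbus_dispatch] (0x4000): Dispatching.
(2024-11-14 14:03:13): [pam] [pam_dp_send_req_done] (0x0200): [CID#6] received: [4 (System error)][example.com]
(2024-11-14 14:05:01): [pam] [cache_req_set_domain] (0x0400): [CID#7] CR #12: Using domain [example.com]
(2024-11-14 14:05:01): [pam] [pam_print_data] (0x0100): [CID#7] command: SSS_PAM_AUTHENTICATE
(2024-11-14 14:05:01): [pam] [pam_print_data] (0x0100): [CID#7] domain: example.com
(2024-11-14 14:05:01): [pam] [pam_dp_send_req_done] (0x0200): [CID#7] received: [0 (Success)][example.com]
"""
```

Running `find_domain_mismatches(SAMPLE_LOG.splitlines())` on the sample reports CID#6 (looked up in a.example.com, authenticated against example.com, result 4) and nothing for CID#7.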
