On Thu, Nov 14, 2024 at 12:35:06PM -0000, chagai nota via FreeIPA-users wrote:
> Hi
> I'm new here; I hope I'm asking the question in the correct way.
> 
> We are trying to use IPA to replace our NIS and it works great. Now we also 
> enabled integration with our AD and I have some questions regarding it.
> The structure of the AD domain is as follows: exmaple.com, a.exmaple.com, 
> b.exmaple.com, etc., but all users' UPNs are only exmaple.com.
> samaccountname and UPN are not the same,
> so a user can be [email protected] but their samaccountname will be 1234 or 
> something else.
> 
> We created a one-way forest trust with IPA and samaccountname works for all 
> users from all subdomains, but when I'm trying to use the UPN it works only for 
> the root domain.
> When I'm trying to authenticate with a user from the a.exmaple.com domain whose 
> UPN is exmaple.com ([email protected]), it succeeds in understanding who the 
> user is, but fails to authenticate; PAM tries to perform authentication with the 
> wrong domain: it goes to the exmaple.com domain instead of a.exmaple.com.
> 
> The bottom line:
> the user search is performed with a multi-domain search and succeeds, but 
> authentication goes to the wrong domain and fails.
> 
> Can you assist with this? Can it work?

Hi,

krb5_child.log and the backend logs would be useful as well.

A typical issue in this area is that SSSD fails to detect that the IPA
server supports enterprise principals, so please try to add

    krb5_use_enterprise_principal = True

manually to the [domain/...] section of sssd.conf, restart SSSD and try
again.

HTH

bye,
Sumit

> 
> error message:
> (2024-11-14 14:03:13): [pam] [sss_domain_get_state] (0x1000): [CID#6] Domain 
> example.com is Active
> (2024-11-14 14:03:13): [pam] [cache_req_search_cache] (0x0400): [CID#6] CR 
> #11: Looking up [[email protected]] in cache
> (2024-11-14 14:03:13): [pam] [cache_req_search_cache] (0x0400): [CID#6] CR 
> #11: Object [[email protected]] was not found in cache
> (2024-11-14 14:03:13): [pam] [cache_req_search_ncache_add_to_domain] 
> (0x0400): [CID#6] CR #11: Adding [[email protected]] to negative cache
> (2024-11-14 14:03:13): [pam] [sss_ncache_set_str] (0x0400): [CID#6] Adding 
> [NCE/USER/example.com/[email protected]] to negative cache
> (2024-11-14 14:03:13): [pam] [cache_req_set_plugin] (0x2000): [CID#6] CR #11: 
> Setting "Initgroups by UPN" plugin
> (2024-11-14 14:03:13): [pam] [cache_req_set_name] (0x0400): [CID#6] CR #11: 
> Setting name [[email protected]]
> (2024-11-14 14:03:13): [pam] [cache_req_assume_upn] (0x0400): [CID#6] CR #11: 
> Assuming UPN [[email protected]]
> (2024-11-14 14:03:13): [pam] [cache_req_select_domains] (0x0400): [CID#6] CR 
> #11: Performing a multi-domain search
> (2024-11-14 14:03:13): [pam] [cache_req_search_domains] (0x0400): [CID#6] CR 
> #11: Search will bypass the cache and check the data provider
> (2024-11-14 14:03:13): [pam] [cache_req_validate_domain_type] (0x2000): 
> [CID#6] Request type POSIX-only for domain a.example.com type POSIX is valid
> (2024-11-14 14:03:13): [pam] [cache_req_set_domain] (0x0400): [CID#6] CR #11: 
> Using domain [a.example.com]
> (2024-11-14 14:03:13): [pam] [cache_req_prepare_domain_data] (0x0400): 
> [CID#6] CR #11: Preparing input data for domain [a.example.com] rules
> (2024-11-14 14:03:13): [pam] [cache_req_search_send] (0x0400): [CID#6] CR 
> #11: Looking up [email protected]
> (2024-11-14 14:03:13): [pam] [cache_req_search_ncache] (0x0400): [CID#6] CR 
> #11: Checking negative cache for [[email protected]]
> (2024-11-14 14:03:13): [pam] [sss_ncache_check_str] (0x2000): [CID#6] 
> Checking negative cache for [NCE/USER/a.example.com/@[email protected]]
> (2024-11-14 14:03:13): [pam] [cache_req_search_ncache] (0x0400): [CID#6] CR 
> #11: [[email protected]] is not present in negative cache
> (2024-11-14 14:03:13): [pam] [cache_req_search_dp] (0x0400): [CID#6] CR #11: 
> Looking up [[email protected]] in data provider
> (2024-11-14 14:03:13): [pam] [sss_dp_get_account_send] (0x0400): [CID#6] 
> Creating request for 
> [a.example.com][0x3][BE_REQ_INITGROUPS][[email protected]:U]
> (2024-11-14 14:03:13): [pam] [sbus_dispatch] (0x4000): Dispatching.
> (2024-11-14 14:03:13): [pam] [sss_domain_get_state] (0x1000): [CID#6] Domain 
> a.example.com is Active
> (2024-11-14 14:03:13): [pam] [cache_req_search_cache] (0x0400): [CID#6] CR 
> #11: Looking up [[email protected]] in cache
> (2024-11-14 14:03:13): [pam] [cache_req_search_ncache_filter] (0x0400): 
> [CID#6] CR #11: This request type does not support filtering result by 
> negative cache
> (2024-11-14 14:03:13): [pam] [cache_req_search_done] (0x0400): [CID#6] CR 
> #11: Returning updated object [[email protected]]
> (2024-11-14 14:03:13): [pam] [cache_req_create_and_add_result] (0x0400): 
> [CID#6] CR #11: Found 3 entries in domain a.example.com
> (2024-11-14 14:03:13): [pam] [cache_req_done] (0x0400): [CID#6] CR #11: 
> Finished: Success
> (2024-11-14 14:03:13): [pam] [pd_set_primary_name] (0x0400): [CID#6] User's 
> primary name is [email protected]
> (2024-11-14 14:03:13): [pam] [pam_initgr_check_timeout] (0x4000): [CID#6] 
> User [[email protected]] not found in PAM cache.
> (2024-11-14 14:03:13): [pam] [pam_initgr_cache_set] (0x2000): [CID#6] 
> [[email protected]] added to PAM initgroup cache
> (2024-11-14 14:03:13): [pam] [pam_dp_send_req] (0x0100): [CID#6] Sending 
> request with the following data:
> (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] command: 
> SSS_PAM_AUTHENTICATE
> (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] domain: 
> exmaple.com
> (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] user: 
> [email protected]
> (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] service: sshd
> (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] tty: ssh
> (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] ruser: not set
> (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] rhost: 
> 192.168.1.15
> (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] authtok type: 
> 1 (Password)
> (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] newauthtok 
> type: 0 (No authentication token available)
> (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] priv: 1
> (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] cli_pid: 8350
> (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] logon name: 
> [email protected]
> (2024-11-14 14:03:13): [pam] [pam_print_data] (0x0100): [CID#6] flags: 1
> (2024-11-14 14:03:13): [pam] [pam_dom_forwarder] (0x0100): [CID#6] 
> pam_dp_send_req returned 0
> (2024-11-14 14:03:13): [pam] [sbus_dispatch] (0x4000): Dispatching.
> (2024-11-14 14:03:13): [pam] [pam_dp_send_req_done] (0x0200): [CID#6] 
> received: [4 (System error)][exmaple.com]
> (2024-11-14 14:03:13): [pam] [pam_reply] (0x4000): [CID#6] pam_reply 
> initially called with result [4]: System error. this result might be changed 
> during processing
> (2024-11-14 14:03:13): [pam] [pam_reply] (0x0200): [CID#6] blen: 30
> (2024-11-14 14:03:13): [pam] [pam_reply] (0x0200): [CID#6] Returning [4]: 
> System error to the client
> (2024-11-14 14:03:16): [pam] [client_recv] (0x0200): [CID#6] Client 
> disconnected!
> (2024-11-14 14:03:16): [pam] [client_close_fn] (0x2000): Terminated client 
> [0x5bcfb8a297c0][19]
> (2024-11-14 14:03:18): [pam] [pam_initgr_cache_remove] (0x2000): [CID#6] 
> [[email protected]] removed from PAM initgroup cache
> -- 
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue

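As an added example, not from this thread and not part of SSSD's own tooling, the following Python script checks an sssd.conf for the option Sumit suggests and adds it to every [domain/...] section that lacks it, preserving comments and ordering. It generalizes the advice slightly by treating all domain sections rather than one. The sample configuration is constructed, with placeholder domain and server names, and the script assumes the standard INI layout of sssd.conf. An option that is present but set to a false value counts as needing the fix, and a value placed in [sssd] rather than the domain section does not count, because krb5_use_enterprise_principal is a per-domain option.

```python
"""Check and patch sssd.conf for krb5_use_enterprise_principal.

Constructed example; not code from the mailing-list thread or from SSSD.
Assumes the usual INI layout of sssd.conf with [domain/<name>] sections.
"""
import configparser

# Constructed sample sssd.conf, modelled on an IPA client with an AD trust.
# The domain name and server name are placeholders.
SAMPLE_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa.example.com
# no krb5_use_enterprise_principal here: SSSD has to autodetect support
"""

OPTION = "krb5_use_enterprise_principal"
TRUE_VALUES = {"true", "yes", "1", "on"}


def load_conf(text):
    """Parse sssd.conf text, keeping option names case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def domains_missing_enterprise_principal(text):
    """Return the [domain/...] section names where the option is not enabled.

    Only the domain section itself is consulted; a value in [sssd] does not
    apply. An option that is present but false is reported as missing.
    """
    cp = load_conf(text)
    missing = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        value = cp.get(section, OPTION, fallback="").strip().lower()
        if value not in TRUE_VALUES:
            missing.append(section)
    return missing


def enable_enterprise_principal(text):
    """Return config text with the option set to True in every domain section.

    Works line by line so comments and ordering are preserved: an existing
    setting (e.g. False) is replaced in place, a missing one is appended to
    the end of its section. Running it twice yields the same text.
    """
    lines = text.splitlines()
    out = []
    section = None
    done = set()

    def close_section():
        # Append the option to a domain section that ends without it.
        if section and section.startswith("domain/") and section not in done:
            while out and out[-1].strip() == "":
                out.pop()
            out.append(f"{OPTION} = True")
            done.add(section)

    for line in lines:
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            close_section()
            if out and out[-1].strip() != "":
                out.append("")
            section = stripped[1:-1]
            out.append(line)
            continue
        if stripped.startswith(("#", ";")):
            out.append(line)  # comments pass through untouched
            continue
        key = stripped.split("=", 1)[0].strip() if "=" in stripped else None
        if section and section.startswith("domain/") and key == OPTION:
            out.append(f"{OPTION} = True")  # replace whatever value was there
            done.add(section)
            continue
        out.append(line)
    close_section()
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("Sections needing the option:", domains_missing_enterprise_principal(SAMPLE_CONF))
    print(enable_enterprise_principal(SAMPLE_CONF))
```

Run it against a copy of /etc/sssd/sssd.conf, review the diff before writing it back, then restart SSSD as suggested above. SSSD requires sssd.conf to be owned by root with mode 0600, so the check itself has to run as root to read the live file.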