I have seen threads opened on trust issues: "AD - Freeipa trust confusion", "Cross domain trust", "Cannot login via SSH with AD user TO IPA Domain" (which I opened).

It looks like after creation of the trust a TGT can be issued from AD, but "su" and "ssh" do not allow a login with an AD user. I'm not sure if a conclusion has been reached on this subject. I gave it a try again and attempted to create a trust with IPA as a DNS subdomain of AD. I followed: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html

AD domain: ADEXAMPLE.COM
IPA subdomain: LINUX.ADEXAMPLE.COM

When I finished the necessary steps I attempted to retrieve a TGT from AD (while logged in to the IPA server):

    [root@ipaserver1 sbin]# kinit administra...@adexample.com
    Password for administra...@adexample.com:
    [root@ipaserver1 sbin]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administra...@adexample.com
    Valid starting     Expires            Service principal
    02/14/14 07:50:21  02/14/14 17:50:20  krbtgt/adexample....@adexample.com
            renew until 02/15/14 07:50:21

But logging in by "ssh" and "su" ended in failure:

    login as: administra...@adexample.com
    administra...@addc.com@192.168.227.201's password:
    Access denied

After reading http://www.freeipa.org/page/IPAv3_testing_AD_trust#Create_a_trust_to_an_AD_domain I did the following on the AD server:

    Administrative Tools -> Active Directory Domains and Trust -> adexample.com (right click) -> Properties -> Trust -> Domain Trusted by this domain (outgoing trust) -> Properties -> General -> Validate

*After doing this I was able to login via "ssh" and "su" with the "Administrator" user:*

    login as: administra...@adexample.com
    administra...@adexample.com@192.168.227.201's password:
    Last login: Wed Feb 12 14:39:49 2014 from 192.168.227.1
    Could not chdir to home directory /home/adexample.com/administrator: No such file or directory
    /usr/bin/xauth: error in locking authority file /home/adexample.com/administrator/.Xauthority
    -sh-4.1$

*But still not able to login with other AD accounts:*

    [root@ipaserver1 sbin]# su gen...@adexample.com
    su: user gen...@adexample.com does not exist

After reading the other threads, I'll try and provide as much information as I can:

*wbinfo -u does not return values.*

    [root@ipaserver1 sbin]# wbinfo -u
    [root@ipaserver1 sbin]#

*wbinfo -g output:*

    [root@ipaserver1 sbin]# wbinfo -g
    admins
    editors
    default smb group
    ad_users

*wbinfo --online-status shows ADEXAMPLE is offline.*

    [root@ipaserver1 ~]# wbinfo --online-status
    BUILTIN : online
    LINUX : online
    ADEXAMPLE : offline

*getent for Administrator does return a value.*

    [root@ipaserver1 sbin]# getent passwd administra...@adexample.com
    administra...@adexample.com:*:699000500:699000500::/home/adexample.com/administrator:

*getent for other AD users does not return a value.*

    [root@ipaserver1 sbin]# getent passwd gen...@adexample.com
    [root@ipaserver1 sbin]#

*System info/configurations:*

    [root@ipaserver1 ~]# cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)

    [root@ipaserver1 sbin]# rpm -qa | grep ipa
    ipa-python-3.0.0-37.el6.x86_64
    ipa-client-3.0.0-37.el6.x86_64
    libipa_hbac-python-1.9.2-129.el6.x86_64
    ipa-pki-common-theme-9.0.3-7.el6.noarch
    ipa-server-trust-ad-3.0.0-37.el6.x86_64
    libipa_hbac-1.9.2-129.el6.x86_64
    ipa-admintools-3.0.0-37.el6.x86_64
    ipa-server-selinux-3.0.0-37.el6.x86_64
    ipa-pki-ca-theme-9.0.3-7.el6.noarch
    ipa-server-3.0.0-37.el6.x86_64
    python-iniparse-0.3.1-2.1.el6.noarch

    [root@ipaserver1 ~]# rpm -qa | grep sssd
    sssd-1.9.2-129.el6.x86_64
    sssd-client-1.9.2-129.el6.x86_64

    [root@ipaserver1 sbin]# rpm -qa | grep samb
    samba4-common-4.0.0-60.el6_5.rc4.x86_64
    samba4-winbind-clients-4.0.0-60.el6_5.rc4.x86_64
    samba4-libs-4.0.0-60.el6_5.rc4.x86_64
    samba4-python-4.0.0-60.el6_5.rc4.x86_64
    samba4-4.0.0-60.el6_5.rc4.x86_64
    samba4-client-4.0.0-60.el6_5.rc4.x86_64
    samba4-winbind-4.0.0-60.el6_5.rc4.x86_64

*SSSD*

    [root@ipaserver1 ~]# cat /etc/sssd/sssd.conf
    [domain/linux.adexample.com]
    cache_credentials = True
    krb5_store_password_if_offline = True
    ipa_domain = linux.adexample.com
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    ipa_hostname = ipaserver1.linux.adexample.com
    chpass_provider = ipa
    ipa_server = ipaserver1.linux.adexample.com
    ldap_tls_cacert = /etc/ipa/ca.crt
    subdomains_provider = ipa
    debug_level = 6

    [sssd]
    services = nss, pam, ssh, pac
    config_file_version = 2
    domains = linux.adexample.com
    debug_level = 6

    [nss]
    debug_level = 6

    [pam]
    debug_level = 6

    [sudo]
    debug_level = 6

    [autofs]
    debug_level = 6

    [ssh]
    debug_level = 6

    [pac]
    debug_level = 6

*KRB5*

    [root@ipaserver1 ~]# cat /etc/krb5.conf
    includedir /var/lib/sss/pubconf/krb5.include.d/

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = LINUX.ADEXAMPLE.COM
     dns_lookup_realm = false
     dns_lookup_kdc = true
     rdns = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     LINUX.ADEXAMPLE.COM = {
      kdc = ipaserver1.linux.adexample.com:88
      master_kdc = ipaserver1.linux.adexample.com:88
      admin_server = ipaserver1.linux.adexample.com:749
      default_domain = linux.adexample.com
      pkinit_anchors = FILE:/etc/ipa/ca.crt
      auth_to_local = RULE:[1:$1@$0](^.*@ADEXAMPLE.COM$)s/@ADEXAMPLE.COM/@adexample.com/
      auth_to_local = DEFAULT
     }

    [domain_realm]
     .linux.adexample.com = LINUX.ADEXAMPLE.COM
     linux.adexample.com = LINUX.ADEXAMPLE.COM

    [dbmodules]
     LINUX.ADEXAMPLE.COM = {
      db_library = ipadb.so
     }

I have increased the debug level of the IPA components. Here are the logs (krb5_child.log, ldap_child.log, log.smbd, log.wb-ADEXAMPLE, log.wb-LINUX, log.winbindd, log.winbindd-dc-connect, log.winbindd-idmap, sssd.log, sssd_linux.adexample.com.log, sssd_nss.log, sssd_pac.log, sssd_pam.log, sssd_ssh.log, /var/log/secure): https://gist.github.com/anonymous/9006532

Any insights on why only Administrator is recognized by the trust? And why was the extra step on AD needed?
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
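An added example, not from the post or from FreeIPA: a Python model of the auth_to_local rule in the posted krb5.conf, paired with a constructed stand-in for the getent results above, to show which of the two steps an AD login passes through (principal-to-local-name mapping in libkrb5, then the NSS user lookup) each case in the post fails at. NSS_PASSWD, resolve_login and the genuser principal are assumptions; only the realm names and the rule itself come from the post.

```python
import re

# The rule and realms are from the posted krb5.conf; DEFAULT is the fallback listed after it.
DEFAULT_REALM = "LINUX.ADEXAMPLE.COM"
RULES = [
    "RULE:[1:$1@$0](^.*@ADEXAMPLE.COM$)s/@ADEXAMPLE.COM/@adexample.com/",
    "DEFAULT",
]
# Constructed stand-in for `getent passwd`: as in the post, only Administrator resolves.
NSS_PASSWD = {"administrator@adexample.com": 699000500}
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")

def apply_rule(rule, principal, default_realm=DEFAULT_REALM):
    """Return the local name one auth_to_local rule yields for principal, or None."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the local realm.
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    ncomp, fmt, selector, seds = m.groups()
    if len(comps) != int(ncomp):   # [n:...] applies only to n-component names
        return None
    s = fmt.replace("$0", realm)   # $0 is the realm, $1..$n the name components
    for i, c in enumerate(comps, 1):
        s = s.replace("$%d" % i, c)
    if selector and not re.search(selector, s):
        return None                # the (regexp) selector did not match
    for pat, rep, g in re.findall(r"s/([^/]*)/([^/]*)/(g?)", seds):
        s = re.sub(pat, rep, s, count=0 if g else 1)
    return s

def map_principal(principal, rules=RULES):
    # First applicable rule wins; None means no rule mapped the principal.
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None

def resolve_login(principal):
    """Mapping plus NSS lookup: the two places an AD-user login can fail."""
    local = map_principal(principal)
    if local is None:
        return (None, "no auth_to_local rule applies")
    if local not in NSS_PASSWD:
        return (local, "mapped, but NSS has no such user")
    return (local, "ok")
```

The second outcome is the one the post's "su: user ... does not exist" corresponds to: the rule maps every ADEXAMPLE.COM principal the same way, so the difference between Administrator and the other accounts lies in the NSS (SSSD/winbind) lookup, not in krb5.conf.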