On Thu, Jul 17, 2014 at 6:12 PM, tizo <tiz...@gmail.com> wrote:
>
> On Tue, Jul 15, 2014 at 11:59 AM, tizo <tiz...@gmail.com> wrote:
>>
>> On Tue, Jul 15, 2014 at 11:16 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>
>>> On Tue, Jul 15, 2014 at 11:04:23AM -0300, tizo wrote:
>>> > On Tue, Jul 15, 2014 at 7:16 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>> >
>>> > > On Mon, Jul 14, 2014 at 02:02:16PM -0300, tizo wrote:
>>> > > > On Mon, Jul 14, 2014 at 5:57 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>> > > >
>>> > > > > On Fri, Jul 11, 2014 at 05:22:59PM -0300, tizo wrote:
>>> > > > > > On Fri, Jul 11, 2014 at 4:54 PM, Dmitri Pal <d...@redhat.com> wrote:
>>> > > > > >
>>> > > > > > > On 07/11/2014 03:27 PM, tizo wrote:
>>> > > > > > >
>>> > > > > > > On Fri, Jul 4, 2014 at 5:09 PM, tizo <tiz...@gmail.com> wrote:
>>> > > > > > >
>>> > > > > > >> I have seen in
>>> > > > > > >> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2
>>> > > > > > >> that trusts can be configured with Windows Server 2003 R2.
>>> > > > > > >>
>>> > > > > > >> We have a Windows Server 2003 (not R2). Before starting to make some
>>> > > > > > >> tests, does anyone know if trusts can be configured with this version of
>>> > > > > > >> Windows Server 2003?
>>> > > > > > >>
>>> > > > > > >> Thanks very much.
>>> > > > > > >
>>> > > > > > > As I have not received any answer, I decided to give it a try. I followed
>>> > > > > > > the document step by step with our Windows 2003, and everything looks good,
>>> > > > > > > except when I try to log in to the FreeIPA server with an AD user (ssh or
>>> > > > > > > tty).
>>> > > > > > >
>>> > > > > > > Does anyone know how I could debug this problem?
>>> > > > > > >
>>> > > > > > > Sorry that you did not get a response. It is a hot time, a lot of people
>>> > > > > > > on vacation and we also got 4.0 just out of the door.
>>> > > > > > >
>>> > > > > > > Set debug_level to 10 in the sssd.conf. It will create a lot of output and
>>> > > > > > > this might give you a hint of what is going on. From there you will see
>>> > > > > > > whether the user is processed by SSSD or SSH is not configured and users do
>>> > > > > > > not hit SSSD at all (unlikely), and if the user is processed what the problem
>>> > > > > > > is.
>>> > > > > > >
>>> > > > > > Thanks Dmitri. I set the debug_level to 10, and the file
>>> > > > > > sssd_my.domain.com.log is telling something about the AD user trying to
>>> > > > > > connect with SSH. I am sending it to you privately, because it contains
>>> > > > > > some sensitive information.
>>> > > > >
>>> > > > > Hi,
>>> > > > >
>>> > > > > I realize you were following our own documentation, which originated
>>> > > > > from this thread:
>>> > > > > https://www.redhat.com/archives/freeipa-users/2013-June/msg00119.html
>>> > > > >
>>> > > > > Maybe it would be helpful to read it, too, at least to see how some other
>>> > > > > users were setting up the trust and what their problems were.
>>> > > > >
>>> > > > > --
>>> > > > > Manage your subscription for the Freeipa-users mailing list:
>>> > > > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>> > > > > Go To http://freeipa.org for more info on the project
>>> > > >
>>> > > > Dmitri and Jakub, thanks very much for your help.
>>> > > >
>>> > > > Jakub, I took a look in the thread, but I couldn't find anything that could
>>> > > > help us with our problem.
>>> > > >
>>> > > > I am attaching the logs from sssd with the sensitive information removed.
>>> > > > Any help is really appreciated; I don't really know where I should continue
>>> > > > searching for the problem.
>>> > >
>>> > > Thanks, the logs don't show what the error is, but do tell us that the
>>> > > error is on the server side:
>>> > >
>>> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
>>> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 8
>>> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [sdap_process_result] (0x2000): Trace: sh[0x2293ed0], connected[1], ops[0x2293680], ldap[0x2293b40]
>>> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
>>> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations error(1), (null)
>>> > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
>>> > >
>>> > > What IPA version are you testing with? The debugging procedure differs
>>> > > for versions with winbind on the server side and with sssd.
>>> >
>>> > I am testing with an updated CentOS 6 and all the software versions of its
>>> > repositories. In detail:
>>> >
>>> > * OS: CentOS release 6.5 (Final)
>>> > * IPA server: 3.0.0-37
>>> > * SSSD: 1.9.2-129
>>> > * Winbind: 4.0.0-61
>>>
>>> OK, so there's Winbind on the server side. Can you run:
>>> * smbcontrol winbindd debug 100
>>> * run the test on the client, check if you see the s2n exop failing
>>>   in the logs
>>> * attach /var/log/samba/log.w*
>>> * reset the winbind logging back with: smbcontrol all debug 1
>>>   otherwise you'll run out of disk space :-)
>>
>> Jakub,
>>
>> I am sending the logs that you asked for. I don't know what you mean
>> when you say "run the test on the client, check if you see the s2n exop
>> failing in the logs". The test that I am trying to do is to connect to
>> the FreeIPA server via ssh with an AD user. What logs should I check?
>>
>> Anyway, I found something wrong in the samba logs. In some of them, the
>> server ADPRODSERVER is mentioned, which is our AD production server, with
>> the domain xxx.com.uy. Our AD test server, the one that we are using for
>> FreeIPA testing, is not mentioned there (its name is windows2003xxx). I
>> don't really know how the Microsoft world works, but here is our test
>> scenario:
>>
>> * All servers (AD production, AD testing and FreeIPA testing) are on the
>>   same network (192.168.100.0/24).
>>
>> * The AD domain is the same in production and in testing: xxx.com.uy.
>>
>> * The AD testing server has its own DNS server, and is using it.
>>
>> * The FreeIPA testing server has its own DNS server, and is using it.
>>
>> So, as a first thought, I am thinking that beyond the DNS, FreeIPA is
>> using something else to find the AD domain xxx.com.uy. Can that be
>> possible?
>>
>> Thanks very much.
>
> I have created a new and isolated environment to test the integration.
> Although the Samba logs are now referencing the right AD server
> (windows2003xxx), the problem is the same as before when trying to access
> the FreeIPA server with an AD user by ssh. I am attaching the logs of
> the new scenario. Some useful information:
>
> * Network: 192.168.99.0/24
> * IPA Domain: fi.xxx.com.uy
> * AD Domain: xxx.com.uy
> * IPA Server: freeipa.fi.xxx.com.uy, 192.168.99.50
> * AD Server: windows2003xxx.xxx.com.uy 192.168.99.51
> * AD user for the test: usuad
>
> I don't know if the following could help, but when I try to obtain a
> Kerberos ticket in the FreeIPA server with "kinit us...@xxx.com.uy" and type
> a wrong password, the message is "kinit: Preauthentication failed while
> getting initial credentials". When I do the same thing but with the correct
> password the message is "kinit: KDC reply did not match expectations while
> getting initial credentials".
>
> Any help is really appreciated. Thanks very much.
>
I have noted that kinit with the AD domain in uppercase is working (kinit us...@xxx.com.uy). However, ssh is not working with either uppercase or lowercase. Maybe it is a misconfiguration in /etc/krb5.conf? I have added the following two lines there (as in http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Edit_.2Fetc.2Fkrb5.conf ):

[realms]
FI.XXX.COM.UY = {
    ....
    auth_to_local = RULE:[1:$1@$0](^.*@XXX.COM.UY$)s/@XXX.COM.UY/@xxx.com.uy/
    auth_to_local = DEFAULT
}
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
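As an added illustration (not code from this thread, from FreeIPA or from MIT Kerberos), the following Python re-implements how an auth_to_local RULE entry such as the one quoted above is evaluated, so the mapping of usuad@XXX.COM.UY to the name SSSD expects can be checked by hand. It covers the [n:string](regexp)s/pattern/replacement/g subset of the rule grammar, uses Python's re in place of POSIX regex, and treats DEFAULT as "single-component principal in the local realm maps to that component"; the rule list and realm below are constructed from the thread.

```python
import re
from typing import List, Optional

# Rule grammar handled here (an assumption, modelled on the MIT krb5 format):
#   RULE:[n:string](regexp)s/pattern/replacement/g
# $0 in string is the realm, $1..$n the principal components.
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?((?:s/.*?/.*?/g?)*)$")
SUBST_RE = re.compile(r"s/(.*?)/(.*?)/(g?)")

# Constructed from the thread: the two krb5.conf lines and the IPA realm.
KRB5_RULES = [
    "RULE:[1:$1@$0](^.*@XXX.COM.UY$)s/@XXX.COM.UY/@xxx.com.uy/",
    "DEFAULT",
]
LOCAL_REALM = "FI.XXX.COM.UY"


def split_principal(principal: str):
    """'host/fqdn@REALM' -> (['host', 'fqdn'], 'REALM')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Evaluate one RULE: entry; None means the rule does not fire."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    ncomp, fmt, selector, substs = m.groups()
    comps, realm = split_principal(principal)
    if len(comps) != int(ncomp):  # [n:...] only applies to n-component principals
        return None
    out = fmt.replace("$0", realm)
    for i, comp in enumerate(comps, start=1):
        out = out.replace(f"${i}", comp)
    # The selector must match the whole formatted string; it is case-sensitive,
    # which is why a lowercase realm never reaches the substitution step.
    if selector is not None and re.fullmatch(selector, out) is None:
        return None
    for pat, repl, flag in SUBST_RE.findall(substs):
        out = re.sub(pat, repl, out, count=0 if flag == "g" else 1)
    return out


def auth_to_local(rules: List[str], principal: str, local_realm: str) -> Optional[str]:
    """Walk the realm's auth_to_local list in order; the first rule that yields a name wins."""
    comps, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            if realm == local_realm and len(comps) == 1:
                return comps[0]
            continue
        name = apply_rule(rule, principal)
        if name is not None:
            return name
    return None  # no rule matched: the principal gets no local name
```

With these rules the AD user becomes usuad@xxx.com.uy, an IPA user such as admin@FI.XXX.COM.UY falls through to DEFAULT and becomes admin, and a two-component service principal maps to nothing.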