On Tue, Jul 22, 2014 at 1:20 PM, tizo <[email protected]> wrote:

> On Thu, Jul 17, 2014 at 6:12 PM, tizo <[email protected]> wrote:
>
> > On Tue, Jul 15, 2014 at 11:59 AM, tizo <[email protected]> wrote:
> >
> > > On Tue, Jul 15, 2014 at 11:16 AM, Jakub Hrozek <[email protected]> wrote:
> > >
> > > > On Tue, Jul 15, 2014 at 11:04:23AM -0300, tizo wrote:
> > > > > On Tue, Jul 15, 2014 at 7:16 AM, Jakub Hrozek <[email protected]> wrote:
> > > > > > On Mon, Jul 14, 2014 at 02:02:16PM -0300, tizo wrote:
> > > > > > > On Mon, Jul 14, 2014 at 5:57 AM, Jakub Hrozek <[email protected]> wrote:
> > > > > > > > On Fri, Jul 11, 2014 at 05:22:59PM -0300, tizo wrote:
> > > > > > > > > On Fri, Jul 11, 2014 at 4:54 PM, Dmitri Pal <[email protected]> wrote:
> > > > > > > > > > On 07/11/2014 03:27 PM, tizo wrote:
> > > > > > > > > > > On Fri, Jul 4, 2014 at 5:09 PM, tizo <[email protected]> wrote:
> > > > > > > > > > > > I have seen in
> > > > > > > > > > > > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2
> > > > > > > > > > > > that trusts can be configured with Windows Server 2003 R2.
> > > > > > > > > > > >
> > > > > > > > > > > > We have a Windows Server 2003 (not R2). Before starting to make some tests, does anyone know if trusts can be configured with this version of Windows Server 2003?
> > > > > > > > > > > >
> > > > > > > > > > > > Thanks very much.
> > > > > > > > > > >
> > > > > > > > > > > As I have not received any answer, I decided to give it a try. I followed the document step by step with our Windows 2003, and everything looks good, except when I try to log in to the FreeIPA server with an AD user (ssh or tty).
> > > > > > > > > > >
> > > > > > > > > > > Does anyone know how I could debug this problem?
> > > > > > > > > >
> > > > > > > > > > Sorry that you did not get a response. It is a hot time, a lot of people on vacation and we also got 4.0 just out of the door.
> > > > > > > > > >
> > > > > > > > > > Set debug_level to 10 in the sssd.conf. It will create a lot of output and this might give you a hint of what is going on. From there you will see whether the user is processed by SSSD or SSH is not configured and users do not hit SSSD at all (unlikely), and, if the user is processed, what the problem is.
> > > > > > > > >
> > > > > > > > > Thanks Dmitri. I set the debug_level to 10, and the file sssd_my.domain.com.log is telling something about the AD user trying to connect with SSH. I am sending it to you privately, because it contains some sensitive information.
> > > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > I realize you were following our own documentation, which originated from this thread:
> > > > > > > > https://www.redhat.com/archives/freeipa-users/2013-June/msg00119.html
> > > > > > > >
> > > > > > > > Maybe it would be helpful to read it, too, at least to see how some other users were setting up the trust and what their problems were.
> > > > > > > >
> > > > > > > > --
> > > > > > > > Manage your subscription for the Freeipa-users mailing list:
> > > > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > > > > > Go To http://freeipa.org for more info on the project
> > > > > > >
> > > > > > > Dmitri and Jakub, thanks very much for your help.
> > > > > > >
> > > > > > > Jakub, I took a look in the thread, but I couldn't find anything that could help us with our problem.
> > > > > > >
> > > > > > > I am attaching the logs from sssd with the sensitive information removed. Any help is really appreciated; I don't really know where I should continue searching for the problem.
> > > > > >
> > > > > > Thanks, the logs don't show what the error is, but do tell us that the error is on the server side:
> > > > > >
> > > > > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> > > > > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 8
> > > > > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [sdap_process_result] (0x2000): Trace: sh[0x2293ed0], connected[1], ops[0x2293680], ldap[0x2293b40]
> > > > > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
> > > > > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations error(1), (null)
> > > > > > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> > > > > >
> > > > > > What IPA version are you testing with? The debugging procedure differs for versions with winbind on the server side and with sssd.
> > > > >
> > > > > I am testing with an updated CentOS 6 and all the software versions of its repositories. In detail:
> > > > >
> > > > > * OS: CentOS release 6.5 (Final)
> > > > > * IPA server: 3.0.0-37
> > > > > * SSSD: 1.9.2-129
> > > > > * Winbind: 4.0.0-61
> > > >
> > > > OK, so there's Winbind on the server side. Can you run:
> > > > * smbcontrol winbindd debug 100
> > > > * run the test on the client, check if you see the s2n exop failing in the logs
> > > > * attach /var/log/samba/log.w*
> > > > * reset the winbind logging back with: smbcontrol all debug 1
> > > > otherwise you'll run out of disk space :-)
> > >
> > > Jakub,
> > >
> > > I am sending the logs that you asked for. I don't know what you mean when you say "run the test on the client, check if you see the s2n exop failing in the logs". The test that I am trying to do is to connect to the FreeIPA server via ssh with an AD user. What logs should I check?
> > >
> > > Anyway, I found something wrong in the samba logs. In some of them, the server ADPRODSERVER is mentioned, which is our AD production server, with the domain xxx.com.uy. Our AD test server, the one that we are using for FreeIPA testing, is not mentioned there (its name is windows2003xxx). I don't really know how the Microsoft world works, but here is our test scenario:
> > >
> > > * All servers (AD production, AD testing and FreeIPA testing) are on the same network (192.168.100.0/24).
> > > * The AD domain is the same in production and in testing: xxx.com.uy.
> > > * The AD testing server has its own DNS server, and is using it.
> > > * The FreeIPA testing server has its own DNS server, and is using it.
> > >
> > > So, as a first thought, I am thinking that beyond the DNS, FreeIPA is using something else to find the AD domain xxx.com.uy. Can that be possible?
> > >
> > > Thanks very much.
> >
> > I have created a new and isolated environment to test the integration. Although the Samba logs are now referencing the right AD server (windows2003xxx), the problem is the same as before when trying to access the FreeIPA server with an AD user by ssh. I am attaching the logs of the new scenario. Some useful information:
> >
> > * Network: 192.168.99.0/24
> > * IPA Domain: fi.xxx.com.uy
> > * AD Domain: xxx.com.uy
> > * IPA Server: freeipa.fi.xxx.com.uy, 192.168.99.50
> > * AD Server: windows2003xxx.xxx.com.uy, 192.168.99.51
> > * AD user for the test: usuad
> >
> > I don't know if the following could help, but when I try to obtain a Kerberos ticket on the FreeIPA server with "kinit usuad@xxx.com.uy" and type a wrong password, the message is "kinit: Preauthentication failed while getting initial credentials". When I do the same thing but with the correct password the message is "kinit: KDC reply did not match expectations while getting initial credentials".
> >
> > Any help is really appreciated. Thanks very much.
>
> I have noted that kinit with the AD domain in uppercase is working (kinit usuad@XXX.COM.UY). However, ssh is not working with either uppercase or lowercase. Maybe it is a misconfiguration in /etc/krb5.conf? I have added the following two lines there (as in http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Edit_.2Fetc.2Fkrb5.conf):
>
> [realms]
> FI.XXX.COM.UY = {
> ....
> auth_to_local = RULE:[1:$1@$0](^.*@XXX.COM.UY$)s/@XXX.COM.UY/@xxx.com.uy/
> auth_to_local = DEFAULT
> }

Yessss, at last! It is working now after downgrading the samba packages to their 4.0.0-58 versions, as was suggested in https://www.redhat.com/archives/freeipa-users/2014-February/msg00261.html

Thanks very much!
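The auth_to_local rule quoted in the thread is what turns the Kerberos principal that sshd receives from the AD realm into the name SSSD knows the user by. What follows is an added illustration, not code from the thread, from FreeIPA or from MIT krb5: a small Python evaluator for RULE:[n:string](regexp)s/pattern/replacement/ rules and the DEFAULT rule, written to the semantics documented for krb5.conf, run against the exact two lines from the quoted [realms] section. The principals usuad@XXX.COM.UY and admin@FI.XXX.COM.UY are constructed from the thread's test setup; the evaluator assumes the selector regexp contains no ')' and uses Python re syntax where krb5 uses POSIX extended syntax.

```python
import re

# Added example (not FreeIPA's or MIT krb5's own code): an evaluator for
# MIT Kerberos auth_to_local rules of the form
#   RULE:[n:string](regexp)s/pattern/replacement/[g]
# plus the DEFAULT rule, following the semantics documented for krb5.conf.
# Assumptions: the selector regexp contains no ')' and the sed-style
# patterns are written in Python re syntax rather than POSIX extended syntax.

RULE_RE = re.compile(
    r'^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]'                    # [n:string]
    r'(?:\((?P<regexp>[^)]*)\))?'                              # optional (regexp)
    r'(?P<subs>(?:s/(?:[^/\\]|\\.)*/(?:[^/\\]|\\.)*/g?)*)$'    # s/../../[g] ...
)
SUB_RE = re.compile(r's/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)')


def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    if '@' not in principal:
        raise ValueError('principal has no realm: %r' % principal)
    name, realm = principal.rsplit('@', 1)
    return name.split('/'), realm


def expand_format(fmt, comps, realm):
    """Replace $0 with the realm and $i with the i-th principal component."""
    def repl(m):
        i = int(m.group(1))
        if i == 0:
            return realm
        if i > len(comps):
            raise ValueError('format references $%d but principal has %d components'
                             % (i, len(comps)))
        return comps[i - 1]
    return re.sub(r'\$(\d+)', repl, fmt)


def apply_rule(rule, principal):
    """Return the local name produced by one RULE, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError('unparseable rule: %r' % rule)
    comps, realm = split_principal(principal)
    if len(comps) != int(m.group('n')):
        return None                     # rule only covers principals with n components
    candidate = expand_format(m.group('fmt'), comps, realm)
    if m.group('regexp') is not None and not re.search(m.group('regexp'), candidate):
        return None                     # selector regexp did not match the formatted name
    for pattern, replacement, flag in SUB_RE.findall(m.group('subs')):
        candidate = re.sub(pattern, replacement, candidate, count=0 if flag else 1)
    return candidate


def auth_to_local(rules, principal, default_realm):
    """Evaluate the rules in order, as krb5 does; None means no mapping."""
    for rule in rules:
        if rule == 'DEFAULT':
            # DEFAULT only maps single-component principals from the local realm.
            comps, realm = split_principal(principal)
            if len(comps) == 1 and realm == default_realm:
                return comps[0]
            continue
        mapped = apply_rule(rule, principal)
        if mapped is not None:
            return mapped
    return None


# The two auth_to_local lines from the thread's krb5.conf [realms] section.
RULES = [
    'RULE:[1:$1@$0](^.*@XXX.COM.UY$)s/@XXX.COM.UY/@xxx.com.uy/',
    'DEFAULT',
]

if __name__ == '__main__':
    # Constructed principals based on the thread's test setup.
    for p in ('usuad@XXX.COM.UY', 'admin@FI.XXX.COM.UY', 'usuad@xxx.com.uy'):
        print('%-22s -> %r' % (p, auth_to_local(RULES, p, 'FI.XXX.COM.UY')))
```

Running it shows usuad@XXX.COM.UY mapped to usuad@xxx.com.uy (the fully qualified form SSSD uses for users from the trusted domain), admin@FI.XXX.COM.UY falling through to DEFAULT and becoming admin, and a principal with a lowercase realm mapping to nothing at all, because the selector regexp is case-sensitive and DEFAULT applies only to the local realm. That is why the realm spelling in the rule has to match exactly what the KDC issues.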
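Jakub's reading of the sssd log quoted in the thread (the LDAP extended operation itself returned an error, so the failure is on the IPA server, not in the client's connection) can be mechanised. The following is an added example, not SSSD's own tooling: it parses lines in the debug-log format shown in the thread, decodes the debug_level bitmask documented in sssd.conf(5), and for every "s2n exop request failed" message reports the last LDAP result the server returned for that extended operation, so a reader can separate server-side failures from client-side ones. The sample lines are constructed from the ones quoted in the thread.

```python
import re

# Added example, not part of SSSD: triage "s2n exop" failures in an sssd
# domain log written with debug_level = 10. Sample lines are constructed
# from the ones quoted in the thread.
SAMPLE_LOG = """\
(Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 8
(Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
(Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations error(1), (null)
(Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
"""

# (timestamp) [component] [function] (0xMASK): message
LINE_RE = re.compile(
    r'^\((?P<ts>[^)]*)\) \[(?P<component>.*?)\] \[(?P<func>[^\]]+)\] '
    r'\((?P<mask>0x[0-9a-fA-F]+)\): (?P<msg>.*)$'
)

# Bits of the debug_level bitmask as documented in sssd.conf(5).
DEBUG_BITS = {
    0x0010: 'fatal', 0x0020: 'critical', 0x0040: 'serious', 0x0080: 'minor',
    0x0100: 'configuration', 0x0200: 'function data',
    0x0400: 'trace operation functions', 0x1000: 'trace internal control',
    0x2000: 'internal function data', 0x4000: 'low-level tracing',
}


def parse_line(line):
    """Parse one log line into a dict, or None if it is not in the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['mask'] = int(rec['mask'], 16)
    # The backend component looks like sssd[be[<domain>]]; pull the domain out.
    d = re.search(r'be\[([^\]]+)\]', rec['component'])
    rec['domain'] = d.group(1) if d else None
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def describe_mask(mask):
    """Names of the debug_level bits set in a message's mask."""
    return [name for bit, name in sorted(DEBUG_BITS.items()) if mask & bit]


def triage_s2n(text):
    """For each failed s2n exop, report the last LDAP result the server returned.

    A non-success result on the extended operation (rather than a connection or
    timeout error on the client) means the IPA server failed the lookup, so the
    next place to look is the server-side logs.
    """
    findings = []
    last_msgid = None
    last_result = None
    for rec in parse_log(text):
        msg = rec['msg']
        if rec['func'] == 'ipa_s2n_exop_send':
            mm = re.search(r'msgid = (\d+)', msg)
            if mm:
                last_msgid = mm.group(1)
        elif rec['func'] == 'ipa_s2n_exop_done' and 'result:' in msg:
            last_result = msg.split('result:', 1)[1].strip()
        elif 'exop request failed' in msg:
            server_side = bool(last_result) and not last_result.startswith('Success')
            findings.append({
                'time': rec['ts'], 'domain': rec['domain'], 'msgid': last_msgid,
                'server_result': last_result,
                'where': 'server side' if server_side else 'client side',
            })
    return findings


if __name__ == '__main__':
    for f in triage_s2n(SAMPLE_LOG):
        print(f)
```

On the thread's lines this reports msgid 8 in domain lan.xxx.com.uy failing with "Operations error(1), (null)" and classifies it as server side, which is the conclusion Jakub drew by hand before asking for the winbind logs from the server.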
