Evening,

I have been trying to get the IPA server working with AD users and I think I need 
some assistance, as I have run into a wall.  Below is some background 
information.  The Active Directory domain is called example.local and the IPA 
domain is called example.loc.  My plan is to map domain users on AD to ad_users 
on the IPA servers.  I am using CentOS Linux release 7.0.1406 (Core) with the RPMs below.

[root@ipa3-yyz-int ~]# rpm -qa | grep ipa
ipa-client-3.3.3-28.el7.centos.1.x86_64
iniparser-3.1-5.el7.x86_64
ipa-server-trust-ad-3.3.3-28.el7.centos.1.x86_64
sssd-ipa-1.11.2-68.el7_0.5.x86_64
ipa-python-3.3.3-28.el7.centos.1.x86_64
ipa-server-3.3.3-28.el7.centos.1.x86_64
libipa_hbac-1.11.2-68.el7_0.5.x86_64
python-iniparse-0.4-9.el7.noarch
libipa_hbac-python-1.11.2-68.el7_0.5.x86_64
ipa-admintools-3.3.3-28.el7.centos.1.x86_64

I have two groups 

[root@ipa3-yyz-int ~]# ipa group-show --all ad_users
  dn: cn=ad_users,cn=groups,cn=accounts,dc=example,dc=loc
  Group name: ad_users
  Description: ad_domain users
  GID: 1963800005
  Member users: williamm_user, wmuriithi_user
  Member of HBAC rule: dev-systems-rules
  ipantsecurityidentifier: S-1-5-21-3033893191-3803153583-4018222701-1005
  ipauniqueid: eec320c2-650b-11e4-bc2c-000c29c42447
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, 
posixgroup, ipantgroupattrs

[root@ipa3-yyz-int ~]# ipa group-show --all ad_users_external
  dn: cn=ad_users_external,cn=groups,cn=accounts,dc=example,dc=loc
  Group name: ad_users_external
  Description: ad_domain users external map
  External member: S-1-5-21-205922407-570005376-4065188459-513
  ipauniqueid: d3b2759e-650b-11e4-8518-000c29c42447
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, 
ipaexternalgroup

I am certain the problem has something to do with the trust, as I have created a 
local account on FreeIPA (wmuriithi_user) and it works as expected.  However, 
Active Directory users in the same POSIX group fail, and I have not been able to 
nail down where my mistake is.  How would one go about debugging this issue?  I have 
looked at the logs and they look as below.

cat /var/log/secure

Nov 10 12:12:05 datagroup-dev sshd[30150]: Invalid user wmuriithi@example.local 
from 10.10.10.15
Nov 10 12:12:05 datagroup-dev sshd[30151]: input_userauth_request: invalid user 
wmuriithi@example.local
Nov 10 12:12:09 datagroup-dev sshd[30150]: pam_unix(sshd:auth): check pass; 
user unknown
Nov 10 12:12:09 datagroup-dev sshd[30150]: pam_unix(sshd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.15
Nov 10 12:12:09 datagroup-dev sshd[30150]: pam_succeed_if(sshd:auth): error 
retrieving information about user wmuriithi@example.local
Nov 10 12:12:11 datagroup-dev sshd[30150]: Failed password for invalid user 
wmuriithi@example.local from 10.10.10.15 port 52792 ssh2
Nov 10 12:12:17 datagroup-dev sshd[30151]: Connection closed by 10.10.10.15

cat /var/log/sssd/sssd_ssh.log


(Mon Nov 10 12:34:01 2014) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): 
name 'wmuriithi@example.local' matched expression for domain 'EXAMPLE.local', 
user is wmuriithi
(Mon Nov 10 12:34:01 2014) [sssd[ssh]] [ssh_user_pubkeys_search_dp_callback] 
(0x0040): Unable to get information from Data Provider
Error: 3, 1432158221, Account info lookup failed
(Mon Nov 10 12:34:01 2014) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0040): 
No attributes for user [wmuriithi] found.
(Mon Nov 10 12:34:01 2014) [sssd[ssh]] [client_recv] (0x0200): Client 
disconnected!
(Mon Nov 10 15:16:44 2014) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received 
client version [0].
(Mon Nov 10 15:16:44 2014) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered 
version [0].
(Mon Nov 10 15:16:44 2014) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): 
name 'wmuriithi@example.local' matched expression for domain 'EXAMPLE.local', 
user is wmuriithi
(Mon Nov 10 15:16:44 2014) [sssd[ssh]] [ssh_user_pubkeys_search_dp_callback] 
(0x0040): Unable to get information from Data Provider
Error: 3, 1432158221, Account info lookup failed


less /var/log/sssd/sssd_example.loc.log

(Mon Nov 10 15:58:21 2014) [sssd[be[example.loc]]] [fo_set_port_status] 
(0x0100): Marking port 389 of server 'ipa3-yyz-int.example.loc' as 'working'
(Mon Nov 10 15:58:21 2014) [sssd[be[example.loc]]] [set_server_common_status] 
(0x0100): Marking server 'ipa3-yyz-int.example.loc' as 'working'
(Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [be_get_account_info] 
(0x0100): Got request for [4097][1][name=wmuriithi]
(Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] 
(0x0040): s2n exop request failed.
(Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [acctinfo_callback] 
(0x0100): Request processed. Returned 3,1432158221,Account info lookup failed
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [be_get_account_info] 
(0x0100): Got request for [4097][1][name=wmuriithi]
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] 
(0x0040): s2n exop request failed.
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [acctinfo_callback] 
(0x0100): Request processed. Returned 3,1432158221,Account info lookup failed
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [be_get_account_info] 
(0x0100): Got request for [4097][1][name=wmuriithi]
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] 
(0x0040): s2n exop request failed.
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [acctinfo_callback] 
(0x0100): Request processed. Returned 3,1432158221,Account info lookup failed
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [be_get_account_info] 
(0x0100): Got request for [4097][1][name=wmuriithi]
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] 
(0x0040): s2n exop request failed.

Does this mean I have to recreate the trust relationship?  I didn't get any 
error when I set up the trust last week, and I am uncertain whether recreating the trust 
would help.  I would highly appreciate any pointers on what the best way 
forward would be.

William

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
