On Mon, Dec 15, 2014 at 05:38:05PM +0100, Manuel Lopes wrote:
> Attached the sssd_linux.com.log file
>
> Regards

Thank you, there is no request logged in the logs, did you run
ipa group-add-member after restarting SSSD?

Nevertheless I think I know what is happening, you hit an issue which
should be fixed in SSSD 1.12.2, which version of SSSD are you running on
which platform?

bye,
Sumit

> 2014-12-15 17:03 GMT+01:00 Sumit Bose <sb...@redhat.com>:
> >
> > On Mon, Dec 15, 2014 at 04:39:29PM +0100, Manuel Lopes wrote:
> > > The file sssd_linux.com.log is empty.
> >
> > please add
> >
> > debug_level = 10
> >
> > to the [domain/...] section in sssd.conf to enable logging for this part
> > of SSSD.
> >
> > bye,
> > Sumit
> >
> > > 2014-12-15 15:42 GMT+01:00 Sumit Bose <sb...@redhat.com>:
> > > >
> > > > On Sat, Dec 13, 2014 at 02:13:30PM +0100, Manuel Lopes wrote:
> > > > > Hi,
> > > > >
> > > > > As explained in the previous email, the getent is successful.
> > > > >
> > > > > [root@support1 ~]# getent group 'ACME\Domain Users'
> > > > > domain us...@acme.windows.com:*:365600513:administra...@acme.windows.com
> > > > >
> > > > > In fact, our real problem is not the "wbinfo -n" but the following
> > > > > command:
> > > > >
> > > > > [root@support1 sssd]# ipa group-add-member ad_users_external --external "ACME\Domain Users"
> > > > > [member user]:
> > > > > [member group]:
> > > > >   Group name: ad_users_external
> > > > >   Description: AD users external map
> > > > >   External member:
> > > > >   Member of groups: ad_users
> > > > >   Failed members:
> > > > >     member user:
> > > > >     member group: ACME\Domain Users: Cannot find specified domain or server name
> > > > > -------------------------
> > > > > Number of members added 0
> > > > > -------------------------
> > > > >
> > > > > We cannot add ACME's domain users in the ad_users_external.
> > > > >
> > > > > I attached the sssd logs.
> > > >
> > > > Can you send the corresponding domain log file as well, it should be
> > > > called sssd_linux.com.log or similar.
> > > >
> > > > bye,
> > > > Sumit
> > > >
> > > > > Regards
> > > > >
> > > > > 2014-12-12 21:51 GMT+01:00 Manuel Lopes <manuel.lope...@gmail.com>:
> > > > > >
> > > > > > OK.
> > > > > >
> > > > > > Command successful
> > > > > > [root@support1 ~]# getent group 'ACME\Domain Users'
> > > > > > domain us...@acme.windows.com:*:365600513:administra...@acme.windows.com
> > > > > >
> > > > > > Log files attached
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > 2014-12-12 21:32 GMT+01:00 Sumit Bose <sb...@redhat.com>:
> > > > > > >
> > > > > > > On Fri, Dec 12, 2014 at 08:41:27PM +0100, Manuel Lopes wrote:
> > > > > > > > [root@support1 ~]# ipa idrange-find
> > > > > > > > ----------------
> > > > > > > > 3 ranges matched
> > > > > > > > ----------------
> > > > > > > >   Range name: LINUX.COM_id_range
> > > > > > > >   First Posix ID of the range: 1066000000
> > > > > > > >   Number of IDs in the range: 200000
> > > > > > > >   First RID of the corresponding RID range: 1000
> > > > > > > >   First RID of the secondary RID range: 100000000
> > > > > > > >   Range type: local domain range
> > > > > > > >
> > > > > > > >   Range name: WINDOWS.COM_id_range
> > > > > > > >   First Posix ID of the range: 730200000
> > > > > > > >   Number of IDs in the range: 200000
> > > > > > > >   First RID of the corresponding RID range: 0
> > > > > > > >   Domain SID of the trusted domain: S-1-5-21-1701591335-3855227394-3044674468
> > > > > > > >   Range type: Active Directory domain range
> > > > > > > >
> > > > > > > >   Range name: ACME.WINDOWS.COM_id_range
> > > > > > > >   First Posix ID of the range: 365600000
> > > > > > > >   Number of IDs in the range: 200000
> > > > > > > >   First RID of the corresponding RID range: 0
> > > > > > > >   Domain SID of the trusted domain: S-1-5-21-1215373191-1991333051-3772904882
> > > > > > > >   Range type: Active Directory domain range
> > > > > > > > ----------------------------
> > > > > > > > Number of entries returned 3
> > > > > > > > ----------------------------
> > > > > > > >
> > > > > > > > As we can see in the output of the command, the range type is "ad
> > > > > > > > POSIX attributes".
> > > > > > >
> > > > > > > no, it's only 'Active Directory domain range', this is good because
> > > > > > > with this type we generate the UIDs and GIDs algorithmically.
> > > > > > >
> > > > > > > > In our case, the gidNumber is not set in the "ACME\Domain Users" AD
> > > > > > > > group, nor in the "WINDOWS\Domain Users".
> > > > > > > > With a gidNumber attribute value, the 'wbinfo -n "ACME\Domain Users"'
> > > > > > > > command still fails.
> > > > > > >
> > > > > > > no need to set the ID attributes in AD. But I should have mentioned
> > > > > > > that wbinfo is quite useless nowadays with FreeIPA because winbind is
> > > > > > > only used to assure some types of communication with AD. All user and
> > > > > > > group lookups and ID-mapping is done by SSSD. Please try
> > > > > > >
> > > > > > > getent group 'ACME\Domain Users'
> > > > > > >
> > > > > > > and send the sssd_nss.log and sssd_example.com.log files.
> > > > > > >
> > > > > > > bye,
> > > > > > > Sumit
> > > > > > >
> > > > > > > > Thanks
> > > > > > > >
> > > > > > > > 2014-12-12 19:51 GMT+01:00 Manuel Lopes <manuel.lope...@gmail.com>:
> > > > > > > > >
> > > > > > > > > [root@support1 ~]# ipa idrange-find
> > > > > > > > > ----------------
> > > > > > > > > 3 ranges matched
> > > > > > > > > ----------------
> > > > > > > > >   Range name: LINUX.COM_id_range
> > > > > > > > >   First Posix ID of the range: 1066000000
> > > > > > > > >   Number of IDs in the range: 200000
> > > > > > > > >   First RID of the corresponding RID range: 1000
> > > > > > > > >   First RID of the secondary RID range: 100000000
> > > > > > > > >   Range type: local domain range
> > > > > > > > >
> > > > > > > > >   Range name: WINDOWS.COM_id_range
> > > > > > > > >   First Posix ID of the range: 730200000
> > > > > > > > >   Number of IDs in the range: 200000
> > > > > > > > >   First RID of the corresponding RID range: 0
> > > > > > > > >   Domain SID of the trusted domain: S-1-5-21-1701591335-3855227394-3044674468
> > > > > > > > >   Range type: Active Directory domain range
> > > > > > > > >
> > > > > > > > >   Range name: ACME.WINDOWS.COM_id_range
> > > > > > > > >   First Posix ID of the range: 365600000
> > > > > > > > >   Number of IDs in the range: 200000
> > > > > > > > >   First RID of the corresponding RID range: 0
> > > > > > > > >   Domain SID of the trusted domain: S-1-5-21-1215373191-1991333051-3772904882
> > > > > > > > >   Range type: Active Directory domain range
> > > > > > > > > ----------------------------
> > > > > > > > > Number of entries returned 3
> > > > > > > > > ----------------------------
> > > > > > > > >
> > > > > > > > > As we can see in the output of the command, the range type is "ad
> > > > > > > > > POSIX attributes".
> > > > > > > > > In our case, the gidNumber is not set in the "ACME\Domain Users" AD
> > > > > > > > > group, nor in the "WINDOWS\Domain Users".
> > > > > > > > > With a gidNumber attribute value, the 'wbinfo -n "ACME\Domain Users"'
> > > > > > > > > command still fails.
> > > > > > > > >
> > > > > > > > > Thanks
> > > > > > > > >
> > > > > > > > > 2014-12-12 10:33 GMT+01:00 Sumit Bose <sb...@redhat.com>:
> > > > > > > > > >
> > > > > > > > > > On Fri, Dec 12, 2014 at 02:06:05AM +0100, Manuel Lopes wrote:
> > > > > > > > > > > Hi Sumit,
> > > > > > > > > > >
> > > > > > > > > > > Thank you very much for the prompt reply
> > > > > > > > > > >
> > > > > > > > > > > [root@support1 ~]# ipa trustdomain-find windows.com
> > > > > > > > > > >   Domain name: windows.com
> > > > > > > > > > >   Domain NetBIOS name: WINDOWS
> > > > > > > > > > >   Domain Security Identifier: S-1-5-21-1701591335-3855227394-3044674468
> > > > > > > > > > >   Domain enabled: True
> > > > > > > > > > >
> > > > > > > > > > >   Domain name: acme.windows.com
> > > > > > > > > > >   Domain NetBIOS name: ACME
> > > > > > > > > > >   Domain Security Identifier: S-1-5-21-1215373191-1991333051-3772904882
> > > > > > > > > > >   Domain enabled: True
> > > > > > > > > > > ----------------------------
> > > > > > > > > > > Number of entries returned 2
> > > > > > > > > > > ----------------------------
> > > > > > > > > >
> > > > > > > > > > ok, so ACME was discovered successfully, can you check next the
> > > > > > > > > > output of
> > > > > > > > > >
> > > > > > > > > > ipa idrange-find
> > > > > > > > > >
> > > > > > > > > > The important attribute is the 'Range type' for the AD domains. If
> > > > > > > > > > it is 'Active Directory trust range with POSIX attributes' it is
> > > > > > > > > > expected that users and groups in the AD forest have the POSIX UID
> > > > > > > > > > and GID attributes set and only those users and groups will be
> > > > > > > > > > available in the IPA domain. In this case please check if
> > > > > > > > > > 'ACME\Domain Users' have the GID attribute set.
> > > > > > > > > >
> > > > > > > > > > If this does not help (please mind the negative cache of SSSD)
> > > > > > > > > > please send the SSSD logs in /var/log/sssd on the IPA server. You
> > > > > > > > > > might need to enable logging in sssd.conf by setting 'debug_level
> > > > > > > > > > = 10' in the [domain/..] and [nss] section of sssd.conf.
> > > > > > > > > >
> > > > > > > > > > bye,
> > > > > > > > > > Sumit
> > > > > > > > > >
> > > > > > > > > > > [root@support1 ~]# ipa trust-fetch-domains windows.com
> > > > > > > > > > > -------------------------------
> > > > > > > > > > > No new trust domains were found
> > > > > > > > > > > -------------------------------
> > > > > > > > > > > ----------------------------
> > > > > > > > > > > Number of entries returned 0
> > > > > > > > > > > ----------------------------
> > > > > > > > > > >
> > > > > > > > > > > Regards
> > > > > > > > > > >
> > > > > > > > > > > On 11 Dec 2014 20:08, "Sumit Bose" <sb...@redhat.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > On Thu, Dec 11, 2014 at 06:45:49PM +0100, Manuel Lopes wrote:
> > > > > > > > > > > > > Hello,
> > > > > > > > > > > > >
> > > > > > > > > > > > > We have been following the AD integration guide for IPAv3:
> > > > > > > > > > > > > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
> > > > > > > > > > > > >
> > > > > > > > > > > > > Our setup is:
> > > > > > > > > > > > >
> > > > > > > > > > > > > • 2 domain controllers with Windows 2008 R2 AD DC -> windows.com
> > > > > > > > > > > > >   as Forest Root Domain and acme.windows.com as transitive child
> > > > > > > > > > > > >   domain
> > > > > > > > > > > > >
> > > > > > > > > > > > > • RHEL7 as IPA server with domain: linux.com
> > > > > > > > > > > > >
> > > > > > > > > > > > > We have established a forest trust between windows.com and
> > > > > > > > > > > > > linux.com and everything seems OK from an IPA perspective.
> > > > > > > > > > > > >
> > > > > > > > > > > > > We can work with Kerberos tickets without any issue from the
> > > > > > > > > > > > > "windows" domain or its child domain "acme". (kinit, kvno...)
> > > > > > > > > > > > >
> > > > > > > > > > > > > When we use samba tools, the following command is working fine.
> > > > > > > > > > > > >
> > > > > > > > > > > > > [root@support1 ]# wbinfo -n 'WINDOWS\Domain Admins'
> > > > > > > > > > > > > S-1-5-21-1701591335-3855227394-3044674468-512 SID_DOM_GROUP (2)
> > > > > > > > > > > > >
> > > > > > > > > > > > > But, the same command against the acme domain returns an error.
> > > > > > > > > > > > >
> > > > > > > > > > > > > [root@support1 ]# wbinfo -n 'ACME\Domain Admins'
> > > > > > > > > > > > > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> > > > > > > > > > > > > Could not lookup name ACME\Domain Admins
> > > > > > > > > > > > >
> > > > > > > > > > > > > Same problem with the following command:
> > > > > > > > > > > > >
> > > > > > > > > > > > > [root@support1]# ipa group-add-member ad_users_external --external "ACME\Domain Users"
> > > > > > > > > > > > > [member user]:
> > > > > > > > > > > > > [member group]:
> > > > > > > > > > > > >   Group name: ad_users_external
> > > > > > > > > > > > >   Description: AD users external map
> > > > > > > > > > > > >   External member:
> > > > > > > > > > > > >   Member of groups: ad_users
> > > > > > > > > > > > >   Failed members:
> > > > > > > > > > > > >     member user:
> > > > > > > > > > > > >     member group: ACME\Domain Users: Cannot find specified domain or server name
> > > > > > > > > > > > > -------------------------
> > > > > > > > > > > > > Number of members added 0
> > > > > > > > > > > > > -------------------------
> > > > > > > > > > > > >
> > > > > > > > > > > > > Any help would be appreciated
> > > > > > > > > > > >
> > > > > > > > > > > > Does
> > > > > > > > > > > >
> > > > > > > > > > > > ipa trustdomain-find windows.com
> > > > > > > > > > > >
> > > > > > > > > > > > show acme.windows.com as well ?
> > > > > > > > > > > >
> > > > > > > > > > > > Does
> > > > > > > > > > > >
> > > > > > > > > > > > ipa trust-fetch-domains ad.devel
> > > > > > > > > > > >
> > > > > > > > > > > > help to retrieve the child domain?
> > > > > > > > > > > >
> > > > > > > > > > > > Please note that if acme.windows.com now shows up you might have to
> > > > > > > > > > > > wait 1-2 minutes until SSSD's negative caches are flushed and the
> > > > > > > > > > > > new domain is discovered by SSSD, as an alternative you can just
> > > > > > > > > > > > restart SSSD.
> > > > > > > > > > > >
> > > > > > > > > > > > HTH
> > > > > > > > > > > >
> > > > > > > > > > > > bye,
> > > > > > > > > > > > Sumit
> > > > > > > > > > > >
> > > > > > > > > > > > > Regards
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > > Manage your subscription for the Freeipa-users mailing list:
> > > > > > > > > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > > > > > > > > > > Go To http://freeipa.org for more info on the project
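As an added example (not part of the thread), the algorithmic ID generation Sumit mentions for an 'Active Directory domain range', checked against the numbers quoted above: the POSIX ID is the range's first POSIX ID plus the RID offset from the range's first RID, so the well-known Domain Users RID 513 in the ACME range gives the GID 365600513 that getent printed. The idrange text is constructed from the quoted output; parse_idrange and sid_to_posix_id are my own helpers, not IPA or SSSD code.

```python
# Constructed from the ipa idrange-find output quoted in the thread (the two
# Active Directory domain ranges; the local LINUX.COM range is omitted).
IDRANGE_OUTPUT = """\
  Range name: WINDOWS.COM_id_range
  First Posix ID of the range: 730200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1701591335-3855227394-3044674468
  Range type: Active Directory domain range
  Range name: ACME.WINDOWS.COM_id_range
  First Posix ID of the range: 365600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1215373191-1991333051-3772904882
  Range type: Active Directory domain range
"""

# Output labels mapped to the keys the lookup below uses.
FIELDS = {
    "First Posix ID of the range": "base_id",
    "Number of IDs in the range": "id_count",
    "First RID of the corresponding RID range": "base_rid",
    "Domain SID of the trusted domain": "domain_sid",
}

def parse_idrange(text):
    """Parse 'ipa idrange-find' output into a list of range dicts."""
    ranges, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue  # separators, counts, blank lines
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Range name":
            current = {"name": value}
            ranges.append(current)
        elif current is not None and key in FIELDS:
            current[FIELDS[key]] = int(value) if value.isdigit() else value
    return ranges

def sid_to_posix_id(sid, ranges):
    """POSIX ID for a SID: base_id + (RID - base_rid) of its domain's AD range.
    None if the domain has no AD range or the RID is outside the range size."""
    domain_sid, _, rid = sid.rpartition("-")
    for r in ranges:
        if r.get("domain_sid") != domain_sid:  # local range has no SID: skipped
            continue
        offset = int(rid) - r["base_rid"]
        if 0 <= offset < r["id_count"]:
            return r["base_id"] + offset
    return None
```

A None result is the algorithmic counterpart of the "Cannot find specified domain" failure: a SID whose domain has no matching range, or a RID beyond the range size, cannot be mapped and the lookup fails rather than silently reusing an ID.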