On 03/04/2015 08:55 PM, Nathan Peters wrote:
I am using FreeIPA 4.1.2 on CentOS 7.
Yes, AD users can login to all Linux / Centos machines.
Also, when I'm at a shell prompt on the FreeIPA DC, I can getent
passwd <aduser> and I see their info properly.
The guide you linked below is the first thing I read while trying to
troubleshoot this. It seems aimed toward older sssd clients < 1.9 and
not Solaris clients.
I will try this again tomorrow and confirm that the request is being
passed to the FreeIPA DC and rejected there. I was assuming that it
was being rejected by the Solaris machine.
Good that everything else works. That narrows things down.
Let us see whether the auth request hits SSSD and what happens then.
May be it is on Solaris. The password line should in fact point to the
compat tree as you noticed. But authentication should work.
May be it ts NS_LDAP_OBJECTCLASSMAP, the mention of shadow looks suspicious.
Also NS_LDAP_AUTH= none ... may be it should be some other value.
Also the configuration seems to be different from one described here:
http://www.freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html
or here
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
Those are old guides but still should be relevant to Solaris configuration.
Just use compat tree as recent docs prescribe.
-----Original Message----- From: Dmitri Pal
Sent: Wednesday, March 04, 2015 4:36 PM
To: [email protected]
Subject: Re: [Freeipa-users] AD trust users cannot login to Solaris
On 03/04/2015 07:24 PM, [email protected] wrote:
I have successfully setup a Solaris 10 client so that internal FreeIPA
users can login, get the correct shell, and can sudo to root using ldap.
The problem is that the AD trusted users cannot login. I have read all
the freeIPA docs about enabling legacy clients, and they say to use the
compat tree. I'm pretty sure I'm already doing this. Here is the
contents of the ldap_client_file from my Solaris machine (which was
downloaded automatically when I did ldapclient init):
#
# Do not edit this file manually; your changes will be lost.Please use
ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ipadc1.mydomain.net
NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=net
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC=
group:cn=groups,cn=compat,dc=mydomain,dc=net
NS_LDAP_SERVICE_SEARCH_DESC=
passwd:cn=users,cn=accounts,dc=mydomain,dc=net
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
I see that the users are coming from the accounts tree and the groups
are
coming from the compat tree. Is this right? The trust was created with
--enable-compat so I'm surprised that only the groups are coming from
the
compat tree.
Does FreeIPA serve up an improperly configured DefaultDUAProfile?
I couldn't login with this configuration, so I switched the passwd
line to
cn=compat just to test, but that didn't seem to work.
Here is the result of getent passwd on solaris (last 2 lines):
admin:x:375200000:375200000:Administrator:/home/admin:/bin/bash
ipauser1:x:375200006:375200006:ipa user1:/home/ipauser1:/bin/bash
So once again, we can see FreeIPA users, but not AD users.
I don't think this is a Solaris problem because when I go onto my
windows
desktop and load ldp.exe and view the ldap tree, I can view
cn=compat,dc=mydomain,dc=net
However, the compat tree has a users section that only includes my
FreeIPA
internal users. So my questions are :
1.)What is the point of a compat tree in FreeIPA if it doesn't list
AD users?
2.)How do I get my compat tree to list my AD users?
3.)If there is something manual I have to do to make my compat tree show
AD users, why is this not done when enable the trust with
--enable-compat.
>From what I can see, my compat tree basically contains the exact same
users and groups as my regular tree, so it will never allow a client
using
ldap only auth to see the AD users?
What version of IPA are you using?
Have you verified that trust actually works by looking up or
authenticating with the AD users on the SSSD client or on the server
itself?
The compat tree fills the data dynamically as you need it. When an AD
user accesses Solaris box Solaris would authenticate against the compat
tree. Compat tree will use SSSD on the server to authenticate against
the AD. It seems that this part is failing. SSSD logs from the IPA
server with high debug level would be helpful.
More info is here:
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
