I followed the directions from https://access.redhat.com/solutions/1354543
pretty much to the letter.

Everything was successful and seems to work well aside from the last step
of trying to resolve an AD user with the ID command on an IPA client.

[gould@mid-ipa-vp02 ~]$ id farus@test.osuwmc
id: farus@test.osuwmc: no such user

I enabled debugging in sssd. Here's what I saw in the lookup for "id
farus@test.osuwmc". It looks like the AD is returning no match when the
account exists.

(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[be_get_account_info] (0x0200): Got request for [0x1001][1][name=farus]
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[ipa_idmap_check_posix_child] (0x0080): No forest available for domain
[S-1-5-21-226267946-722566613-1883572810].
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[ipa_idmap_get_ranges_from_sysdb] (0x0040): ipa_idmap_check_posix_child
failed.
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new
domain for sid [S-1-5-21-226267946-722566613-1883572810]
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'test.osuwmc'
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is resolved
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[be_resolve_server_process] (0x0200): Found address for server
svr-addc-vt02.test.osuwmc: [10.80.5.240] TTL 3600
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility
level to [4]
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'test.osuwmc'
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is resolved
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[be_resolve_server_process] (0x0200): Found address for server
svr-addc-vt02.test.osuwmc: [10.80.5.240] TTL 3600
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[child_sig_handler] (0x0100): child [4587] finished successfully.
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_cli_auth_step] (0x0100): expire timeout is 900
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [sasl_bind_send]
(0x0100): Executing sasl bind mech: gssapi, user:
host/mid-ipa-vp01.unix.test.osuwmc
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[fo_set_port_status] (0x0100): Marking port 389 of server
'svr-addc-vt02.test.osuwmc' as 'working'
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[set_server_common_status] (0x0100): Marking server
'svr-addc-vt02.test.osuwmc' as 'working'
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_get_users_done] (0x0040): Failed to retrieve users
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[ipa_get_ad_acct_ad_part_done] (0x0080): Object not found, ending request
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success

The trust looks good.

[gould@mid-ipa-vp01 ~]$ kinit admin
Password for ad...@unix.test.OSUWMC:
[gould@mid-ipa-vp01 ~]$ ipa trust-show
Realm name: TEST.OSUWMC
  Realm name: test.osuwmc
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX
  Trust direction: Two-way trust
  Trust type: Active Directory domain
[gould@mid-ipa-vp01 ~]$


Any idea why it can't find the match?

Also, we're curious why it tries to resolve POSIX when we added the trust
with --range-type=ipa-ad-trust and not --range-type=ipa-ad-trust-posix.

The other question is how do you set or default to a one-way trust when
installing instead of a two-way one? We know how to modify the trust in IPA
and AD, but are a bit leery since we're not sure what all might break or
if we're modifying all that truly needs to be modified in IPA.


  Joshua



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project