On 03/13/2015 04:19 PM, Gould, Joshua wrote:
I followed the directions from https://access.redhat.com/solutions/1354543
pretty much to the letter.

Everything was successful and seems to work well aside from the last step
of trying to resolve an AD user with the ID command on an IPA client.

[gould@mid-ipa-vp02 ~]$ id farus@test.osuwmc
id: farus@test.osuwmc: no such user

I enabled debugging in sssd. Here's what I saw in the lookup for "id
farus@test.osuwmc". It looks like the AD is returning no match when the
account exists.

(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[be_get_account_info] (0x0200): Got request for [0x1001][1][name=farus]
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[ipa_idmap_check_posix_child] (0x0080): No forest available for domain
[S-1-5-21-226267946-722566613-1883572810].
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[ipa_idmap_get_ranges_from_sysdb] (0x0040): ipa_idmap_check_posix_child
failed.
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new
domain for sid [S-1-5-21-226267946-722566613-1883572810]
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'test.osuwmc'
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is resolved
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[be_resolve_server_process] (0x0200): Found address for server
svr-addc-vt02.test.osuwmc: [10.80.5.240] TTL 3600
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility
level to [4]
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'test.osuwmc'
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is resolved
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[be_resolve_server_process] (0x0200): Found address for server
svr-addc-vt02.test.osuwmc: [10.80.5.240] TTL 3600
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[child_sig_handler] (0x0100): child [4587] finished successfully.
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_cli_auth_step] (0x0100): expire timeout is 900
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [sasl_bind_send]
(0x0100): Executing sasl bind mech: gssapi, user:
host/mid-ipa-vp01.unix.test.osuwmc
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[fo_set_port_status] (0x0100): Marking port 389 of server
'svr-addc-vt02.test.osuwmc' as 'working'
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[set_server_common_status] (0x0100): Marking server
'svr-addc-vt02.test.osuwmc' as 'working'
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_get_users_done] (0x0040): Failed to retrieve users
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[ipa_get_ad_acct_ad_part_done] (0x0080): Object not found, ending request
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success

The trust looks good.

[gould@mid-ipa-vp01 ~]$ kinit admin
Password for ad...@unix.test.OSUWMC:
[gould@mid-ipa-vp01 ~]$ ipa trust-show
Realm name: TEST.OSUWMC
   Realm name: test.osuwmc
   Domain NetBIOS name: TEST
   Domain Security Identifier: S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX
   Trust direction: Two-way trust
   Trust type: Active Directory domain
[gould@mid-ipa-vp01 ~]$


Any idea why it can't find the match?

Also, we're curious why it tries to resolve POSIX when we added the trust
with --range-type=ipa-ad-trust and not --range-type=ipa-ad-trust-posix.

I would leave it to the AD trust gurus to reply to the above.

Here are the upstream pointers; maybe there is something that will give you a hint:
http://www.freeipa.org/page/Active_Directory_trust_setup


Other question is how do you set or default to a one way trust when
installing instead of a two way? We know how to modify the trust in IPA
and AD, but are a bit leery since we're not sure what all might break or
if we're modifying all that truly needs to be modified in IPA.

There is no way to turn the trust off in the current version; however, there is no harm in that, because IPA users would not be authorized to do anything in the AD domain. They can authenticate but cannot really do anything with any AD resources, because those would try to get the user resolved to a SID to check the ACLs, and IPA does not have global catalog support yet to respond to those queries.

We are working to make one way trusts possible before providing global catalog service in IPA.



   Joshua

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
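As an added illustration (not part of the thread above, and not sssd's or FreeIPA's own code), here is a small Python parser for the sssd debug format quoted in the log: it folds mail-wrapped records back together, then pulls out the failure-level entries (0x0010 through 0x0080 per the debug_level table in sssd.conf(5)) and the domain SIDs they mention. The sample log is constructed from the lines quoted in the thread.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the debug output quoted in the thread,
# wrapped the way a mail client wraps it (continuation lines are folded back).
SAMPLE_LOG = """\
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=farus]
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[ipa_idmap_check_posix_child] (0x0080): No forest available for domain
[S-1-5-21-226267946-722566613-1883572810].
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[ipa_idmap_get_ranges_from_sysdb] (0x0040): ipa_idmap_check_posix_child
failed.
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is resolved
(Fri Mar 13 15:13:24 2015) [sssd[be[unix.test.osuwmc]]]
[sdap_get_users_done] (0x0040): Failed to retrieve users
"""

START_RE = re.compile(r"^\([A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4}\)")
RECORD_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<comp>[^ ]+)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$")
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}")
# Failure levels of sssd's debug_level bitmask (sssd.conf(5)); 0x0100 and up are informational.
FAILURE_LEVELS = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor"}
Record = namedtuple("Record", "ts comp func level msg")

def parse_sssd_log(text):
    """Fold wrapped lines back into whole records (a record starts with sssd's
    '(Day Mon DD HH:MM:SS YYYY)' timestamp; anything else is wrap), then parse each."""
    joined = []
    for line in text.splitlines():
        if START_RE.match(line) or not joined:
            joined.append(line.rstrip())
        else:
            joined[-1] += " " + line.strip()
    records = []
    for rec in joined:
        m = RECORD_RE.match(rec)
        if m:
            records.append(Record(m["ts"], m["comp"], m["func"], int(m["level"], 16), m["msg"]))
    return records

def triage(records):
    """Failure-level records in log order, plus every domain SID the log mentions."""
    failures = [(r.func, FAILURE_LEVELS[r.level], r.msg)
                for r in records if r.level in FAILURE_LEVELS]
    sids = sorted({s for r in records for s in SID_RE.findall(r.msg)})
    return {"failures": failures, "sids": sids}
```

Running triage(parse_sssd_log(SAMPLE_LOG)) lists the three failure records in order (the idmap check, the range lookup that depends on it, and the final user retrieval) together with the single AD domain SID they all refer to, which is the chain a practitioner wants to see before looking at the ID range configuration.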

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project