Another thing I noticed is:

[root@kwtpocpbis01 ~]# kinit admin
Password for admin@SOLARIS.LOCAL:
[root@kwtpocpbis01 ~]# ipa trust-fetch-domains infra.com
ipa: DEBUG: importing all plugin modules in
'/usr/lib/python2.7/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/idviews.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/otpconfig.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken_yubikey.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: Starting external process
ipa: DEBUG: args='klist' '-V'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=Kerberos 5 version 1.12.2

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/radiusproxy.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/realmdomains.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/rpcclient.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'search' '@s' 'user'
'ipa_session_cookie:admin@SOLARIS.LOCAL'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=35095713

ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'pipe' '35095713'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;
Domain=kwtpocpbis01.solaris.local; Path=/ipa; Expires=Tue, 17 Mar 2015
10:23:58 GMT; Secure; HttpOnly
ipa: DEBUG: stderr=
ipa: DEBUG: found session_cookie in persistent storage for principal
'admin@SOLARIS.LOCAL', cookie:
'ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;
Domain=kwtpocpbis01.solaris.local; Path=/ipa; Expires=Tue, 17 Mar 2015
10:23:58 GMT; Secure; HttpOnly'
ipa: DEBUG: setting session_cookie into context
'ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;'
ipa: INFO: trying https://kwtpocpbis01.solaris.local/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient
ipa: DEBUG: raw: trust_fetch_domains(u'infra.com', rights=False, all=False,
raw=False, version=u'2.113')
ipa: DEBUG: trust_fetch_domains(u'infra.com', rights=False, all=False,
raw=False, version=u'2.113')
ipa: INFO: Forwarding 'trust_fetch_domains' to json server '
https://kwtpocpbis01.solaris.local/ipa/session/json'
ipa: DEBUG: NSSConnection init kwtpocpbis01.solaris.local
ipa: DEBUG: Connecting: 172.16.107.244:0
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
        Version:       3 (0x2)
        Serial Number: 9 (0x9)
        Signature Algorithm:
            Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: CN=Certificate Authority,O=SOLARIS.LOCAL
        Validity:
            Not Before: Wed Mar 04 16:08:30 2015 UTC
            Not After:  Sat Mar 04 16:08:30 2017 UTC
        Subject: CN=kwtpocpbis01.solaris.local,O=SOLARIS.LOCAL
        Subject Public Key Info:
            Public Key Algorithm:
                Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    b7:bd:18:57:5f:27:23:87:78:32:51:25:25:2f:32:eb:
                    b7:d7:7e:3d:91:e0:58:26:24:92:3c:c7:f3:f9:88:b6:
                    e6:d1:61:b7:d3:f7:30:61:4e:d7:59:70:bd:62:86:a3:
                    51:ae:8e:ed:bc:7e:df:4d:5f:40:89:82:50:ad:a7:76:
                    8a:2c:83:a7:51:41:8d:d9:0f:06:6e:f9:a8:f3:7c:38:
                    bc:af:28:14:cb:d1:ee:49:75:a0:07:c0:45:44:81:b1:
                    48:3d:ab:be:69:12:d2:e1:07:c7:e8:62:32:ac:88:19:
                    22:c5:4c:04:f8:b8:c1:57:71:c2:fc:13:fd:51:67:6d:
                    2a:6a:1e:f6:4a:28:95:b2:90:83:9f:f9:ca:f8:0e:10:
                    aa:49:a4:00:76:1a:22:16:25:91:f2:d1:c7:f4:23:a5:
                    da:40:f6:e4:5a:b3:17:56:aa:e3:3c:74:d5:30:85:1c:
                    54:99:0d:dc:1e:62:46:cf:a9:dc:96:82:06:08:8d:92:
                    56:5d:02:fe:de:00:f2:5f:c7:07:e3:ee:1c:51:32:73:
                    f4:5c:94:c1:6d:04:ae:6d:2c:f4:4d:21:c2:da:42:db:
                    76:fe:f0:01:6d:69:94:25:20:68:54:20:16:be:11:51:
                    00:3b:2f:d8:e8:5a:6b:b8:91:ec:41:e1:8f:f6:14:eb
                Exponent:
                    65537 (0x10001)
    Signed Extensions: (6 total)
        Name:     Certificate Authority Key Identifier
        Critical: False
        Key ID:
            52:ae:39:5b:0b:ea:85:4d:5e:11:08:7e:55:49:c9:1c:
            04:e8:76:ea
        Serial Number: None
        General Names: [0 total]

        Name:     Authority Information Access
        Critical: False
        Authority Information Access: [1 total]
            Info [1]:
                Method:   PKIX Online Certificate Status Protocol
                Location: URI: http://ipa-ca.solaris.local/ca/ocsp

        Name:     Certificate Key Usage
        Critical: True
        Usages:
            Digital Signature
            Non-Repudiation
            Key Encipherment
            Data Encipherment

        Name:     Extended Key Usage
        Critical: False
        Usages:
            TLS Web Server Authentication Certificate
            TLS Web Client Authentication Certificate

        Name:     CRL Distribution Points
        Critical: False
        CRL Distribution Points: [1 total]
            Point [1]:
                General Names: [1 total]
                    http://ipa-ca.solaris.local/ipa/crl/MasterCRL.bin
                Issuer:  Directory Name: CN=Certificate Authority,O=ipaca
                Reasons: ()

        Name:     Certificate Subject Key ID
        Critical: False
        Data:
            29:0f:9e:4d:a1:62:bf:ae:67:ca:82:f1:c2:6b:18:20:
            fb:40:db:c9

    Signature:
        Signature Algorithm:
            Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Signature:
            b7:76:76:ab:bf:ca:b0:4a:a3:7b:db:a8:fd:b3:15:4f:
            b6:6a:28:b5:e9:1b:55:2d:e2:f6:dc:f1:16:ee:4d:8e:
            b6:5b:5c:fc:0d:32:5f:07:69:92:92:01:45:f5:c5:e0:
            15:b7:30:62:d2:46:c0:d7:2f:74:e8:9a:5c:99:ba:01:
            dc:a2:fb:02:f8:3f:31:9f:15:51:87:c0:38:c2:86:5b:
            1e:dc:ab:10:a2:93:6b:88:b2:31:35:9d:ac:09:38:1b:
            d8:ad:19:67:96:e4:55:8e:f6:9e:e3:99:be:cd:28:16:
            69:16:3d:57:b4:23:43:79:f4:22:6d:a7:07:55:59:6e:
            a0:b7:23:99:7c:4d:28:55:fb:88:88:e8:24:f0:67:af:
            4a:f5:b8:60:b6:d1:5d:42:10:6f:9f:83:c0:9c:db:d2:
            12:4d:ac:18:d0:17:c1:e3:77:83:c7:14:13:1f:73:d0:
            f3:ee:25:bb:72:cb:6d:bb:da:4b:ca:fc:25:ea:09:0a:
            09:5f:6e:51:3d:e2:5e:63:9c:0f:d5:4f:cb:d8:88:be:
            4c:e6:b2:05:74:ed:2e:25:72:c4:0a:c7:84:47:97:28:
            79:a5:a0:1d:6d:b4:86:55:e7:61:3f:df:db:1c:cc:37:
            24:a7:3e:40:35:12:f9:45:08:d6:3f:ca:74:34:51:ee
        Fingerprint (MD5):
            73:b9:df:20:b1:f5:b7:29:55:de:88:88:9f:8b:ab:e7
        Fingerprint (SHA1):
            91:83:4b:fa:2f:c0:dc:3e:cc:e4:35:bf:69:f3:db:6c:
            7f:ca:1b:21
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for
"CN=kwtpocpbis01.solaris.local,O=SOLARIS.LOCAL"
ipa: DEBUG: handshake complete, peer = 172.16.107.244:443
ipa: DEBUG: received Set-Cookie
'ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;
Domain=kwtpocpbis01.solaris.local; Path=/ipa; Expires=Tue, 17 Mar 2015
10:24:32 GMT; Secure; HttpOnly'
ipa: DEBUG: storing cookie 'ipa_session=cf8484a2b0ee0f8f3fe2cac8c6ad7570;
Domain=kwtpocpbis01.solaris.local; Path=/ipa; Expires=Tue, 17 Mar 2015
10:24:32 GMT; Secure; HttpOnly' for principal admin@SOLARIS.LOCAL
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'search' '@s' 'user'
'ipa_session_cookie:admin@SOLARIS.LOCAL'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=35095713

ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'search' '@s' 'user'
'ipa_session_cookie:admin@SOLARIS.LOCAL'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=35095713

ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'pupdate' '35095713'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Destroyed connection context.rpcclient
ipa: ERROR: Insufficient access: CIFS server denied your credentials



And it accepts the password for admin, and I am able to see the tickets:

[root@kwtpocpbis01 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@SOLARIS.LOCAL

Valid starting       Expires              Service principal
03/17/2015 13:04:29  03/18/2015 13:04:26  krbtgt/SOLARIS.LOCAL@SOLARIS.LOCAL



On Tue, Mar 17, 2015 at 12:57 PM, Ben .T.George <bentech4...@gmail.com>
wrote:

> Hi,
>
> I have enabled debug.
>
> Here is my sssd.conf:
>
> [root@kwtpocpbis01 ~]# cat /etc/sssd/sssd.conf
> [domain/solaris.local]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = solaris.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = kwtpocpbis01.solaris.local
> chpass_provider = ipa
> ipa_server = kwtpocpbis01.solaris.local
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = solaris.local
> debug_level = 6
> [nss]
> homedir_substring = /home
> debug_level = 6
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
>
> LOGS:
>
> sssd.log:
>
> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging
> solaris.local
> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging
> sudo
> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging ssh
> (Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging pac
> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service nss
> replied to ping
> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service sudo
> replied to ping
> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service pam
> replied to ping
> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service ssh
> replied to ping
> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service
> solaris.local replied to ping
> (Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service pac
> replied to ping
>
>
> error_log:
>
> [root@kwtpocpbis01 ~]# tail -f /var/log/httpd/error_log
> [Tue Mar 17 11:26:25.458878 2015] [:error] [pid 15175] ipa: INFO: ***
> PROCESS START ***
> [Tue Mar 17 11:26:25.603536 2015] [:error] [pid 15176] ipa: DEBUG:
> session_auth_duration: 0:20:00
> [Tue Mar 17 11:26:25.609112 2015] [:error] [pid 15176] ipa: DEBUG:
> session_auth_duration: 0:20:00
> [Tue Mar 17 11:26:25.655477 2015] [:error] [pid 15176] ipa: DEBUG:
> Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
> [Tue Mar 17 11:26:25.655597 2015] [:error] [pid 15176] ipa: DEBUG:
> session_auth_duration: 0:20:00
> [Tue Mar 17 11:26:25.681652 2015] [:error] [pid 15176] ipa: DEBUG:
> Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
> [Tue Mar 17 11:26:25.681849 2015] [:error] [pid 15176] ipa: DEBUG:
> session_auth_duration: 0:20:00
> [Tue Mar 17 11:26:25.754351 2015] [:error] [pid 15176] ipa: INFO: ***
> PROCESS START ***
> p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
> [Tue Mar 17 11:26:28.847563 2015] [:warn] [pid 15377] NSSProtocol:
>  Unknown protocol 'tlsv1.2' not supported
>
> secure:
> [root@kwtpocpbis01 log]# tail -f secure
> Mar 17 12:35:41 kwtpocpbis01 sshd[15714]: subsystem request for sftp by
> user root
> Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: Accepted password for root from
> 10.18.2.130 port 64141 ssh2
> Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: pam_unix(sshd:session): session
> opened for user root by (uid=0)
> Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: subsystem request for sftp by
> user root
> Mar 17 12:39:12 kwtpocpbis01 sshd[14507]: pam_unix(sshd:session): session
> closed for user root
> Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: Invalid user bo...@infra.com
> from 10.18.2.130
> Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: input_userauth_request: invalid
> user bo...@infra.com [preauth]
> Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth): check pass;
> user unknown
> Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.18.2.130
> Mar 17 12:41:04 kwtpocpbis01 sshd[15816]: Failed password for invalid user
> bo...@infra.com from 10.18.2.130 port 64470 ssh2
>
> Mar 17 12:44:56 kwtpocpbis01 sshd[15840]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.18.2.130  user=b...@infra.com
> Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.18.2.130 user=b...@infra.com
> Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: Accepted password for
> b...@infra.com from 10.18.2.130 port 64782 ssh2
> Mar 17 12:44:59 kwtpocpbis01 sshd[15840]: pam_unix(sshd:session): session
> opened for user b...@infra.com by (uid=0)
>
>
>
> On Tue, Mar 17, 2015 at 12:09 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>
>> On Tue, Mar 17, 2015 at 11:37:24AM +0300, Ben .T.George wrote:
>> > HI List
>> >
>> > i was following this link :
>> > http://www.freeipa.org/page/Active_Directory_trust_setup#Assumptions
>> > to setup IPA server
>> >
>> > my IPA version is 4.1.2
>> >
>> > every step in this tutorial passed without any error
>> >
>> > even "*Allow access for users from AD domain to protected resources*"
>> > went successfully
>> > my current issue is that only one user, called ben, is able to log in to the IPA
>> > server. Please check below:
>> >
>> > [root@kwtpocpbis01 ~]# getent passwd b...@infra.com
>> > b...@infra.com:*:531001104:531001104:ben:/home/infra.com/ben:
>> > [root@kwtpocpbis01 ~]# getent passwd bo...@infra.com
>> > [root@kwtpocpbis01 ~]# getent passwd administra...@infra.com
>> > [root@kwtpocpbis01 ~]#
>> >
>> > the users ben & bobby are in the same group (Domain users), but bobby is not
>> > able to log in to IPA, and no information is returned when querying for him.
>> > Please help me to fix this issue. I don't know where I need to troubleshoot
>> > this issue.
>>
>> Can you increase debug_level in both [nss] and [domain] sections on the
>> server and paste the logs here?
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>