On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote:
> On 06/29/2015 10:30 AM, Sumit Bose wrote:
> > On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote:
> >> On 06/26/2015 08:06 PM, Sumit Bose wrote:
> >>> On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:
> >>>>
> >>>> On 06/26/2015 02:38 PM, Sumit Bose wrote:
> >>>>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
> >>>>>> On 06/25/2015 05:44 PM, Sumit Bose wrote:
> >>>>>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
> >>>>>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
> >>>>>>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
> >>>>>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
> >>>>>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
> >>>>>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
> >>>>>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
> >>>>>>>>>>>>>> Hi everybody,
> >>>>>>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local, and an AD (Windows 2012 r2), mydomain.local.
> >>>>>>>>>>>>>> Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials (username@mydomain.local).
> >>>>>>>>>>>>>> But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: john....@otherdomain.com).
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Have you tried to log in to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' before to invalidate all cached entries so that the logs will contain all needed calls to AD.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Support for UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> bye,
> >>>>>>>>>>>>> Sumit
> >>>>>>>>>>>>
> >>>>>>>>>>>> First of all let me say that I feel like I'm missing some config somewhere..
> >>>>>>>>>>>> Changes tried in krb5.conf to support UPN suffixes didn't help.
> >>>>>>>>>>>> I can only access the server via ssh, so I've attached the logs for a successful login for account1@mydomain.local and an unsuccessful login for accou...@otherdomain.com done via ssh.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Bye and thanks for your help
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain.
> >>>>>>>>>>>
> >>>>>>>>>>> Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.
> >>>>>>>>>>>
> >>>>>>>>>>> bye,
> >>>>>>>>>>> Sumit
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Hi,
> >>>>>>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test.
> >>>>>>>>>>
> >>>>>>>>>> Here are the package versions for sssd:
> >>>>>>>>>>
> >>>>>>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
> >>>>>>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>> sssd-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64
> >>>>>>>>>
> >>>>>>>>> Please try the packages at http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
> >>>>>>>>>
> >>>>>>>>> bye,
> >>>>>>>>> Sumit
> >>>>>>>>
> >>>>>>>> Hi,
> >>>>>>>> I've installed the new RPMs; now if I run on the server:
> >>>>>>>>
> >>>>>>>> id account1@mydomain.local
> >>>>>>>> id accou...@otherdomain.com
> >>>>>>>> id accou...@sub.otherdomain.com
> >>>>>>>>
> >>>>>>>> all the users are found, but I'm still unable to log in via ssh with the accounts @otherdomain.com and @sub.otherdomain.com.
> >>>>>>>>
> >>>>>>>> Attached are the logs for an unsuccessful login for user accou...@otherdomain.com.
> >>>>>>>
> >>>>>>> Bother, I forgot to add the fix to the pam responder as well; please try new packages from http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .
> >>>>>>>
> >>>>>>> bye,
> >>>>>>> Sumit
> >>>>>>>
> >>>>>>
> >>>>>> Hi,
> >>>>>> I've updated all the packages but still no login.
> >>>>>>
> >>>>>> Logs follow.
> >>>>>
> >>>>> I found another issue in the logs which should be fixed by the build from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 .
> >>>>>
> >>>>> Please send the sssd_pam log file as well; it might contain more details about what goes wrong during authentication.
> >>>>>
> >>>>> bye,
> >>>>> Sumit
> >>>>>
> >>>>
> >>>> Hi,
> >>>> Packages updated, sssd and kerberos services restarted, cache flushed, but still no login on the IPA server.
> >>>>
> >>>> As before, logs attached. I've also included the logs generated by the restart of the sssd service because there were no logs in sssd_pam.log when trying to authenticate.
> >>>>
> >>>> Debug level is set to 6 in the sections:
> >>>>
> >>>> [domain/ipa.mydomain.local]
> >>>> [sssd]
> >>>> [nss]
> >>>> [pam]
> >>>>
> >>>> of /etc/sssd/sssd.conf; please tell me if this is enough or if I have to increase it.
> >>>>
> >>>
> >>> So far it is sufficient. I have another build for you to try at http://koji.fedoraproject.org/koji/taskinfo?taskID=10219343
> >>>
> >>> Thank you for your patience.
> >>
> >> Thanks for your help!!
> >>
> >> Still no successful login.. Logs attached
> >
> > Please increase the debug level at least for the domain log to 9 and attach the krb5_child log as well.
> >
>
> Debug level increased and logs attached..
>
> I'm sending this email again because I forgot to reply to the list...
Unfortunately the IPA KDC cannot redirect the Kerberos request to the AD realm because of https://fedorahosted.org/freeipa/ticket/3559. I'll try to figure out if this can be bypassed by tuning sssd.conf and krb5.conf. Please allow 2 days for setting up a suitable environment and testing different configurations.

bye,
Sumit

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
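The thread's troubleshooting loop repeatedly asks for higher `debug_level` values in specific sssd.conf sections (6 in `[domain/ipa.mydomain.local]`, `[sssd]`, `[nss]`, `[pam]`, then 9 for the domain log). The helper below is an added example, not code from the thread or from the SSSD project: it parses sssd.conf, reports which sections sit below a required minimum, and rewrites the file with those sections raised. The embedded sssd.conf is a constructed sample that mirrors the layout described in the thread; its `id_provider`/`auth_provider`/`services` lines and the `REQUIRED_LEVELS` table are assumptions chosen to match the thread's requests.

```python
import configparser
import io

# Constructed sample of /etc/sssd/sssd.conf mirroring the thread's layout:
# debug_level = 6 in [sssd], [domain/ipa.mydomain.local], [nss] and [pam].
# The provider/services lines are assumptions that make the sample realistic.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
domains = ipa.mydomain.local
debug_level = 6

[domain/ipa.mydomain.local]
id_provider = ipa
auth_provider = ipa
debug_level = 6

[nss]
debug_level = 6

[pam]
debug_level = 6
"""

# Minimum levels asked for in the thread: 9 for the domain log, 6 elsewhere
# (assumption: the section names match the ones listed in the thread).
REQUIRED_LEVELS = {
    "domain/ipa.mydomain.local": 9,
    "sssd": 6,
    "nss": 6,
    "pam": 6,
}


def parse_level(value):
    """SSSD accepts a decimal level (6) or a hex bitmask (0x1000)."""
    value = value.strip()
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def parse_sssd_conf(text):
    """Parse sssd.conf text. Interpolation is off because values may contain
    '%'; optionxform keeps key case so the file round-trips unchanged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def debug_levels(cp):
    """Map each section to its debug_level (None when the key is absent)."""
    return {
        section: (parse_level(cp[section]["debug_level"])
                  if "debug_level" in cp[section] else None)
        for section in cp.sections()
    }


def sections_below(cp, required):
    """Sections whose debug_level is missing or lower than the required
    minimum, mapped to their current level (None if unset or absent)."""
    current = debug_levels(cp)
    return {
        section: current.get(section)
        for section, minimum in required.items()
        if current.get(section) is None or current[section] < minimum
    }


def raise_levels(text, required):
    """Return new sssd.conf text with every under-configured section raised
    to its minimum; sections already at or above the minimum are untouched."""
    cp = parse_sssd_conf(text)
    for section in sections_below(cp, required):
        if not cp.has_section(section):
            cp.add_section(section)
        cp.set(section, "debug_level", str(required[section]))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    cp = parse_sssd_conf(SAMPLE_SSSD_CONF)
    print("sections needing a higher debug_level:",
          sections_below(cp, REQUIRED_LEVELS))
    print(raise_levels(SAMPLE_SSSD_CONF, REQUIRED_LEVELS))
```

On a real host the rewritten text would replace /etc/sssd/sssd.conf (mode 0600, owned by root, as SSSD requires), followed by the steps the thread already uses: restart sssd and run `sss_cache -E` so the next logon attempt is fully logged rather than served from cache. The `krb5_child` log Sumit asks for is produced by the domain section's level, which is why that one section needs 9 while the responders can stay at 6.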