On Mon, Jun 29, 2015 at 03:49:37PM +0200, Jakub Hrozek wrote:
> On Mon, Jun 29, 2015 at 03:11:57PM +0200, Sumit Bose wrote:
> > On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote:
> > > On 06/29/2015 10:30 AM, Sumit Bose wrote:
> > > > On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote:
> > > >> On 06/26/2015 08:06 PM, Sumit Bose wrote:
> > > >>> On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:
> > > >>>>
> > > >>>>
> > > >>>> On 06/26/2015 02:38 PM, Sumit Bose wrote:
> > > >>>>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
> > > >>>>>> On 06/25/2015 05:44 PM, Sumit Bose wrote:
> > > >>>>>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
> > > >>>>>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
> > > >>>>>>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
> > > >>>>>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
> > > >>>>>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
> > > >>>>>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
> > > >>>>>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
> > > >>>>>>>>>>>>>> Hi everybody,
> > > >>>>>>>>>>>>>> I established a bidirectional trust between an IPA server 
> > > >>>>>>>>>>>>>> (version 4.1.0 on
> > > >>>>>>>>>>>>>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 
> > > >>>>>>>>>>>>>> r2), mydomain.local.
> > > >>>>>>>>>>>>>> Everything is working fine, and I'm able to authenticate 
> > > >>>>>>>>>>>>>> and logon on a linux
> > > >>>>>>>>>>>>>> host joined to IPA server using AD credentials 
> > > >>>>>>>>>>>>>> (username@mydomain.local).
> > > >>>>>>>>>>>>>> But active directory is configured with two more UPN 
> > > >>>>>>>>>>>>>> suffixes (otherdomain.com
> > > >>>>>>>>>>>>>> and sub.otherdomain.com), and I cannot logon with 
> > > >>>>>>>>>>>>>> credentials using alternative
> > > >>>>>>>>>>>>>> UPN (example: john....@otherdomain.com).
> > > >>>>>>>>>>>>>>
> > > >>>>>>>>>>>>>> How can I make this possible? Another trust (ipa 
> > > >>>>>>>>>>>>>> trust-add) with the same AD?
> > > >>>>>>>>>>>>>> Manual configuration of krb5 and/or sssd?
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> Have you tried to login to an IPA client or the server? 
> > > >>>>>>>>>>>>> Please try with
> > > >>>>>>>>>>>>> an IPA server first. If this does not work it would be nice 
> > > >>>>>>>>>>>>> if you can
> > > >>>>>>>>>>>>> send the SSSD log files from the IPA server which are 
> > > >>>>>>>>>>>>> generated during
> > > >>>>>>>>>>>>> the logon attempt. Please call 'sss_cache -E' before to 
> > > >>>>>>>>>>>>> invalidate all
> > > >>>>>>>>>>>>> cached entries so that the logs will contain all needed 
> > > >>>>>>>>>>>>> calls to AD.
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> Using UPN suffixes was added to the AD provider some time 
> > > >>>>>>>>>>>>> ago and the
> > > >>>>>>>>>>>>> code is available in the IPA provider as well, but I guess 
> > > >>>>>>>>>>>>> no one has
> > > >>>>>>>>>>>>> actually tried this before.
> > > >>>>>>>>>>>>>
> > > >>>>>>>>>>>>> bye,
> > > >>>>>>>>>>>>> Sumit
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>> First of all let me say that I feel like I'm missing some 
> > > >>>>>>>>>>>> config somewhere.
> > > >>>>>>>>>>>> Changes tried in krb5.conf to support UPN suffixes didn't 
> > > >>>>>>>>>>>> help.
> > > >>>>>>>>>>>> I can only access the server via ssh so I've attached the 
> > > >>>>>>>>>>>> logs for a successful
> > > >>>>>>>>>>>> login for account1@mydomain.local and an unsuccessful login 
> > > >>>>>>>>>>>> for
> > > >>>>>>>>>>>> accou...@otherdomain.com done via ssh.
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>> Bye and thanks for your help
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>
> > > >>>>>>>>>>> It looks like the request is not properly propagated to 
> > > >>>>>>>>>>> sub-domains (the
> > > >>>>>>>>>>> trusted AD domain) but only sent to the IPA domain.
> > > >>>>>>>>>>>
> > > >>>>>>>>>>> Would it be possible for you to run a test build of SSSD 
> > > >>>>>>>>>>> which might fix
> > > >>>>>>>>>>> this? If yes, which version of SSSD are you currently using? 
> > > >>>>>>>>>>> Then I can
> > > >>>>>>>>>>> prepare a test build with the patch on top of this version.
> > > >>>>>>>>>>>
> > > >>>>>>>>>>> bye,
> > > >>>>>>>>>>> Sumit
> > > >>>>>>>>>>>
> > > >>>>>>>>>>
> > > >>>>>>>>>> Hi,
> > > >>>>>>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and 
> > > >>>>>>>>>> I'm available for
> > > >>>>>>>>>> any test.
> > > >>>>>>>>>>
> > > >>>>>>>>>> Here's the packages version for sssd:
> > > >>>>>>>>>>
> > > >>>>>>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64
> > > >>>>>>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
> > > >>>>>>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
> > > >>>>>>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
> > > >>>>>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
> > > >>>>>>>>>> sssd-1.12.2-58.el7_1.6.x86_64
> > > >>>>>>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
> > > >>>>>>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64
> > > >>>>>>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
> > > >>>>>>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
> > > >>>>>>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
> > > >>>>>>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64
> > > >>>>>>>>>
> > > >>>>>>>>> Please try the packages at
> > > >>>>>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
> > > >>>>>>>>>
> > > >>>>>>>>> bye,
> > > >>>>>>>>> Sumit
> > > >>>>>>>>
> > > >>>>>>>> Hi,
> > > >>>>>>>> I've installed the new RPMs, now if I run on the server:
> > > >>>>>>>>
> > > >>>>>>>> id account1@mydomain.local
> > > >>>>>>>> id accou...@otherdomain.com
> > > >>>>>>>> id accou...@sub.otherdomain.com
> > > >>>>>>>>
> > > >>>>>>>> all the users are found but I'm still unable to log in via ssh 
> > > >>>>>>>> with the accounts
> > > >>>>>>>> @otherdomain.com and @sub.otherdomain.com.
> > > >>>>>>>>
> > > >>>>>>>> In attachment the logs for unsuccessful login for user 
> > > >>>>>>>> accou...@otherdomain.com.
> > > >>>>>>>
> > > >>>>>>> Bother, I forgot to add the fix to the pam responder as well, 
> > > >>>>>>> please try
> > > >>>>>>> new packages from
> > > >>>>>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .
> > > >>>>>>>
> > > >>>>>>> bye,
> > > >>>>>>> Sumit
> > > >>>>>>>
> > > >>>>>>
> > > >>>>>> Hi,
> > > >>>>>> I've updated all the packages but still no login.
> > > >>>>>>
> > > >>>>>> Logs follow.
> > > >>>>>
> > > >>>>> I found another issue in the logs which should be fixed by the build
> > > >>>>> from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 .
> > > >>>>>
> > > >>>>> Please send the sssd_pam log file as well it might contain more 
> > > >>>>> details
> > > >>>>> about what goes wrong during authentication.
> > > >>>>>
> > > >>>>> bye,
> > > >>>>> Sumit
> > > >>>>>
> > > >>>>
> > > >>>> Hi,
> > > >>>> packages updated, sssd and kerberos services restarted, cache flushed 
> > > >>>> but still
> > > >>>> no login on the IPA server.
> > > >>>>
> > > >>>> As before, logs attached. I've also included the logs generated by 
> > > >>>> the restart
> > > >>>> of sssd service because there were no logs in sssd_pam.log when 
> > > >>>> trying to
> > > >>>> authenticate.
> > > >>>>
> > > >>>> Debug level is set to 6 in the sections:
> > > >>>>
> > > >>>> [domain/ipa.mydomain.local]
> > > >>>> [sssd]
> > > >>>> [nss]
> > > >>>> [pam]
> > > >>>>
> > > >>>> of /etc/sssd/sssd.conf, please tell me if this is enough or if I 
> > > >>>> have to
> > > >>>> increase it.
> > > >>>>
> > > >>>
> > > >>> So far it is sufficient. I have another build for you to try at
> > > >>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10219343
> > > >>>
> > > >>> Thank you for your patience.
> > > >>
> > > >> Thanks for your help!!
> > > >>
> > > >> Still no successful login.. Logs attached
> > > > 
> > > > Please increase the debug level at least for the domain log to 9 and
> > > > attach the krb5_child log as well.
> > > > 
> > > 
> > > Debug level increased and logs attached..
> > > 
> > > I'm sending this email again because I forgot to reply to the list...
> > 
> > Unfortunately the IPA KDC cannot redirect the Kerberos request to the
> > AD realm because of https://fedorahosted.org/freeipa/ticket/3559. I'll
> > try to figure out if this can be bypassed by tuning sssd.conf and
> > krb5.conf.
> 
> (Without seeing the logs, just throwing in an idea)
> 
> Would it help to try out the subdomain_inherit option to point principal
> to something that doesn't exist for a subdomain and let sssd guess the
> principal based on the realm name?

Unfortunately not for this use case, because the principals should be
used at the login prompt and to recognize them we have to read them
first.

bye,
Sumit

> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

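The last reply above explains why a configuration trick cannot replace the fix: a login name such as account2@otherdomain.com carries an alternative UPN suffix, not a Kerberos realm, so the principal has to be looked up in AD before anyone can know which realm should answer the authentication request. The following Python is an added illustration of that lookup, not SSSD's, FreeIPA's or any list member's code. The account entries, the set of advertised UPN suffixes and the functions naive_realm and resolve_login are all constructed for this example; it assumes, as AD's LDAP matching does, that userPrincipalName comparisons are case-insensitive.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class AdUser:
    """One AD account as it would look after being read from the forest."""
    sam_account_name: str
    domain: str   # DNS name of the AD domain that holds the account
    upn: str      # userPrincipalName; its suffix may be an alternative UPN suffix


@dataclass(frozen=True)
class Resolution:
    user: AdUser
    realm: str        # Kerberos realm that actually owns the account
    principal: str    # client name to put in the AS-REQ
    enterprise: bool  # True when the UPN suffix differs from the realm's DNS name


# Constructed sample data, loosely modelled on the thread: one AD domain,
# three accounts, two of them using alternative UPN suffixes.
SAMPLE_USERS = (
    AdUser("account1", "mydomain.local", "account1@mydomain.local"),
    AdUser("account2", "mydomain.local", "account2@otherdomain.com"),
    AdUser("john", "mydomain.local", "john@sub.otherdomain.com"),
)

# UPN suffixes the forest advertises (constructed; in practice read from AD).
SAMPLE_SUFFIXES = frozenset({"mydomain.local", "otherdomain.com", "sub.otherdomain.com"})


def naive_realm(login: str) -> str:
    """The guess that fails: treat whatever follows '@' as the realm name.

    For account2@otherdomain.com this yields OTHERDOMAIN.COM, a realm that
    does not exist, so the KDC has nowhere to send the request.
    """
    return login.rsplit("@", 1)[1].upper()


def resolve_login(login: str,
                  users: Iterable[AdUser] = SAMPLE_USERS,
                  suffixes: Set[str] = SAMPLE_SUFFIXES) -> Optional[Resolution]:
    """Map a login name to the account and the realm it belongs to, or None."""
    login = login.strip()
    if "@" not in login:
        return None
    _, suffix = login.rsplit("@", 1)
    suffix = suffix.lower()
    # Refuse suffixes the forest does not own instead of guessing a realm.
    if suffix not in suffixes:
        return None
    # Match on the full UPN, case-insensitively, against the entries read from AD.
    for user in users:
        if user.upn.lower() == login.lower():
            realm = user.domain.upper()
            enterprise = suffix != user.domain.lower()
            principal = user.upn if enterprise else f"{user.sam_account_name}@{realm}"
            return Resolution(user, realm, principal, enterprise)
    return None


if __name__ == "__main__":
    for name in ("account1@mydomain.local", "account2@otherdomain.com",
                 "ghost@otherdomain.com"):
        print(name, "-> naive:", naive_realm(name), "| resolved:", resolve_login(name))
```

The resolver only ever derives the realm from the domain that holds the account, never from the suffix typed at the prompt, and it rejects suffixes the forest does not advertise rather than sending a request for a realm nobody owns. That is the ordering the reply above describes: read the principals first, then decide where to authenticate.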