Hello.

My mission is to install an FreeIPA instance as subdomain of AD, and to allow AD users to login to some Linux servers. I Installed and configured it, but i meet a problem, AD users are not allowed to login to FreeIPA .


A piece of everything:

AD = adexample.com ( 2008R2 )
IPA =ipa.adexample.com

# ipa --version
VERSION: 4.1.0, API_VERSION: 2.112

# sssd --version
1.12.2

# hostname
otp1tst86.ipa.adexample.com

# uname -a
Linux otp1tst86.ipa.adexample.com 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_1nRCjmt
Default principal: administra...@adexample.com

Valid starting       Expires              Service principal
08/05/2015 16:30:32 08/06/2015 02:14:53 krbtgt/ipa.adexample....@adexample.com
        renew until 08/06/2015 16:14:50
08/05/2015 16:14:53  08/06/2015 02:14:53 krbtgt/adexample....@adexample.com
        renew until 08/06/2015 16:14:50


# cat sssd.conf
[domain/ipa.adexample.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.adexample.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = otp1tst86.ipa.adexample.com
chpass_provider = ipa
ipa_server = otp1tst86.ipa.adexample.com
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa
[sssd]
services = nss, sudo, pam, ssh, pac
config_file_version = 2


sudo_provider = ldap
ldap_uri = ldap://otp1tst86.ipa.adexample.com
ldap_sudo_search_base = ou=sudoers,dc=ipa, dc=adexample,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/otp1tst86.ipa.adexample.com
ldap_sasl_realm = IPA.ADEXAMPLE.COM
krb5_server = otp1tst86.ipa.adexample.com

domains = ipa.adexample.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]




# egrep "^[^#]" /etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus
sudoers: files sss


Here I can see AD users.
# wbinfo -ug
ADEXAMPLE\administrator
ADEXAMPLE\guest
ADEXAMPLE\krbtgt
ADEXAMPLE\abrajnicov
ADEXAMPLE\ipa$
ADEXAMPLE\kuzea
admins
editors
default smb group
ad_admins
ADEXAMPLE\domain computers
ADEXAMPLE\domain controllers
ADEXAMPLE\schema admins
ADEXAMPLE\enterprise admins
ADEXAMPLE\domain admins
ADEXAMPLE\domain users
ADEXAMPLE\domain guests
ADEXAMPLE\group policy creator owners
ADEXAMPLE\read-only domain controllers
ADEXAMPLE\enterprise read-only domain controllers
ADEXAMPLE\dnsupdateproxy


[root@otp1tst86 ~]# id ad...@ipa.adexample.com
uid=1466400000(admin) gid=1466400000(admins) groups=1466400000(admins)
[root@otp1tst86 ~]# id ku...@adexample.com
id: ku...@adexample.com: no such user

So you can see that AD users is not visible to sssd.




# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPA.ADEXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 IPA.ADEXAMPLE.COM = {
  kdc = otp1tst86.ipa.adexample.com:88
  master_kdc = otp1tst86.ipa.adexample.com:88
  admin_server = otp1tst86.ipa.adexample.com:749
  default_domain = ipa.adexample.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
auth_to_local = RULE:[1:$1@$0](^.*@ADEXAMPLE.COM$)s/@ADEXAMPLE.COM/@adexample.com/
  auth_to_local = DEFAULT
}


[domain_realm]
 .ipa.adexample.com = IPA.ADEXAMPLE.COM
 ipa.adexample.com = IPA.ADEXAMPLE.COM
 .adexample.com = ADEXAMPLE.COM
 adexample.com = ADEXAMPLE.COM

[dbmodules]
  IPA.ADEXAMPLE.COM = {
    db_library = ipadb.so
  }


# wbinfo -n 'adexample\Domain Admins'
S-1-5-21-4094320520-3357938610-121029971-512 SID_DOM_GROUP (2)


But when I try to login to a server using ssh I meet these error:
Aug 05 16:40:28 otp1tst86.ipa.adexample.com sshd[3997]: Invalid user ku...@adexample.com from ::1 Aug 05 16:40:28 otp1tst86.ipa.adexample.com sshd[3997]: input_userauth_request: invalid user ku...@adexample.com [preauth] Aug 05 16:40:34 otp1tst86.ipa.adexample.com sshd[3997]: pam_unix(sshd:auth): check pass; user unknown Aug 05 16:40:34 otp1tst86.ipa.adexample.com sshd[3997]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost Aug 05 16:40:37 otp1tst86.ipa.adexample.com sshd[3997]: Failed password for invalid user ku...@adexample.com from ::1 port 32809 ssh2


I don't know if these information is sufficient. But I hope that someone will help me to troubleshoot the problem.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to