On Fri, 02 Oct 2015, Simo Sorce wrote:
On 02/10/15 04:06, Alexander Bokovoy wrote:
On Thu, 01 Oct 2015, Simo Sorce wrote:
On 01/10/15 03:15, Petr Spacek wrote:
On 30.9.2015 20:36, Matt Wells wrote:
Hi all, I hoped I may glean some brilliance from the group.
I have a FreeIPA server sitting atop a Fedora 21 server. The initial plan was to replicate users+passwords with a Windows 2012R2 server, but following some of the information in the other posts and docs we've moved to a trust. The trust has been set up using the documentation and in short it's worked without issue. I'm able to get principals from the Windows realm (marvel.comics.com). So what I'm attempting and failing to do is authenticating my IPA users to the Windows 8 desktops. Ideally I don't want any users in AD; it's simply there to deliver a GPO and in the next year it will be phased out and we'll be replacing Windows 8 with Linux desktops.

So
marvel.comics.com = windows
dc.comics.com = freeipa

# rpm -qi freeipa-server
Name        : freeipa-server
Version     : 4.1.4
Release     : 1.fc21
Architecture: x86_64
Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
Group       : System Environment/Base
Size        : 4521059
License     : GPLv3+
Signature   : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID 89ad4e8795a43f54
Source RPM  : freeipa-4.1.4-1.fc21.src.rpm
Build Date  : Thu 26 Mar 2015 03:16:19 PM UTC
Build Host  : buildhw-07.phx2.fedoraproject.org
[root@freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon Aug 17 22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
Fedora release 21 (Twenty One)

To cut to the chase, here's me logging into a Windows 8 desktop system. I try to log in 3 different ways; this system is a member of the marvel domain. Time is extremely close, close enough that I feel really good about ruling it out. Any light you all could shed on this would be outstanding. Thank you all for your time on this, I really appreciate all the time and effort this team puts into reading these posts.

Username: dc/greenlantern
Password: ************

[root@freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i greenlantern
[30/Sep/2015:17:55:33 +0000] conn=1172 op=46 SRCH base="dc=dc,dc=comics,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"

Username: greenlantern@dc
Password: ************


[30/Sep/2015:17:59:48 +0000] conn=1172 op=86 SRCH base="dc=dc,dc=comics,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"


Username: greenlan...@dc.comics.com
Password: ************

[30/Sep/2015:17:59:35 +0000] conn=1172 op=84 SRCH base="dc=dc,dc=comics,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5...@dc.comics.com@DC.COMICS.COM)(krbPrincipalName=greenlantern\5...@dc.comics.com@DC.COMICS.COM)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"


From what I can tell, everything looks good to wbinfo; we see the domain and he sees us. In the AD trust I can go under the trust and validate the trust with no issues.
[root@freeipaServer slapd-MARVEL-COMICS-COM]#  wbinfo --online-status
BUILTIN : online
DC : online
MARVEL : online
[root@freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info marvel.comics.com
Name              : MARVEL
Alt_Name          : marvel.comics.com
SID               : S-1-5-21-3495301974-2766379234-3984916731
Active Directory  : Yes
Native            : Yes
Primary           : No
[root@freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo -n 'MARVEL.COMICS.COM\Domain Admins'
S-1-5-21-3495301974-2766379234-3984916731-512 SID_DOM_GROUP (2)
[root@freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info marvel.comics.com
Name              : MARVEL
Alt_Name          : marvel.comics.com
SID               : S-1-5-21-3495301974-2766379234-3984916731
Active Directory  : Yes
Native            : Yes
Primary           : No

Unfortunately you will not be able to log into Windows workstations using IPA users, because FreeIPA is (at the moment) missing the Global Catalog component, which prevents Windows from working with IPA users.

It should work the other way around, but there is nothing you can do at the moment to make it work with IPA users in Windows. Global Catalog is several months away in the best case.

This is not entirely true.
There is no way to add IPA SIDs to the relevant authorization groups using the GUI tools in AD, but technically you can do that using command line tools and pasting in SIDs directly.
Authentication would be possible then; however, Windows clients will never be able to resolve SIDs to names, so looking at file permissions you will not be able to see user names, but only SIDs for IPA users. Some tools that may depend on SID->Name translation may also fail in unexpected ways.
Practically, you will not be able to log in to Windows workstations because the login screen will have to do Name->SID translation, which it wouldn't be able to do.

I do not think this is really true. I tested a while back that the PAC is used for Name -> SID of the logging-in user, but I do not know if all versions of Windows will work flawlessly this way.
At least Windows Server 2012 does the following when I try to log in interactively as EXAMPLE\admin (IPA admin) or ad...@example.com:

16:34:20.903405 IP (tos 0x2,ECT(0), ttl 128, id 18136, offset 0, flags [DF], proto TCP (6), length 52)
    wdc.adx.test.63757 > m1.example.com.kerberos: Flags [SEW], cksum 0xe350 (correct), seq 713019514, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:34:20.903539 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    m1.example.com.kerberos > wdc.adx.test.63757: Flags [S.], cksum 0x76c6 (incorrect -> 0xb654), seq 1716548939, ack 713019515, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:34:20.903674 IP (tos 0x0, ttl 128, id 18137, offset 0, flags [DF], proto TCP (6), length 40)
    wdc.adx.test.63757 > m1.example.com.kerberos: Flags [.], cksum 0x6837 (correct), seq 1, ack 1, win 256, length 0
16:34:20.903788 IP (tos 0x0, ttl 128, id 18138, offset 0, flags [DF], proto TCP (6), length 259)
    wdc.adx.test.63757 > m1.example.com.kerberos: Flags [P.], cksum 0xe08f (correct), seq 1:220, ack 1, win 256, length 219
16:34:20.903821 IP (tos 0x0, ttl 64, id 40856, offset 0, flags [DF], proto TCP (6), length 40)
    m1.example.com.kerberos > wdc.adx.test.63757: Flags [.], cksum 0x76ba (incorrect -> 0x676f), seq 1, ack 220, win 237, length 0
16:34:20.904727 IP (tos 0x0, ttl 64, id 40857, offset 0, flags [DF], proto TCP (6), length 202)
    m1.example.com.kerberos > wdc.adx.test.63757: Flags [P.], cksum 0x775c (incorrect -> 0x89b3), seq 1:163, ack 220, win 237, length 162
16:34:20.904778 IP (tos 0x0, ttl 64, id 40858, offset 0, flags [DF], proto TCP (6), length 40)
    m1.example.com.kerberos > wdc.adx.test.63757: Flags [F.], cksum 0x76ba (incorrect -> 0x66cc), seq 163, ack 220, win 237, length 0
16:34:20.904917 IP (tos 0x0, ttl 128, id 18139, offset 0, flags [DF], proto TCP (6), length 40)
    wdc.adx.test.63757 > m1.example.com.kerberos: Flags [.], cksum 0x66b9 (correct), seq 220, ack 164, win 256, length 0
16:34:20.905073 IP (tos 0x0, ttl 128, id 18140, offset 0, flags [DF], proto TCP (6), length 40)
    wdc.adx.test.63757 > m1.example.com.kerberos: Flags [F.], cksum 0x66b8 (correct), seq 220, ack 164, win 256, length 0
16:34:20.905133 IP (tos 0x0, ttl 64, id 33156, offset 0, flags [DF], proto TCP (6), length 40)
    m1.example.com.kerberos > wdc.adx.test.63757: Flags [.], cksum 0x66cb (correct), seq 164, ack 221, win 237, length 0
16:34:20.906033 IP (tos 0x0, ttl 128, id 18141, offset 0, flags [none], proto UDP (17), length 217)
    wdc.adx.test.50485 > m1.example.com.ldap: [udp sum ok] UDP, length 189
16:34:20.906434 IP (tos 0x0, ttl 64, id 64131, offset 0, flags [DF], proto UDP (17), length 190)
    m1.example.com.ldap > wdc.adx.test.50485: [bad udp cksum 0x775b -> 0xa778!] UDP, length 162

E.g. it tried to talk to the IPA KDC and, when that failed, it did a CLDAP ping to pick up information about the IPA domain.

The KDC log has the following:
Oct 02 13:33:41 m1.example.com krb5kdc[924](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.122.235: CLIENT_NOT_FOUND: admin@EXAMPLE for krbtgt/EXAMPLE@EXAMPLE, Client not found in Kerberos database
Oct 02 13:33:41 m1.example.com krb5kdc[924](info): closing down fd 12
Oct 02 13:34:20 m1.example.com krb5kdc[924](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.122.235: CLIENT_NOT_FOUND: admin@EXAMPLE for krbtgt/EXAMPLE@EXAMPLE, Client not found in Kerberos database
Oct 02 13:34:20 m1.example.com krb5kdc[924](info): closing down fd 12
Oct 02 13:35:08 m1.example.com krb5kdc[924](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.122.235: CLIENT_NOT_FOUND: admin\@example....@example.com for krbtgt/example....@example.com, Client not found in Kerberos database
Oct 02 13:35:08 m1.example.com krb5kdc[924](info): closing down fd 12

This is something more reasonable -- e.g. our DAL driver doesn't support a domain flat name as a realm and doesn't support proper handling of enterprise principals. This is something I have patches for to cover trusted forests' realms, but not our own. Maybe this is worth investigating first.

--
/ Alexander Bokovoy
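As an added illustration for readers of this thread (not code from the thread, from FreeIPA or from MIT Kerberos), the following Python script parses krb5kdc AS_REQ lines and 389-ds SRCH filters like the ones quoted above and labels the client principal form the KDC was asked about: a NetBIOS flat name used as the realm (admin@EXAMPLE), an enterprise principal with an escaped '@' inside the name (admin\@example.com@EXAMPLE.COM), or an ordinary name@REALM. The sample log lines are constructed to match the formats shown in the thread; the labels, function names and regular expressions are this example's own assumptions, not anything the projects provide.

```python
"""Classify the principal forms seen in krb5kdc and 389-ds access logs.

Added example for this thread (not FreeIPA or MIT Kerberos project code).
Labels used by classify_principal():
  "flat-realm"  NetBIOS domain name used as the realm (admin@EXAMPLE)
  "enterprise"  enterprise principal, escaped '@' in the name part
                (admin\\@example.com@EXAMPLE.COM)
  "standard"    ordinary name@REALM with a DNS-style realm
"""
import re
from collections import Counter
from typing import Optional

# krb5kdc AS_REQ line, e.g. the CLIENT_NOT_FOUND entries quoted in the thread.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): AS_REQ "
    r"\((?P<n_etypes>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>[^,\s]+)"
    r"(?:, (?P<msg>.*))?$"
)
# krbPrincipalName assertion inside a 389-ds SRCH filter string.
DS_PRINC_RE = re.compile(r"\(krbPrincipalName=(?P<princ>[^)]+)\)")


def parse_as_req(line: str) -> Optional[dict]:
    """Return the AS_REQ fields as a dict, or None for any other krb5kdc line."""
    m = AS_REQ_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]  # e.g. [18, 17, 23, 24, -135, 3]
    rec["msg"] = rec["msg"] or ""
    return rec


def split_principal(principal: str):
    """Split name@REALM on the last unescaped '@'; returns (name, realm)."""
    i = principal.rfind("@")
    if i <= 0 or principal[i - 1] == "\\":
        return principal, ""
    return principal[:i], principal[i + 1:]


def classify_principal(principal: str) -> str:
    """Label the principal form; see the module docstring for the labels."""
    name, realm = split_principal(principal)
    if "\\@" in name:
        return "enterprise"
    if realm and "." not in realm:
        return "flat-realm"
    return "standard"


def _ldap_unescape(value: str) -> str:
    """Decode RFC 4515 \\XX hex escapes (e.g. \\5c is a backslash) in a filter value."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def principal_from_ds_filter(line: str) -> Optional[str]:
    """Extract the krbPrincipalName the KDC looked up from a 389-ds SRCH line."""
    m = DS_PRINC_RE.search(line)
    return _ldap_unescape(m["princ"]) if m else None


def summarize(lines) -> Counter:
    """Count AS_REQ records by (client ip, KDC status, principal form)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_as_req(line)
        if rec is not None:
            counts[(rec["ip"], rec["status"], classify_principal(rec["client"]))] += 1
    return counts


# Constructed sample lines, shaped like the logs quoted in the thread.
SAMPLE_KDC_LOG = [
    "Oct 02 13:33:41 m1.example.com krb5kdc[924](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) "
    "192.168.122.235: CLIENT_NOT_FOUND: admin@EXAMPLE for krbtgt/EXAMPLE@EXAMPLE, Client not found in Kerberos database",
    "Oct 02 13:33:41 m1.example.com krb5kdc[924](info): closing down fd 12",
    "Oct 02 13:34:20 m1.example.com krb5kdc[924](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) "
    "192.168.122.235: CLIENT_NOT_FOUND: admin@EXAMPLE for krbtgt/EXAMPLE@EXAMPLE, Client not found in Kerberos database",
    "Oct 02 13:35:08 m1.example.com krb5kdc[924](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) "
    "192.168.122.235: CLIENT_NOT_FOUND: admin\\@example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database",
]
SAMPLE_DS_LOG = [
    '[30/Sep/2015:17:55:33 +0000] conn=1172 op=46 SRCH base="dc=dc,dc=comics,dc=com" scope=2 '
    'filter="(&(objectClass=krbprincipalaux)(|(ipaKrbPrincipalAlias=greenlantern@dc)(krbPrincipalName=greenlantern@dc)))"',
    '[30/Sep/2015:17:59:35 +0000] conn=1172 op=84 SRCH base="dc=dc,dc=comics,dc=com" scope=2 '
    'filter="(&(objectClass=krbprincipalaux)(|(ipaKrbPrincipalAlias=greenlantern\\5c@dc.comics.com@DC.COMICS.COM)'
    '(krbPrincipalName=greenlantern\\5c@dc.comics.com@DC.COMICS.COM)))"',
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_KDC_LOG).items()):
        print(f"{n:3d}  ip={key[0]} status={key[1]} form={key[2]}")
    for line in SAMPLE_DS_LOG:
        princ = principal_from_ds_filter(line)
        print(f"ds lookup: {princ!r} -> {classify_principal(princ)}")
```

Run against a real krb5kdc.log, the summary makes it obvious whether failed logins from a given Windows host are arriving with a flat realm or as enterprise principals, which is exactly the distinction the DAL driver limitation above turns on; the 389-ds side shows the same thing from the directory's point of view, once the `\5c` filter escape is decoded back to a backslash.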

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
