On Wed, Jul 27, 2016 at 05:02:59PM +0000, Kimery, Roger wrote:
> Hello,
>
> We are running IPA version: 4.2.0, API_version: 2.156 on CentOS 7.2.1511 (Core)
>
> Trust is configured with Windows 2008 R2 Enterprise Domain roottest1.com
>
> Below is output from ipa trustdomain-find
>
> Realm name: ROOTTEST1.COM
> Domain name: deluxetest1.com
> Domain NetBIOS name: DELUXETEST1
> Domain Security Identifier: S-1-5-21-254737954-3826080811-539560843
> Domain enabled: True
>
> Domain name: roottest1.com
> Domain NetBIOS name: ROOTTEST1
> Domain Security Identifier: S-1-5-21-3637171213-1932491363-3141112745
> Domain enabled: True
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> Users from roottest1.com domain work fine but users from deluxetest1.com
> domain cannot authenticate. As root you can su to users from both domains
> and run id with the expected output. Below is output from running id from a
> user in each domain:
>
> id [email protected]
> uid=908601177([email protected]) gid=908601177([email protected])
> groups=908601177([email protected]),908601174([email protected]),908601175([email protected]),908600513(domain [email protected]),1114800007(hbac-on-root-global),1114800006(lsar-on-root-global)
>
> id [email protected]
> uid=959201836([email protected]) gid=959201836([email protected])
> groups=959201836([email protected]),908601174([email protected]),908601175([email protected]),959202271([email protected]),959202270([email protected]),959200512(domain [email protected]),959200513(domain [email protected]),1114800007(hbac-on-root-global),1114800006(lsar-on-root-global),1114800010(lsar-on-global),1114800009(hbac-on-global)
>
> I have tried to make the groups in AD universal groups and have the groups
> from deluxetest1 as members to the related groups in roottest1 with no change
> in the results. These groups can be seen in the output above.
>
> Is there a way to get users from deluxetest1.com domain to function with the
> same results as users from roottest1.com?
>
> Please let me know what other information you need.
We need the SSSD logs:
https://fedorahosted.org/sssd/wiki/Troubleshooting
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project