Hello All, 
I'm new to FreeIPA and am having some issues with my endpoints. 

First attempts to log in as usern...@legacy.example.org always fail with:
Logs on client: 
sshd[3771]: Invalid user usern...@legacy.example.org from 192.168.1.123
sshd[3771]: input_userauth_request: invalid user usern...@legacy.example.org [preauth]

[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=username]
[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1003][1][name=NOUSER]
[sssd[be[ipa.example.com]]] [sysdb_get_real_name] (0x0040): sysdb_search_object_by_uuid did not return a single result.
[sssd[be[ipa.example.com]]] [groups_by_user_done] (0x0040): Failed to canonicalize name, using [NOUSER].
[sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][idnumber=1644425765]
[sssd[be[ipa.example.com]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
[sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][idnumber=1644425765]
[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][idnumber=1644425765]
[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][idnumber=1644425765]
[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)

Running the command 'getent passwd usern...@legacy.example.org' on the IPA server works fine.

Logs from server: 
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=username]
[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0080): Sudomain lookup failed, will try to reset sudomain..
[sssd[be[ipa.example.com]]] [child_sig_handler] (0x0100): child [26269] finished successfully.
[sssd[be[ipa.example.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'legacy.example.org' as 'neutral'
[sssd[be[ipa.example.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'neutral'
[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [1432158262]: Subdomain is inactive.
[sssd[be[ipa.example.com]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 1432158262
[sssd[be[ipa.example.com]]] [ipa_account_info_error_text] (0x0020): Bug: dp_error is OK on failed request
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158262,Account info lookup failed


Stuff: 
(4) IPA Masters at ipa.example.com 
(4) root domain controllers in example.com 
(4) child domain controllers in new.example.com 
(4) second domain in legacy.example.org 

There is a (1) way trust between ipa.example.com and example.com (forest trust) 
There is a (1) way trust between ipa.example.com and legacy.example.org (forest 
with single domain) 
There is a (2) way trust between example.com and legacy.example.org (forest 
transitive trust) 

Users are in legacy.example.org and new.example.com 
User Computers are in new.example.com
Linux Servers are in ipa.example.com as hostname linux.example.com 

Gist for krb5.conf
https://gist.github.com/JakeDEvans/8e787bc5751d3d0e8f3b18943d63f00b 
Gist for sssd.conf 
https://gist.github.com/JakeDEvans/ed34098b96b6e061095da85e1db58d70 

All other configs unmodified.

Also, is it normal that the login is very slow? 

Thanks All, 
-Jake 

