> On 3 Aug 2016, at 20:14, Jake <free...@jacobdevans.com> wrote: > > Hello All, > I'm new to FreeIPA and am having some issues with my endpoints. > > First attempts to login as usern...@legacy.example.org always fail with: > Logs on client: > sshd[3771]: Invalid user usern...@legacy.example.org from 192.168.1.123 > sshd[3771]: input_userauth_request: invalid user usern...@legacy.example.org > [preauth] > > [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for > [0x1001][1][name=username] > [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): > ldap_extended_operation result: No such object(32), (null). > [sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop > request failed. > [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. > Returned 0,0,Success (Success) > [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for > [0x1003][1][name=NOUSER] > [sssd[be[ipa.example.com]]] [sysdb_get_real_name] (0x0040): > sysdb_search_object_by_uuid did not return a single result. > [sssd[be[ipa.example.com]]] [groups_by_user_done] (0x0040): Failed to > canonicalize name, using [NOUSER]. > [sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): > Object not found, ending request > [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. > Returned 3,0,Account info lookup failed > [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for > [0x1001][1][idnumber=1644425765] > [sssd[be[ipa.example.com]]] [sdap_get_users_done] (0x0040): Failed to > retrieve users > [sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): > Object not found, ending request > [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. > Returned 3,0,Account info lookup failed > [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for > [0x1001][1][idnumber=1644425765] > [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): > ldap_extended_operation result: No such object(32), (null). > [sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop > request failed. > [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. > Returned 0,0,Success (Success) > [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for > [0x1001][1][idnumber=1644425765] > [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): > ldap_extended_operation result: No such object(32), (null). > [sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop > request failed. > [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. > Returned 0,0,Success (Success) > [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for > [0x1001][1][idnumber=1644425765] > [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): > ldap_extended_operation result: No such object(32), (null). > [sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop > request failed.
OK, here looking up an ID failed. It would be interesting to see what happened with this lookup on the server. Normally I try to truncate the logs on both the server and the client, then run: date; id $username; date that allows to correlate logs from the server and the client and better pinpoint what fails.. > [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. > Returned 0,0,Success (Success) > > running the command 'getent password usern...@legacy.example.org' on the ipa > server works fine > > Logs from server: > [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for > [0x1001][1][name=username] > [sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0080): Sudomain > lookup failed, will try to reset sudomain.. This log line doesn't look so successful :-) but as long as the server returns 'something' from the cache, the client should grab it > [sssd[be[ipa.example.com]]] [child_sig_handler] (0x0100): child [26269] > finished successfully. > [sssd[be[ipa.example.com]]] [set_srv_data_status] (0x0100): Marking SRV > lookup of service 'legacy.example.org' as 'neutral' > [sssd[be[ipa.example.com]]] [fo_set_port_status] (0x0100): Marking port 0 of > server '(no name)' as 'neutral' > [sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0040): > ipa_get_*_acct request failed: [1432158262]: Subdomain is inactive. > [sssd[be[ipa.example.com]]] [ipa_subdomain_account_done] (0x0040): > ipa_get_*_acct request failed: 1432158262 > [sssd[be[ipa.example.com]]] [ipa_account_info_error_text] (0x0020): Bug: > dp_error is OK on failed request > [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. > Returned 3,1432158262,Account info lookup failed > > > Stuff: > (4) IPA Masters at ipa.example.com > (4) root domain controllers in example.com > (4) child domain controllers in new.example.com > (4) second domain in legacy.example.org > > There is a (1) way trust between ipa.example.com and example.com (forest > trust) Are all the replicas either trust masters or was ipa-adtrust-install ran on all of them? > There is a (1) way trust between ipa.example.com and legacy.example.org > (forest with single domain) > There is a (2) way trust between example.com and legacy.example.org (forest > transitive trust) > > Users are in legacy.example.org and new.example.com > User Computers are in new.example.com > Linux Servers are in ipa.example.com as hostname linux.example.com > > Gist for kbr5.conf > https://gist.github.com/JakeDEvans/8e787bc5751d3d0e8f3b18943d63f00b > Gist for sssd.conf > https://gist.github.com/JakeDEvans/ed34098b96b6e061095da85e1db58d70 > > all other configs unmodified. > > Also, is it normal that the login is very slow? If there is a lot of large groups the login can be very slow. We summarized the known workarounds here: https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/ and improved the performance quite a bit in rhel-7.3 > > Thanks All, > -Jake > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project