On Wed, 03 Aug 2016, Jake wrote:
Hello All,
I'm new to FreeIPA and am having some issues with my endpoints.

First attempts to log in as usern...@legacy.example.org always fail with:
Logs on client:
sshd[3771]: Invalid user usern...@legacy.example.org from 192.168.1.123
sshd[3771]: input_userauth_request: invalid user usern...@legacy.example.org 
[preauth]

[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
[0x1001][1][name=username]
[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): 
ldap_extended_operation result: No such object(32), (null).
[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request 
failed.
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 0,0,Success (Success)
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
[0x1003][1][name=NOUSER]
[sssd[be[ipa.example.com]]] [sysdb_get_real_name] (0x0040): 
sysdb_search_object_by_uuid did not return a single result.
[sssd[be[ipa.example.com]]] [groups_by_user_done] (0x0040): Failed to 
canonicalize name, using [NOUSER].
[sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): 
Object not found, ending request
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 3,0,Account info lookup failed
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
[0x1001][1][idnumber=1644425765]
[sssd[be[ipa.example.com]]] [sdap_get_users_done] (0x0040): Failed to retrieve 
users
[sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): 
Object not found, ending request
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 3,0,Account info lookup failed
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
[0x1001][1][idnumber=1644425765]
[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): 
ldap_extended_operation result: No such object(32), (null).
[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request 
failed.
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 0,0,Success (Success)
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
[0x1001][1][idnumber=1644425765]
[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): 
ldap_extended_operation result: No such object(32), (null).
[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request 
failed.
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 0,0,Success (Success)
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
[0x1001][1][idnumber=1644425765]
[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): 
ldap_extended_operation result: No such object(32), (null).
[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request 
failed.
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 0,0,Success (Success)

Running the command 'getent passwd usern...@legacy.example.org' on the IPA 
server works fine.

Logs from server:
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
[0x1001][1][name=username]
[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0080): Sudomain 
lookup failed, will try to reset sudomain..
[sssd[be[ipa.example.com]]] [child_sig_handler] (0x0100): child [26269] 
finished successfully.
[sssd[be[ipa.example.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup 
of service 'legacy.example.org' as 'neutral'
[sssd[be[ipa.example.com]]] [fo_set_port_status] (0x0100): Marking port 0 of 
server '(no name)' as 'neutral'
[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0040): 
ipa_get_*_acct request failed: [1432158262]: Subdomain is inactive.
[sssd[be[ipa.example.com]]] [ipa_subdomain_account_done] (0x0040): 
ipa_get_*_acct request failed: 1432158262
[sssd[be[ipa.example.com]]] [ipa_account_info_error_text] (0x0020): Bug: 
dp_error is OK on failed request
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 3,1432158262,Account info lookup failed


Stuff:
(4) IPA Masters at ipa.example.com
(4) root domain controllers in example.com
(4) child domain controllers in new.example.com
(4) second domain in legacy.example.org

There is a (1) way trust between ipa.example.com and example.com (forest trust)
There is a (1) way trust between ipa.example.com and legacy.example.org (forest 
with single domain)
There is a (2) way trust between example.com and legacy.example.org (forest 
transitive trust)
Was the trust between example.com and legacy.example.org established
before establishing trust between IPA and any of those forest roots?

Can you check in the trust properties on AD side for both forest roots,
what is the state of name suffix routing to IPA domain? It should be
enabled for both.

If not, you need to solve conflicts.

There is a documentation reference on Microsoft side how to add
exclusion entries for name routing suffixes. This is the detailed
instruction:
https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx

For a configuration where:
 - AD example.com trusts IPA at ipa.example.com
 - AD example.org trusts AD example.com
 - an attempt is made to establish a trust between ipa.example.com and
   example.org, and a conflict is generated in example.org for the
   example.com namespace.

A sequence might be like the following one:
  1. Establish trust between example.com and ipa.example.com
  2. Establish trust between example.com and example.org
  3. Now, as Administrator in example.org, do what
https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx
describes for the trust 'example.com' and add an exclusion entry for
ipa.example.com
  4. Establish trust between ipa.example.com and example.org

It is important to add the exclusion entry before step 4, or there will
be a conflict recorded which cannot be cleared easily right now due to a
combination of bugs in both IPA and Active Directory.



Users are in legacy.example.org and new.example.com
User Computers are in new.example.com
Linux Servers are in ipa.example.com as hostname linux.example.com

Gist for krb5.conf 
https://gist.github.com/JakeDEvans/8e787bc5751d3d0e8f3b18943d63f00b
Gist for sssd.conf 
https://gist.github.com/JakeDEvans/ed34098b96b6e061095da85e1db58d70

all other configs unmodified.

Also, is it normal that the login is very slow?

Thanks All,
-Jake



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


--
/ Alexander Bokovoy
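A way to check the name suffix routing state Alexander asks about, without clicking through the trust properties dialog, is to read the msDS-TrustForestTrustInfo attribute of the trustedDomain object on the AD side and decode it. The following is an added example, not code from this thread, from FreeIPA or from SSSD. The record layout and flag values follow MS-ADTS 6.1.6.9.3 and MS-LSAD 2.2.7.25 as recalled by the example's author, and both sample blobs are constructed inline to mirror the sequence above: trust 'example.com' with an ipa.example.com exclusion entry as it should look after step 3, and the conflict that gets recorded on the 'ipa.example.com' trust if step 4 is run first.

```python
"""Decode an AD msDS-TrustForestTrustInfo blob and report name suffix routing
state per record.  Added example for this thread, not code from FreeIPA, SSSD
or the posters.  Layout and flags follow MS-ADTS 6.1.6.9.3 / MS-LSAD 2.2.7.25
as recalled by the example's author; sample blobs are constructed, not captured."""
from __future__ import annotations

import struct
from dataclasses import dataclass

RECORD_TYPES = {0: "TopLevelName", 1: "TopLevelNameEx", 2: "DomainInfo"}
# TopLevelName / TopLevelNameEx flags, then DomainInfo flags (MS-LSAD 2.2.7.25)
TLN_DISABLED_NEW, TLN_DISABLED_ADMIN, TLN_DISABLED_CONFLICT = 0x1, 0x2, 0x4
SID_DISABLED_ADMIN, SID_DISABLED_CONFLICT = 0x1, 0x2
NB_DISABLED_ADMIN, NB_DISABLED_CONFLICT = 0x4, 0x8


@dataclass
class ForestTrustRecord:
    record_type: str
    flags: int
    name: str          # DNS suffix (TLN / exclusion) or domain DNS name
    netbios: str = ""  # DomainInfo only
    sid: bytes = b""   # DomainInfo only, raw SID bytes

    @property
    def status(self) -> str:
        """'conflict' is the state that needs the exclusion-entry fix; 'disabled'
        covers both admin-disabled suffixes and new ones not yet enabled."""
        if self.record_type == "DomainInfo":
            conflict = SID_DISABLED_CONFLICT | NB_DISABLED_CONFLICT
            disabled = SID_DISABLED_ADMIN | NB_DISABLED_ADMIN
        else:
            conflict = TLN_DISABLED_CONFLICT
            disabled = TLN_DISABLED_ADMIN | TLN_DISABLED_NEW
        if self.flags & conflict:
            return "conflict"
        return "disabled" if self.flags & disabled else "enabled"


def _lv(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read a 4-byte little-endian length and that many bytes; reject overruns."""
    if pos + 4 > len(buf):
        raise ValueError("record truncated before length field")
    (n,) = struct.unpack_from("<I", buf, pos)
    if pos + 4 + n > len(buf):
        raise ValueError("length-prefixed field runs past end of record")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def parse_forest_trust_info(blob: bytes) -> list[ForestTrustRecord]:
    if len(blob) < 8:
        raise ValueError("blob too short for header")
    version, count = struct.unpack_from("<II", blob, 0)
    if version != 1:
        raise ValueError(f"unsupported version {version}")
    off, records = 8, []
    for _ in range(count):
        if off + 4 > len(blob):
            raise ValueError("record count exceeds blob length")
        (rec_len,) = struct.unpack_from("<I", blob, off)
        body = blob[off + 4:off + 4 + rec_len]  # RecordLen excludes itself
        if len(body) != rec_len or rec_len < 13:
            raise ValueError("truncated record")
        flags, _timestamp, rtype = struct.unpack_from("<IQB", body, 0)
        if rtype in (0, 1):
            name, _ = _lv(body, 13)
            records.append(ForestTrustRecord(RECORD_TYPES[rtype], flags, name.decode("utf-8")))
        elif rtype == 2:
            sid, pos = _lv(body, 13)
            dns, pos = _lv(body, pos)
            nb, _ = _lv(body, pos)
            records.append(ForestTrustRecord("DomainInfo", flags, dns.decode("utf-8"),
                                             nb.decode("utf-8"), sid))
        else:
            raise ValueError(f"unknown record type {rtype}")
        off += 4 + rec_len
    return records


def routing_report(blob: bytes) -> dict[str, str]:
    """Map 'Type:suffix' to routing state for every record in the blob."""
    return {f"{r.record_type}:{r.name}": r.status for r in parse_forest_trust_info(blob)}


# --- constructed sample data (not from any real forest) -------------------
def build_record(rtype: int, flags: int, *fields: bytes) -> bytes:
    body = struct.pack("<IQB", flags, 0, rtype)
    for f in fields:
        body += struct.pack("<I", len(f)) + f
    return struct.pack("<I", len(body)) + body


def build_blob(*records: bytes) -> bytes:
    return struct.pack("<II", 1, len(records)) + b"".join(records)


FAKE_SID = struct.pack("<BB6s4I", 1, 4, b"\x00\x00\x00\x00\x00\x05", 21, 1111, 2222, 3333)

# Trust 'example.com' as seen from example.org after step 3 above: example.com
# routes, and ipa.example.com is carved out by a TopLevelNameEx exclusion.
SAMPLE_OK = build_blob(
    build_record(0, 0, b"example.com"),
    build_record(1, 0, b"ipa.example.com"),
    build_record(2, 0, FAKE_SID, b"example.com", b"EXAMPLE"),
    build_record(2, 0, FAKE_SID, b"new.example.com", b"NEW"),
)
# Trust 'ipa.example.com' in example.org if step 4 ran before step 3: the
# suffix is recorded as disabled because it collides with example.com's TLN.
SAMPLE_CONFLICT = build_blob(build_record(0, TLN_DISABLED_CONFLICT, b"ipa.example.com"))

if __name__ == "__main__":
    for label, blob in (("example.com", SAMPLE_OK), ("ipa.example.com", SAMPLE_CONFLICT)):
        print(f"trust {label}:")
        for key, state in routing_report(blob).items():
            print(f"  {key:35s} {state}")
```

To run it against a real forest, pull the raw attribute value from the trustedDomain object (assuming the usual location, e.g. ldapsearch with base CN=example.com,CN=System,DC=example,DC=org and attribute msDS-TrustForestTrustInfo, base64-decoded) and feed it to routing_report(); any record reported as 'conflict' is the state that, per the reply above, has to be avoided by adding the exclusion entry before the second trust is created. The same suffix list is what the trust properties dialog and netdom trust /NameSuffixes: display.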
