On 08/10/2016 05:19 PM, Guy Knights wrote:
Ok, I increased the debug level as you recommended and it's given me a
lot of useful info. Before I go any further trying to troubleshoot
that mass of info on this mailing list though, I would like to double
check something I came across. In the debug output I noticed this line:
"No ccache file for user [[email protected]] found."
I would not dwell much on this error message, I see the same error from
the krb5_auth_prepare_ccache_name function when I successfully logged in
as an AD user on my IPA client (I suspect the ccache gets created shortly
after). Higher debug levels mean there will be a lot of log messages that
look like errors but may not be.
I then searched this error and found this thread in which the OP seems
to have basically the same setup as me:
https://lists.fedorahosted.org/pipermail/sssd-users/2013-January/000379.html
I started playing with kinit on the ubuntu machine that I'm trying to
log into, and got this error:
"kinit: Cannot find KDC for realm "AD.BBG.NET" while getting initial
credentials"
After reading through some of the replies on the above thread, I saw a
post that basically says that while the initial user info lookup is
via FreeIPA, to actually authenticate a user the ipa client machine
must connect directly to the AD controller. If this is true, it
basically means the setup I was planning to use (FreeIPA in the cloud
replicating/proxying local AD user accounts) is not going to work as
I'd hoped. Could you confirm if this behaviour is in fact correct?
Yes, the IPA client at some points needs to communicate directly with AD
for kerberos communication - you should see this in
/var/log/sssd/krb5_child.log
This is explained better than I could here:
The anatomy of a trusted identity lookup
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
Kind regards,
Justin Stephenson
Thanks,
Guy
On 9 August 2016 at 18:47, Justin Stephenson <[email protected]> wrote:
Hello,
You may need to increase the debug level to 9 and look in the
sssd_<ipadomain>.log for failures after the failed login attempt -
I would look in between the 'Got request for bobt...' and
'Backend returned' log messages.
https://fedorahosted.org/sssd/wiki/Troubleshooting
You can also send the debug logs here for review.
Make sure logins and lookups are working on the IPA server first
before troubleshooting the IPA client.
Kind regards,
Justin Stephenson
On 08/09/2016 07:32 PM, Guy Knights wrote:
I've set up a freeipa server on a centos 7 machine and have
successfully configured a 2-way trust between it and our active
directory domain controller. I've also installed ipa-client on an
ubuntu 14.04 machine and have run ipa-client-install, which has
apparently successfully joined the FreeIPA domain.
So far, I can successfully do the following:
1. Log into the FreeIPA machine with an AD user account.
2. Log into the Ubuntu machine with a FreeIPA account.
3. Run 'getent passwd <freeipa username>' on the Ubuntu machine
and have it return the associated FreeIPA user account details
(eg. "jackt:*:1131000005:1131000005:Jack Test:/home/ipa.bbg.net/jackt:/bin/bash")
4. Run 'getent passwd <ad username>' on the Ubuntu machine and
have it return the associated AD user account details (eg.
"[email protected]:*:1946801107:1946801107::/home/ad.bbg.net/bobt:/bin/bash")
What I can't do is log into the Ubuntu machine with the AD user.
I'm using the following SSH command from the command line on my mac:
ssh -o [email protected] vm1.bbg.com
It asks me for the password, I enter it and it says permissions
denied, please try again. I set the debug level in SSSD on the
ubuntu client to 5 and this is what shows up in the log during
the login attempt:
(Tue Aug 9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
(Tue Aug 9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug 9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): domain: ad.bbg.net
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: [email protected]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): service: sshd
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): tty: ssh
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): ruser:
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): rhost: 192.168.100.157
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): priv: 1
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): cli_pid: 16230
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [[email protected]] found.
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_resolve_server_process] (0x0200): Found address for server dc.ipa.bbg.net: [192.168.100.14] TTL 3600
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][ad.bbg.net]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [child_sig_handler] (0x0100): child [16313] finished successfully.
Can anyone explain why it's saying account info lookup failed
when it can get the account info fine via getent?
Thanks,
Guy
--
Guy Knights
Senior Systems Engineer
BlueBat Games Inc.
Ph: 778-379-5120
Email: [email protected]
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
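As an added example (not code from the thread, from SSSD or from FreeIPA), a small Python triage script for the sssd_<domain>.log lines Justin points at: it pairs each 'Got request for' with the acctinfo_callback result that answers it, reads the PAM status out of 'Backend returned', and counts the ccache notice separately so it is not mistaken for the actual failure. The PAM_STATUS names are Linux-PAM's own return codes; the sample lines are the ones quoted above with mail-archive link residue removed.

```python
import re
from collections import deque

# Shape of an sssd backend (sssd_<domain>.log) debug line, as quoted in the thread:
#   (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [function] (0x0100): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[(?P<comp>.+?)\] \[(?P<func>\w+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
REQ_RE = re.compile(r"Got request for \[(?P<type>\d+)\]\[\d+\]\[(?P<filter>[^\]]*)\]")
ACCT_RE = re.compile(r"Request processed\. Returned (?P<dp>\d+),(?P<err>\d+),(?P<text>.*)")
PAM_RE = re.compile(r"Backend returned: \(\d+, (?P<pam>\d+), ")
# Linux-PAM status values (from _pam_types.h) that be_pam_handler_callback reports.
PAM_STATUS = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR"}

def parse_line(line):
    """Split one line into ts, comp, func, level, msg; None if it is not a debug line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Pair each 'Got request for' with the acctinfo_callback answering it, record
    the PAM status the backend returned, and count the ccache notice separately."""
    pending = deque()           # requests awaiting their callback, in order
    report = {"lookups": [], "pam": [], "ccache_notices": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        func, msg = rec["func"], rec["msg"]
        if func == "be_get_account_info" and (m := REQ_RE.search(msg)):
            pending.append((m["type"], m["filter"]))
        elif func == "acctinfo_callback" and (m := ACCT_RE.search(msg)):
            # A callback whose request was not logged at this level is still reported.
            typ, flt = pending.popleft() if pending else ("?", "?")
            report["lookups"].append({"type": typ, "filter": flt,
                                      "ok": m["dp"] == "0", "text": m["text"]})
        elif func == "be_pam_handler_callback" and (m := PAM_RE.search(msg)):
            code = int(m["pam"])
            report["pam"].append(PAM_STATUS.get(code, f"pam={code}"))
        elif "No ccache file for user" in msg:
            report["ccache_notices"] += 1   # informational at this stage, per the thread
    return report

# Constructed sample: lines quoted in the thread, mail-archive link residue removed.
SAMPLE_LOG = """\
(Tue Aug 9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
(Tue Aug 9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug 9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [[email protected]] found.
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
"""
```

Run triage(SAMPLE_LOG.splitlines()) to get the failed lookup, the unpaired success callback and the PAM_SYSTEM_ERR result in one structure; point it at a real file's lines to scan a whole login attempt.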