On 08/10/2016 05:19 PM, Guy Knights wrote:
Ok, I increased the debug level as you recommended and it's given me a lot of useful info. Before I go any further trying to troubleshoot that mass of info on this mailing list though, I would like to double check something I came across. In the debug output I noticed this line:

"No ccache file for user [b...@ad.bbg.net] found."

I would not dwell much on this error message; I see the same error from the krb5_auth_prepare_ccache_name function when I successfully log in as an AD user on my IPA client (I suspect the ccache gets created shortly after). Higher debug levels mean there will be a lot of log messages that look like errors but may not be.

I then searched this error and found this thread in which the OP seems to have basically the same setup as me:

https://lists.fedorahosted.org/pipermail/sssd-users/2013-January/000379.html

I started playing with kinit on the ubuntu machine that I'm trying to log into, and got this error:

"kinit: Cannot find KDC for realm "AD.BBG.NET" while getting initial credentials"

After reading through some of the replies on the above thread, I saw a post that basically says that while the initial user info lookup is via FreeIPA, to actually authenticate a user the ipa client machine must connect directly to the AD controller. If this is true, it basically means the setup I was planning to use (FreeIPA in the cloud replicating/proxying local AD user accounts) is not going to work as I'd hoped. Could you confirm if this behaviour is in fact correct?

Yes, the IPA client at some point needs to communicate directly with AD for Kerberos; you should see this in /var/log/sssd/krb5_child.log.

This is explained better than I could here:

    The anatomy of a trusted identity lookup
    https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/

Kind regards,
Justin Stephenson
Thanks,
Guy

On 9 August 2016 at 18:47, Justin Stephenson <jstep...@redhat.com> wrote:

    Hello,

    You may need to increase the debug level to 9 and look in the
    sssd_<ipadomain>.log for failures after the failed login attempt.
    I would look in between the 'Got request for bobt...' and
    'Backend returned' log messages.

    https://fedorahosted.org/sssd/wiki/Troubleshooting

    You can also send the debug logs here for review.

    Make sure logins and lookups are working on the IPA server first
    before troubleshooting the IPA client.

    Kind regards,

    Justin Stephenson

    On 08/09/2016 07:32 PM, Guy Knights wrote:
    I've set up a FreeIPA server on a CentOS 7 machine and have
    successfully configured a 2-way trust between it and our Active
    Directory domain controller. I've also installed ipa-client on an
    Ubuntu 14.04 machine and have run ipa-client-install, which has
    apparently successfully joined the FreeIPA domain.

    So far, I can successfully do the following:

    1. Log into the FreeIPA machine with an AD user account.
    2. Log into the Ubuntu machine with a FreeIPA account.
    3. Run 'getent passwd <freeipa username>' on the Ubuntu machine
    and have it return the associated FreeIPA user account details
    (eg. "jackt:*:1131000005:1131000005:Jack Test:/home/ipa.bbg.net/jackt:/bin/bash")
    4. Run 'getent passwd <ad username>' on the Ubuntu machine and
    have it return the associated AD user account details (eg.
    "b...@ad.bbg.net:*:1946801107:1946801107::/home/ad.bbg.net/bobt:/bin/bash")

    What I can't do is log into the Ubuntu machine with the AD user.
    I'm using the following SSH command from the command line on my mac:

    ssh -o User=b...@ad.bbg.net vm1.bbg.com

    It asks me for the password, I enter it and it says permissions
    denied, please try again. I set the debug level in SSSD on the
    ubuntu client to 5 and this is what shows up in the log during
    the login attempt:

    (Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
    (Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
    (Tue Aug  9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request with the following data
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): domain: ad.bbg.net
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: b...@ad.bbg.net
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): service: sshd
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): tty: ssh
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): ruser:
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): rhost: 192.168.100.157
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): authtok type: 1
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): newauthtok type: 0
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): priv: 1
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): cli_pid: 16230
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [b...@ad.bbg.net] found.
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_resolve_server_process] (0x0200): Found address for server dc.ipa.bbg.net: [192.168.100.14] TTL 3600
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][ad.bbg.net]
    (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [child_sig_handler] (0x0100): child [16313] finished successfully.

    Can anyone explain why it's saying account info lookup failed
    when it can get the account info fine via getent?

    Thanks,
    Guy


--
Guy Knights
Senior Systems Engineer
BlueBat Games Inc.
Ph: 778-379-5120
Email: g...@bluebatgames.com


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
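Since most of this thread is reading sssd_<ipadomain>.log by eye, here is a small triage script as an added example (not code from the thread, from the SSSD project or from Red Hat). It pairs each data-provider 'Got request for [...]' line with the 'Request processed. Returned ...' line that answers it, pairs the PAM request with its 'Backend returned' line, and decodes the numeric codes in both so the failing step stands out. The request-type bits and dp_err values are an assumption taken from the SSSD 1.x data-provider headers and should be checked against the installed version; the PAM codes are the standard Linux-PAM return values; the embedded sample is the client excerpt posted above, re-joined onto one line per message and trimmed, with the address left obfuscated as it appears in the thread.

```python
"""Triage an SSSD back-end log (sssd_<ipadomain>.log): pair each data-provider
request with its result line, pair a PAM request with 'Backend returned', decode codes."""
import errno
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# SSSD data-provider request encoding. Assumption: values from SSSD 1.x dp_backend.h.
BE_REQ_TYPE_MASK, BE_REQ_FAST = 0x00FF, 0x1000   # FAST = cache-first lookup flag
BE_REQ_NAMES = {0x0001: "user", 0x0002: "group", 0x0003: "initgroups"}
DP_ERR_NAMES = {0: "DP_ERR_OK", 1: "DP_ERR_OFFLINE", 2: "DP_ERR_TIMEOUT", 3: "DP_ERR_FATAL"}  # same assumption
PAM_NAMES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",              # Linux-PAM
             7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}     # _pam_types.h

LINE_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[sssd\[be\[[^\]]+\]\]\] "
                     r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
REQ_RE = re.compile(r"Got request for \[(?P<type>\d+)\]\[\d+\]\[(?P<filter>[^\]]*)\]")
RET_RE = re.compile(r"Request processed\. Returned (?P<dp_err>\d+),(?P<err_no>\d+),(?P<text>.*)")
PAM_RET_RE = re.compile(r"Backend returned: \(\d+, (?P<pam>\d+), .*\)")
PAM_DATA_RE = re.compile(r"(?P<key>command|domain|user|service|rhost): ?(?P<val>.*)")

# Constructed sample: the client excerpt posted in the thread, re-joined to one
# line per message and trimmed to the lines this script looks at.
SAMPLE_LOG = """\
(Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
(Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug  9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: b...@ad.bbg.net
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): service: sshd
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
"""

def describe_request_type(code: int) -> str:
    base = BE_REQ_NAMES.get(code & BE_REQ_TYPE_MASK, f"type {code & BE_REQ_TYPE_MASK:#x}")
    return base + (" (fast)" if code & BE_REQ_FAST else "")   # 4097 -> "user (fast)"

@dataclass
class AccountLookup:
    ts: str
    req_type: int
    filter: str
    dp_err: Optional[int] = None     # None until the matching result line is seen
    err_no: Optional[int] = None
    text: str = ""

    def summary(self) -> str:
        status = "no result seen" if self.dp_err is None else (
            f"{DP_ERR_NAMES.get(self.dp_err, self.dp_err)}/"                  # errno names come from the
            f"{errno.errorcode.get(self.err_no, self.err_no)}: {self.text}")  # local table: decode on the log host
        return f"{self.ts} lookup {describe_request_type(self.req_type)} [{self.filter}] -> {status}"

@dataclass
class PamRequest:
    ts: str
    fields: Dict[str, str] = field(default_factory=dict)
    pam_status: Optional[int] = None

    def summary(self) -> str:
        status = ("no result seen" if self.pam_status is None
                  else PAM_NAMES.get(self.pam_status, f"PAM status {self.pam_status}"))
        return (f"{self.ts} {self.fields.get('command', 'PAM')} {self.fields.get('user', '?')} "
                f"via {self.fields.get('service', '?')} -> {status}")

def parse(log_text: str) -> Tuple[List[AccountLookup], List[PamRequest], List[str]]:
    lookups, pam_reqs, orphans = [], [], []   # orphans: result lines with no request to attach to
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, func, msg = m["ts"], m["func"], m["msg"]
        if func == "be_get_account_info" and (r := REQ_RE.search(msg)):
            lookups.append(AccountLookup(ts, int(r["type"]), r["filter"]))
        elif func == "acctinfo_callback" and (r := RET_RE.search(msg)):
            # Attach to the newest unanswered request, never to one already answered.
            pending = next((l for l in reversed(lookups) if l.dp_err is None), None)
            if pending is None:
                orphans.append(raw.strip())
            else:
                pending.dp_err, pending.err_no, pending.text = int(r["dp_err"]), int(r["err_no"]), r["text"]
        elif func == "be_pam_handler" and msg.startswith("Got request"):
            pam_reqs.append(PamRequest(ts))
        elif func == "pam_print_data" and pam_reqs and (r := PAM_DATA_RE.match(msg)):
            pam_reqs[-1].fields[r["key"]] = r["val"].strip()
        elif func == "be_pam_handler_callback" and pam_reqs and (r := PAM_RET_RE.search(msg)):
            pam_reqs[-1].pam_status = int(r["pam"])
    return lookups, pam_reqs, orphans

def findings(log_text: str) -> List[str]:
    """Failed lookups (dp_err != 0), failed PAM requests (status != PAM_SUCCESS), then orphans."""
    lookups, pam_reqs, orphans = parse(log_text)
    out = [l.summary() for l in lookups if l.dp_err not in (None, 0)]
    out += [p.summary() for p in pam_reqs if p.pam_status not in (None, 0)]
    return out + [f"unmatched result: {o}" for o in orphans]

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_LOG)))
```

On the excerpt this reports two failed lookups (the request typed 4097, which the assumed encoding decodes as a cache-first user lookup, and the request typed 3, an initgroups lookup, both DP_ERR_FATAL with errno 95) and one PAM_AUTHENTICATE request for sshd that ended in PAM_SYSTEM_ERR. The 'Returned 0,0,Success' line that arrives a second after the first request, with no request of its own in the excerpt, is kept as an unmatched result rather than silently attached to a request that was already answered. Run it on the machine that produced the log, since errno names are taken from the local table.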