Hmm, ok. In that case, I guess I need to rethink my setup. Thanks again for all your help!
Kind regards,
Guy

On 10 August 2016 at 14:46, Justin Stephenson <[email protected]> wrote:

> On 08/10/2016 05:19 PM, Guy Knights wrote:
>
> Ok, I increased the debug level as you recommended and it's given me a lot of useful info. Before I go any further trying to troubleshoot that mass of info on this mailing list though, I would like to double check something I came across. In the debug output I noticed this line:
>
> "No ccache file for user [[email protected]] found."
>
> I would not dwell much on this error message, I see the same error from the krb5_auth_prepare_ccache_name function when I successfully logged in as an AD user on my IPA client (I suspect the ccache gets created shortly after). Higher debug logs means there will be a lot of log messages that look like errors but may not be.
>
> I then searched this error and found this thread in which the OP seems to have basically the same setup as me:
>
> https://lists.fedorahosted.org/pipermail/sssd-users/2013-January/000379.html
>
> I started playing with kinit on the ubuntu machine that I'm trying to log into, and got this error:
>
> "kinit: Cannot find KDC for realm "AD.BBG.NET" while getting initial credentials"
>
> After reading through some of the replies on the above thread, I saw a post that basically says that while the initial user info lookup is via FreeIPA, to actually authenticate a user the ipa client machine must connect directly to the AD controller. If this is true, it basically means the setup I was planning to use (FreeIPA in the cloud replicating/proxying local AD user accounts) is not going to work as I'd hoped. Could you confirm if this behaviour is in fact correct?
>
> Yes, the IPA client at some points needs to communicate directly with AD for kerberos communication - you should see this in /var/log/sssd/krb5_child.log
>
> This is explained better than I could here:
>
> The anatomy of a trusted identity lookup
> https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
>
> Kind regards,
> Justin Stephenson
>
> Thanks,
> Guy
>
> On 9 August 2016 at 18:47, Justin Stephenson <[email protected]> wrote:
>
>> Hello,
>>
>> You may need to increase the debug level to 9 and look in the sssd_<ipadomain>.log for failures after the failed login attempt - I would look in between log messages 'Got request for bobt...' and 'Backend returned' messages
>>
>> https://fedorahosted.org/sssd/wiki/Troubleshooting
>>
>> You can also send the debug logs here for review.
>>
>> Make sure logins and lookups are working on the IPA server first before troubleshooting the IPA client.
>>
>> Kind regards,
>>
>> Justin Stephenson
>>
>> On 08/09/2016 07:32 PM, Guy Knights wrote:
>>
>> I've set up a freeipa server on a centos 7 machine and have successfully configured a 2-way trust between it and our active directory domain controller. I've also installed ipa-client on an ubuntu 14.04 machine and have run ipa-client-install, which has apparently successfully joined the FreeIPA domain.
>>
>> So far, I can successfully do the following:
>>
>> 1. Log into the FreeIPA machine with an AD user account.
>> 2. Log into the Ubuntu machine with a FreeIPA account.
>> 3. Run 'getent passwd <freeipa username>' on the Ubuntu machine and have it return the associated FreeIPA user account details (eg. "jackt:*:1131000005:1131000005:Jack Test:/home/ipa.bbg.net/jackt:/bin/bash")
>> 4. Run 'getent passwd <ad username>' on the Ubuntu machine and have it return the associated AD user account details (eg. "[email protected]:*:1946801107:1946801107::/home/ad.bbg.net/bobt:/bin/bash")
>>
>> What I can't do is log into the Ubuntu machine with the AD user. I'm using the following SSH command from the command line on my mac:
>>
>> ssh -o [email protected] vm1.bbg.com
>>
>> It asks me for the password, I enter it and it says permissions denied, please try again. I set the debug level in SSSD on the ubuntu client to 5 and this is what shows up in the log during the login attempt:
>>
>> (Tue Aug 9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
>> (Tue Aug 9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
>> (Tue Aug 9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request with the following data
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): domain: ad.bbg.net
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: [email protected]
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): service: sshd
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): tty: ssh
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): ruser:
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): rhost: 192.168.100.157
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): authtok type: 1
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): newauthtok type: 0
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): priv: 1
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): cli_pid: 16230
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [[email protected]] found.
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_resolve_server_process] (0x0200): Found address for server dc.ipa.bbg.net: [192.168.100.14] TTL 3600
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][ad.bbg.net]
>> (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [child_sig_handler] (0x0100): child [16313] finished successfully.
>>
>> Can anyone explain why it's saying account info lookup failed when it can get the account info fine via getent?
>>
>> Thanks,
>> Guy
>
> --
> Guy Knights
> Senior Systems Engineer
> BlueBat Games Inc.
> Ph: 778-379-5120
> Email: [email protected]

--
Guy Knights
Senior Systems Engineer
BlueBat Games Inc.
Ph: 778-379-5120
Email: [email protected]
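As an added example (not code from the thread or from SSSD), a small parser that does what Justin suggests: it pairs each backend "Got request for ..." line with its "Request processed. Returned ..." line, and each PAM_AUTHENTICATE request with its "Backend returned" line, so the failing step stands out without reading a whole debug-level-9 log. The sample log is a constructed, trimmed copy of the OP's excerpt; the PAM status names follow Linux-PAM's return-code numbering (4 is PAM_SYSTEM_ERR, which is what the OP's backend returned), and the request/result pairing is my own heuristic for this log format, not something SSSD exposes.

```python
# Added example: pair SSSD backend request and result lines to see at which step a login
# failed. SAMPLE is a constructed, trimmed copy of the log excerpt the OP posted.
import re

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$"
)
# Second field of "Backend returned: (status, pam_status, ...)" is a Linux-PAM return code.
PAM_STATUS = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
              7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}

SAMPLE = """\
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: [email protected]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [[email protected]] found.
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
"""

def parse(text):
    """Return one dict per backend request (lookup or PAM), each carrying its eventual result."""
    records, open_req = [], {}  # open_req: "lookup"/"pam" -> record still awaiting its result
    for raw in text.splitlines():
        if not (m := LINE_RE.match(raw)):
            continue  # not a backend log record
        func, msg = m["func"], m["msg"]
        if func == "be_get_account_info":
            open_req["lookup"] = rec = {"ts": m["ts"], "kind": "lookup", "request": msg[len("Got request for "):]}
            records.append(rec)
        elif func == "acctinfo_callback" and "lookup" in open_req:
            # "Request processed. Returned <dp_err>,<errno>,<message>"; "0,0,Success" is the good case
            open_req.pop("lookup")["result"] = msg.split("Returned ", 1)[1]
        elif func == "pam_print_data":
            key, _, val = msg.partition(": ")
            if key == "command":
                open_req["pam"] = rec = {"ts": m["ts"], "kind": "pam", "request": val}
                records.append(rec)
            elif "pam" in open_req:
                open_req["pam"][key] = val  # user, domain, service, rhost, ...
        elif func == "be_pam_handler_callback" and "pam" in open_req:
            found = re.search(r"Backend returned: \(\d+, (\d+),", msg)
            if found:
                open_req.pop("pam")["result"] = PAM_STATUS.get(int(found.group(1)), "pam_status=" + found.group(1))
    return records

def failed(records):
    ok = lambda res: res == "PAM_SUCCESS" or res.startswith("0,")
    return [r for r in records if not ok(r.get("result", ""))]
```

Run it over a real sssd_<domain>.log and print `failed(parse(open(path).read()))`; a lookup that comes back "3,95,..." right before a PAM request that ends in PAM_SYSTEM_ERR is the pattern the OP hit.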
