This was very helpful, Thank You!

Thank You, 

Jacob D. Evans 
Cloud Consultant 
717.417.8324

----- Original Message -----
From: "Alexander Bokovoy" <aboko...@redhat.com>
To: "Jake" <free...@jacobdevans.com>
Cc: freeipa-users@redhat.com
Sent: Thursday, August 4, 2016 1:46:51 AM
Subject: Re: [Freeipa-users] Login Troubles with Centos7 and external users (4.2.0-15.0.1.el7.centos.17)

On Wed, 03 Aug 2016, Jake wrote:
>Hello All,
>I'm new to FreeIPA and am having some issues with my endpoints.
>
>First attempts to login as usern...@legacy.example.org always fail with:
>Logs on client:
>sshd[3771]: Invalid user usern...@legacy.example.org from 192.168.1.123
>sshd[3771]: input_userauth_request: invalid user usern...@legacy.example.org 
>[preauth]
>
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
>[0x1001][1][name=username]
>[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): 
>ldap_extended_operation result: No such object(32), (null).
>[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request 
>failed.
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
>Returned 0,0,Success (Success)
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
>[0x1003][1][name=NOUSER]
>[sssd[be[ipa.example.com]]] [sysdb_get_real_name] (0x0040): 
>sysdb_search_object_by_uuid did not return a single result.
>[sssd[be[ipa.example.com]]] [groups_by_user_done] (0x0040): Failed to 
>canonicalize name, using [NOUSER].
>[sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): 
>Object not found, ending request
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
>Returned 3,0,Account info lookup failed
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
>[0x1001][1][idnumber=1644425765]
>[sssd[be[ipa.example.com]]] [sdap_get_users_done] (0x0040): Failed to retrieve 
>users
>[sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): 
>Object not found, ending request
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
>Returned 3,0,Account info lookup failed
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
>[0x1001][1][idnumber=1644425765]
>[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): 
>ldap_extended_operation result: No such object(32), (null).
>[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request 
>failed.
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
>Returned 0,0,Success (Success)
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
>[0x1001][1][idnumber=1644425765]
>[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): 
>ldap_extended_operation result: No such object(32), (null).
>[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request 
>failed.
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
>Returned 0,0,Success (Success)
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
>[0x1001][1][idnumber=1644425765]
>[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): 
>ldap_extended_operation result: No such object(32), (null).
>[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request 
>failed.
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
>Returned 0,0,Success (Success)
>
>running the command 'getent password usern...@legacy.example.org' on the ipa 
>server works fine
>
>Logs from server:
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
>[0x1001][1][name=username]
>[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0080): Sudomain 
>lookup failed, will try to reset sudomain..
>[sssd[be[ipa.example.com]]] [child_sig_handler] (0x0100): child [26269] 
>finished successfully.
>[sssd[be[ipa.example.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup 
>of service 'legacy.example.org' as 'neutral'
>[sssd[be[ipa.example.com]]] [fo_set_port_status] (0x0100): Marking port 0 of 
>server '(no name)' as 'neutral'
>[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0040): 
>ipa_get_*_acct request failed: [1432158262]: Subdomain is inactive.
>[sssd[be[ipa.example.com]]] [ipa_subdomain_account_done] (0x0040): 
>ipa_get_*_acct request failed: 1432158262
>[sssd[be[ipa.example.com]]] [ipa_account_info_error_text] (0x0020): Bug: 
>dp_error is OK on failed request
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
>Returned 3,1432158262,Account info lookup failed
>
>
>Stuff:
>(4) IPA Masters at ipa.example.com
>(4) root domain controllers in example.com
>(4) child domain controllers in new.example.com
>(4) second domain in legacy.example.org
>
>There is a (1) way trust between ipa.example.com and example.com (forest trust)
>There is a (1) way trust between ipa.example.com and legacy.example.org 
>(forest with single domain)
>There is a (2) way trust between example.com and legacy.example.org (forest 
>transitive trust)
Was the trust between example.com and legacy.example.org established
before establishing trust between IPA and any of those forest roots?

Can you check in the trust properties on AD side for both forest roots,
what is the state of name suffix routing to IPA domain? It should be
enabled for both.

If not, you need to solve conflicts.

There is a documentation reference on the Microsoft side on how to add
exclusion entries for name routing suffixes. This is the detailed
instruction:
https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx

For configuration where:
  - AD example.com trusts IPA at ipa.example.com
  - AD example.org trusts AD example.com
  - an attempt is made to establish a trust between ipa.example.com and
    example.org, and a conflict is generated in example.org for the
    example.com namespace.

A sequence might be like the following one:
   1. Establish trust between example.com and ipa.example.com
   2. Establish trust between example.com and example.org
   3. Now, as Administrator in example.org, do what
https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx
describes for the trust 'example.com' and add exclusion entry for
ipa.example.com
   4. Establish trust between ipa.example.com and example.org

It is important to add the exclusion entry before step 4 or there will
be a conflict recorded which cannot be cleared easily right now due to a
combination of bugs in both IPA and Active Directory.


>
>Users are in legacy.example.org and new.example.com
>User Computers are in new.example.com
>Linux Servers are in ipa.example.com as hostname linux.example.com
>
>Gist for krb5.conf 
>https://gist.github.com/JakeDEvans/8e787bc5751d3d0e8f3b18943d63f00b
>Gist for sssd.conf 
>https://gist.github.com/JakeDEvans/ed34098b96b6e061095da85e1db58d70
>
>all other configs unmodified.
>
>Also, is it normal that the login is very slow?
>
>Thanks All,
>-Jake
>
>

>-- 
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project


-- 
/ Alexander Bokovoy
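The check Alexander asks for (name suffix routing state toward the IPA domain on both AD forest roots) and the exclusion entry from step 3, as an added PowerShell example that is not part of the thread; it assumes the ActiveDirectory RSAT module and netdom.exe are available, uses the domain names from the thread as placeholders, and assumes netdom's /NameSuffixes listing reports each suffix with an Enabled/Disabled/Conflict status.

```powershell
# Added example (not from the thread): inspect name suffix routing for the IPA
# forest on each AD forest root, then show the exclusion entry that must exist
# in legacy.example.org BEFORE the ipa.example.com <-> legacy.example.org trust
# is created. Domain names are the thread's placeholders; adjust to your own.
Import-Module ActiveDirectory

$ipaDomain   = 'ipa.example.com'
$forestRoots = @('example.com', 'legacy.example.org')

foreach ($root in $forestRoots) {
    Write-Output "=== Forest root: $root ==="

    # Trust objects as AD sees them: direction and whether it is a forest trust.
    Get-ADTrust -Filter * -Server $root |
        Select-Object Name, Direction, ForestTransitive, TrustType |
        Format-Table -AutoSize

    # Routed name suffixes for the trust toward IPA on this root.
    # Assumption: netdom prints one line per suffix ending in its status
    # (Enabled / Disabled / Conflict). Surface only the IPA-related entries
    # and warn on anything that is not enabled, since that is what breaks
    # the s2n lookups seen in the sssd log.
    $routing = netdom trust $root /Domain:$ipaDomain /NameSuffixes:$ipaDomain 2>&1
    $routing |
        Where-Object { $_ -match [regex]::Escape($ipaDomain) } |
        ForEach-Object {
            if ($_ -match 'Disabled|Conflict') {
                Write-Warning "$root -> $ipaDomain routing problem: $_"
            } else {
                Write-Output  "$root -> $ipaDomain ok: $_"
            }
        }
}

# Step 3 of the reply, expressed with netdom instead of the MSDN GUI procedure:
# as an administrator in legacy.example.org, add a top-level name exclusion
# for the IPA namespace on the trust with example.com, then re-list suffixes.
# Uncomment to apply; run only before the IPA <-> legacy.example.org trust
# is established, as the reply explains.
# netdom trust legacy.example.org /Domain:example.com /AddTLNEX:$ipaDomain
# netdom trust legacy.example.org /Domain:example.com /NameSuffixes:example.com
```

Run it on a domain controller (or a workstation with RSAT) as an account that can read trust properties on both forest roots; the Write-Warning lines point at the root whose routing needs fixing.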

