On 12/6/2016 11:32 PM, TomK wrote:
On 12/6/2016 3:37 PM, Alexander Bokovoy wrote:
On ti, 06 joulu 2016, TomK wrote:
On 12/5/2016 2:02 AM, Alexander Bokovoy wrote:
On su, 04 joulu 2016, TomK wrote:
Could not get much from logs and decided to start fresh.  When I run
this:

ipa trust-add --type=ad mds.xyz --admin Administrator --password

Trust works fine and id t...@mds.xyz returns a valid result.

However when I run the following on both masters on a fresh new setup:

ipa-adtrust-install --netbios-name=NIX -a "<SECRET>"
ipa trust-add --type=ad "mds.xyz" --trust-secret

and created a trust object in AD DC with the name of NIX and a
non-transitive trust, the above did NOT work.  I didn't get anything
by typing id t...@mds.xyz.  (I do not get an option for a Forest Trust
as the gif on this page suggests:
https://www.freeipa.org/page/Active_Directory_trust_setup .  Possibly
it's Server 2012 hence the difference in what's presented to me but
another reason is that the name I type for the trust can't resolve to
an IP for now: nix.mds.xyz . So I use NIX to match the bios name used
on the ipa-adtrust-install command above.  )
The shared secret case for one-way trust is known to be broken. When a
shared half is created on AD side first, it is marked as not yet valid
by Windows and currently we cannot perform validation of it from IPA
side. Validating it from AD side is not possible as well as we don't
provide all interfaces Windows would like to use.

And the fact you cannot see 'Forest Trust' type of the trust says also
that you have problems with reaching IPA masters from AD DC side for
probing purposes over CLDAP ping (389/UDP) and then SMB (445/TCP and
UDP).
Nothing I tried in AD Trust creation allowed me to make one with type
Forest.  Just realm.  I recall I had a trust type of Forest but in
trying various options I lost how I did that.  Or perhaps I hadn't
paid attention and it got created indirectly as part of another
action I took.  The domain functional level I'm using is Windows
Server 2008. Using a lower value for testing.
This (inability to choose Forest trust type) simply means AD DC is unable
to probe IPA DC. You said below that SMB port towards IPA DC was closed.

Also make sure to remove incorrect trust from Windows side. While we are
removing a trust object named as our NetBIOS name, it only works for the
proper trusted domain/forests, not for wrong 'realm trust' type.

My IPA version is 4.2 right now.  It came with the CentOS 7.2.
Looking forward to 4.4.  Not sure when you plan to include it as part
of the latest CentOS base.  Indeed some ports were not open (445).
I've adjusted the firewall command accordingly for RHEL 7 / CentOS 7:

for KEY in $(echo "80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp 135/tcp 138/tcp 139/tcp 445/tcp 1024-1300/tcp 88/udp 464/udp 53/udp 123/udp 138/udp 139/udp 389/udp 445/udp"); do
    firewall-cmd --zone=public --permanent --add-port=$KEY
done

[root@idmipa01 ~]# firewall-cmd --zone=public --list-all
public (default)
 interfaces:
 sources:
 services: dhcpv6-client ntp ssh
 ports: 443/tcp 80/tcp 464/tcp 138/tcp 88/udp 464/udp 445/tcp 88/tcp
135/tcp 123/udp 139/tcp 389/tcp 53/tcp 389/udp 1024-1300/tcp 445/udp
139/udp 138/udp 53/udp 636/tcp
 masquerade: no
 forward-ports:
 icmp-blocks:
 rich rules:

[root@idmipa01 ~]#

On Windows Side (The nslookup results were the same before the
firewall change however.):
Firewall changes cannot affect DNS as you already had DNS port open.

On the AD side, I added the SRV records for the second AD DC,
manually, since earlier there were no results printed on the AD DC
command line for the second AD DC, when I typed the command
_ldap._tcp.mds.xyz.

One additional question I had with the setup is in regards to the
failover.  I see the ipa_server entry in /etc/sssd/sssd.conf pointing
to two of the master IPA nodes.  Where can I find the additional
settings that control priority of the listed server or order they are
checked?
You need to look at SSSD manual pages: sssd-ipa and sssd-ldap, sections
FAILOVER and SERVICE DISCOVER.

What I ran to get the above is:

1) ipa-client-install --force-join -p admin -w "<HUSH!>" \
       --fixed-primary --server=idmipa01.nix.mds.xyz \
       --server=idmipa02.nix.mds.xyz --domain=nix.mds.xyz \
       --realm=NIX.MDS.XYZ -U
2) realm join mds.xyz
This is wrong. You have effectively joined this IPA client to AD and IPA
at the same time. It should not be done this way (read
http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
for details).

Instead, you need to identify why the trust does not work properly.
Use tcpdump to intercept the traffic between your AD DCs and IPA DCs
while establishing the trust.

You can send the trace to me off-list.

Ok, let me take these away and get back to you.  ( On realm, thank you.
Hadn't reviewed the changes it did fully before logging off. )


Removed the direct mds.xyz domain (my bad). Currently I get this when using MDS.XYZ\tom or t...@mds.xyz to log in when trying ssh directly. From the command line the user is visible (not enough time to get to the rest; not sure if the system error breaks this though, so I want to run it by you):

[root@ipaclient01 sssd]# id t...@mds.xyz
uid=155601104(t...@mds.xyz) gid=155601104(t...@mds.xyz) groups=155601104(t...@mds.xyz),155600513(domain us...@mds.xyz),155601107(nixadm...@mds.xyz),1746600039(nixadmins)
[root@ipaclient01 sssd]#

(Wed Dec 7 08:11:59 2016) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [t...@mds.xyz]
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is t...@mds.xyz
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: mds.xyz
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): user: t...@mds.xyz
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: 192.168.0.208
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 6297
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): logon name: MDS.XYZ\tom
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x7f7e7ed32700
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x7f7e7ed32700
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x7f7e7ed2e7f0
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][mds.xyz]
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 24
(Wed Dec 7 08:11:59 2016) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7f7e7ed38210][20]
(Wed Dec 7 08:12:04 2016) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [MDS.XYZ\tom] removed from PAM initgroup cache
(Wed Dec 7 08:12:09 2016) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x7f7e7ed29d00
(Wed Dec 7 08:12:09 2016) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Dec 7 08:12:09 2016) [sssd[pam]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Dec 7 08:12:09 2016) [sssd[pam]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

(Wed Dec 7 08:11:15 2016) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [t...@mds.xyz]
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is t...@mds.xyz
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): domain: mds.xyz
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): user: t...@mds.xyz
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: 192.168.0.208
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 6293
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [pam_print_data] (0x0100): logon name: t...@mds.xyz
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x7f7e7ed34340
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x7f7e7ed34340
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x7f7e7ed2e7f0
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][mds.xyz]
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Wed Dec  7 08:11:15 2016) [sssd[pam]] [pam_reply] (0x0200): blen: 24
(Wed Dec 7 08:11:15 2016) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7f7e7ed35900][19]
(Wed Dec 7 08:11:19 2016) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x7f7e7ed29d00
(Wed Dec 7 08:11:19 2016) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Dec 7 08:11:19 2016) [sssd[pam]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Dec 7 08:11:19 2016) [sssd[pam]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Dec 7 08:11:20 2016) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [t...@mds.xyz] removed from PAM initgroup cache

--
Cheers,
Tom K.
-------------------------------------------------------------------------------------

Living on earth is expensive, but it includes a free trip around the sun.
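Pasted sssd_pam.log dumps like the ones in this thread usually arrive with entries run together, which makes it hard to see which PAM request ended with which result. The following is an added example, not code from the thread or from the SSSD project: it splits such a dump back into entries, collects each PAM_AUTHENTICATE request's printed fields (cli_pid, logon name, rhost, ...) together with its pam_reply result code, and lists the requests that did not succeed. The sample log, user names and IP address are constructed.

```python
import re

# Constructed sample (not copied from the thread): two PAM_AUTHENTICATE requests in the
# sssd_pam.log debug format, pasted with entries run together the way the mail shows them.
SAMPLE = (
    "(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE "
    "(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd "
    "(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): rhost: 192.0.2.10 "
    "(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 6297 "
    "(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_print_data] (0x0100): logon name: MDS.XYZ\\someuser "
    "(Wed Dec  7 08:11:59 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.\n"
    "(Wed Dec  7 08:12:30 2016) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE "
    "(Wed Dec  7 08:12:30 2016) [sssd[pam]] [pam_print_data] (0x0100): service: sshd "
    "(Wed Dec  7 08:12:30 2016) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 6310 "
    "(Wed Dec  7 08:12:30 2016) [sssd[pam]] [pam_print_data] (0x0100): logon name: admin "
    "(Wed Dec  7 08:12:30 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success."
)

# Entry boundaries: whitespace followed by a "(<weekday> <mon> <day> <time> <year>) [sssd" header.
SPLIT_RE = re.compile(r"\s+(?=\(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}\) \[sssd)")
ENTRY_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<responder>\w+)\]\] \[(?P<func>[^\]]+)\]"
                      r" \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

def parse_entries(text):
    """Split a run-together sssd log dump into one dict per entry."""
    entries = []
    for chunk in SPLIT_RE.split(text):
        m = ENTRY_RE.match(chunk.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def summarize_auth_requests(text):
    """Collect the pam_print_data fields of each request and attach its pam_reply result code."""
    requests, current = [], None
    for e in parse_entries(text):
        if e["func"] == "pam_print_data":
            key, _, value = e["msg"].partition(": ")
            if key == "command":          # first field printed for every request
                current = {"ts": e["ts"], "command": value}
            elif current is not None:
                current[key] = value
        elif e["func"] == "pam_reply" and current is not None:
            m = re.search(r"result \[(\d+)\]: (.*?)\.?$", e["msg"])
            current["result"], current["result_text"] = int(m.group(1)), m.group(2)
            requests.append(current)
            current = None
    return requests

def failed_requests(text):
    """Requests whose PAM result is not 0 (PAM_SUCCESS), e.g. the result [4] System error above."""
    return [r for r in summarize_auth_requests(text) if r["result"] != 0]
```

Run it on the contents of /var/log/sssd/sssd_pam.log (debug_level 6 or higher in the [pam] section) to get one line per login attempt instead of scrolling through the sbus noise.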

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project