[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-20 Thread Robert Johnson via FreeIPA-users
I ran into this exact same problem with my IPA domain in a one-way external
trust to our Windows 2012 R2 AD forest.  It appears that Microsoft may have
removed the routing suffix option from the Windows 2012 R2 native forest
trust GUI.  My solution was to follow the instructions in the "Define host
name-to-Kerberos realm mappings" section of this document from Microsoft:
https://support.microsoft.com/en-us/help/947706/windows-server-2008-group-policy-settings-for-interoperability-with-non-microsoft-kerberos-realms

Assuming the IPA realm name is the same as the domain name, you would use:
Value Name: I.RDMEDIA.COM
Value: .i.rdmedia.com  (notice the period at the beginning of the
domain name)

I applied the GPO to all of my workstations (not the servers), but I don't
see any harm across all the Windows systems.

Rob Johnson

On Tue, Jun 20, 2017 at 3:04 PM, Alexander Bokovoy via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On Tue, 20 Jun 2017, Tiemen Ruiten via FreeIPA-users wrote:
>
>> Please see the attached screenshot for the Trust settings, and thank you
>> for your time.
>>
> Thanks. I'm not sure why that is happening even for the immediate forest
> root domain, which i.rdmedia.com is. I'll check with the Microsoft doc help
> team while here at the Redmond Interop 2017.
>
>
> --
> / Alexander Bokovoy
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
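The mapping the poster sets through the GPO, worked through as an added example that is not part of the thread and not code from FreeIPA, SSSD or Microsoft. It models the semantics the policy shares with the MIT krb5 [domain_realm] section: an entry with a leading period is a DNS suffix that covers every host under it, while an entry without one names a single host. I.RDMEDIA.COM and .i.rdmedia.com come from the message; the AD realm AD.EXAMPLE.COM, the host names and the fallback to the client's own realm when nothing matches are assumptions made for the example.

```python
"""Host-name-to-Kerberos-realm mapping with the leading-period suffix rule.

Added example for this thread; it is not code from FreeIPA, SSSD or
Microsoft. It models the semantics of the Windows "Define host
name-to-Kerberos realm mappings" policy (value name = realm, value = host
names or DNS suffixes) and of the MIT krb5 [domain_realm] section, which
use the same convention: an entry that starts with a period matches every
host under that DNS suffix, an entry without it matches that one host only.
Only I.RDMEDIA.COM / .i.rdmedia.com come from the thread; everything else
(AD.EXAMPLE.COM, the host names) is constructed for the example.
"""
from __future__ import annotations

# Constructed mapping table in the shape of the GPO list: realm -> entries.
MAPPINGS: dict[str, list[str]] = {
    "I.RDMEDIA.COM": [".i.rdmedia.com", "i.rdmedia.com"],
    "AD.EXAMPLE.COM": [".ad.example.com"],   # assumed AD forest realm
}


def host_to_realm(host: str, mappings: dict[str, list[str]],
                  default_realm: str | None = None) -> str | None:
    """Return the realm responsible for `host`.

    Host names are compared case-insensitively and without a trailing dot,
    because that is how DNS treats them. The most specific (longest)
    matching entry wins, so ".eng.i.rdmedia.com" beats ".i.rdmedia.com".
    With no match the caller's default realm is returned: that fallback is
    what makes a client ask the wrong KDC for a service ticket.
    """
    h = host.rstrip(".").lower()
    best: tuple[int, str] | None = None
    for realm, entries in mappings.items():
        for entry in entries:
            e = entry.rstrip(".").lower()
            if e.startswith("."):
                # Suffix rule: ".i.rdmedia.com" matches "ipa1.i.rdmedia.com"
                # but neither the bare host "i.rdmedia.com" (it needs its own
                # entry without the period) nor "xi.rdmedia.com".
                matched = h.endswith(e)
            else:
                matched = h == e
            if matched and (best is None or len(e) > best[0]):
                best = (len(e), realm)
    return best[1] if best is not None else default_realm


def service_principal(service: str, host: str, mappings: dict[str, list[str]],
                      client_realm: str) -> str:
    """Build the service principal a client would request, for example
    host/ipa1.i.rdmedia.com@I.RDMEDIA.COM. Only the realm part depends on
    the mapping; the rest is fixed by the host name."""
    realm = host_to_realm(host, mappings, default_realm=client_realm)
    return f"{service}/{host.rstrip('.').lower()}@{realm}"


def compare_forms(host: str, client_realm: str = "AD.EXAMPLE.COM") -> dict[str, str]:
    """Show the effect of the leading period for the value from the thread:
    with it, hosts under i.rdmedia.com resolve to I.RDMEDIA.COM; without it
    only the bare name does, and other hosts fall back to the client realm."""
    with_period = {"I.RDMEDIA.COM": [".i.rdmedia.com"]}
    without_period = {"I.RDMEDIA.COM": ["i.rdmedia.com"]}
    return {
        "with_period": service_principal("host", host, with_period, client_realm),
        "without_period": service_principal("host", host, without_period, client_realm),
    }


if __name__ == "__main__":
    for name in ("ipa1.i.rdmedia.com", "i.rdmedia.com", "xi.rdmedia.com",
                 "fs01.ad.example.com"):
        print(f"{name:22} -> {host_to_realm(name, MAPPINGS, 'AD.EXAMPLE.COM')}")
    print(compare_forms("ipa1.i.rdmedia.com"))
```

Running it prints the realm each constructed host resolves to; `compare_forms` is the check worth keeping in mind when the value is typed into the GPO: without the period only the bare name i.rdmedia.com maps, and a workstation in the AD forest would ask its own KDC for host/ipa1.i.rdmedia.com in AD.EXAMPLE.COM instead of I.RDMEDIA.COM.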


[Freeipa-users] Re: Compat tree question

2017-05-30 Thread Robert Johnson via FreeIPA-users
Is there an option in SSSD or the plugin to turn off the normalization?

On Tue, May 30, 2017 at 2:27 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Tue, 30 May 2017, Robert Johnson via FreeIPA-users wrote:
>
>> So I took a brand-new user that I have never used in the system before (I
>> checked that the entry was not in the compat tree) and just ran an "id"
>> command on a Solaris system.  I then looked in the
>> /var/log/dirsrv/slapd-<domain>/access log file on the IPA server for the
>> query, and from the log file, the query came in as all caps.
>>
>> example:
>> [~]$: id 831...@win.mydomin.com
>>
>> [~]$: cat /var/log/dirsrv/slapd-/access |grep 831413
>> [30/May/2017:13:34:38.637498942 -0400] conn=94124 op=622 SRCH
>> base="cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com" scope=1
>> filter="(&(objectClass=posixAccount)(uid=831...@win.mydomin.com))"
>> attrs="cn uid uidNumber gidNumber gecos description homeDirectory
>> loginShell"
>> [30/May/2017:13:34:38.651811322 -0400] conn=94124 op=622 RESULT err=0
>> tag=101 nentries=1 etime=0
>>
>> However, the entry in the compat tree is all lowercase just like I
>> reported.  I can reproduce this easily.
>>
> The memberUid value comes from an SSSD lookup. SSSD normalizes all names to
> lowercase.
>
> For group names, I'm not sure they are normalized, though.
>
>
>
>
>> Robert Johnson
>>
>> On Tue, May 30, 2017 at 1:10 PM, Alexander Bokovoy <aboko...@redhat.com>
>> wrote:
>>
>>> On Tue, 30 May 2017, Robert Johnson via FreeIPA-users wrote:
>>>
>>>> Red Hat Enterprise Linux Server release 7.3
>>>> ipa-server-4.4.0-14.el7_3.4.x86_64
>>>> 389-ds-base-1.3.5.10-15.el7_3.x86_64
>>>> sssd-1.14.0-43.el7_3.11.x86_64
>>>>
>>>> When looking at entries in the "cn=groups,cn=compat" tree, I noticed
>>>> that the entries for Windows groups have the realm portion of the group
>>>> name in all caps.  This is true for the comment, the dn and the cn.
>>>> example:
>>>> # domain us...@win.mydomain.com, groups, compat, ipa.mydomain.com
>>>> dn: cn=domain us...@win.mydomain.com,cn=groups,cn=compat,dc=ipa,dc=mydomain,dc=com
>>>> memberUid: 123...@win.mydomain.com
>>>> cn: domain us...@win.mydomain.com
>>>>
>>>> When I look at the entries in the "cn=users,cn=compat" tree, the realm
>>>> portion of the user name is all lower case.  Incidentally, these same
>>>> user names are also all lowercase in the "memberUid" option on the
>>>> groups above.
>>>> example:
>>>> # 123...@win.mydomain.com, users, compat, ipa.mydomain.com
>>>> dn: uid=123...@win.mydomain.com,cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com
>>>> homeDirectory: /home/win.mydomain.com/123456
>>>> uid: 123...@win.mydomain.com
>>>>
>>>> Was this by design?
>>>>
>>> Users and groups for AD users are inserted into the compat tree on
>>> demand, when a request comes mentioning them via an LDAP query. The name
>>> is taken from the LDAP query.
>>>
>>> So it is your application(s) that are asking for fully qualified
>>> user/group names with the domain part capitalized.
>>>
>>>
>>>> The reason I ask is that when I try to use the "kinit" feature on our
>>>> Solaris 10 systems (which are joined to the IPA domain) for this Windows
>>>> user, I get an error.
>>>>
>>>> [~]$ kinit
>>>> Password for 123...@win.mydomain.com:
>>>> kinit(v5): KDC reply did not match expectations while getting initial
>>>> credentials
>>>>
>>>> If I run it like this:
>>>> [~]$ kinit 123...@win.mydomain.com
>>>> Password for 123...@win.mydomain.com:
>>>> [~]$ klist
>>>> Ticket cache: FILE:/tmp/krb5cc_1683378846
>>>> Default principal: 123...@win.mydomain.com
>>>>
>>>> Valid starting       Expires            Service principal
>>>> 05/30/17 11:44:35  05/30/17 21:44:40  krbtgt/win.mydomain@win.mydomain.com
>>>>         renew until 06/06/17 11:44:35
>>>>
>>>> I believe this is due to the fact that the Solaris 10 system is using
>>>> the lowercase entry in the compat tree abov

[Freeipa-users] Compat tree question

2017-05-30 Thread Robert Johnson via FreeIPA-users
Red Hat Enterprise Linux Server release 7.3
ipa-server-4.4.0-14.el7_3.4.x86_64
389-ds-base-1.3.5.10-15.el7_3.x86_64
sssd-1.14.0-43.el7_3.11.x86_64

When looking at entries in the "cn=groups,cn=compat" tree, I noticed that
the entries for Windows groups have the realm portion of the group name in
all caps.  This is true for the comment, the dn and the cn.
example:
# domain us...@win.mydomain.com, groups, compat, ipa.mydomain.com
dn: cn=domain us...@win.mydomain.com,cn=groups,cn=compat,dc=ipa,dc=mydomain,dc=com
memberUid: 123...@win.mydomain.com
cn: domain us...@win.mydomain.com

When I look at the entries in the "cn=users,cn=compat" tree, the realm
portion of the user name is all lower case.  Incidentally, these same user
names are also all lowercase in the "memberUid" option on the groups above.
example:
# 123...@win.mydomain.com, users, compat, ipa.mydomain.com
dn: uid=123...@win.mydomain.com,cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com
homeDirectory: /home/win.mydomain.com/123456
uid: 123...@win.mydomain.com

Was this by design?

The reason I ask is that when I try to use the "kinit" feature on our
Solaris 10 systems (which are joined to the IPA domain) for this Windows
user, I get an error.

[~]$ kinit
Password for 123...@win.mydomain.com:
kinit(v5): KDC reply did not match expectations while getting initial
credentials

If I run it like this:
[~]$ kinit 123...@win.mydomain.com
Password for 123...@win.mydomain.com:
[~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1683378846
Default principal: 123...@win.mydomain.com

Valid starting       Expires            Service principal
05/30/17 11:44:35  05/30/17 21:44:40  krbtgt/win.mydomain@win.mydomain.com
        renew until 06/06/17 11:44:35

I believe this is due to the fact that the Solaris 10 system is using the
lowercase entry in the compat tree above.  Here is the result of the id
command on this user:
[~]$ id
uid=1683378846(123...@win.mydomain.com) gid=1683378846(123...@win.mydomain.com)

I know this is a work around but I would prefer to make this easier on the
end users.  Any suggestions ?

Robert Johnson
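The case mismatch the poster suspects, worked through as an added example that is not part of the thread and not FreeIPA, SSSD or Solaris code. It models the chain involved: SSSD hands NSS a lowercased name, a bare kinit builds its principal from that login name, and a Kerberos client rejects an AS-REP whose client principal differs from the one it requested, which is the condition behind "KDC reply did not match expectations". Realm names are case-sensitive and an AD KDC answers with its realm in uppercase, so the helper rebuilds the principal with the trusted realm's canonical spelling before kinit is run. The realm set, user names and reply values are constructed for the example; the thread itself does not settle whether this is the actual cause of the poster's failure.

```python
"""From a compat-tree login name to a Kerberos principal that kinit accepts.

Added example for this thread; it is not FreeIPA, SSSD or Solaris code.
SSSD gives NSS a lowercase name such as 123456@win.mydomain.com, while the
AD KDC knows the user as 123456@WIN.MYDOMAIN.COM. Kerberos realm names are
case-sensitive, so a client that asks for the lowercase principal gets a
reply naming a different principal and rejects it ("KDC reply did not
match expectations"). The helpers below rebuild the principal with the
realm's canonical spelling and model the client-side check that fails
otherwise. KNOWN_REALMS, the user names and the reply values are
constructed for the example.
"""
from __future__ import annotations

# Realms this host trusts, as they would be listed in krb5.conf [realms]
# and in the IPA trust configuration. Constructed for the example.
KNOWN_REALMS = {"IPA.MYDOMAIN.COM", "WIN.MYDOMAIN.COM"}


def normalize_nss_name(name: str) -> str:
    """What NSS returns for an AD user when SSSD lowercases names: the whole
    user@domain string in lowercase, whatever case the caller used."""
    return name.strip().lower()


def split_principal(name: str) -> tuple[str, str | None]:
    """Split user@realm at the last '@'. A name without '@' has no realm.
    Escaped '@' inside the user part (user\\@x) is not handled here."""
    if "@" not in name:
        return name, None
    user, _, realm = name.rpartition("@")
    return user, realm


def principal_from_login(login: str, known_realms: set[str],
                         default_realm: str) -> str:
    """Rebuild the principal for kinit from an NSS login name.

    The realm part is matched case-insensitively against the realms the
    host trusts and replaced by the canonical (uppercase) spelling. A realm
    that is not trusted is refused rather than guessed, so a typo in the
    domain part cannot quietly send a password to an unexpected KDC.
    """
    user, realm = split_principal(login)
    if realm is None:
        return f"{user}@{default_realm}"
    canonical = {r.lower(): r for r in known_realms}
    try:
        return f"{user}@{canonical[realm.lower()]}"
    except KeyError:
        raise ValueError(f"realm {realm!r} is not a trusted realm") from None


def reply_matches_request(requested: str, reply_cname: str,
                          reply_crealm: str) -> bool:
    """Model the check a client applies to an AS-REP when it did not ask for
    canonicalization: cname and crealm must equal the requested ones exactly.
    A lowercase realm therefore fails against an AD KDC that answers with
    the realm in uppercase."""
    user, realm = split_principal(requested)
    return user == reply_cname and realm == reply_crealm


if __name__ == "__main__":
    login = normalize_nss_name("123456@WIN.MYDOMAIN.COM")   # what `id` shows
    naive = login                                            # what a bare kinit uses
    fixed = principal_from_login(login, KNOWN_REALMS, "IPA.MYDOMAIN.COM")
    # Constructed AS-REP values: AD names the user 123456 in WIN.MYDOMAIN.COM.
    for candidate in (naive, fixed):
        ok = reply_matches_request(candidate, "123456", "WIN.MYDOMAIN.COM")
        print(f"{candidate:32} reply accepted: {ok}")
```

The output of `principal_from_login` is what to pass on the kinit command line; the last loop is the check that shows the lowercase form being rejected and the canonical form accepted.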