Re: [Freeipa-users] Forest trust and AD child domain

2014-12-17 Thread Manuel Lopes
Thanks Sumit

This is indeed a bug. We encounter this issue when we try to add the group
"domain users" or "domain admin", but it works fine with a group that
we have created as "users group".
It happens only on the acme.windows.com child domain and not on the windows.com domain.

Regards

2014-12-15 21:35 GMT+01:00 Manuel Lopes :
>
> Hi,
>
> Attached, the good log.
>
> We are running sssd-1.11.2-68.el7_0.6 on RHEL 7.
> ipa-server-3.3.3-28.el7_0.3
>
> Regards
>
> 2014-12-15 18:34 GMT+01:00 Sumit Bose :
>>
>> On Mon, Dec 15, 2014 at 05:38:05PM +0100, Manuel Lopes wrote:
>> > Attached the sssd_linux.com.log file
>> >
>> > Regards
>>
>> Thank you. There is no request logged in the logs; did you run ipa
>> group-add-member after restarting SSSD? Nevertheless, I think I know what
>> is happening: you hit an issue which should be fixed in SSSD 1.12.2.
>> Which version of SSSD are you running, on which platform?
>>
>> bye,
>> Sumit
>>
>> >
>> > 2014-12-15 17:03 GMT+01:00 Sumit Bose :
>> > >
>> > > On Mon, Dec 15, 2014 at 04:39:29PM +0100, Manuel Lopes wrote:
>> > > > The file sssd_linux.com.log is empty.
>> > >
>> > > please add
>> > >
>> > > debug_level = 10
>> > >
>> > > to the [domain/...] section in sssd.conf to enable logging for this part
>> > > of SSSD.
>> > >
>> > > bye,
>> > > Sumit
>> > > >
>> > > >
>> > > >
>> > > > 2014-12-15 15:42 GMT+01:00 Sumit Bose :
>> > > > >
>> > > > > On Sat, Dec 13, 2014 at 02:13:30PM +0100, Manuel Lopes wrote:
>> > > > > > Hi,
>> > > > > >
>> > > > > > As explained in the previous email, the getent is successful.
>> > > > > >
>> > > > > >
>> > > > > > [root@support1 ~]# getent group 'ACME\Domain Users'
>> > > > > > domain us...@acme.windows.com:*:365600513:administra...@acme.windows.com
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > > In fact, our real problem is not the “wbinfo -n” but the following
>> > > > > > command:
>> > > > > >
>> > > > > > [root@support1 sssd]# ipa group-add-member ad_users_external --external "ACME\Domain Users"
>> > > > > > [member user]:
>> > > > > > [member group]:
>> > > > > >   Group name: ad_users_external
>> > > > > >   Description: AD users external map
>> > > > > >   External member:
>> > > > > >   Member of groups: ad_users
>> > > > > >   Failed members:
>> > > > > > member user:
>> > > > > > member group: ACME\Domain Users: Cannot find specified domain or server name
>> > > > > > -
>> > > > > > Number of members added 0
>> > > > > > -
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > > We cannot add ACME’s domain users in the ad_users_external.
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > > I attached the sssd logs.
>> > > > >
>> > > > > Can you send the corresponding domain log file as well, it should be
>> > > > > called sssd_linux.com.log or similar.
>> > > > >
>> > > > > bye,
>> > > > > Sumit
>> > > > >
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > > Regards

Re: [Freeipa-users] Forest trust and AD child domain

2014-12-15 Thread Manuel Lopes
The file sssd_linux.com.log is empty.



2014-12-15 15:42 GMT+01:00 Sumit Bose :
>
> On Sat, Dec 13, 2014 at 02:13:30PM +0100, Manuel Lopes wrote:
> > Hi,
> >
> > As explained in the previous email, the getent is successful.
> >
> >
> > [root@support1 ~]# getent group 'ACME\Domain Users'
> > domain us...@acme.windows.com:*:365600513:administra...@acme.windows.com
> >
> >
> >
> > In fact, our real problem is not the “wbinfo -n” but the following
> > command:
> >
> > [root@support1 sssd]# ipa group-add-member ad_users_external --external "ACME\Domain Users"
> > [member user]:
> > [member group]:
> >   Group name: ad_users_external
> >   Description: AD users external map
> >   External member:
> >   Member of groups: ad_users
> >   Failed members:
> > member user:
> > member group: ACME\Domain Users: Cannot find specified domain or server name
> > -
> > Number of members added 0
> > -
> >
> >
> >
> > We cannot add ACME’s domain users in the ad_users_external.
> >
> >
> >
> > I attached the sssd logs.
>
> Can you send the corresponding domain log file as well, it should be
> called sssd_linux.com.log or similar.
>
> bye,
> Sumit
>
> >
> >
> >
> > Regards
> >
> > 2014-12-12 21:51 GMT+01:00 Manuel Lopes :
> > >
> > > OK.
> > >
> > > Command successful
> > > [root@support1 ~]# getent group 'ACME\Domain Users'
> > > domain us...@acme.windows.com:*:365600513:administra...@acme.windows.com
> > >
> > > Log files attached
> > >
> > > Thanks
> > >
> > > 2014-12-12 21:32 GMT+01:00 Sumit Bose :
> > >>
> > >> On Fri, Dec 12, 2014 at 08:41:27PM +0100, Manuel Lopes wrote:
> > >> > [root@support1 ~]# ipa idrange-find
> > >> > 
> > >> > 3 ranges matched
> > >> > 
> > >> > Range name: LINUX.COM_id_range
> > >> > First Posix ID of the range: 106600
> > >> > Number of IDs in the range: 20
> > >> > First RID of the corresponding RID range: 1000
> > >> > First RID of the secondary RID range: 1
> > >> > Range type: local domain range
> > >> >
> > >> > Range name: WINDOWS.COM_id_range
> > >> > First Posix ID of the range: 73020
> > >> > Number of IDs in the range: 20
> > >> > First RID of the corresponding RID range: 0
> > >> > Domain SID of the trusted domain: S-1-5-21-1701591335-3855227394-3044674468
> > >> > Range type: Active Directory domain range
> > >> >
> > >> > Range name: ACME.WINDOWS.COM_id_range
> > >> > First Posix ID of the range: 36560
> > >> > Number of IDs in the range: 20
> > >> > First RID of the corresponding RID range: 0
> > >> > Domain SID of the trusted domain: S-1-5-21-1215373191-1991333051-3772904882
> > >> > Range type: Active Directory domain range
> > >> > 
> > >> > Number of entries returned 3
> > >> > 
> > >> >
> > >> >
> > >> > As we can see in the output of the command, the range type is "ad POSIX
> > >> > attributes".
> > >>
> > >> no, it's only 'Active Directory domain range', this is good because with
> > >> this type we generate the UIDs and GIDs algorithmically.
> > >>
> > >> > In our case, the gidNumber is not set in the "ACME\Domain Users" AD
> > >> > group, nor in the "WINDOWS\Domain Users".
> > >> > With a gidNumber attribute value, the 'wbinfo -n "ACME\Domain Users"'
> > >> > command still fails.
> > >>
> > >> no need to set the ID attributes in AD. But I should have mentioned
> > >> that wbinfo is quite useless nowadays with FreeIPA because winbind is
> > >> only used to assure some types of commu

Re: [Freeipa-users] Forest trust and AD child domain

2014-12-12 Thread Manuel Lopes
[root@support1 ~]# ipa idrange-find

3 ranges matched

  Range name: LINUX.COM_id_range
  First Posix ID of the range: 106600
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range

  Range name: WINDOWS.COM_id_range
  First Posix ID of the range: 73020
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1701591335-3855227394-3044674468
  Range type: Active Directory domain range

  Range name: ACME.WINDOWS.COM_id_range
  First Posix ID of the range: 36560
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1215373191-1991333051-3772904882
  Range type: Active Directory domain range

Number of entries returned 3



As we can see in the output of the command, the range type is "ad POSIX
attributes".
In our case, the gidNumber is not set in the "ACME\Domain Users" AD group,
nor in the "WINDOWS\Domain Users".
With a gidNumber attribute value, the 'wbinfo -n "ACME\Domain Users"' command
still fails.

Thanks


2014-12-12 10:33 GMT+01:00 Sumit Bose :
>
> On Fri, Dec 12, 2014 at 02:06:05AM +0100, Manuel Lopes wrote:
> > Hi Sumit,
> >
> > Thank you very much for the prompt reply
> >
> > [root@support1 ~]# ipa trustdomain-find windows.com
> >   Domain name: windows.com
> >   Domain NetBIOS name: WINDOWS
> >   Domain Security Identifier: S-1-5-21-1701591335-3855227394-3044674468
> >   Domain enabled: True
> >
> >   Domain name: acme.windows.com
> >   Domain NetBIOS name: ACME
> >   Domain Security Identifier: S-1-5-21-1215373191-1991333051-3772904882
> >   Domain enabled: True
> > 
> > Number of entries returned 2
> > 
>
> ok, so ACME was discovered successfully, can you check next the output of
>
> ipa idrange-find
>
> The important attribute is the 'Range type' for the AD domains. If it is
> 'Active Directory trust range with POSIX attributes' it is expected that
> users and groups in the AD forest have the POSIX UID and GID attributes
> set and only those users and groups will be available in the IPA domain.
> In this case please check if 'ACME\Domain Users' have the GID attribute
> set.
>
> If this does not help (please mind the negative cache of SSSD) please
> send the SSSD logs in /var/log/sssd on the IPA server. You might need to
> enable logging in sssd.conf by setting 'debug_level = 10' in the
> [domain/..] and [nss] section of sssd.conf.
>
> bye,
> Sumit
>
> >
> > [root@support1 ~]# ipa trust-fetch-domains windows.com
> > ---
> > No new trust domains were found
> > ---
> > 
> > Number of entries returned 0
> > 
> >
> > Regards
> > On 11 Dec 2014 20:08, "Sumit Bose" wrote:
> >
> > > On Thu, Dec 11, 2014 at 06:45:49PM +0100, Manuel Lopes wrote:
> > > >  Hello,
> > > >
> > > >
> > > > We have been following the AD integration guide for IPAv3:
> > > > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
> > > >
> > > >
> > > >
> > > > Our setup is:
> > > >
> > > > • 2 domain controllers with Windows 2008 R2 AD DC -> windows.com
> > > > as Forest Root Domain and acme.windows.com as transitive child domain
> > > >
> > > > • RHEL7 as IPA server with domain: linux.com
> > > >
> > > >
> > > >
> > > > We have established a forest trust between windows.com and linux.com and
> > > > everything seems OK from an IPA perspective.
> > > >
> > > >
> > > >
> > > > We can work with Kerberos tickets without any issue from the “windows” domain
> > > > or its child domain “acme” (kinit, kvno…).
> > > >
> > > >
> > > >
> > > > When we use samba tools, the following command is working fine.
> > > >
> > > > [root@support1 ]# wbinfo -n 'WINDOWS\Domain Admins'
> > > >
> > > > S-1-5-21-1701591335-3855227394-30446
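Added example, not code from the thread or from FreeIPA: it reproduces the ID mapping Sumit describes for an 'Active Directory domain range' (POSIX IDs derived from the SID's RID), returns nothing for a domain without a range (the symptom when the child domain has not been discovered), and refuses a 'with POSIX attributes' range, where gidNumber must instead be set in AD. The idrange text mirrors the `ipa idrange-find` layout, but the base IDs and range sizes are assumed values (the thread shows 365600513 for the ACME group with RID 513, which the assumed base reproduces).

```python
import re

# Constructed sample in the layout of `ipa idrange-find`; the base IDs and
# range sizes are assumed values, not taken from the thread.
IDRANGE_OUTPUT = """\
  Range name: WINDOWS.COM_id_range
  First Posix ID of the range: 730200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1701591335-3855227394-3044674468
  Range type: Active Directory domain range

  Range name: ACME.WINDOWS.COM_id_range
  First Posix ID of the range: 365600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1215373191-1991333051-3772904882
  Range type: Active Directory domain range
"""

def parse_idranges(text):
    """One dict per range, keyed by the attribute label shown by ipa."""
    ranges = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.strip().partition(": ")
            entry[key] = value
        ranges.append(entry)
    return ranges

def sid_to_posix_id(sid, ranges):
    """Algorithmic mapping of an 'Active Directory domain range':
    base_id + (rid - base_rid) when the RID lies inside the range.
    Returns None if no range matches the SID's domain (how an undiscovered
    child domain looks); raises for a 'with POSIX attributes' range."""
    domain_sid, _, rid = sid.rpartition("-")
    rid = int(rid)
    for r in ranges:
        if r.get("Domain SID of the trusted domain") != domain_sid:
            continue
        if "POSIX attributes" in r["Range type"]:
            raise ValueError("range expects uidNumber/gidNumber from AD")
        base_id = int(r["First Posix ID of the range"])
        base_rid = int(r["First RID of the corresponding RID range"])
        size = int(r["Number of IDs in the range"])
        if base_rid <= rid < base_rid + size:
            return base_id + (rid - base_rid)
    return None
```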

[Freeipa-users] Forest trust and AD child domain

2014-12-11 Thread Manuel Lopes
Hi Sumit,

Thank you very much for the prompt reply

[root@support1 ~]# ipa trustdomain-find windows.com
  Domain name: windows.com
  Domain NetBIOS name: WINDOWS
  Domain Security Identifier: S-1-5-21-1701591335-3855227394-3044674468
  Domain enabled: True

  Domain name: acme.windows.com
  Domain NetBIOS name: ACME
  Domain Security Identifier: S-1-5-21-1215373191-1991333051-3772904882
  Domain enabled: True

Number of entries returned 2


[root@support1 ~]# ipa trust-fetch-domains windows.com
---
No new trust domains were found
---

Number of entries returned 0


Regards
On 11 Dec 2014 20:08, "Sumit Bose" wrote:

> On Thu, Dec 11, 2014 at 06:45:49PM +0100, Manuel Lopes wrote:
> >  Hello,
> >
> >
> > We have been following the AD integration guide for IPAv3:
> > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
> >
> >
> >
> > Our setup is:
> >
> > • 2 domain controllers with Windows 2008 R2 AD DC -> windows.com
> > as Forest Root Domain and acme.windows.com as transitive child domain
> >
> > • RHEL7 as IPA server with domain: linux.com
> >
> >
> >
> > We have established a forest trust between windows.com and linux.com and
> > everything seems OK from an IPA perspective.
> >
> >
> >
> > We can work with Kerberos tickets without any issue from the “windows” domain
> > or its child domain “acme” (kinit, kvno…).
> >
> >
> >
> > When we use samba tools, the following command is working fine.
> >
> > [root@support1 ]# wbinfo -n 'WINDOWS\Domain Admins'
> > S-1-5-21-1701591335-3855227394-3044674468-512 SID_DOM_GROUP (2)
> >
> > But, the same command against the acme domain returns an error.
> >
> > [root@support1 ]# wbinfo -n 'ACME\Domain Admins'
> > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup name ACME\Domain Admins
> >
> > Same problem with the following command:
> >
> > [root@support1]# ipa group-add-member ad_users_external --external "ACME\Domain Users"
> > [member user]:
> > [member group]:
> >   Group name: ad_users_external
> >   Description: AD users external map
> >   External member:
> >   Member of groups: ad_users
> >   Failed members:
> > member user:
> > member group: ACME\Domain Users: Cannot find specified domain or server name
> > -
> > Number of members added 0
> >
> > Any help would be appreciated
>
> Does
>
> ipa trustdomain-find windows.com
>
> show acme.windows.com as well ?
>
> Does
>
> ipa trust-fetch-domains ad.devel
>
> help to retrieve the child domain?
>
> Please note that if acme.windows.com now shows up you might have to wait
> 1-2 minutes until SSSD's negative caches are flushed and the new domain
> is discovered by SSSD; as an alternative you can just restart SSSD.
>
> HTH
>
> bye,
> Sumit
>
> >
> >
> >
> > Regards
>
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go To http://freeipa.org for more info on the project

[Freeipa-users] Forest trust and AD child domain

2014-12-11 Thread Manuel Lopes
 Hello,


We have been following the AD integration guide for IPAv3:
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup



Our setup is:

• 2 domain controllers with Windows 2008 R2 AD DC -> windows.com
  as Forest Root Domain and acme.windows.com as transitive child domain

• RHEL7 as IPA server with domain: linux.com




We have established a forest trust between windows.com and linux.com and
everything seems OK from an IPA perspective.



We can work with Kerberos tickets without any issue from the “windows” domain
or its child domain “acme” (kinit, kvno…).



When we use samba tools, the following command is working fine.

[root@support1 ]# wbinfo -n 'WINDOWS\Domain Admins'
S-1-5-21-1701591335-3855227394-3044674468-512 SID_DOM_GROUP (2)

But, the same command against the acme domain returns an error.

[root@support1 ]# wbinfo -n 'ACME\Domain Admins'
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ACME\Domain Admins

Same problem with the following command:

[root@support1]# ipa group-add-member ad_users_external --external "ACME\Domain Users"
[member user]:
[member group]:
  Group name: ad_users_external
  Description: AD users external map
  External member:
  Member of groups: ad_users
  Failed members:
member user:
member group: ACME\Domain Users: Cannot find specified domain or server name
-
Number of members added 0

Any help would be appreciated



Regards