Re: [Freeipa-users] AD - Freeipa trust confusion
On Tue, Jan 07, 2014 at 08:51:49AM -0500, Simo Sorce wrote:
> On Tue, 2014-01-07 at 07:48 +0200, Alexander Bokovoy wrote:
> > On Fri, 03 Jan 2014, Simo Sorce wrote:
> > > On Fri, 2014-01-03 at 12:29 +0100, Jakub Hrozek wrote:
> > > > On Thu, Jan 02, 2014 at 08:06:31PM +, Andrew Holway wrote:
> > > > > /var/log/sssd/*
> > > > > this is using bob@host (prattle.com is the windows domain)
> > > > > https://gist.github.com/anonymous/ff817a251948ff58bdb1
> > > > >
> > > > > this is using b...@prattle.com@host (prattle.com is the windows domain)
> > > >
> > > > Thanks, these logs have somewhat more info than those in the other
> > > > thread.
> > > >
> > > > It seems that Winbind on the IPA server has trouble talking to the AD
> > > > server:
> > > >
> > > > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
> > > > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as 'working'
> > > > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> > > >
> > > > (The s2n exop does a special LDAP call to IPA which in turn calls
> > > > winbind on the server).
> > > >
> > > > To generate the winbind logs on the server, can you do 'smbcontrol winbindd
> > > > debug 100', then request the trusted user. The winbind logs would be at
> > > > /var/log/samba/log.w*
> > >
> > > Don't use debug level 100, it will litter the tmp with packet dumps and
> > > possibly fill the disk.
> > >
> > > Log level 10 is the max that is ever useful.
> > No, you are not right.
> >
> > It looks in this case that there are some unfinished async tasks
> > associated with the outgoing socket and they prevent cli_negprot from
> > starting. On debug level 100 we see content of the packets sent by
> > smbd/winbindd in the log itself which will help to identify what
> > happens. On debug level 10 we simply have two lines in succession
> > telling that winbindd attempted to start cli_negprot and then failed it.
>
> Yes it is ok to ask for 100 in specific cases if you find out it is
> really needed, but shouldn't normally be advised, the starting point is
> level 10, imo.
>
> Simo.

I agree that 10 is a better default value to advise. To be honest, I didn't try the debug level before I advised it, I just copied what I had in bash history on my IPA server. Sorry.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] AD - Freeipa trust confusion
On Tue, 2014-01-07 at 07:48 +0200, Alexander Bokovoy wrote:
> On Fri, 03 Jan 2014, Simo Sorce wrote:
> > On Fri, 2014-01-03 at 12:29 +0100, Jakub Hrozek wrote:
> > > On Thu, Jan 02, 2014 at 08:06:31PM +, Andrew Holway wrote:
> > > > /var/log/sssd/*
> > > > this is using bob@host (prattle.com is the windows domain)
> > > > https://gist.github.com/anonymous/ff817a251948ff58bdb1
> > > >
> > > > this is using b...@prattle.com@host (prattle.com is the windows domain)
> > >
> > > Thanks, these logs have somewhat more info than those in the other
> > > thread.
> > >
> > > It seems that Winbind on the IPA server has trouble talking to the AD
> > > server:
> > >
> > > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
> > > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as 'working'
> > > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> > >
> > > (The s2n exop does a special LDAP call to IPA which in turn calls
> > > winbind on the server).
> > >
> > > To generate the winbind logs on the server, can you do 'smbcontrol winbindd
> > > debug 100', then request the trusted user. The winbind logs would be at
> > > /var/log/samba/log.w*
> >
> > Don't use debug level 100, it will litter the tmp with packet dumps and
> > possibly fill the disk.
> >
> > Log level 10 is the max that is ever useful.
> No, you are not right.
>
> It looks in this case that there are some unfinished async tasks
> associated with the outgoing socket and they prevent cli_negprot from
> starting. On debug level 100 we see content of the packets sent by
> smbd/winbindd in the log itself which will help to identify what
> happens. On debug level 10 we simply have two lines in succession
> telling that winbindd attempted to start cli_negprot and then failed it.

Yes it is ok to ask for 100 in specific cases if you find out it is really needed, but shouldn't normally be advised, the starting point is level 10, imo.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] AD - Freeipa trust confusion
Andrew,

On Tue, 07 Jan 2014, Andrew Holway wrote:
> > At this point I need to know exact version of the samba package (samba4
> > if this is RHEL 6.x) to continue investigations with the exact source
> > code at hand.
>
> [root@ipa ~]# rpm -qa | grep samba
> samba4-libs-4.0.0-60.el6_5.rc4.x86_64

Thanks. Can you please repeat getting the logs with 'log level = 100'? Don't put them online, just send them to me privately.

--
/ Alexander Bokovoy
Re: [Freeipa-users] AD - Freeipa trust confusion
> At this point I need to know exact version of the samba package (samba4
> if this is RHEL 6.x) to continue investigations with the exact source
> code at hand.

[root@ipa ~]# rpm -qa | grep samba
samba4-libs-4.0.0-60.el6_5.rc4.x86_64
Re: [Freeipa-users] AD - Freeipa trust confusion
On Fri, 03 Jan 2014, Simo Sorce wrote:
> On Fri, 2014-01-03 at 12:29 +0100, Jakub Hrozek wrote:
> > On Thu, Jan 02, 2014 at 08:06:31PM +, Andrew Holway wrote:
> > > /var/log/sssd/*
> > > this is using bob@host (prattle.com is the windows domain)
> > > https://gist.github.com/anonymous/ff817a251948ff58bdb1
> > >
> > > this is using b...@prattle.com@host (prattle.com is the windows domain)
> >
> > Thanks, these logs have somewhat more info than those in the other
> > thread.
> >
> > It seems that Winbind on the IPA server has trouble talking to the AD
> > server:
> >
> > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
> > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as 'working'
> > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> >
> > (The s2n exop does a special LDAP call to IPA which in turn calls
> > winbind on the server).
> >
> > To generate the winbind logs on the server, can you do 'smbcontrol winbindd
> > debug 100', then request the trusted user. The winbind logs would be at
> > /var/log/samba/log.w*
>
> Don't use debug level 100, it will litter the tmp with packet dumps and
> possibly fill the disk.
>
> Log level 10 is the max that is ever useful.
No, you are not right.

It looks in this case that there are some unfinished async tasks associated with the outgoing socket and they prevent cli_negprot from starting. On debug level 100 we see content of the packets sent by smbd/winbindd in the log itself which will help to identify what happens. On debug level 10 we simply have two lines in succession telling that winbindd attempted to start cli_negprot and then failed it.

--
/ Alexander Bokovoy
Re: [Freeipa-users] AD - Freeipa trust confusion
On Fri, 03 Jan 2014, Andrew Holway wrote:
> > To generate the winbind logs on the server, can you do 'smbcontrol winbindd
> > debug 100', then request the trusted user. The winbind logs would be at
> > /var/log/samba/log.w*
>
> I truncated all of the files in /var/log/samba and then made a single
> login attempt. These are the files that were non zero after the event.
>
> log.smbd.epmd - https://gist.github.com/anonymous/663be9204d24bf3e915c
> log.wb-PRATTLE - https://gist.github.com/anonymous/069c9931b1c66a2da85e

I can see multiples of:

[2014/01/03 07:48:08.789374, 10, pid=2662, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:806(cm_prepare_connection)
  cm_prepare_connection: connecting to DC WIN-5UGLHAK7RIN for domain PRATTLE
[2014/01/03 07:48:08.789437, 1, pid=2662, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:839(cm_prepare_connection)
  cli_negprot failed: NT_STATUS_INVALID_PARAMETER_MIX

This means some internal mishandling in winbindd. NT_STATUS_INVALID_PARAMETER_MIX can only appear at this path if the connection (which has just been created, a few calls before cli_negprot) has outstanding calls in the outgoing queue at the point when cli_negprot is attempted. As a result, cli_negprot can't start until they are finished.

> log.wb-WIBBLE - https://gist.github.com/anonymous/c60754ec956df30f2c60
> log.winbindd - https://gist.github.com/anonymous/25995d07c20ef5f3926a
> log.winbindd-dc-connect - https://gist.github.com/anonymous/9b6a1b736f1266ddc37f

At this point I need to know the exact version of the samba package (samba4 if this is RHEL 6.x) to continue investigations with the exact source code at hand.

--
/ Alexander Bokovoy
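Added example (not part of the thread, and not Samba's own code): a small parser for the winbindd log entries Alexander quotes above, which pairs each "connecting to DC" attempt with the cli_negprot outcome from the same winbindd pid, so a defender scanning /var/log/samba/log.wb-* can see which DC and domain a failure belongs to and which debug level produced the entries. The sample log is constructed from the two quoted entries; Samba normally writes the header and the message on separate lines, while the thread shows them run together, so both layouts are accepted.

```python
"""Parse Samba winbindd log entries and pair DC connection attempts
with cli_negprot outcomes (added example, not Samba code)."""
import re
from dataclasses import dataclass

# Samba log header: "[timestamp, level, pid=N, effective(..), real(..), class=X] file:line(function)"
# An optional message may follow on the same line (flattened logs) or on the next line.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+),\s*pid=(?P<pid>\d+),"
    r".*?class=(?P<cls>\w+)\]\s*(?P<loc>\S+:\d+\(\w+\))\s*(?P<rest>.*)$"
)
CONNECT_RE = re.compile(r"connecting to DC (?P<dc>\S+) for domain (?P<domain>\S+)")
NEGPROT_RE = re.compile(r"cli_negprot failed: (?P<status>NT_STATUS_\w+)")

# Constructed sample: the two entries quoted in the thread (two-line form)
# plus a third, flattened entry for a second winbindd child.
SAMPLE_LOG = """\
[2014/01/03 07:48:08.789374, 10, pid=2662, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:806(cm_prepare_connection)
  cm_prepare_connection: connecting to DC WIN-5UGLHAK7RIN for domain PRATTLE
[2014/01/03 07:48:08.789437,  1, pid=2662, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:839(cm_prepare_connection)
  cli_negprot failed: NT_STATUS_INVALID_PARAMETER_MIX
[2014/01/03 07:48:09.100000, 10, pid=2663, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:806(cm_prepare_connection) cm_prepare_connection: connecting to DC WIN-5UGLHAK7RIN for domain PRATTLE
"""


@dataclass
class Entry:
    ts: str
    level: int
    pid: int
    cls: str
    loc: str
    msg: str


def parse_entries(text):
    """Split raw log text into Entry records; continuation lines are appended
    to the message of the preceding header."""
    entries = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = Entry(m["ts"], int(m["level"]), int(m["pid"]),
                        m["cls"], m["loc"], m["rest"].strip())
            entries.append(cur)
        elif cur is not None and line.strip():
            cur.msg = (cur.msg + " " + line.strip()).strip()
    return entries


def negprot_failures(entries):
    """Return (dc, domain, status, ts) for every cli_negprot failure, matched
    to the most recent 'connecting to DC' entry logged by the same pid."""
    pending = {}  # pid -> (dc, domain) of the connection being prepared
    failures = []
    for e in entries:
        c = CONNECT_RE.search(e.msg)
        if c:
            pending[e.pid] = (c["dc"], c["domain"])
            continue
        n = NEGPROT_RE.search(e.msg)
        if n:
            dc, domain = pending.get(e.pid, ("?", "?"))
            failures.append((dc, domain, n["status"], e.ts))
    return failures


def max_debug_level(entries):
    """Highest debug level seen; tells you whether the log was captured at
    the level the thread discusses (10) or higher."""
    return max((e.level for e in entries), default=0)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for dc, domain, status, ts in negprot_failures(parsed):
        print(f"{ts}: negprot to {dc} ({domain}) failed with {status}")
    print("max debug level in log:", max_debug_level(parsed))
```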
Re: [Freeipa-users] AD - Freeipa trust confusion
On Fri, Jan 03, 2014 at 02:05:58PM +, Andrew Holway wrote:
> > > To generate the winbind logs on the server, can you do 'smbcontrol winbindd
> > > debug 100', then request the trusted user. The winbind logs would be at
> > > /var/log/samba/log.w*
>
> I truncated all of the files in /var/log/samba and then made a single
> login attempt. These are the files that were non zero after the event.
>
> log.smbd.epmd - https://gist.github.com/anonymous/663be9204d24bf3e915c
> log.wb-PRATTLE - https://gist.github.com/anonymous/069c9931b1c66a2da85e
> log.wb-WIBBLE - https://gist.github.com/anonymous/c60754ec956df30f2c60
> log.winbindd - https://gist.github.com/anonymous/25995d07c20ef5f3926a
> log.winbindd-dc-connect - https://gist.github.com/anonymous/9b6a1b736f1266ddc37f

Thank you, I can see some errors in the winbind log and the fact you can't resolve users with wbinfo -u confirms there is an issue, but I'm not really a winbind expert. I'm sure Alexander will chime in once he's done with his post-holiday travelling :-)
Re: [Freeipa-users] AD - Freeipa trust confusion
[r...@ipa.wibble.com ~]# wbinfo --all-domains
BUILTIN
WIBBLE
PRATTLE

[r...@ipa.wibble.com ~]# wbinfo --own-domain
WIBBLE

On 3 January 2014 15:06, Andrew Holway wrote:
> > or simply run wbinfo on the server to check winbindd can properly
> > retrieve users before moving back to testing on client.
>
> [r...@ipa.wibble.com ~]# wbinfo -i b...@prattle.com
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user b...@prattle.com
>
> Would this be an appropriate wbinfo command?
>
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] AD - Freeipa trust confusion
> or simply run wbinfo on the server to check winbindd can properly
> retrieve users before moving back to testing on client.

[r...@ipa.wibble.com ~]# wbinfo -i b...@prattle.com
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user b...@prattle.com

Would this be an appropriate wbinfo command?

> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] AD - Freeipa trust confusion
> > To generate the winbind logs on the server, can you do 'smbcontrol winbindd
> > debug 100', then request the trusted user. The winbind logs would be at
> > /var/log/samba/log.w*

I truncated all of the files in /var/log/samba and then made a single login attempt. These are the files that were non zero after the event.

log.smbd.epmd - https://gist.github.com/anonymous/663be9204d24bf3e915c
log.wb-PRATTLE - https://gist.github.com/anonymous/069c9931b1c66a2da85e
log.wb-WIBBLE - https://gist.github.com/anonymous/c60754ec956df30f2c60
log.winbindd - https://gist.github.com/anonymous/25995d07c20ef5f3926a
log.winbindd-dc-connect - https://gist.github.com/anonymous/9b6a1b736f1266ddc37f
Re: [Freeipa-users] AD - Freeipa trust confusion
On Fri, 2014-01-03 at 12:29 +0100, Jakub Hrozek wrote:
> On Thu, Jan 02, 2014 at 08:06:31PM +, Andrew Holway wrote:
> > /var/log/sssd/*
> > this is using bob@host (prattle.com is the windows domain)
> > https://gist.github.com/anonymous/ff817a251948ff58bdb1
> >
> > this is using b...@prattle.com@host (prattle.com is the windows domain)
>
> Thanks, these logs have somewhat more info than those in the other
> thread.
>
> It seems that Winbind on the IPA server has trouble talking to the AD
> server:
>
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as 'working'
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
>
> (The s2n exop does a special LDAP call to IPA which in turn calls
> winbind on the server).
>
> To generate the winbind logs on the server, can you do 'smbcontrol winbindd
> debug 100', then request the trusted user. The winbind logs would be at
> /var/log/samba/log.w*

Don't use debug level 100, it will litter the tmp with packet dumps and possibly fill the disk.

Log level 10 is the max that is ever useful.

> I'd advise to restart SSSD on the client before the test to get rid of
> the negative cache and make sure the request actually hits the server.

or simply run wbinfo on the server to check winbindd can properly retrieve users before moving back to testing on client.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] AD - Freeipa trust confusion
On Fri, Jan 03, 2014 at 12:29:11PM +0100, Jakub Hrozek wrote:
> On Thu, Jan 02, 2014 at 08:06:31PM +, Andrew Holway wrote:
> > /var/log/sssd/*
> > this is using bob@host (prattle.com is the windows domain)
> > https://gist.github.com/anonymous/ff817a251948ff58bdb1
> >
> > this is using b...@prattle.com@host (prattle.com is the windows domain)
>
> Thanks, these logs have somewhat more info than those in the other
> thread.
>
> It seems that Winbind on the IPA server has trouble talking to the AD
> server:
>
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as 'working'
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
>
> (The s2n exop does a special LDAP call to IPA which in turn calls
> winbind on the server).
>
> To generate the winbind logs on the server, can you do 'smbcontrol winbindd
> debug 100', then request the trusted user. The winbind logs would be at
> /var/log/samba/log.w*
>
> I'd advise to restart SSSD on the client before the test to get rid of
> the negative cache and make sure the request actually hits the server.
>

Oh and after you gather the info, you should also re-set the debug logs back:

smbcontrol winbindd debug 1

Running with a verbose log level would flood your disk soon.
Re: [Freeipa-users] AD - Freeipa trust confusion
On Thu, Jan 02, 2014 at 08:06:31PM +, Andrew Holway wrote:
> /var/log/sssd/*
> this is using bob@host (prattle.com is the windows domain)
> https://gist.github.com/anonymous/ff817a251948ff58bdb1
>
> this is using b...@prattle.com@host (prattle.com is the windows domain)

Thanks, these logs have somewhat more info than those in the other thread.

It seems that Winbind on the IPA server has trouble talking to the AD server:

(Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
(Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as 'working'
(Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.

(The s2n exop does a special LDAP call to IPA which in turn calls winbind on the server).

To generate the winbind logs on the server, can you do 'smbcontrol winbindd debug 100', then request the trusted user. The winbind logs would be at /var/log/samba/log.w*

I'd advise to restart SSSD on the client before the test to get rid of the negative cache and make sure the request actually hits the server.
Re: [Freeipa-users] AD - Freeipa trust confusion
Sorry, I forgot this. It works fine for the wibble.com linux domain.

[r...@ipa.wibble.com log]# ldapsearch -x -ZZ -H ldap://localhost -b dc=prattle,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=prattle,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 32 No such object

# numResponses: 1

On 2 January 2014 20:06, Andrew Holway wrote:
> > As for AD users we need to look at the client and see what is going on
> > there. What is your client? Version and component? Is it using latest SSSD?
> > If not additional steps might be needed. Please provide the details
> > about the clients. Please start with trying AD users on the IPA server
> > itself, looking at the logs and seeing what is going on.
>
> /var/log/secure
> Jan 2 19:27:46 ipa sshd[8252]: pam_unix(sshd:auth): check pass; user unknown
> Jan 2 19:27:46 ipa sshd[8252]: pam_succeed_if(sshd:auth): error retrieving information about user b...@prattle.com
> Jan 2 19:27:49 ipa sshd[8252]: Failed password for invalid user b...@prattle.com from 192.168.202.12 port 51537 ssh2
>
> /var/log/messages (not sure if related. this error is going off every 20s)
> Jan 2 19:52:18 ipa smbd[7279]: [2014/01/02 19:52:18.895536, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 19:52:18 ipa smbd[7279]: dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
> Jan 2 19:52:18 ipa smbd[7279]: [2014/01/02 19:52:18.896121, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 19:52:18 ipa smbd[7279]: dcesrv_interface_register: interface 'samr' already registered on endpoint
> Jan 2 19:52:18 ipa smbd[7279]: [2014/01/02 19:52:18.896616, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 19:52:18 ipa smbd[7279]: dcesrv_interface_register: interface 'netlogon' already registered on endpoint
> Jan 2 19:53:18 ipa smbd[7279]: [2014/01/02 19:53:18.913794, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 19:53:18 ipa smbd[7279]: dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
> Jan 2 19:53:18 ipa smbd[7279]: [2014/01/02 19:53:18.914377, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 19:53:18 ipa smbd[7279]: dcesrv_interface_register: interface 'samr' already registered on endpoint
> Jan 2 19:53:18 ipa smbd[7279]: [2014/01/02 19:53:18.914853, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 19:53:18 ipa smbd[7279]: dcesrv_interface_register: interface 'netlogon' already registered on endpoint
>
> /var/log/krb5kdc.log
> Jan 02 19:27:37 ipa.wibble.com krb5kdc[6611](info): AS_REQ (4 etypes {18 17 16 23}) 10.51.120.1: NEEDED_PREAUTH: host/ipa.wibble@wibble.com for krbtgt/wibble@wibble.com, Additional pre-authentication required
> Jan 02 19:27:37 ipa.wibble.com krb5kdc[6611](info): AS_REQ (4 etypes {18 17 16 23}) 10.51.120.1: ISSUE: authtime 1388690857, etypes {rep=18 tkt=18 ses=18}, host/ipa.wibble@wibble.com for krbtgt/wibble@wibble.com
> Jan 02 19:27:37 ipa.wibble.com krb5kdc[6611](info): TGS_REQ (4 etypes {18 17 16 23}) 10.51.120.1: ISSUE: authtime 1388690857, etypes {rep=18 tkt=18 ses=18}, host/ipa.wibble@wibble.com for ldap/ipa.wibble@wibble.com
>
> /var/log/sssd/*
> this is using bob@host (prattle.com is the windows domain)
> https://gist.github.com/anonymous/ff817a251948ff58bdb1
>
> this is using b...@prattle.com@host (prattle.com is the windows domain)
> https://gist.github.com/anonymous/885d8bfd6cf7d224de93
>
> > Thanks
> > Dmitri
> >
> > > Ta,
> > >
> > > Andrew
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager for IdM portfolio
> > Red Hat Inc.
> >
> > ---
> > Looking to carve out IT costs?
> > www.redhat.com/carveoutcosts/
Re: [Freeipa-users] AD - Freeipa trust confusion
> As for AD users we need to look at the client and see what is going on
> there. What is your client? Version and component? Is it using latest SSSD?
> If not additional steps might be needed. Please provide the details
> about the clients. Please start with trying AD users on the IPA server
> itself, looking at the logs and seeing what is going on.

/var/log/secure
Jan 2 19:27:46 ipa sshd[8252]: pam_unix(sshd:auth): check pass; user unknown
Jan 2 19:27:46 ipa sshd[8252]: pam_succeed_if(sshd:auth): error retrieving information about user b...@prattle.com
Jan 2 19:27:49 ipa sshd[8252]: Failed password for invalid user b...@prattle.com from 192.168.202.12 port 51537 ssh2

/var/log/messages (not sure if related. this error is going off every 20s)
Jan 2 19:52:18 ipa smbd[7279]: [2014/01/02 19:52:18.895536, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:52:18 ipa smbd[7279]: dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Jan 2 19:52:18 ipa smbd[7279]: [2014/01/02 19:52:18.896121, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:52:18 ipa smbd[7279]: dcesrv_interface_register: interface 'samr' already registered on endpoint
Jan 2 19:52:18 ipa smbd[7279]: [2014/01/02 19:52:18.896616, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:52:18 ipa smbd[7279]: dcesrv_interface_register: interface 'netlogon' already registered on endpoint
Jan 2 19:53:18 ipa smbd[7279]: [2014/01/02 19:53:18.913794, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:53:18 ipa smbd[7279]: dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Jan 2 19:53:18 ipa smbd[7279]: [2014/01/02 19:53:18.914377, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:53:18 ipa smbd[7279]: dcesrv_interface_register: interface 'samr' already registered on endpoint
Jan 2 19:53:18 ipa smbd[7279]: [2014/01/02 19:53:18.914853, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:53:18 ipa smbd[7279]: dcesrv_interface_register: interface 'netlogon' already registered on endpoint

/var/log/krb5kdc.log
Jan 02 19:27:37 ipa.wibble.com krb5kdc[6611](info): AS_REQ (4 etypes {18 17 16 23}) 10.51.120.1: NEEDED_PREAUTH: host/ipa.wibble@wibble.com for krbtgt/wibble@wibble.com, Additional pre-authentication required
Jan 02 19:27:37 ipa.wibble.com krb5kdc[6611](info): AS_REQ (4 etypes {18 17 16 23}) 10.51.120.1: ISSUE: authtime 1388690857, etypes {rep=18 tkt=18 ses=18}, host/ipa.wibble@wibble.com for krbtgt/wibble@wibble.com
Jan 02 19:27:37 ipa.wibble.com krb5kdc[6611](info): TGS_REQ (4 etypes {18 17 16 23}) 10.51.120.1: ISSUE: authtime 1388690857, etypes {rep=18 tkt=18 ses=18}, host/ipa.wibble@wibble.com for ldap/ipa.wibble@wibble.com

/var/log/sssd/*
this is using bob@host (prattle.com is the windows domain)
https://gist.github.com/anonymous/ff817a251948ff58bdb1

this is using b...@prattle.com@host (prattle.com is the windows domain)
https://gist.github.com/anonymous/885d8bfd6cf7d224de93

> Thanks
> Dmitri
>
> > Ta,
> >
> > Andrew
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] AD - Freeipa trust confusion
On 01/02/2014 02:12 PM, Andrew Holway wrote:
> > You are still setting up a replication agreement not a trust.
> Oh, I am following the redhat documentation here:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html

This is sync not trust as I mentioned in my first reply.

> > This seems to indicate that the directory server is not running.
> > Can you check that the dirsrv is running?
> [r...@ipa.wibble.com log]# /etc/init.d/dirsrv status
> dirsrv PKI-IPA (pid 7394) is running...
> dirsrv WIBBLE-COM (pid 7463) is running...
>
>
> [r...@ipa.wibble.com log]# ipa trust-add --type=ad prattle.com --admin Administrator --password
> Active directory domain administrator's password:
>
> Added Active Directory trust for realm "prattle.com"
>
> Realm name: prattle.com
> Domain NetBIOS name: PRATTLE
> Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
> Trust direction: Two-way trust
> Trust type: Active Directory domain
> Trust status: Established and verified

This is the right step.

> However I cannot log into the windows domain with my linux users nor
> the linux domain with my linux users.

You should not expect logging into AD domain with Linux users. This functionality is not implemented yet.

As for AD users we need to look at the client and see what is going on there. What is your client? Version and component? Is it using latest SSSD? If not additional steps might be needed. Please provide the details about the clients. Please start with trying AD users on the IPA server itself, looking at the logs and seeing what is going on.

Thanks
Dmitri

> Ta,
>
> Andrew

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] AD - Freeipa trust confusion
On Thu, 2014-01-02 at 19:12 +, Andrew Holway wrote:
> > You are still setting up a replication agreement not a trust.
>
> Oh, I am following the redhat documentation here:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html
>
> > This seems to indicate that the directory server is not running.
> > Can you check that the dirsrv is running?
>
> [r...@ipa.wibble.com log]# /etc/init.d/dirsrv status
> dirsrv PKI-IPA (pid 7394) is running...
> dirsrv WIBBLE-COM (pid 7463) is running...
>
>
> [r...@ipa.wibble.com log]# ipa trust-add --type=ad prattle.com --admin Administrator --password
> Active directory domain administrator's password:
>
> Added Active Directory trust for realm "prattle.com"
>
> Realm name: prattle.com
> Domain NetBIOS name: PRATTLE
> Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
> Trust direction: Two-way trust
> Trust type: Active Directory domain
> Trust status: Established and verified
>
> However I cannot log into the windows domain with my linux users nor
> the linux domain with my linux users.

At this time logging in with linux users into the Windows domain is not supported and does not work.

However logging with a Windows user into a linux machine joined to the ipa realm should work, as long as you use sssd on the linux machine.

What error do you see on the linux machine when you try to log in with a windows user?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] AD - Freeipa trust confusion
> You are still setting up a replication agreement not a trust.

Oh, I am following the redhat documentation here:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html

> This seems to indicate that the directory server is not running.
> Can you check that the dirsrv is running?

[r...@ipa.wibble.com log]# /etc/init.d/dirsrv status
dirsrv PKI-IPA (pid 7394) is running...
dirsrv WIBBLE-COM (pid 7463) is running...


[r...@ipa.wibble.com log]# ipa trust-add --type=ad prattle.com --admin Administrator --password
Active directory domain administrator's password:

Added Active Directory trust for realm "prattle.com"

Realm name: prattle.com
Domain NetBIOS name: PRATTLE
Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified

However I cannot log into the windows domain with my linux users nor the linux domain with my linux users.

Ta,

Andrew
Re: [Freeipa-users] AD - Freeipa trust confusion
On 01/02/2014 12:07 PM, Andrew Holway wrote:
> I have taken out the winsync.
>
> [r...@ipa.wibble.com ~]# ipa-replica-manage connect --binddn
> cn=administrator,cn=users,dc=prattle,dc=com --bindpw pa$$ --passsync
> pa$$ --cacert /etc/openldap/cacerts/prattle.crt
> win-5uglhak7rin.prattle.com. -vvv
> Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
> database for ipa.wibble.com

You are still setting up a replication agreement not a trust.

> You cannot connect to a previously deleted master

I think it confuses your AD for a replica that does not exist.

> I can't find anything useful in the server2008 AD logs. I am seeing
> if I can make them more sensitive.
>
> /var/log/messages
>
> Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904045, 0]
> ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register:
> interface 'lsarpc' already registered on endpoint
> Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904642, 0]
> ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register:
> interface 'samr' already registered on endpoint
> Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.905147, 0]
> ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register:
> interface 'netlogon' already registered on endpoint
> Jan 2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
> Jan 2 16:53:47 ipa named[11459]: connection to the LDAP server was lost
> Jan 2 16:53:47 ipa named[11459]: bind to LDAP server failed: Can't
> contact LDAP server

This seems to indicate that the directory server is not running.
Can you check that the dirsrv is running?

> Jan 2 16:53:47 ipa named[11459]: ldap_psearch_watcher failed to
> handle LDAP connection error. Reconnection in 60s
> Jan 2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299083, 0]
> ipa_sam.c:3689(bind_callback_cleanup)
> Jan 2 16:53:49 ipa winbindd[12071]: kerberos error:
> code=-1765328324, message=Generic error (see e-text)
> Jan 2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299320, 0]
> ../source3/lib/smbldap.c:998(smbldap_connect_system)
> Jan 2 16:53:49 ipa winbindd[12071]: failed to bind to server
> ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn="[Anonymous
> bind]" Error: Local error
> Jan 2 16:53:49 ipa winbindd[12071]: #011(unknown)
> Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.909746, 0]
> ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
> Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many
> handles (2049) on this pipe.
> Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910126, 0]
> ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
> Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many
> handles (2049) on this pipe.
> Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910427, 0]
> ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
> Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many
> handles (2049) on this pipe.
>
>
> On 2 January 2014 13:41, Dmitri Pal wrote:
>> On 01/02/2014 07:38 AM, Andrew Holway wrote:
>>> I have gotten a little further along with this but am having problems
>>> connecting to the AD LDAP.
>>>
>>> [r...@ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync
>>> --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw
>>> X9deiX9dei --passsync X9deiX9dei --cacert
>>> /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
>>>
>>> Directory Manager password:
>>>
>>> Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
>>> database for ipa.wibble.com
>>>
>>> ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.
>>>
>>> ipa: INFO: The error was: {'info': ': LdapErr: DSID-0C090E17,
>>> comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server
>>> is unavailable'}
>>>
>>> Failed to setup winsync replication
>> Hello,
>>
>> Trusts and winsync are mutually exclusive.
>> You either do one or another. We do not have a way to move from one
>> configuration to another yet and the decision should be made at the
>> deployment time.
>>
>> Which one do you prefer?
>> If you prefer trusts please follow the instructions on the wiki. The
>> guide is not updated yet, sorry.
>> http://www.freeipa.org/page/Trusts
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>
>> It seems that after the trust is established you try to login and fail.
>> Can you provide more details about those attempts?
>> http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
>> also see other sections on the same page.
>>
>> HTH
>> Thanks
>> Dmitri
>>
>>
>>> On 1 January 2014 22:27, Andrew Holway wrote:
>>>> Hello,
>>>>
>>>> I am attempting to set up trust between my test freeipa server at
Re: [Freeipa-users] AD - Freeipa trust confusion
I turned off all the AD processes on my windows domain controller. The
error did not change.

On 2 January 2014 17:07, Andrew Holway wrote:
> I have taken out the winsync.
>
> [r...@ipa.wibble.com ~]# ipa-replica-manage connect --binddn
> cn=administrator,cn=users,dc=prattle,dc=com --bindpw pa$$ --passsync
> pa$$ --cacert /etc/openldap/cacerts/prattle.crt
> win-5uglhak7rin.prattle.com. -vvv
> Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
> database for ipa.wibble.com
> You cannot connect to a previously deleted master
>
> I can't find anything useful in the server2008 AD logs. I am seeing
> if I can make them more sensitive.
>
> /var/log/messages
>
> Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904045, 0]
> ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register:
> interface 'lsarpc' already registered on endpoint
> Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904642, 0]
> ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register:
> interface 'samr' already registered on endpoint
> Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.905147, 0]
> ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register:
> interface 'netlogon' already registered on endpoint
> Jan 2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
> Jan 2 16:53:47 ipa named[11459]: connection to the LDAP server was lost
> Jan 2 16:53:47 ipa named[11459]: bind to LDAP server failed: Can't
> contact LDAP server
> Jan 2 16:53:47 ipa named[11459]: ldap_psearch_watcher failed to
> handle LDAP connection error. Reconnection in 60s
> Jan 2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299083, 0]
> ipa_sam.c:3689(bind_callback_cleanup)
> Jan 2 16:53:49 ipa winbindd[12071]: kerberos error:
> code=-1765328324, message=Generic error (see e-text)
> Jan 2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299320, 0]
> ../source3/lib/smbldap.c:998(smbldap_connect_system)
> Jan 2 16:53:49 ipa winbindd[12071]: failed to bind to server
> ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn="[Anonymous
> bind]" Error: Local error
> Jan 2 16:53:49 ipa winbindd[12071]: #011(unknown)
> Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.909746, 0]
> ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
> Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many
> handles (2049) on this pipe.
> Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910126, 0]
> ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
> Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many
> handles (2049) on this pipe.
> Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910427, 0]
> ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
> Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many
> handles (2049) on this pipe.
>
>
> On 2 January 2014 13:41, Dmitri Pal wrote:
>> On 01/02/2014 07:38 AM, Andrew Holway wrote:
>>> I have gotten a little further along with this but am having problems
>>> connecting to the AD LDAP.
>>>
>>> [r...@ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync
>>> --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw
>>> X9deiX9dei --passsync X9deiX9dei --cacert
>>> /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
>>>
>>> Directory Manager password:
>>>
>>> Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
>>> database for ipa.wibble.com
>>>
>>> ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.
>>>
>>> ipa: INFO: The error was: {'info': ': LdapErr: DSID-0C090E17,
>>> comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server
>>> is unavailable'}
>>>
>>> Failed to setup winsync replication
>>
>> Hello,
>>
>> Trusts and winsync are mutually exclusive.
>> You either do one or another. We do not have a way to move from one
>> configuration to another yet and the decision should be made at the
>> deployment time.
>>
>> Which one do you prefer?
>> If you prefer trusts please follow the instructions on the wiki. The
>> guide is not updated yet, sorry.
>> http://www.freeipa.org/page/Trusts
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>
>> It seems that after the trust is established you try to login and fail.
>> Can you provide more details about those attempts?
>> http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
>> also see other sections on the same page.
>>
>> HTH
>> Thanks
>> Dmitri
>>
>>
>>>
>>> On 1 January 2014 22:27, Andrew Holway wrote:
>>>> Hello,
>>>>
>>>> I am attempting to set up trust between my test freeipa server at
>>>> ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.
>>>>
>>>> In the GUI I can see the following in "Trusts » p
Re: [Freeipa-users] AD - Freeipa trust confusion
I have taken out the winsync.

[r...@ipa.wibble.com ~]# ipa-replica-manage connect --binddn
cn=administrator,cn=users,dc=prattle,dc=com --bindpw pa$$ --passsync
pa$$ --cacert /etc/openldap/cacerts/prattle.crt
win-5uglhak7rin.prattle.com. -vvv
Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
database for ipa.wibble.com
You cannot connect to a previously deleted master

I can't find anything useful in the server2008 AD logs. I am seeing
if I can make them more sensitive.

/var/log/messages

Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904045, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904642, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'samr' already registered on endpoint
Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.905147, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'netlogon' already registered on endpoint
Jan 2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
Jan 2 16:53:47 ipa named[11459]: connection to the LDAP server was lost
Jan 2 16:53:47 ipa named[11459]: bind to LDAP server failed: Can't contact LDAP server
Jan 2 16:53:47 ipa named[11459]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
Jan 2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299083, 0] ipa_sam.c:3689(bind_callback_cleanup)
Jan 2 16:53:49 ipa winbindd[12071]: kerberos error: code=-1765328324, message=Generic error (see e-text)
Jan 2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299320, 0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
Jan 2 16:53:49 ipa winbindd[12071]: failed to bind to server ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn="[Anonymous bind]" Error: Local error
Jan 2 16:53:49 ipa winbindd[12071]: #011(unknown)
Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.909746, 0] ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.
Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910126, 0] ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.
Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910427, 0] ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.

On 2 January 2014 13:41, Dmitri Pal wrote:
> On 01/02/2014 07:38 AM, Andrew Holway wrote:
>> I have gotten a little further along with this but am having problems
>> connecting to the AD LDAP.
>>
>> [r...@ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync
>> --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw
>> X9deiX9dei --passsync X9deiX9dei --cacert
>> /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
>>
>> Directory Manager password:
>>
>> Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
>> database for ipa.wibble.com
>>
>> ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.
>>
>> ipa: INFO: The error was: {'info': ': LdapErr: DSID-0C090E17,
>> comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server
>> is unavailable'}
>>
>> Failed to setup winsync replication
>
> Hello,
>
> Trusts and winsync are mutually exclusive.
> You either do one or another. We do not have a way to move from one
> configuration to another yet and the decision should be made at the
> deployment time.
>
> Which one do you prefer?
> If you prefer trusts please follow the instructions on the wiki. The
> guide is not updated yet, sorry.
> http://www.freeipa.org/page/Trusts
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>
> It seems that after the trust is established you try to login and fail.
> Can you provide more details about those attempts?
> http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
> also see other sections on the same page.
>
> HTH
> Thanks
> Dmitri
>
>
>>
>> On 1 January 2014 22:27, Andrew Holway wrote:
>>> Hello,
>>>
>>> I am attempting to set up trust between my test freeipa server at
>>> ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.
>>>
>>> In the GUI I can see the following in "Trusts » prattle.com".
>>>
>>> Realm name: prattle.com
>>> Domain NetBIOS name: PRATTLE
>>> Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
>>> Trust direction: Two-way trust
>>> Trust type: Active Directory domain
>>>
>>> However I can't see any of the AD users that I have created nor can I
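An added example (this editor's, not code from the thread or from FreeIPA or Samba): a Python triage pass over the kinds of lines posted in the message above and the sshd line from the original post. It decodes the numeric code winbindd prints (MIT krb5 com_err codes are the table base -1765328384 plus the RFC 4120 error number, so -1765328324 is KRB5KRB_ERR_GENERIC), flags the named and winbindd lines that point back at dirsrv, notes that 2049 exceeds Samba's per-pipe policy-handle limit of 2048, and reads sshd's "invalid user" as a failed NSS lookup rather than a wrong password. The sample log is constructed to resemble the quoted lines, and the one-line readings in the rule table are this editor's assumptions, not an official table.

```python
"""Triage of the IPA-side log lines quoted in this thread.

Added example, not code from the thread, FreeIPA or Samba. The readings in
the rule table are this editor's; the krb5 code mapping and Samba's handle
limit come from the MIT krb5 and Samba sources. SAMPLE_LOG is constructed
to resemble the quoted lines and is not a capture from the poster's hosts.
"""
import re
from collections import Counter

# MIT Kerberos com_err codes are the krb5 table base plus the RFC 4120
# protocol error number; only the codes this triage is likely to meet.
KRB5_ERROR_TABLE_BASE = -1765328384
KRB5_ERROR_NAMES = {
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    37: "KRB5KRB_AP_ERR_SKEW",
    60: "KRB5KRB_ERR_GENERIC",
}
SAMBA_MAX_OPEN_POLS = 2048  # per-pipe policy handle limit in rpc_handles.c


def krb5_error_name(code: int) -> str:
    """Turn the numeric code winbindd logs into its krb5 symbolic name."""
    offset = code - KRB5_ERROR_TABLE_BASE
    if not 0 <= offset < 128:
        return f"not a krb5 protocol error (offset {offset})"
    return KRB5_ERROR_NAMES.get(offset, f"krb5 protocol error {offset}")


# (pattern, component, meaning template); the first matching rule wins.
RULES = [
    (re.compile(r"sshd\[\d+\]:\s+Failed password for invalid user (?P<user>\S+)"),
     "sshd",
     "NSS lookup for '{user}' failed before any password check: sssd did not "
     "resolve the trusted user, so the fault is identity lookup, not PAM"),
    (re.compile(r"named\[\d+\]:\s+.*(Can't contact LDAP server|"
                r"connection to the LDAP server was lost)"),
     "named",
     "bind-dyndb-ldap lost its connection to dirsrv; confirm dirsrv is running"),
    (re.compile(r"winbindd\[\d+\]:\s+kerberos error: code=(?P<code>-?\d+)"),
     "winbindd",
     "Kerberos failure while ipa_sam bound to dirsrv: {krb5} ({code})"),
    (re.compile(r"winbindd\[\d+\]:\s+failed to bind to server (?P<url>ldapi://\S+)"),
     "winbindd",
     "ipa_sam could not bind to {url}; the kerberos error logged just before says why"),
    (re.compile(r"smbd\[\d+\]:\s+create_policy_hnd: ERROR: too many handles \((?P<n>\d+)\)"),
     "smbd",
     "{n} policy handles on one pipe exceeds Samba's per-pipe limit of {limit}: "
     "a client is opening handles faster than it closes them"),
    (re.compile(r"smbd\[\d+\]:\s+dcesrv_interface_register: interface '(?P<iface>\w+)' "
                r"already registered"),
     "smbd",
     "'{iface}' was already registered with the endpoint mapper; nothing failed on this line"),
]


def classify(line: str):
    """Return a finding for a line matching a known pattern, else None."""
    for pattern, component, template in RULES:
        m = pattern.search(line)
        if m is None:
            continue
        fields = m.groupdict()
        if "code" in fields:
            fields["krb5"] = krb5_error_name(int(fields["code"]))
        meaning = template.format(limit=SAMBA_MAX_OPEN_POLS, **fields)
        return {"component": component, "meaning": meaning, "fields": fields}
    return None


def triage(lines):
    """Classify each line in order, dropping lines no rule recognises."""
    return [f for f in (classify(line) for line in lines) if f is not None]


def summarize(findings) -> Counter:
    """Findings per component, so the noisiest daemon stands out."""
    return Counter(f["component"] for f in findings)


# Constructed sample, one record per line, modelled on the thread's quotes.
SAMPLE_LOG = """\
Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Jan  2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
Jan  2 16:53:47 ipa named[11459]: connection to the LDAP server was lost
Jan  2 16:53:49 ipa winbindd[12071]:   kerberos error: code=-1765328324, message=Generic error (see e-text)
Jan  2 16:53:49 ipa winbindd[12071]:   failed to bind to server ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn="[Anonymous bind]" Error: Local error
Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many handles (2049) on this pipe.
Jan  1 20:50:30 host002 sshd[9959]: Failed password for invalid user bob from 10.51.120.1 port 55101 ssh2
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"[{f['component']}] {f['meaning']}")
    print(dict(summarize(found)))
```

Run as-is it classifies the embedded sample; real lines from /var/log/messages and the client's auth log can be passed to `triage()` in the same way. The sshd reading is the one that decides where to look next: `ipa trust-add` reporting the trust as established and sshd reporting "invalid user" are consistent with each other, because the trust object exists while the lookup of the trusted user through sssd on the IPA server is what fails, and the named and winbindd lines both point at the local dirsrv as the thing to check first.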
Re: [Freeipa-users] AD - Freeipa trust confusion
On 01/02/2014 07:38 AM, Andrew Holway wrote:
> I have gotten a little further along with this but am having problems
> connecting to the AD LDAP.
>
> [r...@ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync
> --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw
> X9deiX9dei --passsync X9deiX9dei --cacert
> /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
>
> Directory Manager password:
>
> Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
> database for ipa.wibble.com
>
> ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.
>
> ipa: INFO: The error was: {'info': ': LdapErr: DSID-0C090E17,
> comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server
> is unavailable'}
>
> Failed to setup winsync replication

Hello,

Trusts and winsync are mutually exclusive.
You either do one or another. We do not have a way to move from one
configuration to another yet and the decision should be made at the
deployment time.

Which one do you prefer?
If you prefer trusts please follow the instructions on the wiki. The
guide is not updated yet, sorry.
http://www.freeipa.org/page/Trusts
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

It seems that after the trust is established you try to login and fail.
Can you provide more details about those attempts?
http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
also see other sections on the same page.

HTH
Thanks
Dmitri

>
> On 1 January 2014 22:27, Andrew Holway wrote:
>> Hello,
>>
>> I am attempting to set up trust between my test freeipa server at
>> ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.
>>
>> In the GUI I can see the following in "Trusts » prattle.com".
>>
>> Realm name: prattle.com
>> Domain NetBIOS name: PRATTLE
>> Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
>> Trust direction: Two-way trust
>> Trust type: Active Directory domain
>>
>> However I can't see any of the AD users that I have created nor can I
>> log on to any of the systems under my freeipa realm.
>>
>> Jan 1 20:50:30 host002 sshd[9959]: Failed password for invalid user
>> bob from 10.51.120.1 port 55101 ssh2
>>
>> I haven't actually done anything to AD to facilitate this trust. It's
>> not particularly clear what should be done.
>>
>> Many thanks,
>>
>> Andrew

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] AD - Freeipa trust confusion
I have gotten a little further along with this but am having problems
connecting to the AD LDAP.

[r...@ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync
--binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw
X9deiX9dei --passsync X9deiX9dei --cacert
/etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv

Directory Manager password:

Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
database for ipa.wibble.com

ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.

ipa: INFO: The error was: {'info': ': LdapErr: DSID-0C090E17,
comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server
is unavailable'}

Failed to setup winsync replication

On 1 January 2014 22:27, Andrew Holway wrote:
> Hello,
>
> I am attempting to set up trust between my test freeipa server at
> ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.
>
> In the GUI I can see the following in "Trusts » prattle.com".
>
> Realm name: prattle.com
> Domain NetBIOS name: PRATTLE
> Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
> Trust direction: Two-way trust
> Trust type: Active Directory domain
>
> However I can't see any of the AD users that I have created nor can I
> log on to any of the systems under my freeipa realm.
>
> Jan 1 20:50:30 host002 sshd[9959]: Failed password for invalid user
> bob from 10.51.120.1 port 55101 ssh2
>
> I haven't actually done anything to AD to facilitate this trust. It's
> not particularly clear what should be done.
>
> Many thanks,
>
> Andrew
[Freeipa-users] AD - Freeipa trust confusion
Hello,

I am attempting to set up trust between my test freeipa server at
ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.

In the GUI I can see the following in "Trusts » prattle.com".

Realm name: prattle.com
Domain NetBIOS name: PRATTLE
Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
Trust direction: Two-way trust
Trust type: Active Directory domain

However I can't see any of the AD users that I have created nor can I
log on to any of the systems under my freeipa realm.

Jan 1 20:50:30 host002 sshd[9959]: Failed password for invalid user
bob from 10.51.120.1 port 55101 ssh2

I haven't actually done anything to AD to facilitate this trust. It's
not particularly clear what should be done.

Many thanks,

Andrew