Re: [Freeipa-users] Unable to Login until Trust is Repaired

2014-11-13 Thread Dmitri Pal

On 11/13/2014 08:37 AM, Jonathan Bradford wrote:
> 3.0 is a pretty old version, I mean a lot has changed in trust area 
> between 3.0 and 3.3.

> Any chance you can use that?
> What distro do you use?
I'm not sure if I can use a newer version. I'm using RHEL Server 6.5. 
I'm connected to a Satellite server, but it is a disconnected 
Satellite not allowed on the internet. Satellite updates have to be 
manually downloaded via .ISOs. The server has the most recent version 
of RHEL 6 updates on it. The .ISOs and versions are found on Red Hat's 
website here...

https://www.redhat.com/wapps/sso/login.html?redirect=https%3A%2F%2Frhn.redhat.com%2Frhn%2Fsoftware%2Fchannel%2Fdownloads%2FDownload.do%3Fcid=18952


3.3 is RHEL 7.0.
I think there is an image:  RHEL 7 (x86_64) + EUS + RHN Tools + Optional 
(Base 2014-06-24)



Date: Thu, 13 Nov 2014 08:27:28 -0500
From: Dmitri Pal
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to Login until Trust is Repaired
(Jonathan)
Message-ID: <5464b1c0.1070...@redhat.com>

Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

On 11/13/2014 08:15 AM, Jonathan Bradford wrote:
> Dmitri:
> Thanks for the reply.
> > Do you need to repair the trust for every single user or just once?
> Yes, I have to repair the trust for every new user added to Active
> Directory who needs access to an IdM resource. Only once per user 
> though.

> > What is your AD domain topology?
> My AD topology is very simple at the moment because it is a test
> environment. I currently have one domain controller with a domain of
> venus.com. My IdM topology is very similar--one
> IdM server with a domain of mercury.com.

> > Are you establishing trust with the primary domain controller?
> Yes.
> > What version of IPA and AD are you using?
> I'm using IPA v 3.0. I'm not sure of the current version of AD, but
> I'm using it on Windows Server 2008 R2 SP1.

3.0 is a pretty old version, I mean a lot has changed in trust area
between 3.0 and 3.3.
Any chance you can use that?

What distro do you use?





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Unable to Login until Trust is Repaired

2014-11-13 Thread Jonathan Bradford
> 3.0 is a pretty old version, I mean a lot has changed in trust area
> between 3.0 and 3.3.
> Any chance you can use that?
> What distro do you use?

I'm not sure if I can use a newer version. I'm using RHEL Server 6.5. I'm
connected to a Satellite server, but it is a disconnected Satellite not
allowed on the internet. Satellite updates have to be manually downloaded
via .ISOs. The server has the most recent version of RHEL 6 updates on it.
The .ISOs and versions are found on Red Hat's website here...

https://www.redhat.com/wapps/sso/login.html?redirect=https%3A%2F%2Frhn.redhat.com%2Frhn%2Fsoftware%2Fchannel%2Fdownloads%2FDownload.do%3Fcid=18952

Date: Thu, 13 Nov 2014 08:27:28 -0500
From: Dmitri Pal 
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to Login until Trust is Repaired
(Jonathan)
Message-ID: <5464b1c0.1070...@redhat.com>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

On 11/13/2014 08:15 AM, Jonathan Bradford wrote:
> Dmitri:
> Thanks for the reply.
> > Do you need to repair the trust for every single user or just once?
> Yes, I have to repair the trust for every new user added to Active
> Directory who needs access to an IdM resource. Only once per user though.
> > What is your AD domain topology?
> My AD topology is very simple at the moment because it is a test
> environment. I currently have one domain controller with a domain of
> venus.com. My IdM topology is very similar--one
> IdM server with a domain of mercury.com.
> > Are you establishing trust with the primary domain controller?
> Yes.
> > What version of IPA and AD are you using?
> I'm using IPA v 3.0. I'm not sure of the current version of AD, but
> I'm using it on Windows Server 2008 R2 SP1.

3.0 is a pretty old version, I mean a lot has changed in trust area
between 3.0 and 3.3.
Any chance you can use that?

What distro do you use?

Re: [Freeipa-users] Unable to Login until Trust is Repaired

2014-11-13 Thread Alexander Bokovoy

On Wed, 12 Nov 2014, Jonathan Bradford wrote:

This is my first post on the IPA mailing list. Hey guys :)

I've successfully walked through the IdM Red Hat document on "Integrating
with Active Directory Through Cross-Realm Kerberos Trusts" using separate
DNS domains. I've reached the part where you test the trust using SSH via
PuTTY, and I have noticed a problem.

If I add a user in Active Directory (group mapping is on), the user cannot
immediately SSH to an IPA host. In fact, it never allows me to login until
I first login to a Windows machine with the account and then repair the
trust via AD.

To repair the trust, I have to go to AD Domains and Trusts > Properties >
Trusts> and Validate the incoming and outgoing connections. When I do this,
it gives me an error message about the RPC server not running, but if I
proceed, it eventually tells me that the connection has been repaired. Only
after doing this can I successfully SSH with a new user.

Do you have any idea why this might be happening? I have followed Red Hat's
documentation exactly, so I am not sure why I am having issues. If you have
any thoughts or ideas, I would greatly appreciate them. Thanks!

We need to see debugging output to make a decision on what is happening.

From your description I'd say you haven't had a trust properly
configured and most likely either AD DCs don't see IPA masters directly
or there is a domain/NetBIOS name conflict in place.

You can produce logs by following
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
For RHEL 6.x configuration use 'service' instead of 'systemctl' and
separate actions for starting/stopping multiple services:

service smb stop
service winbind stop

..

service smb start
service winbind start

..

You can then send logs to me directly.

--
/ Alexander Bokovoy

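As an added example (it is not from the thread and not FreeIPA's own tooling), here is a small pre-flight checker for the two causes Alexander names above: AD DCs that cannot reach the IPA master directly, and a domain/NetBIOS name conflict. The port list is assumed from the FreeIPA AD trust setup guide and should be checked against your own firewall policy; the NetBIOS derivation rule (first DNS label, upper-cased, cut to 15 characters) is the default ipa-adtrust-install uses unless --netbios-name was given; the domain names mercury.com and venus.com come from the thread, and the host name ipa.mercury.com in the usage line is made up. For mercury.com and venus.com the name check comes back clean, so the reachability probe, run from the DC's side of the network, is the one worth doing: the AD-side validation talks to the IPA master's Samba over DCE/RPC, and a blocked port is exactly the kind of thing that surfaces as an RPC error on the DC.

```python
#!/usr/bin/env python3
"""Pre-flight checks for a FreeIPA <-> Active Directory trust (added example)."""
import argparse
import socket
from typing import Dict, List, Optional

# TCP ports the AD DC must be able to reach on the IPA master for trust
# operations. Assumed from the FreeIPA AD trust setup guide; check them
# against your own firewall policy. Samba's DCE/RPC services also listen on
# a dynamic range (documented there as 1024-1300) that cannot be probed
# port by port, so that whole range must be open from the DC as well.
TRUST_TCP_PORTS: Dict[str, int] = {
    "kerberos": 88,
    "epmap (DCE/RPC endpoint mapper)": 135,
    "netbios-ssn": 139,
    "ldap": 389,
    "smb": 445,
}


def default_netbios_name(dns_domain: str) -> str:
    """Default NetBIOS name for a DNS domain: first label, upper-cased, cut
    to the 15-character NetBIOS limit. ipa-adtrust-install derives its
    default this way (override with --netbios-name), so two domains whose
    first labels match collide unless one side was given an explicit name."""
    first_label = dns_domain.strip().rstrip(".").split(".")[0]
    return first_label.upper()[:15]


def name_conflicts(ipa_domain: str, ad_domain: str,
                   ipa_netbios: Optional[str] = None,
                   ad_netbios: Optional[str] = None) -> List[str]:
    """Return DNS/NetBIOS naming problems between the two domains (empty when
    the names can coexist). Pass the real NetBIOS names if either side was
    configured with something other than the default."""
    ipa_d = ipa_domain.strip().rstrip(".").lower()
    ad_d = ad_domain.strip().rstrip(".").lower()
    ipa_nb = (ipa_netbios or default_netbios_name(ipa_d)).upper()
    ad_nb = (ad_netbios or default_netbios_name(ad_d)).upper()
    problems: List[str] = []
    if ipa_d == ad_d:
        problems.append(f"IPA and AD both use the DNS domain {ipa_d!r}; "
                        "a trust needs two distinct domains")
    elif ipa_d.endswith("." + ad_d) or ad_d.endswith("." + ipa_d):
        problems.append(f"{ipa_d!r} is a subdomain of {ad_d!r} (or vice versa); "
                        "make sure only one side serves the child zone and "
                        "the other delegates it")
    if ipa_nb == ad_nb:
        problems.append(f"both domains use the NetBIOS name {ipa_nb!r}; give "
                        "the IPA side another name with "
                        "ipa-adtrust-install --netbios-name")
    return problems


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP handshake to host:port completes within timeout.
    A refused, unresolvable or timed-out connection counts as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_trust_ports(ipa_host: str, timeout: float = 2.0) -> Dict[str, bool]:
    """Probe every port in TRUST_TCP_PORTS on the IPA master. Run this from
    the AD DC (or a host on its network) so the result reflects what the DC
    sees when it validates the trust."""
    return {name: tcp_reachable(ipa_host, port, timeout)
            for name, port in TRUST_TCP_PORTS.items()}


def main() -> int:
    ap = argparse.ArgumentParser(description="FreeIPA/AD trust pre-flight checks")
    ap.add_argument("--ipa-domain", required=True, help="IPA DNS domain, e.g. mercury.com")
    ap.add_argument("--ad-domain", required=True, help="AD DNS domain, e.g. venus.com")
    ap.add_argument("--ipa-netbios", help="IPA NetBIOS name if not the default")
    ap.add_argument("--ad-netbios", help="AD NetBIOS name if not the default")
    ap.add_argument("--ipa-host", help="FQDN of the IPA master to probe")
    args = ap.parse_args()
    failed = False
    for problem in name_conflicts(args.ipa_domain, args.ad_domain,
                                  args.ipa_netbios, args.ad_netbios):
        print(f"NAME  FAIL  {problem}")
        failed = True
    if args.ipa_host:
        for service, ok in check_trust_ports(args.ipa_host).items():
            print(f"PORT  {'ok  ' if ok else 'FAIL'}  {service} "
                  f"(tcp/{TRUST_TCP_PORTS[service]}) on {args.ipa_host}")
            failed = failed or not ok
    print("result:", "problems found" if failed else "no problems found")
    return 1 if failed else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Usage from a host on the AD side, with the hypothetical IPA master name ipa.mercury.com: `python3 trust_preflight.py --ipa-domain mercury.com --ad-domain venus.com --ipa-host ipa.mercury.com`. A clean run here does not prove the trust is healthy; it only rules out the two misconfigurations the reply points at, and the dynamic DCE/RPC range still has to be checked at the firewall rather than by probing. If both checks pass, the Samba and winbind debug logs from the wiki procedure are the next thing to collect.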


Re: [Freeipa-users] Unable to Login until Trust is Repaired (Jonathan)

2014-11-13 Thread Dmitri Pal

On 11/13/2014 08:15 AM, Jonathan Bradford wrote:

Dmitri:
Thanks for the reply.
> Do you need to repair the trust for every single user or just once?
Yes, I have to repair the trust for every new user added to Active 
Directory who needs access to an IdM resource. Only once per user though.

> What is your AD domain topology?
My AD topology is very simple at the moment because it is a test 
environment. I currently have one domain controller with a domain of 
venus.com. My IdM topology is very similar--one 
IdM server with a domain of mercury.com.

> Are you establishing trust with the primary domain controller?
Yes.
> What version of IPA and AD are you using?
I'm using IPA v 3.0. I'm not sure of the current version of AD, but 
I'm using it on Windows Server 2008 R2 SP1.


3.0 is a pretty old version, I mean a lot has changed in trust area 
between 3.0 and 3.3.

Any chance you can use that?

What distro do you use?


--

Message: 1
Date: Wed, 12 Nov 2014 14:42:51 -0500
From: Dmitri Pal
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to Login until Trust is Repaired
Message-ID: <5463b83b.1040...@redhat.com>

Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

On 11/12/2014 08:44 AM, Jonathan Bradford wrote:
> This is my first post on the IPA mailing list. Hey guys :)
> I've successfully walked through the IdM Red Hat document on
> "Integrating with Active Directory Through Cross-Realm Kerberos
> Trusts" using separate DNS domains. I've reached the part where you
> test the trust using SSH via PuTTY, and I have noticed a problem.
> If I add a user in Active Directory (group mapping is on), the user
> cannot immediately SSH to an IPA host. In fact, it never allows me to
> login until I first login to a Windows machine with the account and
> then repair the trust via AD.
> To repair the trust, I have to go to AD Domains and Trusts >
> Properties > Trusts> and Validate the incoming and outgoing
> connections. When I do this, it gives me an error message about the
> RPC server not running, but if I proceed, it eventually tells me that
> the connection has been repaired. Only after doing this can I
> successfully SSH with a new user.
> Do you have any idea why this might be happening? I have followed Red
> Hat's documentation exactly, so I am not sure why I am having issues.
> If you have any thoughts or ideas, I would greatly appreciate them.
> Thanks!
> -Jonathan
>
>
Hi Jonathan,

I would leave it to Alexander to drill down into the details when he is
back online tomorrow; however, if the trust is not validated then it is
not fully established the first time. Something went wrong and it would
be nice to look at the logs on the IPA and AD side to be able to
determine the cause.
Do you need to repair the trust for every single user or just once?

What is your AD domain topology? Are you establishing trust with the
primary domain controller?
What version of IPA and AD are you using?

Thanks
Dmitri

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Unable to Login until Trust is Repaired (Jonathan)

2014-11-13 Thread Jonathan Bradford
Dmitri:

Thanks for the reply.

> Do you need to repair the trust for every single user or just once?
Yes, I have to repair the trust for every new user added to Active
Directory who needs access to an IdM resource. Only once per user though.

> What is your AD domain topology?
My AD topology is very simple at the moment because it is a test
environment. I currently have one domain controller with a domain of
venus.com. My IdM topology is very similar--one IdM server with a domain of
mercury.com.

> Are you establishing trust with the primary domain controller?
Yes.

> What version of IPA and AD are you using?
I'm using IPA v 3.0. I'm not sure of the current version of AD, but I'm
using it on Windows Server 2008 R2 SP1.

--

Message: 1
Date: Wed, 12 Nov 2014 14:42:51 -0500
From: Dmitri Pal 
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to Login until Trust is Repaired
Message-ID: <5463b83b.1040...@redhat.com>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

On 11/12/2014 08:44 AM, Jonathan Bradford wrote:
> This is my first post on the IPA mailing list. Hey guys :)
> I've successfully walked through the IdM Red Hat document on
> "Integrating with Active Directory Through Cross-Realm Kerberos
> Trusts" using separate DNS domains. I've reached the part where you
> test the trust using SSH via PuTTY, and I have noticed a problem.
> If I add a user in Active Directory (group mapping is on), the user
> cannot immediately SSH to an IPA host. In fact, it never allows me to
> login until I first login to a Windows machine with the account and
> then repair the trust via AD.
> To repair the trust, I have to go to AD Domains and Trusts >
> Properties > Trusts> and Validate the incoming and outgoing
> connections. When I do this, it gives me an error message about the
> RPC server not running, but if I proceed, it eventually tells me that
> the connection has been repaired. Only after doing this can I
> successfully SSH with a new user.
> Do you have any idea why this might be happening? I have followed Red
> Hat's documentation exactly, so I am not sure why I am having issues.
> If you have any thoughts or ideas, I would greatly appreciate them.
> Thanks!
> -Jonathan
>
>
Hi Jonathan,

I would leave it to Alexander to drill down into the details when he is
back online tomorrow; however, if the trust is not validated then it is
not fully established the first time. Something went wrong and it would
be nice to look at the logs on the IPA and AD side to be able to
determine the cause.
Do you need to repair the trust for every single user or just once?

What is your AD domain topology? Are you establishing trust with the
primary domain controller?
What version of IPA and AD are you using?

Thanks
Dmitri

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Re: [Freeipa-users] Unable to Login until Trust is Repaired

2014-11-12 Thread Dmitri Pal

On 11/12/2014 08:44 AM, Jonathan Bradford wrote:

This is my first post on the IPA mailing list. Hey guys :)
I've successfully walked through the IdM Red Hat document on 
"Integrating with Active Directory Through Cross-Realm Kerberos 
Trusts" using separate DNS domains. I've reached the part where you 
test the trust using SSH via PuTTY, and I have noticed a problem.
If I add a user in Active Directory (group mapping is on), the user 
cannot immediately SSH to an IPA host. In fact, it never allows me to 
login until I first login to a Windows machine with the account and 
then repair the trust via AD.
To repair the trust, I have to go to AD Domains and Trusts > 
Properties > Trusts> and Validate the incoming and outgoing 
connections. When I do this, it gives me an error message about the 
RPC server not running, but if I proceed, it eventually tells me that 
the connection has been repaired. Only after doing this can I 
successfully SSH with a new user.
Do you have any idea why this might be happening? I have followed Red 
Hat's documentation exactly, so I am not sure why I am having issues. 
If you have any thoughts or ideas, I would greatly appreciate them. 
Thanks!

-Jonathan



Hi Jonathan,

I would leave it to Alexander to drill down into the details when he is 
back online tomorrow; however, if the trust is not validated then it is 
not fully established the first time. Something went wrong and it would 
be nice to look at the logs on the IPA and AD side to be able to 
determine the cause.

Do you need to repair the trust for every single user or just once?

What is your AD domain topology? Are you establishing trust with the 
primary domain controller?

What version of IPA and AD are you using?

Thanks
Dmitri

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


[Freeipa-users] Unable to Login until Trust is Repaired

2014-11-12 Thread Jonathan Bradford
This is my first post on the IPA mailing list. Hey guys :)

I've successfully walked through the IdM Red Hat document on "Integrating
with Active Directory Through Cross-Realm Kerberos Trusts" using separate
DNS domains. I've reached the part where you test the trust using SSH via
PuTTY, and I have noticed a problem.

If I add a user in Active Directory (group mapping is on), the user cannot
immediately SSH to an IPA host. In fact, it never allows me to login until
I first login to a Windows machine with the account and then repair the
trust via AD.

To repair the trust, I have to go to AD Domains and Trusts > Properties >
Trusts> and Validate the incoming and outgoing connections. When I do this,
it gives me an error message about the RPC server not running, but if I
proceed, it eventually tells me that the connection has been repaired. Only
after doing this can I successfully SSH with a new user.

Do you have any idea why this might be happening? I have followed Red Hat's
documentation exactly, so I am not sure why I am having issues. If you have
any thoughts or ideas, I would greatly appreciate them. Thanks!

-Jonathan