On Thu, 02 Nov 2017, Ranbir via FreeIPA-users wrote:
> Hello Everyone,
>
> I have four CentOS 7.3 boxes running ipa that are in a one way trust
> with an AD domain. Two servers are configured as trust agents and the
> other two are trust controllers.
>
> The trust agents and one trust controller are functioning properly.
> That is, I can ssh to them and login with my AD credentials, I can use
> sudo, I can get Kerberos tickets, etc. They're working just like I
> expected them to.
>
> The problem is one trust controller won't let me login with my AD
> credentials. If I login as root and run "id adacco...@domain.tld", I
> get back the message "no such user". However, I can get Kerberos
> tickets (i.e. kinit adacco...@domain.tld) for the AD users so I know at
> least that part works.

The fact that you can kinit against AD realm tells nothing about whether
trust is working. You are communicating directly to AD DCs and IPA side
is not involved here. Also, on AD DC side you are not exercising
anything about the trust to IPA. You are just obtaining a Kerberos
ticket within AD realm.

> I've run "ipa-server-install --uninstall", rebooted, and then installed
> the server again a couple of times, but I've seen no change. I've
> checked ports and routes and other basic networking with no glaring
> issues found.
>
> I've seen this error in sssd_nss.log:
>
> (Thu Nov  2 09:58:00 2017) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 error message: Invalid argument
> (Thu Nov  2 09:58:00 2017) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
> Error: 3, 22, Invalid argument
> Will try to return what we have in cache

Enable debugging in SSSD domain section, not nss. nss component talks to
the domain provider and if that one reports an issue, you should be
looking there.

Use https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html and
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
for details on how to debug such cases.

--
/ Alexander Bokovoy
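As an added example (not code from the thread or from SSSD), a small Python check for the two points in the reply above: whether debug_level is set in the [domain/...] provider section of sssd.conf rather than only in [nss], and what the Data Provider reply line in sssd_nss.log actually carries. The sample config, the domain name ipa.example.test and the /var/log/sssd path layout are assumptions.

```python
import configparser
import re

# Constructed sample config: debug_level is set only in [nss], the mistake the
# reply points out; the [domain/...] provider section has none.
SAMPLE_SSSD_CONF = """
[sssd]
domains = ipa.example.test
services = nss, pam, ssh, sudo

[nss]
debug_level = 9

[domain/ipa.example.test]
id_provider = ipa
ipa_server = ipa1.ipa.example.test
"""

# The sssd_nss.log line from the thread, rejoined from its wrapped form.
SAMPLE_NSS_LOG_LINE = (
    "(Thu Nov  2 09:58:00 2017) [sssd[nss]] [sss_dp_get_reply] (0x1000): "
    "Got reply from Data Provider - DP error code: 3 errno: 22 "
    "error message: Invalid argument"
)
DP_REPLY_RE = re.compile(
    r"DP error code: (?P<dp>\d+) errno: (?P<errno>\d+) error message: (?P<msg>.+)$"
)

def domain_debug_status(conf_text):
    """Map each [domain/<name>] section to its debug_level (None if unset)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {sec.split("/", 1)[1]: cp[sec].get("debug_level")
            for sec in cp.sections() if sec.startswith("domain/")}

def domains_missing_debug(conf_text):
    """Domains whose provider section has no debug_level, i.e. where to enable it."""
    return sorted(d for d, lvl in domain_debug_status(conf_text).items() if lvl is None)

def parse_dp_reply(line):
    """Pull DP error code, errno and message out of an sssd_nss.log reply line."""
    m = DP_REPLY_RE.search(line)
    return None if not m else {"dp_error": int(m["dp"]), "errno": int(m["errno"]), "message": m["msg"]}

def domain_log_path(domain):
    """Per-domain provider log (sssd_<domain>.log) where the nss error is explained (assumed path)."""
    return f"/var/log/sssd/sssd_{domain}.log"
```

Running domains_missing_debug on a real sssd.conf lists the domain sections to add debug_level to; parse_dp_reply only confirms that the nss side saw a provider-level failure, and domain_log_path names the log to read next.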
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org