[Freeipa-users] Re: AD trust setup woes
On Mon, Jul 24, 2017 at 2:53 PM, Jason Beck wrote:
> On Mon, Jul 24, 2017 at 2:23 PM, Jakub Hrozek wrote:
> > On Mon, Jul 24, 2017 at 01:53:20PM -0400, Jason Beck wrote:
> > > [...]
[Freeipa-users] Re: AD trust setup woes
On Mon, Jul 24, 2017 at 2:23 PM, Jakub Hrozek wrote:
> On Mon, Jul 24, 2017 at 01:53:20PM -0400, Jason Beck wrote:
> > [...]
[Freeipa-users] Re: AD trust setup woes
On Mon, Jul 24, 2017 at 9:25 AM, Jakub Hrozek wrote:
> On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote:
> > No. I can log in via Kerberos, kinit user@ad.domain. But neither id
> > user@ad.domain nor getent passwd user@ad.domain are successful.
>
> Then please follow
> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

Jakub,

Thank you for the support thus far. I have followed some suggestions in the sssd troubleshooting link you provided. I am seeing these errors whenever I try to perform an operation that would look up an AD user, e.g. id user@ad.domain. I am performing the user lookups on the primary IPA server itself.

*sssd.conf:*

[domain/ipa.domain]
debug_level = 10
cache_credentials = True
enumerate = False
krb5_store_password_if_offline = True
ipa_domain = ipa.domain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa01.ipa.domain
chpass_provider = ipa
ipa_server = _srv_
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = sudo, nss, ifp, pam, ssh, pac
debug_level = 10
domains = ipa.domain

[nss]
debug_level = 10

[pam]
debug_level = 10

[sudo]
debug_level = 10

[autofs]
debug_level = 10

[ssh]
debug_level = 10

[pac]
debug_level = 10

[ifp]
debug_level = 10

[secrets]
debug_level = 10

*sssd.log (debug 10 on everything):*

Jul 24 13:19:40 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:40 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:40 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:40 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 2
Jul 24 13:19:46 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:46 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:19:46 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:46 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:46 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:46 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:46 ipa01.
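The paste above mixes two real failures with GSSAPI trace chatter, which is the usual difficulty with debug_level = 10 output. The following triage script is an added example, not code from this thread or from the SSSD project: it parses each line carrying an sssd debug tag into component, function, level bit and message, keeps only the fatal/critical/serious entries using the debug_level bit values documented in sssd.conf(5), collapses repeats into counts, and pulls out the uids the pac responder refused (per sssd.conf(5), the pac responder only accepts connections from uids listed in its allowed_uids option). The sample lines are the ones posted above, embedded inline so the script runs offline; the function names and the severity cutoff are the example's own choices, and the journal prefix is made optional so the parser also accepts raw /var/log/sssd/sssd_*.log lines, which start at the parenthesised timestamp.

```python
"""Triage sssd debug output: keep the failures, drop the trace chatter."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Set, Tuple

# Sample input: the journal-wrapped sssd lines posted in the thread above,
# constructed here as an inline string so the script runs without a log file.
SAMPLE_LOG = """\
Jul 24 13:19:40 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:40 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:40 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:40 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 2
Jul 24 13:19:46 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:46 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:19:46 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:46 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:46 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:46 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
"""

# debug_level bit values from sssd.conf(5). The (0x....) tag on a log line is
# the single bit of that message, not the mask configured in sssd.conf.
LEVEL_NAMES = {
    0x0010: "fatal",
    0x0020: "critical",
    0x0040: "serious",
    0x0080: "minor",
    0x0100: "config",
    0x0200: "function-data",
    0x0400: "trace",
}
FAILURE_MAX = 0x0040  # fatal, critical, serious; higher bits are noise for triage

# The journal prefix ("Jul 24 13:19:40 host sssd[6535]: ") is optional, so the
# same pattern matches raw /var/log/sssd/sssd_*.log lines.
DEBUG_RE = re.compile(
    r"^(?:\w{3} +\d+ \d\d:\d\d:\d\d \S+ \w+\[\d+\]: )?"
    r"\((?P<when>[^)]*)\) \[(?P<component>sssd\S*?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
DENIED_RE = re.compile(r"Access denied for uid \[(\d+)\]")


@dataclass
class DebugEntry:
    when: str
    component: str   # e.g. sssd[be[ipa.domain]] (backend) or sssd[pac] (responder)
    func: str        # sssd function that emitted the line
    level: int       # single debug bit, see LEVEL_NAMES
    msg: str

    @property
    def severity(self) -> str:
        return LEVEL_NAMES.get(self.level, hex(self.level))


def parse_debug_lines(text: str) -> List[DebugEntry]:
    """Parse every line carrying an sssd debug tag; lines without one
    (the GSSAPI step messages, for instance) are skipped."""
    entries = []
    for line in text.splitlines():
        m = DEBUG_RE.match(line)
        if m:
            entries.append(DebugEntry(m["when"], m["component"], m["func"],
                                      int(m["level"], 16), m["msg"]))
    return entries


def failures(entries: List[DebugEntry]) -> List[DebugEntry]:
    """Only the fatal/critical/serious entries."""
    return [e for e in entries if e.level <= FAILURE_MAX]


def summarize(entries: List[DebugEntry]) -> List[Tuple[Tuple[str, str, str, str], int]]:
    """Collapse repeated failures into (component, func, severity, msg) -> count,
    most frequent first, so a loop of identical errors reads as one finding."""
    counts = Counter((e.component, e.func, e.severity, e.msg) for e in failures(entries))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def denied_uids(entries: List[DebugEntry]) -> Set[int]:
    """Local uids the pac responder refused. Per sssd.conf(5) only uids listed
    in the [pac] section's allowed_uids option may connect to that responder."""
    uids = set()
    for e in failures(entries):
        if e.component == "sssd[pac]":
            m = DENIED_RE.search(e.msg)
            if m:
                uids.add(int(m.group(1)))
    return uids


if __name__ == "__main__":
    parsed = parse_debug_lines(SAMPLE_LOG)
    for (component, func, severity, msg), n in summarize(parsed):
        print(f"{n:3d}x {severity:8s} {component} {func}: {msg}")
    print("uids refused by the pac responder:", sorted(denied_uids(parsed)))
```

Feed it a whole sssd_*.log or a journalctl export instead of SAMPLE_LOG and the two distinct problems in the paste (the repeated s2n extended-operation failure in the ipa.domain backend and the pac responder refusing uid 389) come out as two counted lines rather than being buried among the trace output.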
[Freeipa-users] Re: AD trust setup woes
On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" <freeipa-users@lists.fedorahosted.org> wrote:
> On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via FreeIPA-users wrote:
> > [...]
>
> Can you resolve the object you're trying to add with sssd?
>
> e.g. id foo@windows.domain

No. I can log in via Kerberos, kinit user@ad.domain. But neither id user@ad.domain nor getent passwd user@ad.domain are successful.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
[Freeipa-users] AD trust setup woes
I have been trying to reliably get an AD trust set up for a few weeks and no matter what I try, when I go to add AD users to an external group in FreeIPA, I get:

"trusted domain object not found"

Googling around tends to always yield the same suggestions:

1) Check time sync
2) Check DNS
3) Check firewall

I have done all of this ad nauseam in several different environments with several different versions of FreeIPA and Windows servers. I have gotten a setup to work maybe 2% of the time out of hundreds of attempts.

I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the COPR repo). I am trying to establish trust with a mixed Windows 2012 & 2008 forest. I have tried both one- and two-way trusts. Everything seems to work fine up until I try to add AD users to FreeIPA.

I have verified all of the requisite DNS records exist and return the proper information on both sides, there are no firewalls between any of the hosts, and the AD servers and FreeIPA servers are synchronized by the same NTP servers.

What could I possibly be missing?