Re: [Freeipa-users] AD - Freeipa trust confusion
Andrew,

On Tue, 07 Jan 2014, Andrew Holway wrote:
> > At this point I need to know the exact version of the samba package
> > (samba4 if this is RHEL 6.x) to continue investigations with the exact
> > source code at hand.
>
> [root@ipa ~]# rpm -qa | grep samba
> samba4-libs-4.0.0-60.el6_5.rc4.x86_64

Thanks. Can you please repeat getting the logs with 'log level = 100'?
Don't put them online, just send them to me privately.

--
/ Alexander Bokovoy
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] AD - Freeipa trust confusion
On Tue, 2014-01-07 at 07:48 +0200, Alexander Bokovoy wrote:
> On Fri, 03 Jan 2014, Simo Sorce wrote:
> > On Fri, 2014-01-03 at 12:29 +0100, Jakub Hrozek wrote:
> > > On Thu, Jan 02, 2014 at 08:06:31PM +, Andrew Holway wrote:
> > > > /var/log/sssd/*
> > > >
> > > > this is using bob@host (prattle.com is the windows domain)
> > > > https://gist.github.com/anonymous/ff817a251948ff58bdb1
> > > >
> > > > this is using b...@prattle.com@host (prattle.com is the windows domain)
> > >
> > > Thanks, these logs have somewhat more info than those in the other
> > > thread. It seems that Winbind on the IPA server has trouble talking to
> > > the AD server:
> > >
> > > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
> > > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as 'working'
> > > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> > >
> > > (The s2n exop does a special LDAP call to IPA which in turn calls
> > > winbind on the server).
> > >
> > > To generate the winbind logs on the server, can you do 'smbcontrol
> > > winbindd debug 100', then request the trusted user. The winbind logs
> > > would be at /var/log/samba/log.w*
> >
> > Don't use debug level 100, it will litter the tmp with packet dumps and
> > possibly fill the disk. Log level 10 is the max that is ever useful.
>
> No, you are not right. It looks in this case that there are some
> unfinished async tasks associated with the outgoing socket and they
> prevent cli_negprot from starting. On debug level 100 we see the content
> of the packets sent by smbd/winbindd in the log itself, which will help
> to identify what happens. On debug level 10 we simply have two lines in
> succession telling that winbindd attempted to start cli_negprot and then
> failed it.

Yes, it is ok to ask for 100 in specific cases if you find out it is
really needed, but it shouldn't normally be advised; the starting point is
level 10, imo.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] AD - Freeipa trust confusion
On Tue, Jan 07, 2014 at 08:51:49AM -0500, Simo Sorce wrote:
> On Tue, 2014-01-07 at 07:48 +0200, Alexander Bokovoy wrote:
> > On Fri, 03 Jan 2014, Simo Sorce wrote:
> > > On Fri, 2014-01-03 at 12:29 +0100, Jakub Hrozek wrote:
> > > > On Thu, Jan 02, 2014 at 08:06:31PM +, Andrew Holway wrote:
> > > > > /var/log/sssd/*
> > > > >
> > > > > this is using bob@host (prattle.com is the windows domain)
> > > > > https://gist.github.com/anonymous/ff817a251948ff58bdb1
> > > > >
> > > > > this is using b...@prattle.com@host (prattle.com is the windows domain)
> > > >
> > > > Thanks, these logs have somewhat more info than those in the other
> > > > thread. It seems that Winbind on the IPA server has trouble talking to
> > > > the AD server:
> > > >
> > > > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
> > > > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as 'working'
> > > > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> > > >
> > > > (The s2n exop does a special LDAP call to IPA which in turn calls
> > > > winbind on the server).
> > > >
> > > > To generate the winbind logs on the server, can you do 'smbcontrol
> > > > winbindd debug 100', then request the trusted user. The winbind logs
> > > > would be at /var/log/samba/log.w*
> > >
> > > Don't use debug level 100, it will litter the tmp with packet dumps and
> > > possibly fill the disk. Log level 10 is the max that is ever useful.
> >
> > No, you are not right. It looks in this case that there are some
> > unfinished async tasks associated with the outgoing socket and they
> > prevent cli_negprot from starting. On debug level 100 we see the content
> > of the packets sent by smbd/winbindd in the log itself, which will help
> > to identify what happens. On debug level 10 we simply have two lines in
> > succession telling that winbindd attempted to start cli_negprot and then
> > failed it.
>
> Yes, it is ok to ask for 100 in specific cases if you find out it is
> really needed, but it shouldn't normally be advised; the starting point is
> level 10, imo.
>
> Simo.

I agree that 10 is a better default value to advise. To be honest, I
didn't try the debug level before I advised it, I just copied what I had
in bash history on my IPA server. Sorry.
Re: [Freeipa-users] AD - Freeipa trust confusion
On Fri, Jan 03, 2014 at 02:05:58PM +, Andrew Holway wrote:
> > To generate the winbind logs on the server, can you do 'smbcontrol
> > winbindd debug 100', then request the trusted user. The winbind logs
> > would be at /var/log/samba/log.w*
>
> I truncated all of the files in /var/log/samba and then made a single
> login attempt. These are the files that were non-zero after the event.
>
> log.smbd.epmd - https://gist.github.com/anonymous/663be9204d24bf3e915c
> log.wb-PRATTLE - https://gist.github.com/anonymous/069c9931b1c66a2da85e
> log.wb-WIBBLE - https://gist.github.com/anonymous/c60754ec956df30f2c60
> log.winbindd - https://gist.github.com/anonymous/25995d07c20ef5f3926a
> log.winbindd-dc-connect - https://gist.github.com/anonymous/9b6a1b736f1266ddc37f

Thank you, I can see some errors in the winbind log and the fact you
can't resolve users with wbinfo -u confirms there is an issue, but I'm
not really a winbind expert. I'm sure Alexander will chime in once he's
done with his post-holiday travelling :-)
Re: [Freeipa-users] AD - Freeipa trust confusion
On Fri, 03 Jan 2014, Andrew Holway wrote:
> > To generate the winbind logs on the server, can you do 'smbcontrol
> > winbindd debug 100', then request the trusted user. The winbind logs
> > would be at /var/log/samba/log.w*
>
> I truncated all of the files in /var/log/samba and then made a single
> login attempt. These are the files that were non-zero after the event.
>
> log.smbd.epmd - https://gist.github.com/anonymous/663be9204d24bf3e915c
> log.wb-PRATTLE - https://gist.github.com/anonymous/069c9931b1c66a2da85e

I can see multiples of:

[2014/01/03 07:48:08.789374, 10, pid=2662, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:806(cm_prepare_connection)
  cm_prepare_connection: connecting to DC WIN-5UGLHAK7RIN for domain PRATTLE
[2014/01/03 07:48:08.789437, 1, pid=2662, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:839(cm_prepare_connection)
  cli_negprot failed: NT_STATUS_INVALID_PARAMETER_MIX

This means some internal mishandling in winbindd.
NT_STATUS_INVALID_PARAMETER_MIX can only appear at this path if the
connection (which has just been created, a few calls before cli_negprot)
has outstanding calls in the outgoing queue at the point when
cli_negprot is attempted. As a result, cli_negprot can't start until
they are finished.

> log.wb-WIBBLE - https://gist.github.com/anonymous/c60754ec956df30f2c60
> log.winbindd - https://gist.github.com/anonymous/25995d07c20ef5f3926a
> log.winbindd-dc-connect - https://gist.github.com/anonymous/9b6a1b736f1266ddc37f

At this point I need to know the exact version of the samba package
(samba4 if this is RHEL 6.x) to continue investigations with the exact
source code at hand.

--
/ Alexander Bokovoy
Re: [Freeipa-users] AD - Freeipa trust confusion
On Fri, 03 Jan 2014, Simo Sorce wrote:
> On Fri, 2014-01-03 at 12:29 +0100, Jakub Hrozek wrote:
> > On Thu, Jan 02, 2014 at 08:06:31PM +, Andrew Holway wrote:
> > > /var/log/sssd/*
> > >
> > > this is using bob@host (prattle.com is the windows domain)
> > > https://gist.github.com/anonymous/ff817a251948ff58bdb1
> > >
> > > this is using b...@prattle.com@host (prattle.com is the windows domain)
> >
> > Thanks, these logs have somewhat more info than those in the other
> > thread. It seems that Winbind on the IPA server has trouble talking to
> > the AD server:
> >
> > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
> > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as 'working'
> > (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> >
> > (The s2n exop does a special LDAP call to IPA which in turn calls
> > winbind on the server).
> >
> > To generate the winbind logs on the server, can you do 'smbcontrol
> > winbindd debug 100', then request the trusted user. The winbind logs
> > would be at /var/log/samba/log.w*
>
> Don't use debug level 100, it will litter the tmp with packet dumps and
> possibly fill the disk. Log level 10 is the max that is ever useful.

No, you are not right. It looks in this case that there are some
unfinished async tasks associated with the outgoing socket and they
prevent cli_negprot from starting. On debug level 100 we see the content
of the packets sent by smbd/winbindd in the log itself, which will help
to identify what happens. On debug level 10 we simply have two lines in
succession telling that winbindd attempted to start cli_negprot and then
failed it.

--
/ Alexander Bokovoy
Re: [Freeipa-users] AD - Freeipa trust confusion
On Thu, Jan 02, 2014 at 08:06:31PM +, Andrew Holway wrote:
> /var/log/sssd/*
>
> this is using bob@host (prattle.com is the windows domain)
> https://gist.github.com/anonymous/ff817a251948ff58bdb1
>
> this is using b...@prattle.com@host (prattle.com is the windows domain)

Thanks, these logs have somewhat more info than those in the other
thread. It seems that Winbind on the IPA server has trouble talking to
the AD server:

(Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
(Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as 'working'
(Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.

(The s2n exop does a special LDAP call to IPA which in turn calls
winbind on the server).

To generate the winbind logs on the server, can you do 'smbcontrol
winbindd debug 100', then request the trusted user. The winbind logs
would be at /var/log/samba/log.w*

I'd advise to restart SSSD on the client before the test to get rid of
the negative cache and make sure the request actually hits the server.
Re: [Freeipa-users] AD - Freeipa trust confusion
On Fri, Jan 03, 2014 at 12:29:11PM +0100, Jakub Hrozek wrote:
> On Thu, Jan 02, 2014 at 08:06:31PM +, Andrew Holway wrote:
> > /var/log/sssd/*
> >
> > this is using bob@host (prattle.com is the windows domain)
> > https://gist.github.com/anonymous/ff817a251948ff58bdb1
> >
> > this is using b...@prattle.com@host (prattle.com is the windows domain)
>
> Thanks, these logs have somewhat more info than those in the other
> thread. It seems that Winbind on the IPA server has trouble talking to
> the AD server:
>
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as 'working'
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
>
> (The s2n exop does a special LDAP call to IPA which in turn calls
> winbind on the server).
>
> To generate the winbind logs on the server, can you do 'smbcontrol
> winbindd debug 100', then request the trusted user. The winbind logs
> would be at /var/log/samba/log.w*
>
> I'd advise to restart SSSD on the client before the test to get rid of
> the negative cache and make sure the request actually hits the server.

Oh, and after you gather the info, you should also re-set the debug
level back:

smbcontrol winbindd debug 1

Running with a verbose log level would flood your disk soon.
Re: [Freeipa-users] AD - Freeipa trust confusion
On Fri, 2014-01-03 at 12:29 +0100, Jakub Hrozek wrote:
> On Thu, Jan 02, 2014 at 08:06:31PM +, Andrew Holway wrote:
> > /var/log/sssd/*
> >
> > this is using bob@host (prattle.com is the windows domain)
> > https://gist.github.com/anonymous/ff817a251948ff58bdb1
> >
> > this is using b...@prattle.com@host (prattle.com is the windows domain)
>
> Thanks, these logs have somewhat more info than those in the other
> thread. It seems that Winbind on the IPA server has trouble talking to
> the AD server:
>
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as 'working'
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
>
> (The s2n exop does a special LDAP call to IPA which in turn calls
> winbind on the server).
>
> To generate the winbind logs on the server, can you do 'smbcontrol
> winbindd debug 100', then request the trusted user. The winbind logs
> would be at /var/log/samba/log.w*

Don't use debug level 100, it will litter the tmp with packet dumps and
possibly fill the disk. Log level 10 is the max that is ever useful.

> I'd advise to restart SSSD on the client before the test to get rid of
> the negative cache and make sure the request actually hits the server.

or simply run wbinfo on the server to check winbindd can properly
retrieve users before moving back to testing on the client.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
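The collection procedure discussed in the messages above (raise the winbindd debug level with smbcontrol, make one lookup of the trusted user with wbinfo, put the level back to 1 so the log cannot fill the disk) and the triage of what comes back (the cli_negprot NT_STATUS_INVALID_PARAMETER_MIX lines Alexander quotes, the sssd s2n exop failure, wbinfo's WBC_ERR_DOMAIN_NOT_FOUND, the named "Can't contact LDAP server" and smbd "too many handles" lines) can be wrapped in a small POSIX shell script. The script below is an added example, not code from the thread or from the FreeIPA or Samba projects. The commands, paths, log file names and level numbers are the ones the thread names; the function and tag names, the SAMBA_LOG_DIR and CAPTURE_LEVEL variables, and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: capture one trusted-user lookup at a raised winbindd debug
# level on the IPA server, always restore the level afterwards, and triage
# the resulting logs for the failure signatures quoted in the thread.
# Paths/levels follow the thread; everything else is an assumption.

SAMBA_LOG_DIR="${SAMBA_LOG_DIR:-/var/log/samba}"   # thread: /var/log/samba/log.w*
CAPTURE_LEVEL="${CAPTURE_LEVEL:-10}"               # Simo: start at 10, use 100 only when asked
RESET_LEVEL=1                                      # Jakub: smbcontrol winbindd debug 1

# Print a short tag for a log line that matches one of the thread's
# signatures; print nothing for anything else.  Patterns are verbatim
# fragments of the log excerpts posted in the thread.
classify_line() {
    case "$1" in
        *"cli_negprot failed: NT_STATUS_INVALID_PARAMETER_MIX"*) echo negprot_param_mix ;;
        *"s2n exop request failed"*)                            echo s2n_exop_failed ;;
        *"WBC_ERR_DOMAIN_NOT_FOUND"*)                            echo domain_not_found ;;
        *"Can't contact LDAP server"*)                          echo ldap_unreachable ;;
        *"too many handles"*)                                   echo rpc_handle_exhaustion ;;
        *) ;;
    esac
}

# Read log lines from the given files (or stdin) and print "TAG COUNT",
# one line per signature seen, sorted by tag.
triage_log() {
    cat "$@" | while IFS= read -r line; do
        classify_line "$line"
    done | sort | uniq -c | awk '{print $2, $1}'
}

# Raise verbosity, make exactly one lookup, and restore the level even if
# the lookup is interrupted (trap), so a forgotten reset cannot flood the disk.
capture_lookup() {
    user="$1"                                  # e.g. bob@prattle.com
    smbcontrol winbindd debug "$CAPTURE_LEVEL"
    trap 'smbcontrol winbindd debug "$RESET_LEVEL"' EXIT INT TERM
    wbinfo --all-domains || true               # does winbindd list the trusted domain?
    wbinfo -i "$user"    || true               # the lookup that failed in the thread
    smbcontrol winbindd debug "$RESET_LEVEL"
    trap - EXIT INT TERM
    triage_log "$SAMBA_LOG_DIR"/log.w*
}

# Constructed sample, modelled on the excerpts posted in the thread, so the
# triage step can be exercised without a running winbindd.
sample_log() {
    cat <<'EOF'
[2014/01/03 07:48:08.789374, 10, pid=2662, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:806(cm_prepare_connection)
  cm_prepare_connection: connecting to DC WIN-5UGLHAK7RIN for domain PRATTLE
[2014/01/03 07:48:08.789437, 1, pid=2662, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:839(cm_prepare_connection)
  cli_negprot failed: NT_STATUS_INVALID_PARAMETER_MIX
  cli_negprot failed: NT_STATUS_INVALID_PARAMETER_MIX
(Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as 'working'
(Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Jan 2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
Jan 2 16:53:47 ipa named[11459]: bind to LDAP server failed: Can't contact LDAP server
EOF
}

# Only act when invoked with a sub-command, so the file can also be sourced.
if [ $# -gt 0 ]; then
    case "$1" in
        capture) capture_lookup "$2" ;;
        triage)  shift; triage_log "$@" ;;
        demo)    sample_log | triage_log ;;
    esac
fi
```

Run it on the IPA server as `sh winbind-capture.sh capture bob@prattle.com` (file name hypothetical); `sh winbind-capture.sh demo` prints the tag counts for the constructed sample, and `sh winbind-capture.sh triage /var/log/samba/log.wb-PRATTLE` scores an existing log. The trap is the point of the capture step: Jakub's reminder to set the level back to 1 is carried out even if wbinfo hangs and the operator hits Ctrl-C. On a client, restart sssd first, as Jakub advises, so the negative cache does not answer the request before it reaches the server.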
Re: [Freeipa-users] AD - Freeipa trust confusion
> To generate the winbind logs on the server, can you do 'smbcontrol
> winbindd debug 100', then request the trusted user. The winbind logs
> would be at /var/log/samba/log.w*

I truncated all of the files in /var/log/samba and then made a single
login attempt. These are the files that were non-zero after the event.

log.smbd.epmd - https://gist.github.com/anonymous/663be9204d24bf3e915c
log.wb-PRATTLE - https://gist.github.com/anonymous/069c9931b1c66a2da85e
log.wb-WIBBLE - https://gist.github.com/anonymous/c60754ec956df30f2c60
log.winbindd - https://gist.github.com/anonymous/25995d07c20ef5f3926a
log.winbindd-dc-connect - https://gist.github.com/anonymous/9b6a1b736f1266ddc37f
Re: [Freeipa-users] AD - Freeipa trust confusion
> or simply run wbinfo on the server to check winbindd can properly
> retrieve users before moving back to testing on the client.

[r...@ipa.wibble.com ~]# wbinfo -i b...@prattle.com
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user b...@prattle.com

Would this be an appropriate wbinfo command?

> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] AD - Freeipa trust confusion
[r...@ipa.wibble.com ~]# wbinfo --all-domains
BUILTIN
WIBBLE
PRATTLE
[r...@ipa.wibble.com ~]# wbinfo --own-domain
WIBBLE

On 3 January 2014 15:06, Andrew Holway andrew.hol...@gmail.com wrote:
> > or simply run wbinfo on the server to check winbindd can properly
> > retrieve users before moving back to testing on the client.
>
> [r...@ipa.wibble.com ~]# wbinfo -i b...@prattle.com
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user b...@prattle.com
>
> Would this be an appropriate wbinfo command?
>
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] AD - Freeipa trust confusion
I have gotten a little further along with this but am having problems
connecting to the AD LDAP.

[r...@ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw X9deiX9dei --passsync X9deiX9dei --cacert /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
Directory Manager password:
Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate database for ipa.wibble.com
ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.
ipa: INFO: The error was: {'info': ': LdapErr: DSID-0C090E17, comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server is unavailable'}
Failed to setup winsync replication

On 1 January 2014 22:27, Andrew Holway andrew.hol...@gmail.com wrote:
> Hello,
>
> I am attempting to set up trust between my test freeipa server at
> ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.
>
> In the GUI I can see the following in Trusts » prattle.com.
>
> Realm name: prattle.com
> Domain NetBIOS name: PRATTLE
> Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
> Trust direction: Two-way trust
> Trust type: Active Directory domain
>
> However I can't see any of the AD users that I have created, nor can I
> log on to any of the systems under my freeipa realm.
>
> Jan 1 20:50:30 host002 sshd[9959]: Failed password for invalid user bob from 10.51.120.1 port 55101 ssh2
>
> I haven't actually done anything to AD to facilitate this trust. It's
> not particularly clear what should be done.
>
> Many thanks,
>
> Andrew
Re: [Freeipa-users] AD - Freeipa trust confusion
On 01/02/2014 07:38 AM, Andrew Holway wrote:
> I have gotten a little further along with this but am having problems
> connecting to the AD LDAP.
>
> [r...@ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw X9deiX9dei --passsync X9deiX9dei --cacert /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
> Directory Manager password:
> Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate database for ipa.wibble.com
> ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.
> ipa: INFO: The error was: {'info': ': LdapErr: DSID-0C090E17, comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server is unavailable'}
> Failed to setup winsync replication

Hello,

Trusts and winsync are mutually exclusive. You either do one or another.
We do not have a way to move from one configuration to another yet, and
the decision should be made at deployment time. Which one do you prefer?
If you prefer trusts, please follow the instructions on the wiki. The
guide is not updated yet, sorry.

http://www.freeipa.org/page/Trusts
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

It seems that after the trust is established you try to login and fail.
Can you provide more details about those attempts?

http://www.freeipa.org/page/Troubleshooting#Reporting_bugs

Also see other sections on the same page.

HTH
Thanks
Dmitri

> On 1 January 2014 22:27, Andrew Holway andrew.hol...@gmail.com wrote:
> > Hello,
> >
> > I am attempting to set up trust between my test freeipa server at
> > ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.
> >
> > In the GUI I can see the following in Trusts » prattle.com.
> >
> > Realm name: prattle.com
> > Domain NetBIOS name: PRATTLE
> > Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
> > Trust direction: Two-way trust
> > Trust type: Active Directory domain
> >
> > However I can't see any of the AD users that I have created, nor can I
> > log on to any of the systems under my freeipa realm.
> >
> > Jan 1 20:50:30 host002 sshd[9959]: Failed password for invalid user bob from 10.51.120.1 port 55101 ssh2
> >
> > I haven't actually done anything to AD to facilitate this trust. It's
> > not particularly clear what should be done.
> >
> > Many thanks,
> >
> > Andrew

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] AD - Freeipa trust confusion
I have taken out the winsync.

[r...@ipa.wibble.com ~]# ipa-replica-manage connect --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw pa$$ --passsync pa$$ --cacert /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate database for ipa.wibble.com
You cannot connect to a previously deleted master

I can't find anything useful in the server2008 AD logs. I am seeing if I
can make them more sensitive.

/var/log/messages

Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904045, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904642, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'samr' already registered on endpoint
Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.905147, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'netlogon' already registered on endpoint
Jan 2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
Jan 2 16:53:47 ipa named[11459]: connection to the LDAP server was lost
Jan 2 16:53:47 ipa named[11459]: bind to LDAP server failed: Can't contact LDAP server
Jan 2 16:53:47 ipa named[11459]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
Jan 2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299083, 0] ipa_sam.c:3689(bind_callback_cleanup)
Jan 2 16:53:49 ipa winbindd[12071]: kerberos error: code=-1765328324, message=Generic error (see e-text)
Jan 2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299320, 0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
Jan 2 16:53:49 ipa winbindd[12071]: failed to bind to server ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn=[Anonymous bind] Error: Local error
Jan 2 16:53:49 ipa winbindd[12071]: #011(unknown)
Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.909746, 0] ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.
Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910126, 0] ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.
Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910427, 0] ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.

On 2 January 2014 13:41, Dmitri Pal d...@redhat.com wrote:
> On 01/02/2014 07:38 AM, Andrew Holway wrote:
> > I have gotten a little further along with this but am having problems
> > connecting to the AD LDAP.
> >
> > [r...@ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw X9deiX9dei --passsync X9deiX9dei --cacert /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
> > Directory Manager password:
> > Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate database for ipa.wibble.com
> > ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.
> > ipa: INFO: The error was: {'info': ': LdapErr: DSID-0C090E17, comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server is unavailable'}
> > Failed to setup winsync replication
>
> Hello,
>
> Trusts and winsync are mutually exclusive. You either do one or another.
> We do not have a way to move from one configuration to another yet, and
> the decision should be made at deployment time. Which one do you prefer?
> If you prefer trusts, please follow the instructions on the wiki. The
> guide is not updated yet, sorry.
>
> http://www.freeipa.org/page/Trusts
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>
> It seems that after the trust is established you try to login and fail.
> Can you provide more details about those attempts?
>
> http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
>
> Also see other sections on the same page.
>
> HTH
> Thanks
> Dmitri
>
> > On 1 January 2014 22:27, Andrew Holway andrew.hol...@gmail.com wrote:
> > > Hello,
> > >
> > > I am attempting to set up trust between my test freeipa server at
> > > ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.
> > >
> > > In the GUI I can see the following in Trusts » prattle.com.
> > >
> > > Realm name: prattle.com
> > > Domain NetBIOS name: PRATTLE
> > > Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
> > > Trust direction: Two-way trust
> > > Trust type: Active Directory domain
> > >
> > > However I can't see any of the AD users that I have created, nor can I
> > > log on to any of the systems under my freeipa realm.
> > >
> > > Jan 1 20:50:30
Re: [Freeipa-users] AD - Freeipa trust confusion
On 01/02/2014 12:07 PM, Andrew Holway wrote:
> I have taken out the winsync.
>
> [r...@ipa.wibble.com ~]# ipa-replica-manage connect --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw pa$$ --passsync pa$$ --cacert /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
> Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate database for ipa.wibble.com

You are still setting up a replication agreement, not a trust.

> You cannot connect to a previously deleted master

I think it confuses your AD for a replica that does not exist.

> I can't find anything useful in the server2008 AD logs. I am seeing if I
> can make them more sensitive.
>
> /var/log/messages
>
> Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904045, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
> Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904642, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'samr' already registered on endpoint
> Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.905147, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'netlogon' already registered on endpoint
> Jan 2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
> Jan 2 16:53:47 ipa named[11459]: connection to the LDAP server was lost
> Jan 2 16:53:47 ipa named[11459]: bind to LDAP server failed: Can't contact LDAP server

This seems to indicate that the directory server is not running. Can you
check that the dirsrv is running?

> Jan 2 16:53:47 ipa named[11459]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
> Jan 2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299083, 0] ipa_sam.c:3689(bind_callback_cleanup)
> Jan 2 16:53:49 ipa winbindd[12071]: kerberos error: code=-1765328324, message=Generic error (see e-text)
> Jan 2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299320, 0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
> Jan 2 16:53:49 ipa winbindd[12071]: failed to bind to server ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn=[Anonymous bind] Error: Local error
> Jan 2 16:53:49 ipa winbindd[12071]: #011(unknown)
> Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.909746, 0] ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
> Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.
> Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910126, 0] ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
> Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.
> Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910427, 0] ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
> Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.
>
> On 2 January 2014 13:41, Dmitri Pal d...@redhat.com wrote:
> > On 01/02/2014 07:38 AM, Andrew Holway wrote:
> > > I have gotten a little further along with this but am having problems
> > > connecting to the AD LDAP.
> > >
> > > [r...@ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw X9deiX9dei --passsync X9deiX9dei --cacert /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
> > > Directory Manager password:
> > > Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate database for ipa.wibble.com
> > > ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.
> > > ipa: INFO: The error was: {'info': ': LdapErr: DSID-0C090E17, comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server is unavailable'}
> > > Failed to setup winsync replication
> >
> > Hello,
> >
> > Trusts and winsync are mutually exclusive. You either do one or another.
> > We do not have a way to move from one configuration to another yet, and
> > the decision should be made at deployment time. Which one do you prefer?
> > If you prefer trusts, please follow the instructions on the wiki. The
> > guide is not updated yet, sorry.
> >
> > http://www.freeipa.org/page/Trusts
> > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
> >
> > It seems that after the trust is established you try to login and fail.
> > Can you provide more details about those attempts?
> >
> > http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
> >
> > Also see other sections on the same page.
> >
> > HTH
> > Thanks
> > Dmitri
> >
> > > On 1 January 2014 22:27, Andrew Holway andrew.hol...@gmail.com wrote:
> > > > Hello,
> > > >
> > > > I am attempting to set up trust between my test freeipa server at
> > > > ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.
> > > >
> > > > In the GUI I can see the following in Trusts » prattle.com.
> > > >
> > > > Realm
Re: [Freeipa-users] AD - Freeipa trust confusion
I turned off all the AD processes on my windows domain controller. The error did not change.

On 2 January 2014 17:07, Andrew Holway andrew.hol...@gmail.com wrote:

I have taken out the winsync.

[r...@ipa.wibble.com ~]# ipa-replica-manage connect --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw pa$$ --passsync pa$$ --cacert /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate database for ipa.wibble.com
You cannot connect to a previously deleted master

I can't find anything useful in the server2008 AD logs. I am seeing if I can make them more sensitive.

/var/log/messages

Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904045, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904642, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'samr' already registered on endpoint
Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.905147, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'netlogon' already registered on endpoint
Jan 2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
Jan 2 16:53:47 ipa named[11459]: connection to the LDAP server was lost
Jan 2 16:53:47 ipa named[11459]: bind to LDAP server failed: Can't contact LDAP server
Jan 2 16:53:47 ipa named[11459]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
Jan 2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299083, 0] ipa_sam.c:3689(bind_callback_cleanup)
Jan 2 16:53:49 ipa winbindd[12071]: kerberos error: code=-1765328324, message=Generic error (see e-text)
Jan 2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299320, 0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
Jan 2 16:53:49 ipa winbindd[12071]: failed to bind to server ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn=[Anonymous bind] Error: Local error
Jan 2 16:53:49 ipa winbindd[12071]: #011(unknown)
Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.909746, 0] ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.
Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910126, 0] ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.
Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910427, 0] ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.

On 2 January 2014 13:41, Dmitri Pal d...@redhat.com wrote:

On 01/02/2014 07:38 AM, Andrew Holway wrote:

I have gotten a little further along with this but am having problems connecting to the AD LDAP.

[r...@ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw X9deiX9dei --passsync X9deiX9dei --cacert /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
Directory Manager password:
Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate database for ipa.wibble.com
ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.
ipa: INFO: The error was: {'info': ': LdapErr: DSID-0C090E17, comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server is unavailable'}
Failed to setup winsync replication

Hello,

Trusts and winsync are mutually exclusive. You either do one or another. We do not have a way to move from one configuration to another yet and the decision should be made at the deployment time. Which one do you prefer? If you prefer trusts please follow the instructions on the wiki. The guide is not updated yet, sorry.

http://www.freeipa.org/page/Trusts
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

It seems that after the trust is established you try to login and fail. Can you provide more details about those attempts?

http://www.freeipa.org/page/Troubleshooting#Reporting_bugs

also see other sections on the same page.

HTH
Thanks
Dmitri

On 1 January 2014 22:27, Andrew Holway andrew.hol...@gmail.com wrote:

Hello,

I am attempting to set up trust between my test freeipa server at ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com. In the GUI I can see the following in Trusts » prattle.com.

Realm name: prattle.com
Domain NetBIOS name: PRATTLE
Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
Re: [Freeipa-users] AD - Freeipa trust confusion
You are still setting up a replication agreement not a trust.

Oh, I am following the redhat documentation here: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html

This seems to indicate that the directory server is not running. Can you check that the dirsrv is running?

[r...@ipa.wibble.com log]# /etc/init.d/dirsrv status
dirsrv PKI-IPA (pid 7394) is running...
dirsrv WIBBLE-COM (pid 7463) is running...

[r...@ipa.wibble.com log]# ipa trust-add --type=ad prattle.com --admin Administrator --password
Active directory domain administrator's password:
Added Active Directory trust for realm prattle.com
Realm name: prattle.com
Domain NetBIOS name: PRATTLE
Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified

However I cannot log into the windows domain with my linux users nor the linux domain with my linux users.

Ta,
Andrew
Re: [Freeipa-users] AD - Freeipa trust confusion
On Thu, 2014-01-02 at 19:12 +, Andrew Holway wrote:

You are still setting up a replication agreement not a trust.

Oh, I am following the redhat documentation here: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html

This seems to indicate that the directory server is not running. Can you check that the dirsrv is running?

[r...@ipa.wibble.com log]# /etc/init.d/dirsrv status
dirsrv PKI-IPA (pid 7394) is running...
dirsrv WIBBLE-COM (pid 7463) is running...

[r...@ipa.wibble.com log]# ipa trust-add --type=ad prattle.com --admin Administrator --password
Active directory domain administrator's password:
Added Active Directory trust for realm prattle.com
Realm name: prattle.com
Domain NetBIOS name: PRATTLE
Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified

However I cannot log into the windows domain with my linux users nor the linux domain with my linux users.

At this time logging in with linux users into the Windows domain is not supported and does not work. However logging in with a Windows user into a linux machine joined to the ipa realm should work, as long as you use sssd on the linux machine.

What error do you see on the linux machine when you try to log in with a windows user?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] AD - Freeipa trust confusion
As for AD users we need to look at the client and see what is going on there. What is your client? Version and component? Is it using latest SSSD? If not additional steps might be needed. Please provide the details about the clients. Please start with trying AD users on the IPA server itself, looking at the logs and seeing what is going on.

/var/log/secure

Jan 2 19:27:46 ipa sshd[8252]: pam_unix(sshd:auth): check pass; user unknown
Jan 2 19:27:46 ipa sshd[8252]: pam_succeed_if(sshd:auth): error retrieving information about user b...@prattle.com
Jan 2 19:27:49 ipa sshd[8252]: Failed password for invalid user b...@prattle.com from 192.168.202.12 port 51537 ssh2

/var/log/messages (not sure if related. this error is going off every 20s)

Jan 2 19:52:18 ipa smbd[7279]: [2014/01/02 19:52:18.895536, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:52:18 ipa smbd[7279]: dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Jan 2 19:52:18 ipa smbd[7279]: [2014/01/02 19:52:18.896121, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:52:18 ipa smbd[7279]: dcesrv_interface_register: interface 'samr' already registered on endpoint
Jan 2 19:52:18 ipa smbd[7279]: [2014/01/02 19:52:18.896616, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:52:18 ipa smbd[7279]: dcesrv_interface_register: interface 'netlogon' already registered on endpoint
Jan 2 19:53:18 ipa smbd[7279]: [2014/01/02 19:53:18.913794, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:53:18 ipa smbd[7279]: dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Jan 2 19:53:18 ipa smbd[7279]: [2014/01/02 19:53:18.914377, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:53:18 ipa smbd[7279]: dcesrv_interface_register: interface 'samr' already registered on endpoint
Jan 2 19:53:18 ipa smbd[7279]: [2014/01/02 19:53:18.914853, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:53:18 ipa smbd[7279]: dcesrv_interface_register: interface 'netlogon' already registered on endpoint

/var/log/krb5kdc.log

Jan 02 19:27:37 ipa.wibble.com krb5kdc[6611](info): AS_REQ (4 etypes {18 17 16 23}) 10.51.120.1: NEEDED_PREAUTH: host/ipa.wibble@wibble.com for krbtgt/wibble@wibble.com, Additional pre-authentication required
Jan 02 19:27:37 ipa.wibble.com krb5kdc[6611](info): AS_REQ (4 etypes {18 17 16 23}) 10.51.120.1: ISSUE: authtime 1388690857, etypes {rep=18 tkt=18 ses=18}, host/ipa.wibble@wibble.com for krbtgt/wibble@wibble.com
Jan 02 19:27:37 ipa.wibble.com krb5kdc[6611](info): TGS_REQ (4 etypes {18 17 16 23}) 10.51.120.1: ISSUE: authtime 1388690857, etypes {rep=18 tkt=18 ses=18}, host/ipa.wibble@wibble.com for ldap/ipa.wibble@wibble.com

/var/log/sssd/*

this is using bob@host (prattle.com is the windows domain)
https://gist.github.com/anonymous/ff817a251948ff58bdb1

this is using b...@prattle.com@host (prattle.com is the windows domain)
https://gist.github.com/anonymous/885d8bfd6cf7d224de93

Thanks
Dmitri

Ta,
Andrew

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
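The logs posted in the message above come from four different daemons on the IPA server (sshd/PAM backed by sssd, winbindd, smbd, named) plus the KDC, and each failure points at a different layer of the trust. As an added example, not code from this thread or from the FreeIPA project, the Python script below classifies such lines and decodes the two numeric fields a reader otherwise has to look up by hand: the MIT krb5 error code that winbindd logs (-1765328324 is the krb5 error-table base -1765328384 plus protocol error 60, KRB5KRB_ERR_GENERIC, which matches the "Generic error (see e-text)" text in the same line) and the etype numbers in the krb5kdc log (18 and 17 are AES, 16 is DES3 and 23 is RC4, both legacy). The sample lines are constructed after the ones in the thread; the user name bob@prattle.com and the host principal host/ipa.wibble.com@WIBBLE.COM are written out in full here as assumptions, since the archive redacts the address.

```python
import re

# Kerberos etype numbers (RFC 3961/3962/4757) as they appear in krb5kdc.log.
ETYPE_NAMES = {
    18: "aes256-cts-hmac-sha1-96",
    17: "aes128-cts-hmac-sha1-96",
    16: "des3-cbc-sha1",
    23: "arcfour-hmac",
}
LEGACY_ETYPES = {16, 23}  # DES3 and RC4: worth flagging when a client still offers them

# MIT krb5 encodes protocol error N as KRB5_ERROR_BASE + N (KRB5KDC_ERR_NONE is the base).
KRB5_ERROR_BASE = -1765328384
KRB5_ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    60: "KRB5KRB_ERR_GENERIC",
}

# Symptom pattern -> (component, explanation). Regex groups are substituted into the text.
RULES = [
    (r"pam_succeed_if\(sshd:auth\): error retrieving information about user (\S+)",
     "sssd/nss", "user {0} is not resolvable on this host; the trusted-domain lookup failed before PAM ever checked a password"),
    (r"winbindd\[\d+\]: failed to bind to server (ldapi://\S+)",
     "winbindd", "ipa_sam could not bind to the local dirsrv at {0}; trusted-user lookups through winbindd will fail"),
    (r"smbd\[\d+\]: create_policy_hnd: ERROR: too many handles \((\d+)\) on this pipe",
     "smbd", "RPC policy-handle exhaustion ({0} handles on one pipe); a client is opening handles it never closes"),
    (r"named\[\d+\]: .*Can't contact LDAP server",
     "named", "bind-dyndb-ldap lost its dirsrv connection; DNS served from LDAP is stale until it reconnects"),
]
KRB_CODE_RE = re.compile(r"kerberos error: code=(-?\d+)")
KDC_OFFERED_RE = re.compile(r"\(\d+ etypes \{([\d ]+)\}\)")
KDC_ISSUED_RE = re.compile(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}")

# Constructed sample input, modelled on the lines posted in the thread (not live output).
# The user name and the full host principal are assumptions; the archive redacts them.
SAMPLE_LOGS = """\
Jan 2 19:27:46 ipa sshd[8252]: pam_unix(sshd:auth): check pass; user unknown
Jan 2 19:27:46 ipa sshd[8252]: pam_succeed_if(sshd:auth): error retrieving information about user bob@prattle.com
Jan 2 19:27:49 ipa sshd[8252]: Failed password for invalid user bob@prattle.com from 192.168.202.12 port 51537 ssh2
Jan 2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
Jan 2 16:53:49 ipa winbindd[12071]: kerberos error: code=-1765328324, message=Generic error (see e-text)
Jan 2 16:53:49 ipa winbindd[12071]: failed to bind to server ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn=[Anonymous bind] Error: Local error
Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.
Jan 02 19:27:37 ipa.wibble.com krb5kdc[6611](info): AS_REQ (4 etypes {18 17 16 23}) 10.51.120.1: ISSUE: authtime 1388690857, etypes {rep=18 tkt=18 ses=18}, host/ipa.wibble.com@WIBBLE.COM for krbtgt/WIBBLE.COM@WIBBLE.COM
"""


def krb5_error_name(code):
    """Map a raw MIT krb5 com_err value, as winbindd logs it, to its symbolic name."""
    n = code - KRB5_ERROR_BASE
    return KRB5_ERROR_NAMES.get(n, "krb5 error %d" % n)


def parse_kdc_etypes(line):
    """Return (offered_etypes, (rep, tkt, ses)) from a krb5kdc AS_REQ/TGS_REQ line, or None."""
    offered = KDC_OFFERED_RE.search(line)
    if not offered:
        return None
    issued = KDC_ISSUED_RE.search(line)
    return ([int(e) for e in offered.group(1).split()],
            tuple(int(e) for e in issued.groups()) if issued else None)


def triage(log_text):
    """Classify each log line; returns a list of (component, finding) in input order."""
    findings = []
    for line in log_text.splitlines():
        for pattern, component, explanation in RULES:
            m = re.search(pattern, line)
            if m:
                findings.append((component, explanation.format(*m.groups())))
        m = KRB_CODE_RE.search(line)
        if m:
            code = int(m.group(1))
            findings.append(("winbindd", "kerberos %s (%d) reported by winbindd" % (krb5_error_name(code), code)))
        if "krb5kdc" in line:
            parsed = parse_kdc_etypes(line)
            if parsed:
                offered, issued = parsed
                legacy = [ETYPE_NAMES.get(e, str(e)) for e in offered if e in LEGACY_ETYPES]
                if legacy:
                    findings.append(("krb5kdc", "client still offers legacy etypes: " + ", ".join(legacy)))
                if issued:
                    findings.append(("krb5kdc", "ticket issued with " + ETYPE_NAMES.get(issued[1], str(issued[1]))))
    return findings


if __name__ == "__main__":
    for component, finding in triage(SAMPLE_LOGS):
        print("%-9s %s" % (component, finding))
```

Run as a script it prints one line per finding; on a real server feed it the concatenated /var/log/secure, /var/log/messages and /var/log/krb5kdc.log instead of SAMPLE_LOGS. The legacy-etype check only reports what the client offered: the KDC line in the thread shows the ticket was actually issued with AES256, so that finding is informational there, while the pam_succeed_if and winbindd bind findings are the ones that explain the failed SSH login.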
Re: [Freeipa-users] AD - Freeipa trust confusion
Sorry, I forgot this. It works fine for the wibble.com linux domain.

[r...@ipa.wibble.com log]# ldapsearch -x -ZZ -H ldap://localhost -b dc=prattle,dc=com
# extended LDIF
#
# LDAPv3
# base dc=prattle,dc=com with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 32 No such object

# numResponses: 1

On 2 January 2014 20:06, Andrew Holway andrew.hol...@gmail.com wrote:

As for AD users we need to look at the client and see what is going on there. What is your client? Version and component? Is it using latest SSSD? If not additional steps might be needed. Please provide the details about the clients. Please start with trying AD users on the IPA server itself, looking at the logs and seeing what is going on.

/var/log/secure

Jan 2 19:27:46 ipa sshd[8252]: pam_unix(sshd:auth): check pass; user unknown
Jan 2 19:27:46 ipa sshd[8252]: pam_succeed_if(sshd:auth): error retrieving information about user b...@prattle.com
Jan 2 19:27:49 ipa sshd[8252]: Failed password for invalid user b...@prattle.com from 192.168.202.12 port 51537 ssh2

/var/log/messages (not sure if related. this error is going off every 20s)

Jan 2 19:52:18 ipa smbd[7279]: [2014/01/02 19:52:18.895536, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:52:18 ipa smbd[7279]: dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Jan 2 19:52:18 ipa smbd[7279]: [2014/01/02 19:52:18.896121, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:52:18 ipa smbd[7279]: dcesrv_interface_register: interface 'samr' already registered on endpoint
Jan 2 19:52:18 ipa smbd[7279]: [2014/01/02 19:52:18.896616, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:52:18 ipa smbd[7279]: dcesrv_interface_register: interface 'netlogon' already registered on endpoint
Jan 2 19:53:18 ipa smbd[7279]: [2014/01/02 19:53:18.913794, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:53:18 ipa smbd[7279]: dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Jan 2 19:53:18 ipa smbd[7279]: [2014/01/02 19:53:18.914377, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:53:18 ipa smbd[7279]: dcesrv_interface_register: interface 'samr' already registered on endpoint
Jan 2 19:53:18 ipa smbd[7279]: [2014/01/02 19:53:18.914853, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 19:53:18 ipa smbd[7279]: dcesrv_interface_register: interface 'netlogon' already registered on endpoint

/var/log/krb5kdc.log

Jan 02 19:27:37 ipa.wibble.com krb5kdc[6611](info): AS_REQ (4 etypes {18 17 16 23}) 10.51.120.1: NEEDED_PREAUTH: host/ipa.wibble@wibble.com for krbtgt/wibble@wibble.com, Additional pre-authentication required
Jan 02 19:27:37 ipa.wibble.com krb5kdc[6611](info): AS_REQ (4 etypes {18 17 16 23}) 10.51.120.1: ISSUE: authtime 1388690857, etypes {rep=18 tkt=18 ses=18}, host/ipa.wibble@wibble.com for krbtgt/wibble@wibble.com
Jan 02 19:27:37 ipa.wibble.com krb5kdc[6611](info): TGS_REQ (4 etypes {18 17 16 23}) 10.51.120.1: ISSUE: authtime 1388690857, etypes {rep=18 tkt=18 ses=18}, host/ipa.wibble@wibble.com for ldap/ipa.wibble@wibble.com

/var/log/sssd/*

this is using bob@host (prattle.com is the windows domain)
https://gist.github.com/anonymous/ff817a251948ff58bdb1

this is using b...@prattle.com@host (prattle.com is the windows domain)
https://gist.github.com/anonymous/885d8bfd6cf7d224de93

Thanks
Dmitri

Ta,
Andrew

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-users] AD - Freeipa trust confusion
Hello,

I am attempting to set up trust between my test freeipa server at ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com. In the GUI I can see the following in Trusts » prattle.com.

Realm name: prattle.com
Domain NetBIOS name: PRATTLE
Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
Trust direction: Two-way trust
Trust type: Active Directory domain

However I can't see any of the AD users that I have created nor can I log on to any of the systems under my freeipa realm.

Jan 1 20:50:30 host002 sshd[9959]: Failed password for invalid user bob from 10.51.120.1 port 55101 ssh2

I haven't actually done anything to AD to facilitate this trust. It's not particularly clear what should be done.

Many thanks,

Andrew