Re: [Freeipa-users] Cross Domain Trust

2016-01-28 Thread Zoske, Fabian
Thank you Jakub, this solves the issue.

Best regards,
Fabian

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] 
On Behalf Of Jakub Hrozek
Sent: Monday, 18 January 2016 18:46
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Cross Domain Trust

On Mon, Jan 18, 2016 at 06:02:43PM +0100, Lukas Slebodnik wrote:
> On (12/01/16 11:11), Lukas Slebodnik wrote:
> >On (12/01/16 08:25), Zoske, Fabian wrote:
> >>We recently upgraded our IPA-Server from CentOS 7.1 to CentOS 7.2. So far 
> >>no differences.
> >>
> >Then please provide sssd logfiles (1.13.3) from the client and also log 
> >files from sssd on the freeipa server (sssd on the freeipa server is used 
> >indirectly by the extop plugin in 389-ds)
> >
> >Please provide log files from the same time when you reproduced the issue.
> >
> Thank you very much for log files.
> 
> Authentication on client failed due to the following error:
> (Thu Jan 14 12:58:36 2016) [[sssd[krb5_child[992]]]] [sss_child_krb5_trace_cb] (0x4000): [992] 1452772716.736098: Sending request (173 bytes) to EUROIMMUN.TEST (master)
> 
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [get_and_save_tgt] (0x0020): 1232: [-1765328230][Cannot find KDC for realm "EUROIMMUN.TEST"]
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [map_krb5_error] (0x0020): 1301: [-1765328230][Cannot find KDC for realm "EUROIMMUN.TEST"]
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [k5c_send_data] (0x0200): Received error code 1432158209
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [pack_response_packet] (0x2000): response packet size: [4]
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [k5c_send_data] (0x4000): Response sent.
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [main] (0x0400): krb5_child completed successfully
> 
> 
> Do you have defined the realm "EUROIMMUN.TEST" in your krb5.conf?
> 
> It is possible that sssd wrote a snippet to the directory 
> /var/lib/sss/pubconf/krb5.include.d/
> but this directory is not included in krb5.conf.
> 
> $ grep includedir /etc/krb5.conf
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> BTW you can test the same operation as sssd did from the command line.
> 
> KRB5_TRACE=/dev/stderr kinit f.zo...@euroimmun.test
> 
> or is this principal name an enterprise name?

IIRC this came up in a private conversation, too. In short, enterprise 
principals are not supported in an IPA-AD trust scenario, but one can work 
around that by using:
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr
and thus tricking sssd into 'deriving' the UPN from the domain name.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Cross Domain Trust

2016-01-20 Thread Zoske, Fabian
Hi Lukas,

such a realm does not exist, but it is my user principal name in AD, due to 
legacy compatibility with Exchange.

Best regards,
Fabian

-----Original Message-----
From: Lukas Slebodnik [mailto:lsleb...@redhat.com] 
Sent: Monday, 18 January 2016 18:03
To: Zoske, Fabian
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Cross Domain Trust

On (12/01/16 11:11), Lukas Slebodnik wrote:
>On (12/01/16 08:25), Zoske, Fabian wrote:
>>We recently upgraded our IPA-Server from CentOS 7.1 to CentOS 7.2. So far no 
>>differences.
>>
>Then please provide sssd logfiles (1.13.3) from the client and also log 
>files from sssd on the freeipa server (sssd on the freeipa server is used 
>indirectly by the extop plugin in 389-ds)
>
>Please provide log files from the same time when you reproduced the issue.
>
Thank you very much for log files.

Authentication on client failed due to the following error:
(Thu Jan 14 12:58:36 2016) [[sssd[krb5_child[992]]]] [sss_child_krb5_trace_cb] (0x4000): [992] 1452772716.736098: Sending request (173 bytes) to EUROIMMUN.TEST (master)

(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [get_and_save_tgt] (0x0020): 1232: [-1765328230][Cannot find KDC for realm "EUROIMMUN.TEST"]
(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [map_krb5_error] (0x0020): 1301: [-1765328230][Cannot find KDC for realm "EUROIMMUN.TEST"]
(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [k5c_send_data] (0x4000): Response sent.
(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [main] (0x0400): krb5_child completed successfully


Do you have defined the realm "EUROIMMUN.TEST" in your krb5.conf?

It is possible that sssd wrote a snippet to the directory 
/var/lib/sss/pubconf/krb5.include.d/
but this directory is not included in krb5.conf.

$ grep includedir /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

BTW you can test the same operation as sssd did from the command line.

KRB5_TRACE=/dev/stderr kinit f.zo...@euroimmun.test

or is this principal name an enterprise name?

LS


Re: [Freeipa-users] Cross Domain Trust

2016-01-18 Thread Jakub Hrozek
On Mon, Jan 18, 2016 at 06:02:43PM +0100, Lukas Slebodnik wrote:
> On (12/01/16 11:11), Lukas Slebodnik wrote:
> >On (12/01/16 08:25), Zoske, Fabian wrote:
> >>We recently upgraded our IPA-Server from CentOS 7.1 to CentOS 7.2. So far 
> >>no differences.
> >>
> >Then please provide sssd logfiles (1.13.3) from the client
> >and also log files from sssd on the freeipa server (sssd on the freeipa
> >server is used indirectly by the extop plugin in 389-ds)
> >
> >Please provide log files from the same time when you reproduced the issue.
> >
> Thank you very much for log files.
> 
> Authentication on client failed due to the following error:
> (Thu Jan 14 12:58:36 2016) [[sssd[krb5_child[992]]]] [sss_child_krb5_trace_cb] (0x4000): [992] 1452772716.736098: Sending request (173 bytes) to EUROIMMUN.TEST (master)
> 
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [get_and_save_tgt] (0x0020): 1232: [-1765328230][Cannot find KDC for realm "EUROIMMUN.TEST"]
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [map_krb5_error] (0x0020): 1301: [-1765328230][Cannot find KDC for realm "EUROIMMUN.TEST"]
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [k5c_send_data] (0x0200): Received error code 1432158209
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [pack_response_packet] (0x2000): response packet size: [4]
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [k5c_send_data] (0x4000): Response sent.
> (Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [main] (0x0400): krb5_child completed successfully
> 
> 
> Do you have defined the realm "EUROIMMUN.TEST" in your krb5.conf?
> 
> It is possible that sssd wrote a snippet to the directory
> /var/lib/sss/pubconf/krb5.include.d/
> but this directory is not included in krb5.conf.
> 
> $ grep includedir /etc/krb5.conf
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> BTW you can test the same operation as sssd did from the command line.
> 
> KRB5_TRACE=/dev/stderr kinit f.zo...@euroimmun.test
> 
> or is this principal name an enterprise name?

IIRC this came up in a private conversation, too. In short, enterprise
principals are not supported in an IPA-AD trust scenario, but one can
work around that by using:
subdomain_inherit = ldap_user_principal
ldap_user_principal = nosuchattr
and thus tricking sssd into 'deriving' the UPN from the domain name.


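As an added check (not code from the thread), the following script does what Lukas's grep does and then looks for the realm definition both in krb5.conf and in the snippet directory sssd writes for trusted domains; the sample files, the IPA realm name and the snippet layout are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a krb5.conf the way
# Lukas's "grep includedir" does and then looks for a realm definition in
# the main file and in the snippet directory sssd writes for trusted
# domains. Sample files, realm names and snippet layout are constructed.

SSS_INCDIR=/var/lib/sss/pubconf/krb5.include.d

# Print the effective lines of a krb5.conf-style file: comment lines
# (starting with # or ;) and blank lines removed.
krb5_effective_lines() {
    sed -e '/^[[:space:]]*[#;]/d' -e '/^[[:space:]]*$/d' "$1"
}

# 0 if krb5.conf $1 has an effective "includedir <dir>" line for $2
# (default: sssd's pubconf snippet directory).
krb5_has_sssd_includedir() {
    dir=${2:-$SSS_INCDIR}
    krb5_effective_lines "$1" |
        grep -Eq "^[[:space:]]*includedir[[:space:]]+$dir/?[[:space:]]*$"
}

# 0 if realm $1 has a "REALM = {" definition in krb5.conf $2 or, provided
# the snippet directory $3 (default: sssd's) is actually included, in one
# of the snippet files there. A realm defined only in a snippet of a
# directory that krb5.conf does not include yields "Cannot find KDC".
krb5_realm_defined() {
    realm=$1; conf=$2; incdir=${3:-$SSS_INCDIR}
    pattern="^[[:space:]]*$realm[[:space:]]*=[[:space:]]*\\{"
    krb5_effective_lines "$conf" | grep -Eq "$pattern" && return 0
    krb5_has_sssd_includedir "$conf" "$incdir" || return 1
    for f in "$incdir"/*; do
        [ -f "$f" ] || continue
        krb5_effective_lines "$f" | grep -Eq "$pattern" && return 0
    done
    return 1
}

# Constructed sample data: two krb5.conf variants and one snippet for the
# trusted realm from the thread. Prints the directory they live in.
make_samples() {
    d=$(mktemp -d)
    mkdir "$d/inc.d"
    cat > "$d/krb5-included.conf" <<EOF
includedir $d/inc.d
[libdefaults]
  default_realm = IPA-DOMAIN.COM
[realms]
  IPA-DOMAIN.COM = {
    kdc = ipa.ipa-domain.com:88
  }
EOF
    # Same file, but with the includedir line commented out.
    sed 's/^includedir/# includedir/' "$d/krb5-included.conf" > "$d/krb5-missing.conf"
    # Snippet for the trusted realm (layout assumed, not sssd's real output).
    cat > "$d/inc.d/euroimmun_test" <<EOF
[realms]
  EUROIMMUN.TEST = {
    kdc = dc.euroimmun.test:88
  }
EOF
    printf '%s\n' "$d"
}

D=$(make_samples)
for conf in krb5-included.conf krb5-missing.conf; do
    for realm in IPA-DOMAIN.COM EUROIMMUN.TEST; do
        if krb5_realm_defined "$realm" "$D/$conf" "$D/inc.d"; then
            echo "$conf: $realm defined"
        else
            echo "$conf: $realm NOT defined (kinit would report Cannot find KDC)"
        fi
    done
done
rm -rf "$D"
```

Point the two functions at /etc/krb5.conf with no third argument to run the same check against a real client.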

Re: [Freeipa-users] Cross Domain Trust

2016-01-18 Thread Lukas Slebodnik
On (12/01/16 11:11), Lukas Slebodnik wrote:
>On (12/01/16 08:25), Zoske, Fabian wrote:
>>We recently upgraded our IPA-Server from CentOS 7.1 to CentOS 7.2. So far no 
>>differences.
>>
>Then please provide sssd logfiles (1.13.3) from the client
>and also log files from sssd on the freeipa server (sssd on the freeipa
>server is used indirectly by the extop plugin in 389-ds)
>
>Please provide log files from the same time when you reproduced the issue.
>
Thank you very much for log files.

Authentication on client failed due to the following error:
(Thu Jan 14 12:58:36 2016) [[sssd[krb5_child[992]]]] [sss_child_krb5_trace_cb] (0x4000): [992] 1452772716.736098: Sending request (173 bytes) to EUROIMMUN.TEST (master)

(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [get_and_save_tgt] (0x0020): 1232: [-1765328230][Cannot find KDC for realm "EUROIMMUN.TEST"]
(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [map_krb5_error] (0x0020): 1301: [-1765328230][Cannot find KDC for realm "EUROIMMUN.TEST"]
(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [k5c_send_data] (0x4000): Response sent.
(Thu Jan 14 12:58:37 2016) [[sssd[krb5_child[992]]]] [main] (0x0400): krb5_child completed successfully


Do you have defined the realm "EUROIMMUN.TEST" in your krb5.conf?

It is possible that sssd wrote a snippet to the directory
/var/lib/sss/pubconf/krb5.include.d/
but this directory is not included in krb5.conf.

$ grep includedir /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

BTW you can test the same operation as sssd did from the command line.

KRB5_TRACE=/dev/stderr kinit f.zo...@euroimmun.test

or is this principal name an enterprise name?

LS



Re: [Freeipa-users] Cross Domain Trust

2016-01-12 Thread Zoske, Fabian
We recently upgraded our IPA-Server from CentOS 7.1 to CentOS 7.2. So far no 
differences.

Best regards,
Fabian

> On 11 Jan 2016, at 19:37, Lukas Slebodnik wrote:
> 
> On (11/01/16 14:56), Zoske, Fabian wrote:
>> I looked deeper into the problem and tested it with ubuntu 16.04 Alpha which 
>> includes SSSD 1-13-3.
>> Now I have the same problem on Ubuntu.
>> On Ubuntu 14.04 I have installed the shipped SSSD-1.11.5 and everything 
>> works.
>> 
> It might be an issue on the ipa server.
> sssd-1.11 fetches trusted users from the ipa server in a different way than
> sssd-1.12+
> 
> Could you try to upgrade FreeIPA from CentOS 7.1 to CentOS 7.2?
> 
> LS




Re: [Freeipa-users] Cross Domain Trust

2016-01-12 Thread Lukas Slebodnik
On (12/01/16 08:25), Zoske, Fabian wrote:
>We recently upgraded our IPA-Server from CentOS 7.1 to CentOS 7.2. So far no 
>differences.
>
Then please provide sssd logfiles (1.13.3) from the client
and also log files from sssd on the freeipa server (sssd on the freeipa
server is used indirectly by the extop plugin in 389-ds)

Please provide log files from the same time when you reproduced the issue.

LS



Re: [Freeipa-users] Cross Domain Trust

2016-01-11 Thread Zoske, Fabian
I looked deeper into the problem and tested it with Ubuntu 16.04 Alpha which 
includes SSSD 1.13.3.
Now I have the same problem on Ubuntu.
On Ubuntu 14.04 I have installed the shipped SSSD-1.11.5 and everything works.

Best regards,
Fabian


-----Original Message-----
From: Sumit Bose [mailto:sb...@redhat.com] 
Sent: Tuesday, 15 December 2015 13:38
To: Zoske, Fabian
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Cross Domain Trust

On Tue, Dec 15, 2015 at 10:58:09AM +, Zoske, Fabian wrote:
> I’ve set up an IPA-Server with a handful of clients and AD-Trust.
> The server is a CentOS7.1 with IPA4.1 and the clients are mostly Ubuntu 
> Server 14.04 LTS.
> Our IPA-Domain is like ipa-domain.com and our AD-Domain is like 
> ad-domain.local, but our user principals in AD are 
> u...@old-domain.com for backward compatibility.
> 
> On the Ubuntu clients I can log in with my AD-Credentials, but when trying to 
> do the same on a joined CentOS Server I can’t log in.
> In the logs I can see that no KDC for OLD-DOMAIN.COM is found.
> 
> Why does this scenario work on Ubuntu but not on CentOS?
> Can I do something about this?

Are there any differences in /etc/krb5.conf on the Ubuntu client and on the 
CentOS servers?

What name servers are configured? Typically the clients should use the IPA 
server as a name server.

bye,
Sumit

> 
> Best regards,
> Fabian


Re: [Freeipa-users] Cross Domain Trust

2016-01-11 Thread Lukas Slebodnik
On (11/01/16 14:56), Zoske, Fabian wrote:
>I looked deeper into the problem and tested it with Ubuntu 16.04 Alpha which 
>includes SSSD 1.13.3.
>Now I have the same problem on Ubuntu.
>On Ubuntu 14.04 I have installed the shipped SSSD-1.11.5 and everything works.
>
It might be an issue on the ipa server.
sssd-1.11 fetches trusted users from the ipa server in a different way than
sssd-1.12+

Could you try to upgrade FreeIPA from CentOS 7.1 to CentOS 7.2?

LS



[Freeipa-users] Cross Domain Trust

2015-12-15 Thread Zoske, Fabian
I’ve set up an IPA-Server with a handful of clients and AD-Trust.
The server is a CentOS7.1 with IPA4.1 and the clients are mostly Ubuntu Server 
14.04 LTS.
Our IPA-Domain is like ipa-domain.com and our AD-Domain is like 
ad-domain.local, but our user principals in AD are 
u...@old-domain.com for backward compatibility.

On the Ubuntu clients I can log in with my AD-Credentials, but when trying to do 
the same on a joined CentOS Server I can’t log in.
In the logs I can see that no KDC for OLD-DOMAIN.COM is found.

Why does this scenario work on Ubuntu but not on CentOS?
Can I do something about this?

Best regards,
Fabian

Re: [Freeipa-users] Cross Domain Trust

2015-12-15 Thread Zoske, Fabian
In the Ubuntu krb5.conf there are 2 more lines:
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}

The nameservers on both system types are identical and pointing to our 
AD-Domain Controller.
On the AD-Servers the ipa-domain.com is a conditional forwarder to the 
IPA-Server.

I changed the name server configuration on a CentOS just to be sure, but it 
didn’t have any effect.

Best regards,
Fabian

> On 15 Dec 2015, at 13:38, Sumit Bose wrote:
> 
> On Tue, Dec 15, 2015 at 10:58:09AM +, Zoske, Fabian wrote:
>> I’ve set up an IPA-Server with a handful of clients and AD-Trust.
>> The server is a CentOS7.1 with IPA4.1 and the clients are mostly Ubuntu 
>> Server 14.04 LTS.
>> Our IPA-Domain is like ipa-domain.com and our AD-Domain is like 
>> ad-domain.local, but our user principals in AD are 
>> u...@old-domain.com for backward compatibility.
>> 
>> On the Ubuntu clients I can log in with my AD-Credentials, but when trying to 
>> do the same on a joined CentOS Server I can’t log in.
>> In the logs I can see that no KDC for OLD-DOMAIN.COM is found.
>> 
>> Why does this scenario work on Ubuntu but not on CentOS?
>> Can I do something about this?
> 
> Are there any differences in /etc/krb5.conf on the Ubuntu client and on
> the CentOS servers?
> 
> What name servers are configured? Typically the clients should use the
> IPA server as a name server.
> 
> bye,
> Sumit
> 
>> 
>> Best regards,
>> Fabian
> 

Re: [Freeipa-users] Cross Domain Trust

2015-12-15 Thread Sumit Bose
On Tue, Dec 15, 2015 at 10:58:09AM +, Zoske, Fabian wrote:
> I’ve set up an IPA-Server with a handful of clients and AD-Trust.
> The server is a CentOS7.1 with IPA4.1 and the clients are mostly Ubuntu 
> Server 14.04 LTS.
> Our IPA-Domain is like ipa-domain.com and our AD-Domain is like 
> ad-domain.local, but our user principals in AD are 
> u...@old-domain.com for backward compatibility.
> 
> On the Ubuntu clients I can log in with my AD-Credentials, but when trying to 
> do the same on a joined CentOS Server I can’t log in.
> In the logs I can see that no KDC for OLD-DOMAIN.COM is found.
> 
> Why does this scenario work on Ubuntu but not on CentOS?
> Can I do something about this?

Are there any differences in /etc/krb5.conf on the Ubuntu client and on
the CentOS servers?

What name servers are configured? Typically the clients should use the
IPA server as a name server.

bye,
Sumit

> 
> Best regards,
> Fabian


Re: [Freeipa-users] Cross domain trust

2014-02-06 Thread Steve Dainard
So I've completed the setup, and can see the trust on the Windows side.

I've joined a client to the IPA realm, and can log in with an IPA user. When
I try to log in (console, ssh, su -) as a domain user I get:

CLIENT SIDE

[root@rhel6-client ~]# su - sdainard@miovision
su: user sdainard@miovision does not exist
[root@rhel6-client ~]# su - sdain...@miovision.corp
su: user sdain...@miovision.corp does not exist
[root@rhel6-client ~]# su - sdain...@miovision.corp
su: user sdain...@miovision.corp does not exist


[root@rhel6-client ~]# ssh sdainard@miovision@localhost
sdainard@miovision@localhost's password:
Permission denied, please try again.


/var/log/secure:
Feb  6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): check pass; user
unknown
Feb  6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
Feb  6 10:13:09 rhel6 sshd[2435]: pam_succeed_if(sshd:auth): error
retrieving information about user sdainard@miovision
Feb  6 10:13:10 rhel6 sshd[2435]: Failed password for invalid user
sdainard@miovision from ::1 port 47391 ssh2
Feb  6 10:13:20 rhel6 sshd[2436]: Connection closed by ::1
Feb  6 10:13:25 rhel6 sshd[2709]: Invalid user sdainard@miovision from ::1
Feb  6 10:13:25 rhel6 sshd[2710]: input_userauth_request: invalid user
sdainard@miovision
Feb  6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): check pass; user
unknown
Feb  6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
Feb  6 10:13:38 rhel6 sshd[2709]: pam_succeed_if(sshd:auth): error
retrieving information about user sdainard@miovision
Feb  6 10:13:40 rhel6 sshd[2709]: Failed password for invalid user
sdainard@miovision from ::1 port 47417 ssh2

No logs for sssd;
# pwd
/var/log/sssd
[root@snapshot-test sssd]# ll
total 0
-rw---. 1 root root 0 Feb  5 17:38 krb5_child.log
-rw---. 1 root root 0 Feb  5 17:38 ldap_child.log
-rw---. 1 root root 0 Feb  5 17:37 sssd.log
-rw---. 1 root root 0 Feb  5 17:38 sssd_miolinux.corp.log
-rw---. 1 root root 0 Feb  5 17:38 sssd_nss.log
-rw---. 1 root root 0 Feb  5 17:38 sssd_pac.log
-rw---. 1 root root 0 Feb  5 17:38 sssd_pam.log
-rw---. 1 root root 0 Feb  5 17:38 sssd_ssh.log

/etc/sssd/sssd.conf:
[domain/miolinux.corp]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = miolinux.corp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rhel6-client.miolinux.corp
chpass_provider = ipa
ipa_server = _srv_, ipa1.miolinux.corp
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = miolinux.corp
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]



/etc/ipa/default.conf
#File modified by ipa-client-install

[global]
basedn = dc=miolinux,dc=corp
realm = MIOLINUX.CORP
domain = miolinux.corp
server = ipa1.miolinux.corp
xmlrpc_uri = https://ipa1.miolinux.corp/ipa/xml
enable_ra = True


IPA SERVER SIDE
/var/log/dirsrv/slapd-MIOLINUX-CORP/access
* no new entries *

/var/log/dirsrv/slapd-MIOLINUX-CORP/errors
* no new entries *

/var/log/krb5kdc.log when I attempt to su - sdainard@miovision

Feb 06 10:08:25 ipa1.miolinux.corp krb5kdc[7689](info): AS_REQ (4 etypes
{18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH:
host/rhel6-client.miolinux.c...@miolinux.corp for
krbtgt/miolinux.c...@miolinux.corp, Additional pre-authentication required
Feb 06 10:08:25 ipa1.miolinux.corp krb5kdc[7688](info): AS_REQ (4 etypes
{18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699305, etypes {rep=18
tkt=18 ses=18}, host/rhel6-client.miolinux.c...@miolinux.corp for
krbtgt/miolinux.c...@miolinux.corp
Feb 06 10:08:26 ipa1.miolinux.corp krb5kdc[7689](info): TGS_REQ (4 etypes
{18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699305, etypes {rep=18
tkt=18 ses=18}, host/rhel6-client.miolinux.c...@miolinux.corp for
ldap/ipa1.miolinux.c...@miolinux.corp
Feb 06 10:08:26 ipa1.miolinux.corp krb5kdc[7687](info): AS_REQ (4 etypes
{18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH:
host/rhel6-client.miolinux.c...@miolinux.corp for
krbtgt/miolinux.c...@miolinux.corp, Additional pre-authentication required
Feb 06 10:08:26 ipa1.miolinux.corp krb5kdc[7690](info): AS_REQ (4 etypes
{18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699306, etypes {rep=18
tkt=18 ses=18}, host/rhel6-client.miolinux.c...@miolinux.corp for
krbtgt/miolinux.c...@miolinux.corp
Feb 06 10:08:27 ipa1.miolinux.corp krb5kdc[7688](info): TGS_REQ (4 etypes
{18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699306, etypes {rep=18
tkt=18 ses=18}, host/rhel6-client.miolinux.c...@miolinux.corp for
ldap/ipa1.miolinux.c...@miolinux.corp
Feb 06 10:08:27 ipa1.miolinux.corp krb5kdc[7687](info): AS_REQ (4 etypes
{18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH:
host/rhel6-client.miolinux.c...@miolinux.corp for
krbtgt/miolinux.c...@miolinux.corp, Additional pre-authentication required
Feb 06 10:08:27 ipa1.miolinux.corp krb5kdc[7688](info): 

Re: [Freeipa-users] Cross domain trust

2014-02-06 Thread Alexander Bokovoy

On Thu, 06 Feb 2014, Steve Dainard wrote:

> So I've completed the setup, and can see the trust on the Windows side.
> 
> I've joined a client to the IPA realm, and can log in with an IPA user. When
> I try to log in (console, ssh, su -) as a domain user I get:
> 
> CLIENT SIDE
> 
> [root@rhel6-client ~]# su - sdainard@miovision
> su: user sdainard@miovision does not exist
> [root@rhel6-client ~]# su - sdain...@miovision.corp
> su: user sdain...@miovision.corp does not exist
> [root@rhel6-client ~]# su - sdain...@miovision.corp
> su: user sdain...@miovision.corp does not exist
> 
> 
> [root@rhel6-client ~]# ssh sdainard@miovision@localhost
> sdainard@miovision@localhost's password:
> Permission denied, please try again.
> 
> 
> /var/log/secure:
> Feb  6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): check pass; user
> unknown
> Feb  6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
> Feb  6 10:13:09 rhel6 sshd[2435]: pam_succeed_if(sshd:auth): error
> retrieving information about user sdainard@miovision
> Feb  6 10:13:10 rhel6 sshd[2435]: Failed password for invalid user
> sdainard@miovision from ::1 port 47391 ssh2
> Feb  6 10:13:20 rhel6 sshd[2436]: Connection closed by ::1
> Feb  6 10:13:25 rhel6 sshd[2709]: Invalid user sdainard@miovision from ::1
> Feb  6 10:13:25 rhel6 sshd[2710]: input_userauth_request: invalid user
> sdainard@miovision
> Feb  6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): check pass; user
> unknown
> Feb  6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
> Feb  6 10:13:38 rhel6 sshd[2709]: pam_succeed_if(sshd:auth): error
> retrieving information about user sdainard@miovision
> Feb  6 10:13:40 rhel6 sshd[2709]: Failed password for invalid user
> sdainard@miovision from ::1 port 47417 ssh2

Note that there are no logs from sssd above which means sssd was never
consulted.



> No logs for sssd;
> # pwd
> /var/log/sssd
> [root@snapshot-test sssd]# ll
> total 0
> -rw---. 1 root root 0 Feb  5 17:38 krb5_child.log
> -rw---. 1 root root 0 Feb  5 17:38 ldap_child.log
> -rw---. 1 root root 0 Feb  5 17:37 sssd.log
> -rw---. 1 root root 0 Feb  5 17:38 sssd_miolinux.corp.log
> -rw---. 1 root root 0 Feb  5 17:38 sssd_nss.log
> -rw---. 1 root root 0 Feb  5 17:38 sssd_pac.log
> -rw---. 1 root root 0 Feb  5 17:38 sssd_pam.log
> -rw---. 1 root root 0 Feb  5 17:38 sssd_ssh.log

sssd doesn't log if not asked. Each section of /etc/sssd/sssd.conf can
have a
  debug_level = value
line. For more details see sssd.conf(5).



> /etc/sssd/sssd.conf:
> [domain/miolinux.corp]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = miolinux.corp
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = rhel6-client.miolinux.corp
> chpass_provider = ipa
> ipa_server = _srv_, ipa1.miolinux.corp
> ldap_tls_cacert = /etc/ipa/ca.crt

You are missing the SSSD configuration for trusts:

subdomains_provider = ipa


> [sssd]
> services = nss, pam, ssh

and here also service 'pac' has to be referenced in the 'services = '
line


> config_file_version = 2
> 
> domains = miolinux.corp
> [nss]
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]




Basically, the situation should look like this:

1. IPA master server configured to talk to AD DC, by means of using winbindd in
   background (on RHEL 6.x, in current Fedora it is done by directly
   talking to AD LDAP services by SSSD). SSSD on IPA master uses it to
   resolve IDs for AD users and groups. This requires special setup of
   SSSD on IPA master, with

   [domain/...]
   subdomains_provider = ipa

   and

   [sssd]
   services = ..., pac

   In newer versions (FreeIPA 3.3+, SSSD 1.11+) this is done on IPA master
   automatically by setting

   ipa_master_mode = True

   On RHEL 6.x one needs to add the parameters manually.

2. /etc/krb5.conf has to contain auth_to_local rules that map AD
   principals to lower-cased versions because some applications (SSH)
   are very picky about user/principal name mapping. This has to be done
   on both IPA masters and IPA clients.

3. On IPA clients SSSD needs to have following in the
   /etc/sssd/sssd.conf

   [domain/...]
   subdomains_provider = ipa

   and

   [sssd]
   services = ..., pac

   With these changes SSSD on IPA client will recognize AD users and
   request IPA master to perform name/SID/etc resolution, and also will
   make an attempt to parse special part of the Kerberos ticket
   generated by AD DC (MS-PAC) that contains signed cached copy of group
   ownership for AD users.

SSSD needs a restart after each config change.

You can do checks step by step to see whether things are working:

1. Ensure that SSSD on IPA master resolves AD user properly:

   getent passwd user@ad.domain

   Should return non-empty entry.

2. Ensure that SSSD on IPA client resolves AD user properly:

   getent passwd user@ad.domain

   Should return non-empty entry.

3. Ensure that Kerberos infrastructure works:

   kinit user@ad.domain
   
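The two sssd.conf settings Alexander lists for the client (subdomains_provider in the domain section, pac in the services list) as an added checklist script; this is not code from the thread or from SSSD, and the sample files are constructed from the configuration posted above.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks an sssd.conf for the two
# trust settings Alexander lists for a RHEL 6 era IPA client:
# subdomains_provider = ipa in the [domain/...] section and the pac
# service in the [sssd] services list. Sample files are constructed from
# the configuration posted in the thread.

# Print "key=value" for every setting in section $2 of file $1, with
# comments, surrounding whitespace and the section header stripped.
sssd_section_values() {
    awk -v want="[$2]" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s)
            insect = (s == want); next
        }
        insect && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            print key "=" val
        }' "$1"
}

# 0 if key $3 in section $2 of file $1 is exactly $4.
sssd_key_is() {
    sssd_section_values "$1" "$2" | grep -qxF "$3=$4"
}

# 0 if the comma-separated list held by key $3 in section $2 of file $1
# contains the item $4 (so "nss, pam, ssh, pac" matches "pac").
sssd_list_has() {
    sssd_section_values "$1" "$2" | awk -F= -v k="$3" -v item="$4" '
        $1 == k {
            n = split($2, a, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (a[i] == item) found = 1
        }
        END { exit !found }'
}

# Run the checklist for IPA domain $2 in sssd.conf $1: one line per check,
# return 0 only if every check passes.
sssd_trust_ready() {
    rc=0
    if sssd_key_is "$1" "domain/$2" subdomains_provider ipa; then
        echo "OK   [domain/$2] subdomains_provider = ipa"
    else
        echo "FAIL [domain/$2] needs subdomains_provider = ipa"; rc=1
    fi
    if sssd_list_has "$1" sssd services pac; then
        echo "OK   [sssd] services lists pac"
    else
        echo "FAIL [sssd] services must also list pac"; rc=1
    fi
    return $rc
}

# Constructed samples: the client config as posted, and the same config
# with Alexander's two additions. Prints the directory they live in.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/before.conf" <<'EOF'
[domain/miolinux.corp]
id_provider = ipa
auth_provider = ipa
ipa_domain = miolinux.corp
ipa_server = _srv_, ipa1.miolinux.corp
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = miolinux.corp
[pac]
EOF
    cat > "$d/after.conf" <<'EOF'
[domain/miolinux.corp]
id_provider = ipa
auth_provider = ipa
ipa_domain = miolinux.corp
ipa_server = _srv_, ipa1.miolinux.corp
subdomains_provider = ipa
[sssd]
services = nss, pam, ssh, pac
config_file_version = 2
domains = miolinux.corp
[pac]
EOF
    printf '%s\n' "$d"
}

D=$(make_samples)
for f in before after; do
    echo "== $f.conf"
    sssd_trust_ready "$D/$f.conf" miolinux.corp || echo "   -> not trust-ready"
done
rm -rf "$D"
```

Note that a `[pac]` section alone (as in the posted config) does not pass; the responder is only started when `pac` appears in `services`, which is what the list check looks for.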

Re: [Freeipa-users] Cross domain trust

2014-02-06 Thread Steve Dainard
On Thu, Feb 6, 2014 at 11:14 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Thu, 06 Feb 2014, Steve Dainard wrote:
> 
> > So I've completed the setup, and can see the trust on the Windows side.
> >
> > I've joined a client to the IPA realm, and can log in with an IPA user. When
> > I try to log in (console, ssh, su -) as a domain user I get:
> >
> > CLIENT SIDE
> >
> > [root@rhel6-client ~]# su - sdainard@miovision
> > su: user sdainard@miovision does not exist
> > [root@rhel6-client ~]# su - sdain...@miovision.corp
> > su: user sdain...@miovision.corp does not exist
> > [root@rhel6-client ~]# su - sdain...@miovision.corp
> > su: user sdain...@miovision.corp does not exist
> >
> >
> > [root@rhel6-client ~]# ssh sdainard@miovision@localhost
> > sdainard@miovision@localhost's password:
> > Permission denied, please try again.
> >
> >
> > /var/log/secure:
> > Feb  6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): check pass; user
> > unknown
> > Feb  6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
> > Feb  6 10:13:09 rhel6 sshd[2435]: pam_succeed_if(sshd:auth): error
> > retrieving information about user sdainard@miovision
> > Feb  6 10:13:10 rhel6 sshd[2435]: Failed password for invalid user
> > sdainard@miovision from ::1 port 47391 ssh2
> > Feb  6 10:13:20 rhel6 sshd[2436]: Connection closed by ::1
> > Feb  6 10:13:25 rhel6 sshd[2709]: Invalid user sdainard@miovision from
> > ::1
> > Feb  6 10:13:25 rhel6 sshd[2710]: input_userauth_request: invalid user
> > sdainard@miovision
> > Feb  6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): check pass; user
> > unknown
> > Feb  6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
> > Feb  6 10:13:38 rhel6 sshd[2709]: pam_succeed_if(sshd:auth): error
> > retrieving information about user sdainard@miovision
> > Feb  6 10:13:40 rhel6 sshd[2709]: Failed password for invalid user
> > sdainard@miovision from ::1 port 47417 ssh2
> 
> Note that there are no logs from sssd above which means sssd was never
> consulted.
> 
> 
> 
> > No logs for sssd;
> > # pwd
> > /var/log/sssd
> > [root@snapshot-test sssd]# ll
> > total 0
> > -rw---. 1 root root 0 Feb  5 17:38 krb5_child.log
> > -rw---. 1 root root 0 Feb  5 17:38 ldap_child.log
> > -rw---. 1 root root 0 Feb  5 17:37 sssd.log
> > -rw---. 1 root root 0 Feb  5 17:38 sssd_miolinux.corp.log
> > -rw---. 1 root root 0 Feb  5 17:38 sssd_nss.log
> > -rw---. 1 root root 0 Feb  5 17:38 sssd_pac.log
> > -rw---. 1 root root 0 Feb  5 17:38 sssd_pam.log
> > -rw---. 1 root root 0 Feb  5 17:38 sssd_ssh.log
> 
> sssd doesn't log if not asked. Each section of /etc/sssd/sssd.conf can
> have a
>   debug_level = value
> line. For more details see sssd.conf(5).
> 
> 
> 
> > /etc/sssd/sssd.conf:
> > [domain/miolinux.corp]
> >
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = miolinux.corp
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ipa_hostname = rhel6-client.miolinux.corp
> > chpass_provider = ipa
> > ipa_server = _srv_, ipa1.miolinux.corp
> > ldap_tls_cacert = /etc/ipa/ca.crt
> 
> You are missing the SSSD configuration for trusts:
> 
> subdomains_provider = ipa
> 
> 
> > [sssd]
> > services = nss, pam, ssh
> 
> and here also service 'pac' has to be referenced in the 'services = '
> line
> 
> 
> > config_file_version = 2
> >
> > domains = miolinux.corp
> > [nss]
> >
> > [pam]
> >
> > [sudo]
> >
> > [autofs]
> >
> > [ssh]
> >
> > [pac]
> 
> 
> 
> 
> Basically, the situation should look like this:
> 
> 1. IPA master server configured to talk to AD DC, by means of using
>    winbindd in background (on RHEL 6.x, in current Fedora it is done by
>    directly talking to AD LDAP services by SSSD). SSSD on IPA master uses
>    it to resolve IDs for AD users and groups. This requires special setup
>    of SSSD on IPA master, with
> 
>    [domain/...]
>    subdomains_provider = ipa
> 
>    and
> 
>    [sssd]
>    services = ..., pac

Server side looks right:

[domain/miolinux.corp]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = miolinux.corp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.miolinux.corp
chpass_provider = ipa
ipa_server = ipa1.miolinux.corp
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa

[sssd]
services = nss, pam, ssh, pac
config_file_version = 2

domains = miolinux.corp
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

In newer versions (FreeIPA 3.3+, SSSD 1.11+) this is done on IPA master
automatically by setting   ipa_master_mode = True

On RHEL 6.x one needs to add the parameters manually.

 2. /etc/krb5.conf has to contain auth_to_local rules that map AD
principals to lower-cased versions because some applications (SSH)
are very picky about user/principal name mapping. This has to be done
on both IPA masters and IPA clients.


This was done on the IPA server, but the RHEL 6.5 client doesn't have this
file.

On the IPA server:

[realms]
 MIOLINUX.CORP = {
  kdc = ipa1.miolinux.corp:88
  master_kdc = ipa1.miolinux.corp:88
  admin_server = ipa1.miolinux.corp:749
  default_domain = 
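
A small checker for the sssd.conf gaps pointed out above (no subdomains_provider = ipa in the IPA domain section, no pac in the [sssd] services list, and no debug_level so the domain log stays empty). This is an added example, not SSSD or FreeIPA code; the embedded configuration is constructed from the client sssd.conf quoted in the message, and the function names are my own.

```python
import configparser
from typing import List

# Constructed from the RHEL 6 client sssd.conf quoted above; this is an added
# example, not SSSD or FreeIPA code, and the [sssd] section is as shown there.
CLIENT_SSSD_CONF = """\
[domain/miolinux.corp]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = miolinux.corp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rhel6-client.miolinux.corp
chpass_provider = ipa
ipa_server = _srv_, ipa1.miolinux.corp
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = miolinux.corp

[nss]
[pam]
[ssh]
[pac]
"""

# The same file with the additions the reply asks for (pac responder,
# subdomains_provider, and a debug_level so the domain log is not empty).
FIXED_SSSD_CONF = CLIENT_SSSD_CONF.replace(
    "services = nss, pam, ssh", "services = nss, pam, ssh, pac"
).replace(
    "id_provider = ipa\n",
    "id_provider = ipa\nsubdomains_provider = ipa\ndebug_level = 9\n",
)


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style; keep option names exactly as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_trust_config(text: str) -> List[str]:
    """Return the trust-related gaps named in the thread, or [] if none.

    On SSSD 1.9/1.10 (RHEL 6) an IPA domain needs subdomains_provider = ipa
    to resolve AD users (newer SSSD on an IPA master uses ipa_master_mode
    instead); the pac responder must be listed in [sssd] services.
    """
    cp = parse_sssd_conf(text)
    findings: List[str] = []

    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "pac" not in services:
        findings.append("[sssd] services does not list the 'pac' responder")

    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ipa":
            continue
        has_subdomains = cp.get(section, "subdomains_provider", fallback="") == "ipa"
        master_mode = cp.get(section, "ipa_master_mode", fallback="False").lower() == "true"
        if not (has_subdomains or master_mode):
            findings.append(f"[{section}] subdomains_provider = ipa is missing; AD users will not resolve")
        if not cp.has_option(section, "debug_level"):
            log = f"sssd_{section[len('domain/'):]}.log"
            findings.append(f"[{section}] debug_level is unset, so /var/log/sssd/{log} stays empty")
    return findings


if __name__ == "__main__":
    for label, conf in (("client as posted", CLIENT_SSSD_CONF), ("with fixes", FIXED_SSSD_CONF)):
        print(f"{label}: {check_trust_config(conf) or 'ok'}")
```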

Re: [Freeipa-users] Cross domain trust

2014-02-06 Thread Alexander Bokovoy

On Thu, 06 Feb 2014, Steve Dainard wrote:

   In newer versions (FreeIPA 3.3+, SSSD 1.11+) this is done on IPA master
   automatically by setting   ipa_master_mode = True

   On RHEL 6.x one needs to add the parameters manually.

2. /etc/krb5.conf has to contain auth_to_local rules that map AD
   principals to lower-cased versions because some applications (SSH)
   are very picky about user/principal name mapping. This has to be done
   on both IPA masters and IPA clients.



This was done on the IPA server, but the RHEL 6.5 client doesn't have this
file.

On the IPA server:

[realms]
MIOLINUX.CORP = {
 kdc = ipa1.miolinux.corp:88
 master_kdc = ipa1.miolinux.corp:88
 admin_server = ipa1.miolinux.corp:749
 default_domain = miolinux.corp
 pkinit_anchors = FILE:/etc/ipa/ca.crt
auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION$)s/@MIOVISION/@miovision/
auth_to_local = DEFAULT

[root@ipa1 ~]# kinit sdain...@miovision.corp
Password for sdain...@miovision.corp:
kinit: KDC reply did not match expectations while getting initial
credentials
MIT Kerberos is case-sensitive for the realm, so it should always be

 kinit sdain...@miovision.corp

make also sure that your rule above has proper realm. If your realm is
MIOVISION.CORP, then auth_to_local rule is

auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION.CORP$)s/@MIOVISION.CORP/@miovision.corp/

In MIT Kerberos 1.13 we'll have an interface that will allow SSSD to
automatically generate (and supply) these rules. Prior to that we have
to have explicit configuration on all clients and servers.


A CentOS 6.5 client has this file. The docs didn't mention the manual
client config, I just assumed the IPA server would proxy the request. After
adding, no change.

A request to IPA server needs to come from a client and a client needs
to know about that. We changed SSSD 1.11+ to discover IPA capabilities
and self-configure but for older clients (1.9..1.10) you need to perform
it through explicit config.


   With these changes SSSD on IPA client will recognize AD users and
   request IPA master to perform name/SID/etc resolution, and also will
   make an attempt to parse special part of the Kerberos ticket
   generated by AD DC (MS-PAC) that contains signed cached copy of group
   ownership for AD users.

SSSD needs restart after each config change.

You can do checks step by step to see whether things are working:

1. Ensure that SSSD on IPA master resolves AD user properly:

   getent passwd user@ad.domain

   Should return non-empty entry.

Returns no values.

[root@ipa1 ~]# getent passwd sdain...@miovision.corp
[root@ipa1 ~]#

Can you add debug_level=9 to [domain/...] section in
/etc/sssd/sssd.conf, restart sssd and try again?

In /var/log/sssd/sssd_domain.log there will be a lot of debug
information that I'd like to see (send it privately).

If sssd properly tries to talk to winbindd to resolve id, I'd like to
see winbind logs then:

# smbcontrol all debug 100
# getent passwd sdain...@miovision.corp
# smbcontrol all debug 1

and send me logs from /var/log/samba.

2. Ensure that SSSD on IPA client resolves AD user properly:

   getent passwd user@ad.domain

   Should return non-empty entry.



[root@snapshot-test ~]# getent passwd sdain...@miovision.corp
[root@snapshot-test ~]#


Once we solve it for IPA master, we can continue with this part.

3. Ensure that Kerberos infrastructure works:

   kinit user@ad.domain
   kvno -S host ipa.client.domain



[root@ipa1 ~]# kinit sdain...@miovision.corp
Password for sdain...@miovision.corp:
kinit: KDC reply did not match expectations while getting initial
credentials

Expected (realm is case-sensitive).

[root@ipa1 ~]# kinit sdain...@miovision.corp
Password for sdain...@miovision.corp:

[root@ipa1 ~]# kvno cifs/dc1.miovision.c...@miovision.corp
cifs/dc1.miovision.c...@miovision.corp: kvno = 41

[root@ipa1 ~]# kvno -S host ipa1.miolinux.corp
host/ipa1.miolinux.c...@miolinux.corp: kvno = 2

[root@ipa1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sdain...@miovision.corp

Valid starting     Expires            Service principal
02/06/14 11:54:55  02/06/14 21:54:57  krbtgt/miovision.c...@miovision.corp
renew until 02/07/14 11:54:55
02/06/14 11:55:38  02/06/14 21:54:57  cifs/dc1.miovision.c...@miovision.corp
renew until 02/07/14 11:54:55
02/06/14 11:56:50  02/06/14 21:54:57  krbtgt/miolinux.c...@miovision.corp
renew until 02/07/14 11:54:55
02/06/14 11:57:05  02/06/14 21:54:57  host/ipa1.miolinux.c...@miolinux.corp
renew until 02/07/14 11:54:55

Kerberos infrastructure works fine.


--
/ Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Cross domain trust

2014-02-06 Thread Steve Dainard
On Thu, Feb 6, 2014 at 12:42 PM, Alexander Bokovoy aboko...@redhat.com wrote:

 On Thu, 06 Feb 2014, Steve Dainard wrote:

In newer versions (FreeIPA 3.3+, SSSD 1.11+) this is done on IPA master
automatically by setting   ipa_master_mode = True

On RHEL 6.x one needs to add the parameters manually.

 2. /etc/krb5.conf has to contain auth_to_local rules that map AD
principals to lower-cased versions because some applications (SSH)
are very picky about user/principal name mapping. This has to be done
on both IPA masters and IPA clients.


 This was done on the IPA server, but the RHEL 6.5 client doesn't have this
 file.

 On the IPA server:

 [realms]
 MIOLINUX.CORP = {
  kdc = ipa1.miolinux.corp:88
  master_kdc = ipa1.miolinux.corp:88
  admin_server = ipa1.miolinux.corp:749
  default_domain = miolinux.corp
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION$)s/@MIOVISION/@miovision/
 auth_to_local = DEFAULT

 [root@ipa1 ~]# kinit sdain...@miovision.corp
 Password for sdain...@miovision.corp:
 kinit: KDC reply did not match expectations while getting initial
 credentials

 MIT Kerberos is case-sensitive for the realm, so it should always be
  kinit sdain...@miovision.corp

 make also sure that your rule above has proper realm. If your realm is
 MIOVISION.CORP, then auth_to_local rule is

 auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION.CORP$)s/@MIOVISION.CORP/@miovision.corp/


OK that makes sense. I wasn't sure if it was NETBIOS or not. Changed.


 In MIT Kerberos 1.13 we'll have an interface that will allow SSSD to
 automatically generate (and supply) these rules. Prior to that we have
 to have explicit configuration on all clients and servers.


Excellent, do you work with whomever is maintaining the Ubuntu PPA on this
as well? One of our dev teams is exclusively on Ubuntu 12.04 and I've had
some serious issues with the joining clients from distro.

  A CentOS 6.5 client has this file. The docs didn't mention the manual
 client config, I just assumed the IPA server would proxy the request.
 After
 adding, no change.

 A request to IPA server needs to come from a client and a client needs
 to know about that. We changed SSSD 1.11+ to discover IPA capabilities
 and self-configure but for older clients (1.9..1.10) you need to perform
 it through explicit config.


 With these changes SSSD on IPA client will recognize AD users and
request IPA master to perform name/SID/etc resolution, and also will
make an attempt to parse special part of the Kerberos ticket
generated by AD DC (MS-PAC) that contains signed cached copy of group
ownership for AD users.

 SSSD needs restart after each config change.

 You can do checks step by step to see whether things are working:

 1. Ensure that SSSD on IPA master resolves AD user properly:

getent passwd user@ad.domain

Should return non-empty entry.


 Returns no values.

 [root@ipa1 ~]# getent passwd sdain...@miovision.corp
 [root@ipa1 ~]#

 Can you add debug_level=9 to [domain/...] section in
 /etc/sssd/sssd.conf, restart sssd and try again?

 In /var/log/sssd/sssd_domain.log there will be a lot of debug
 information that I'd like to see (send it privately).

 If sssd properly tries to talk to winbindd to resolve id, I'd like to
 see winbind logs then:

 # smbcontrol all debug 100
 # getent passwd sdain...@miovision.corp
 # smbcontrol all debug 1

 and send me logs from /var/log/samba.

Done, sending logs outside of list.

There are some communications errors. I dropped the firewall on the IPA
server to test the last couple runs at 'getent passwd
sdain...@miovision.corp'.

 2. Ensure that SSSD on IPA client resolves AD user properly:

getent passwd user@ad.domain

Should return non-empty entry.


 [root@snapshot-test ~]# getent passwd sdain...@miovision.corp
 [root@snapshot-test ~]#

  Once we solve it for IPA master, we can continue with this part.

 3. Ensure that Kerberos infrastructure works:

kinit user@ad.domain
kvno -S host ipa.client.domain


 [root@ipa1 ~]# kinit sdain...@miovision.corp
 Password for sdain...@miovision.corp:
 kinit: KDC reply did not match expectations while getting initial
 credentials

 Expected (realm is case-sensitive).

 [root@ipa1 ~]# kinit sdain...@miovision.corp
 Password for sdain...@miovision.corp:

 [root@ipa1 ~]# kvno cifs/dc1.miovision.c...@miovision.corp
 cifs/dc1.miovision.c...@miovision.corp: kvno = 41

 [root@ipa1 ~]# kvno -S host ipa1.miolinux.corp
 host/ipa1.miolinux.c...@miolinux.corp: kvno = 2

 [root@ipa1 ~]# klist
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: sdain...@miovision.corp

 Valid starting     Expires            Service principal
 02/06/14 11:54:55  02/06/14 21:54:57  krbtgt/MIOVISION.CORP@MIOVISION.CORP
 renew until 02/07/14 11:54:55
 02/06/14 11:55:38  02/06/14 21:54:57  cifs/dc1.miovision.corp@MIOVISION.CORP
 renew until 02/07/14 11:54:55
 02/06/14 11:56:50  02/06/14 21:54:57  

Re: [Freeipa-users] Cross domain trust

2014-02-06 Thread Alexander Bokovoy

On Thu, 06 Feb 2014, Steve Dainard wrote:

On Thu, Feb 6, 2014 at 12:42 PM, Alexander Bokovoy aboko...@redhat.com wrote:


On Thu, 06 Feb 2014, Steve Dainard wrote:


   In newer versions (FreeIPA 3.3+, SSSD 1.11+) this is done on IPA master

   automatically by setting   ipa_master_mode = True

   On RHEL 6.x one needs to add the parameters manually.

2. /etc/krb5.conf has to contain auth_to_local rules that map AD
   principals to lower-cased versions because some applications (SSH)
   are very picky about user/principal name mapping. This has to be done
   on both IPA masters and IPA clients.

This was done on the IPA server, but the RHEL 6.5 client doesn't have this
file.

On the IPA server:

[realms]
MIOLINUX.CORP = {
 kdc = ipa1.miolinux.corp:88
 master_kdc = ipa1.miolinux.corp:88
 admin_server = ipa1.miolinux.corp:749
 default_domain = miolinux.corp
 pkinit_anchors = FILE:/etc/ipa/ca.crt
auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION$)s/@MIOVISION/@miovision/
auth_to_local = DEFAULT

[root@ipa1 ~]# kinit sdain...@miovision.corp
Password for sdain...@miovision.corp:
kinit: KDC reply did not match expectations while getting initial
credentials


MIT Kerberos is case-sensitive for the realm, so it should always be
 kinit sdain...@miovision.corp

make also sure that your rule above has proper realm. If your realm is
MIOVISION.CORP, then auth_to_local rule is

auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION.CORP$)s/@MIOVISION.CORP/@miovision.corp/

OK that makes sense. I wasn't sure if it was NETBIOS or not. Changed.

It is realm, always, since krb5.conf rules deal with principal names.

In MIT Kerberos 1.13 we'll have an interface that will allow SSSD to
automatically generate (and supply) these rules. Prior to that we have
to have explicit configuration on all clients and servers.

Excellent, do you work with whomever is maintaining the Ubuntu PPA on this
as well? One of our dev teams is exclusively on Ubuntu 12.04 and I've had
some serious issues with the joining clients from distro.

Talk to Timo Aaltonen (Canonical) who maintains FreeIPA bits in Ubuntu
(and Debian). I believe he is on the list.

In any way, MIT 1.13 will be due this year and for sure will not be
available on Ubuntu 12.04 so you'll need to make sure there is a
delivery process for configuration management at your site (puppet, etc)
that will distribute proper krb5.conf and sssd.conf changes.


Done, sending logs outside of list.

There are some communications errors. I dropped the firewall on the IPA
server to test the last couple runs at 'getent passwd
sdain...@miovision.corp'.

Ok, waiting.

--
/ Alexander Bokovoy

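To see why the realm named in the rule must match exactly, here is a minimal evaluator for the RULE: and DEFAULT auth_to_local forms used in this thread, run against the wrong and the corrected rule from the exchange above. It is an added example that mimics MIT Kerberos behaviour in Python; it is not code from MIT Kerberos, FreeIPA or SSSD, and the function names are my own.

```python
import re

# Added example (not MIT Kerberos, FreeIPA or SSSD code): a minimal
# evaluator for the two auth_to_local forms used in the thread,
#   RULE:[n:format](regexp)s/pattern/replacement/[g]   and   DEFAULT
# It is enough to show why the realm in the rule has to match exactly.
RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"                 # [n:$1@$0]
    r"\((?P<match>.*?)\)"                                   # (regexp)
    r"(?:s/(?P<pat>[^/]*)/(?P<rep>[^/]*)/(?P<flags>g?))?$"  # s/pat/rep/[g]
)

# Rules from the thread: the first names a realm "MIOVISION" that does not
# exist; the second names the real AD realm MIOVISION.CORP.
WRONG_RULE = "RULE:[1:$1@$0](^.*@MIOVISION$)s/@MIOVISION/@miovision/"
RIGHT_RULE = "RULE:[1:$1@$0](^.*@MIOVISION.CORP$)s/@MIOVISION.CORP/@miovision.corp/"


def split_principal(principal):
    """'host/ipa1.miolinux.corp@MIOLINUX.CORP' -> (['host', 'ipa1.miolinux.corp'], 'MIOLINUX.CORP')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError(f"principal has no realm: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule, components, realm):
    """Apply one RULE: line; return the local name, or None if it does not match."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unsupported auth_to_local rule: {rule!r}")
    # [n:format] only applies to principals with exactly n components;
    # $0 expands to the realm, $1..$n to the components.
    if len(components) != int(m["n"]):
        return None
    formatted = m["fmt"].replace("$0", realm)
    for i, comp in enumerate(components, start=1):
        formatted = formatted.replace(f"${i}", comp)
    # The regexp must match the whole formatted string; realms are compared
    # byte for byte, so MIOVISION, MIOVISION.CORP and miovision.corp all differ.
    if re.fullmatch(m["match"], formatted) is None:
        return None
    if m["pat"] is None:  # no s/// part: the formatted string is the result
        return formatted
    count = 0 if m["flags"] == "g" else 1
    return re.sub(m["pat"], m["rep"], formatted, count=count)


def auth_to_local(principal, rules, default_realm):
    """Map a Kerberos principal to a local user name; None if no rule maps it."""
    components, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT maps single-component principals of the default realm
            # to their first component; anything else falls through.
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for rule in (WRONG_RULE, RIGHT_RULE):
        print(rule)
        for p in ("sdainard@MIOVISION.CORP", "sdainard@miovision.corp", "admin@MIOLINUX.CORP"):
            print(f"  {p:26} -> {auth_to_local(p, [rule, 'DEFAULT'], 'MIOLINUX.CORP')}")
```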


[Freeipa-users] Cross domain trust

2014-02-05 Thread Steve Dainard
After the initial setup of a trust I'm attempting to get kerberos tickets
against the AD domain.

Step 12 in this document:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html says:

Then, request service tickets for services within the Active Directory
domain.
[root@ipaserver ]# kvno cifs/adserver.adexample.com@AD.DOMAIN
If the Active Directory service ticket is successfully granted, then there
will be a cross-realm TGT listed with all of the other requested tickets.
This will have the name krbtgt/AD.DOMAIN@IPA.DOMAIN.

I get an error back:
# kvno cifs/dc1.miovision.c...@miovision.corp
kvno: Server not found in Kerberos database while getting credentials for
cifs/dc1.miovision.c...@miovision.corp

But I do have a krbtgt ticket/AD domain:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sdainard-r...@miolinux.corp

Valid starting     Expires            Service principal
02/05/14 14:21:06  02/06/14 14:21:06  krbtgt/miolinux.c...@miolinux.corp
02/05/14 14:21:17  02/06/14 14:21:06  host/ipa1.miolinux.c...@miolinux.corp
02/05/14 14:21:20  02/06/14 14:21:06  krbtgt/miovision.c...@miolinux.corp

Also, is it normal to not find the Linux realm listed in the domain trust
list on the AD DC?



Steve Dainard
IT Infrastructure Manager
Miovision http://miovision.com/

Re: [Freeipa-users] Cross domain trust

2014-02-05 Thread Alexander Bokovoy

On Wed, 05 Feb 2014, Steve Dainard wrote:

After the initial setup of a trust I'm attempting to get kerberos tickets
against the AD domain.

Step 12 in this document:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html says:

Then, request service tickets for services within the Active Directory
domain.
[root@ipaserver ]# kvno cifs/adserver.adexample.com@AD.DOMAIN
If the Active Directory service ticket is successfully granted, then there
will be a cross-realm TGT listed with all of the other requested tickets.
This will have the name krbtgt/AD.DOMAIN@IPA.DOMAIN.

I get an error back:
# kvno cifs/dc1.miovision.c...@miovision.corp
kvno: Server not found in Kerberos database while getting credentials for
cifs/dc1.miovision.c...@miovision.corp

Can you try 'KRB5_TRACE=/dev/stderr kvno -S cifs dc1.miovision.corp'?

Ideally, I'd like to see your /etc/krb5.conf, it should have mapping
between AD DNS domain and AD realm so that IPA KDC will be able to route
the ticket request properly to the AD DC. Without that it may assume
miovision.corp belongs to the IPA realm.

But I do have a krbtgt ticket/AD domain:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sdainard-r...@miolinux.corp

Valid starting     Expires            Service principal
02/05/14 14:21:06  02/06/14 14:21:06  krbtgt/miolinux.c...@miolinux.corp
02/05/14 14:21:17  02/06/14 14:21:06  host/ipa1.miolinux.c...@miolinux.corp
02/05/14 14:21:20  02/06/14 14:21:06  krbtgt/miovision.c...@miolinux.corp

Also, is it normal to not find the Linux realm listed in the domain trust
list on the AD DC?

It should be listed there. If it is not listed, it means no real trust
is established on the AD side.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Cross domain trust

2014-02-05 Thread Alexander Bokovoy

On Wed, 05 Feb 2014, Alexander Bokovoy wrote:

On Wed, 05 Feb 2014, Steve Dainard wrote:

After the initial setup of a trust I'm attempting to get kerberos tickets
against the AD domain.

Step 12 in this document:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html says:

Then, request service tickets for services within the Active Directory
domain.
[root@ipaserver ]# kvno cifs/adserver.adexample.com@AD.DOMAIN
If the Active Directory service ticket is successfully granted, then there
will be a cross-realm TGT listed with all of the other requested tickets.
This will have the name krbtgt/AD.DOMAIN@IPA.DOMAIN.

I get an error back:
# kvno cifs/dc1.miovision.c...@miovision.corp
kvno: Server not found in Kerberos database while getting credentials for
cifs/dc1.miovision.c...@miovision.corp

Can you try 'KRB5_TRACE=/dev/stderr kvno -S cifs dc1.miovision.corp'?

Ideally, I'd like to see your /etc/krb5.conf, it should have mapping
between AD DNS domain and AD realm so that IPA KDC will be able to route
the ticket request properly to the AD DC. Without that it may assume
miovision.corp belongs to the IPA realm.

Actually, that mapping should be generated by sssd in
/var/lib/sss/pubconf/krb5.include.d/domain_realm_miolinux_corp

--
/ Alexander Bokovoy



Re: [Freeipa-users] Cross domain trust

2014-02-05 Thread Steve Dainard
I didn't have the firewall on my IPA server down while forming the trust.
All seems to be working now.

Thanks for your help.

Steve

[Freeipa-users] cross domain trust between two IPA servers

2012-08-07 Thread Johnathan Phan
Hi everyone,

Is it possible to create a cross domain trust between two IPA servers? I
would have thought FreeIPA would have dealt with this use case first rather
than jump directly into integrating with AD.

The reason for this is because you're more likely to have satellite sites of
Redhat servers you want to manage.

Example of this is shown below.

You require user details to be separated for two separate organizations
that merge together. In the interim period or permanently you may want
members data to be stored in the two separate Realms for either legal
reasons or for company structure reasons (Management). As you do this quite
frequently with Microsoft AD environments when corporations merge or buy one
another out. Or a parent company buys a smaller company but wants to hook
the two systems together without merging them completely to keep the
companies' identity and major operations separate.

Is there any way to do this with two IPA servers?

-- 
Johnathan Phan
ox-consulting

T: +44 (0)784 118 7080
j...@ox-consulting.com

Re: [Freeipa-users] cross domain trust between two IPA servers

2012-08-07 Thread Simo Sorce
On Tue, 2012-08-07 at 14:54 +0100, Johnathan Phan wrote:
 Hi everyone,
 
 Is it possible to create a cross domain trust between two IPA servers?
 I would have thought FreeIPA would have dealt with this use case first
 rather than jump directly into integrating with AD.

Not yet. The reason we dealt with AD first is that there were more
requests for that use case.


 The reason for this is because you're more likely to have satellite
 sites of Redhat servers you want to manage.
 
 Example of this is shown below.
 
 You require user details to be separated for two separate
 organizations that merge together. In the interim period or
 permanently you may want members data to be stored in the two separate
 Realms for either legal reasons or for company structure reasons
 (Management). As you do this quite frequently with Microsoft AD
 environments when corporations merge or buy one another out. Or a
 parent company buys a smaller company but wants to hook the two systems
 together without merging them completely to keep the companies'
 identity and major operations separate.
 
 Is there any way to do this with two IPA servers?

We are planning to add FreeIPA-FreeIPA trusts in due course, and a
kerberos level trust between 2 IPA servers can be done with some manual
work, but there are some details when it comes to providing identity to
the other domain that are missing. (Although SSSD can be configured
easily enough to use 2 separate FreeIPA domains if really needed).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] cross domain trust between two IPA servers

2012-08-07 Thread Simo Sorce
On Tue, 2012-08-07 at 16:36 +0100, Johnathan Phan wrote:
 Hi Simo,
 
 This document here implies that this does it.
 
 http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html#basic-trust

This document does not apply to Identity Management (FreeIPA in RHEL
speak); it is for a classic Kerberos KDC.
However, it is a reasonable guide to experiment with trusts.

 However during testing it does not behave as expected.
 
 Do you have any documentation on how SSSD can be configured so that
 logging in on a server in a.example.com with a user that exists
 in the IPA server responsible for domain b.example.com can happen,
 only based on the rights the group has in b.example.com?
 
 any reference material on how that could work will help me a long way.

You should look into the fact SSSD can be defined to have multiple
domains.

This means though that the 'receiving' machines need to be configured for
both realms.

This is one of the gotchas, given the current lack of actual
integration. Moving forward, when we have official integration, manual
configuration of a separate SSSD domain will not be necessary and
group memberships will work better.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
