On Fri, Dec 5, 2014 at 12:26 PM, <freeipa-users-requ...@redhat.com> wrote:
>
> Send Freeipa-users mailing list submissions to
> freeipa-users@redhat.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/freeipa-users
> or, via email, send a message with subject or body 'help' to
> freeipa-users-requ...@redhat.com
>
> You can reach the person managing the list at
> freeipa-users-ow...@redhat.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeipa-users digest..."
>
> Today's Topics:
>
> 1. ad trust and default_domain_suffix (Nicolas Zin)
> 2. Re: ad trust and default_domain_suffix (Nicolas Zin)
> 3. Re: strange error - disconnecting a replica? (Martin Kosek)
> 4. Re: strange error - disconnecting a replica? (thierry bordaz)
> 5. Re: strange error - disconnecting a replica? (thierry bordaz)
> 6. Re: strange error - disconnecting a replica? (Martin Kosek)
> 7. Re: Cross-Realm authentification (Andreas Ladanyi)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 4 Dec 2014 12:49:36 -0500 (EST)
> From: Nicolas Zin <nicolas....@savoirfairelinux.com>
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] ad trust and default_domain_suffix
> Message-ID: <227542639.160677.1417715376443.JavaMail.root@mail>
> Content-Type: text/plain; charset=utf-8
>
> Hi,
>
> I have an IDM (v3.3) installed on Red Hat 7.
> I have an IDM realm connected to an AD via a trust relationship.
> In the IDM realm there are Red Hat 6 and Red Hat 5 clients.
>
> My client asks to be able to connect to the Linux machines with their AD
> accounts without entering their domain (just the username). On Red Hat 6
> there is an option for sssd (default_domain_suffix=).
> It seems to be exactly what I need, but I have a problem. If I use this
> option, I can indeed log in with my AD username with domain name, but I
> cannot log in with my Linux IDM username anymore, even if I use my fully
> qualified username@realm, i.e. in the middle of the PAM authentication it
> seems to fail (when I ssh to the machine with "ssh <server> -l admin@<realm>",
> I get "Write failed: Broken pipe"). If needed I can send more logs.
>
> I reproduced the problem in a simpler environment: just a Linux realm,
> with default_domain_suffix set to a nonexistent domain, and again I cannot
> ssh to my server with my fully qualified username@realm.
>
> Here is my sssd.conf:
>
> [domain/idm1]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = idm1
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = dc.idm1
> chpass_provider = ipa
> ipa_server = dc.idm1
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> domains = idm1
> default_domain_suffix=toto.com
>
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> Here is my krb5.conf:
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = IDM1
> dns_lookup_realm = false
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> default_ccache_name = KEYRING:persistent:%{uid}
> ignore_acceptor_hostname = true
>
> [realms]
> IDM1 = {
>   kdc = dc.idm1:88
>   master_kdc = dc.idm1:88
>   admin_server = dc.idm1:749
>   default_domain = idm1
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .idm1 = IDM1
> idm1 = IDM1
>
> [dbmodules]
> IDM1 = {
>   db_library = ipadb.so
> }
>
> Is there something to add to make it work?
>
> Side note: also with Red Hat 5, which is configured following ipa-advise
> sssd-before-1.9, default_domain_suffix is not understood with sssd < 1.9.
> Is there a way to force RHEL5 to let my Windows users connect
> without entering their domain? I don't know if there is a way to tune the
> compatibility tree returned by the LDAP server, for example.
>
> Or should I try to compile sssd 1.9 for RHEL5? (But I guess this is easier
> said than done.) Or is it not worth it? (Incompatibility with Kerberos, or
> with the RHEL5 kernel?)
>
> Regards,
>
> Nicolas Zin
>
> ------------------------------
>
> Message: 2
> Date: Thu, 4 Dec 2014 16:53:00 -0500 (EST)
> From: Nicolas Zin <nicolas....@savoirfairelinux.com>
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ad trust and default_domain_suffix
> Message-ID: <992955671.305465.1417729980028.JavaMail.root@mail>
> Content-Type: text/plain; charset=utf-8
>
> I answer myself (but my problem is not resolved).
>
> ----- Original message -----
> > From: "Nicolas Zin" <nicolas....@savoirfairelinux.com>
> > To: freeipa-users@redhat.com
> > Sent: Thursday, 4 December 2014 18:49:36
> > Subject: [Freeipa-users] ad trust and default_domain_suffix
> >
> > Hi,
> >
> > I have an IDM (v3.3) installed on Red Hat 7.
> > I have an IDM realm connected to an AD via a trust relationship.
> > In the IDM realm there are Red Hat 6 and Red Hat 5 clients.
> >
> > My client asks to be able to connect to the Linux machines with their AD
> > accounts without entering their domain (just the username). On Red Hat 6
> > there is an option for sssd (default_domain_suffix=).
> > It seems to be exactly what I need, but I have a problem. If I use this
> > option, I can indeed log in with my AD username with domain name, but I
> > cannot log in with my Linux IDM username anymore, even if I use my fully
> > qualified username@realm, i.e. in the middle of the PAM authentication it
> > seems to fail (when I ssh to the machine with "ssh <server> -l admin@<realm>",
> > I get "Write failed: Broken pipe"). If needed I can send more logs.
> >
> > I reproduced the problem in a simpler environment: just a Linux
> > realm, with default_domain_suffix set to a nonexistent domain, and again I
> > cannot ssh to my server with my fully qualified username@realm.
>
> So when I try to do "ssh localhost -l admin@idm1" (idm1 is my domain name),
> in /var/log/sssd/sssd_nss.log I find:
>
> ...
> (Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@idm1]
> (Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [idm1]
> (Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@idm1]
> (Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [idm1]
> (Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@idm1]
> (Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [idm1]
> (Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@idm1]
> (Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [idm1]
> (Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@idm1]
> (Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name received [admin]
>
> So it seems to be a problem with nss not being able to find my user.
> Indeed, if I do "getent passwd admin" it doesn't show anything, but if I
> do "getent passwd admin@idm1" it works.
>
> I found a "workaround":
> getent passwd admin@idm1 >> /etc/passwd
>
> Now I can ssh to my server:
> ssh localhost -l admin@idm1
>
> Is it a bug? Is there a better "workaround"?
>
> Regards,
>
> ------------------------------

Hi,
Did you find any other workaround for this issue? I am also having the same issue. I am looking at migrating an existing IPA to a full trust with AD; this might not be acceptable to my end users. Does anyone else have a workaround for using default_domain_suffix for AD users without requiring fully qualified names for IPA users? I observed that if the IPA user is in the sssd cache, id and other commands work for the IPA user, but ssh without @ipadomain does not work in any case.

Regards,
Shashikant
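The following is an added check written for this page; it is not code from the thread, from sssd or from FreeIPA. It models the behaviour the two posts run into: sssd.conf(5) documents default_domain_suffix as the domain appended to every login name that has no domain component, so once it is set, accounts in any other configured domain resolve only as user@domain, and the "getent ... >> /etc/passwd" workaround leaves a static copy of a directory account in the local files. The sssd.conf fragment is constructed from the first post, the passwd fragment is constructed (the uid/gid are made up), and the function names are mine.

```python
import configparser

# Constructed sample: the [sssd] and [domain/idm1] sections from the first
# post, trimmed to the options that matter for name resolution.
SAMPLE_SSSD_CONF = """\
[domain/idm1]
id_provider = ipa
auth_provider = ipa
ipa_domain = idm1
ipa_server = dc.idm1
ipa_server_mode = True

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = idm1
default_domain_suffix=toto.com
"""

# Constructed sample: /etc/passwd after running
# "getent passwd admin@idm1 >> /etc/passwd" (uid/gid are made up).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin@idm1:*:1423400000:1423400000:Administrator:/home/admin:/bin/bash
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text. Interpolation is off: values such as
    default_ccache_name-style templates may legitimately contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def configured_domains(cp):
    """Domains listed in [sssd] domains=, in the order sssd searches them."""
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def resolve_login(login, cp):
    """Split a login into (user, domain) following the sssd.conf(5) rule:
    a name containing '@' is split at its last '@'; an unqualified name
    gets default_domain_suffix if set, otherwise no domain (sssd then
    walks the configured domains in order)."""
    if "@" in login:
        user, _, domain = login.rpartition("@")
        return user, domain
    return login, cp.get("sssd", "default_domain_suffix", fallback=None)


def audit(cp, passwd_text=""):
    """Return warnings describing the resolution problem from the thread."""
    warnings = []
    suffix = cp.get("sssd", "default_domain_suffix", fallback=None)
    domains = configured_domains(cp)
    if suffix:
        if suffix not in domains:
            warnings.append(
                f"default_domain_suffix={suffix} is not listed in domains=; "
                "expected when it names a trusted AD domain reached through an "
                "IPA domain, otherwise every unqualified login fails to resolve")
        for d in domains:
            if d != suffix:
                warnings.append(
                    f"accounts in domain {d} must log in as user@{d}; "
                    f"a plain 'user' now resolves as user@{suffix}")
    # The workaround copies a directory entry into the local passwd file:
    # a username with '@' in files(5) is the tell-tale of that copy.
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and "@" in fields[0]:
            warnings.append(
                f"/etc/passwd carries a copied directory account '{fields[0]}'; "
                "it is a static duplicate whose uid, shell and home will not "
                "follow changes made in the directory")
    return warnings


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    for login in ("admin", "admin@idm1", "jdoe@toto.com"):
        print(login, "->", resolve_login(login, conf))
    for w in audit(conf, SAMPLE_PASSWD):
        print("WARNING:", w)
```

Run against the posted configuration, `resolve_login("admin", conf)` yields `("admin", "toto.com")`, which is why "getent passwd admin" returns nothing while "getent passwd admin@idm1" works; the audit additionally flags the copied `admin@idm1` line so the workaround does not silently outlive the problem it papered over.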
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project