Re: [Freeipa-users] Trying To Debug AD Trust Quirks
On Tue, Mar 28, 2017 at 11:59:27AM -0500, Jason B. Nance wrote: > Hello, > > I'm using AD trusts with FreeIPA 4.4.0 and am having a heck of a time with > strange behavior. Some examples include: > > - Trust user's home directory sporadically getting set to '/' instead of > /home/domain/user > - Trust user losing HBAC privileges (granted via group membership) > - Trust user losing sudo privileges (granted via group membership) > - OS logging that trust user's account has expired when it hasn't > > I'm currently unable to predict/reproduce occurrences of these issues. I can > say that they aren't tied to a specific user or host. For example, a user > will login to a host without any issues and then later that same user's home > directory (as reported by getent) will suddenly be set to / instead of > /home/... > > My first step, of course, is to gather logs. Should I be focusing on the > SSSD on the client or on the IPA servers? I'm not entirely clear how/where > lots of this data get assigned/queried. > > My other question is if there is a way to pin down a client to [temporarily] > use a specific IPA server and specific AD server (even if it means a firewall > rule that only allows the host to communicate with one IPA and one AD host). Normally time-correlated logs from both the server's domain and nss sections of sssd.conf and the client's domain section are a good start. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Trying To Debug AD Trust Quirks
On Tue, Mar 28, 2017 at 11:59:27AM -0500, Jason B. Nance wrote: > My other question is if there is a way to pin down a client to > [temporarily] use a specific IPA server using the ipa_server directive in sssd.conf > and specific AD server (even if > it means a firewall rule that only allows the host to communicate with > one IPA and one AD host). the clients don't talk to ADs to resolve user information, only the servers do. The clients only talk to AD DCs for authentication (to make this a bit more complex, the authentication also involves parsing a Kerberos PAC blob by the authentication helper in SSSD which also includes the group memberships). And unfortunately until RHEL-7.4 and SSSD 1.15 are out, then pinning the SSSD on the IDM servers to a specific AD DC is only possible by modifying the DNS SRV records or creating an AD site for the IDM server. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Trying To Debug AD Trust Quirks
Hello, I'm using AD trusts with FreeIPA 4.4.0 and am having a heck of a time with strange behavior. Some examples include: - Trust user's home directory sporadically getting set to '/' instead of /home/domain/user - Trust user losing HBAC privileges (granted via group membership) - Trust user losing sudo privileges (granted via group membership) - OS logging that trust user's account has expired when it hasn't I'm currently unable to predict/reproduce occurrences of these issues. I can say that they aren't tied to a specific user or host. For example, a user will login to a host without any issues and then later that same user's home directory (as reported by getent) will suddenly be set to / instead of /home/... My first step, of course, is to gather logs. Should I be focusing on the SSSD on the client or on the IPA servers? I'm not entirely clear how/where lots of this data get assigned/queried. My other question is if there is a way to pin down a client to [temporarily] use a specific IPA server and specific AD server (even if it means a firewall rule that only allows the host to communicate with one IPA and one AD host). Thanks, j -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project