[Freeipa-users] Re: AD trust setup woes

2017-09-28 Thread Igor Sever via FreeIPA-users
There is an IPA provider, but no sssd_pac module.
[service_startup_handler] (0x0010): Could not exec /usr/lib/sssd/sssd_pac
--debug-to-files, reason: No such file or directory
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: AD trust setup woes

2017-09-12 Thread Alexander Bokovoy via FreeIPA-users

On ti, 12 syys 2017, Igor Sever via FreeIPA-users wrote:

Unfortunately, I cannot upgrade systems and packages as I want because of
legacy applications.
Is there information somewhere on how I would approach configuring SSSD
to use FreeIPA as a Kerberos and LDAP provider, and for policies to work?
I can only find where access is enforced with an LDAP filter in the SSSD
configuration in that case.  Thanks.

If SUSE version of SSSD is built without IPA provider, then HBAC rules
wouldn't be available. Part of functionality is implemented in the IPA
provider and does not exist in a pure LDAP provider.

--
/ Alexander Bokovoy


[Freeipa-users] Re: AD trust setup woes

2017-09-12 Thread Igor Sever via FreeIPA-users
Unfortunately, I cannot upgrade systems and packages as I want because of 
legacy applications.
Is there information somewhere on how I would approach configuring SSSD to use 
FreeIPA as a Kerberos and LDAP provider, and for policies to work? I can only find 
where access is enforced with an LDAP filter in the SSSD configuration in that case.
Thanks. 


[Freeipa-users] Re: AD trust setup woes

2017-09-11 Thread Lukas Slebodnik via FreeIPA-users
On (11/09/17 07:42), Igor Sever via FreeIPA-users wrote:
>Can I use FreeIPA as a Kerberos and LDAP provider (not as IPA) and still use 
>policies somehow?

Yes, you can, but sssd-1.11.5.1 was quite broken and contained many bugs.
1.11.8 should be much better, but from the sssd upstream POV 1.13 is the long-term
maintenance branch. Older branches are not supported by upstream anymore.

LS


[Freeipa-users] Re: AD trust setup woes

2017-09-11 Thread Igor Sever via FreeIPA-users
Can I use FreeIPA as a Kerberos and LDAP provider (not as IPA) and still use 
policies somehow?


[Freeipa-users] Re: AD trust setup woes

2017-09-11 Thread Igor Sever via FreeIPA-users
sssd-krb5-common-1.11.5.1-14.1.x86_64
sssd-32bit-1.11.5.1-28.1.x86_64
sssd-ad-1.11.5.1-14.1.x86_64
sssd-ipa-1.11.5.1-14.1.x86_64
python-sssd-config-1.11.5.1-14.1.x86_64
sssd-1.11.5.1-14.1.x86_64
sssd-tools-1.11.5.1-14.1.x86_64
sssd-krb5-1.11.5.1-14.1.x86_64
sssd-ldap-1.11.5.1-14.1.x86_64
ipa-client:~ # rpm -qa | grep krb5
sssd-krb5-common-1.11.5.1-14.1.x86_64
krb5-plugin-preauth-pkinit-1.12.1-19.1.x86_64
libndr-krb5pac0-4.2.4-28.3.1.x86_64
krb5-1.12.1-36.4.x86_64
libndr-krb5pac0-32bit-4.2.4-28.3.1.x86_64
krb5-client-1.12.1-19.1.x86_64
sssd-krb5-1.11.5.1-14.1.x86_64
krb5-32bit-1.12.1-36.4.x86_64

On the SUSE site there is no info about integration with FreeIPA. They are 
mostly focused on LDAP authentication. There is no mention of sssd_pac existing in their 
sssd packages. I think I am out of luck with this.


[Freeipa-users] Re: AD trust setup woes

2017-09-10 Thread Jakub Hrozek via FreeIPA-users

> On 10 Sep 2017, at 16:36, Igor Sever via FreeIPA-users 
>  wrote:
> 
> It looks like my problems with AD trust on the server side went away when I 
> upgraded to FreeIPA 4.5 using CentOS 7.4 packages, but unfortunately this is 
> only half of the way. 
> I have a lot of SLES 11 and 12 servers, but it looks like the SSSD that comes with 
> SLES is not as fully featured as on RHEL or CentOS. Basic authentication is working, 
> but policies are not working because group membership is not available on the 
> SLES SSSD client (when checking with the id command). Even on SLES 12 SP1 I 
> cannot get it to work.
> In krb5_child.log I see the error: 
> [validate_tgt] (0x0040): sss_extract_and_send_pac failed, group membership 
> for user with principal [**] might not be correct.
> When I try to enable the PAC service, starting SSSD fails and I get:
> [service_startup_handler] (0x0010): Could not exec /usr/lib/sssd/sssd_pac 
> --debug-to-files, reason: No such file or directory
> I installed all packages related to SSSD and all dependencies.
> Is the PAC service necessary for group resolution? Is there any other option?

Umm, how old is the sssd there? What version?



[Freeipa-users] Re: AD trust setup woes

2017-09-10 Thread Igor Sever via FreeIPA-users
It looks like my problems with AD trust on the server side went away when I 
upgraded to FreeIPA 4.5 using CentOS 7.4 packages, but unfortunately this is 
only half of the way. 
I have a lot of SLES 11 and 12 servers, but it looks like the SSSD that comes with 
SLES is not as fully featured as on RHEL or CentOS. Basic authentication is working, 
but policies are not working because group membership is not available on the SLES 
SSSD client (when checking with the id command). Even on SLES 12 SP1 I cannot get 
it to work.
In krb5_child.log I see the error: 
[validate_tgt] (0x0040): sss_extract_and_send_pac failed, group membership for 
user with principal [**] might not be correct.
When I try to enable the PAC service, starting SSSD fails and I get:
[service_startup_handler] (0x0010): Could not exec /usr/lib/sssd/sssd_pac 
--debug-to-files, reason: No such file or directory
I installed all packages related to SSSD and all dependencies.
Is the PAC service necessary for group resolution? Is there any other option?


[Freeipa-users] Re: AD trust setup woes

2017-08-03 Thread Alexander Bokovoy via FreeIPA-users

On to, 03 elo 2017, Igor Sever via FreeIPA-users wrote:

I didn’t specify any ID range. This was all done automagically by
setup. I read a lot of documentation, and I can’t remember that ever
being mentioned. We indeed had NIS at some point, but this is not
supported any more by MS, and FreeIPA should not just presume that we
have gidNumber on all accounts. Where should I look for the settings that
you specify?

For a succinct answer look at what Justin wrote you yesterday.

Documentation is available here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#id-ranges

You have all the options to either go with automated detection or
override which ID range type to use.

--
/ Alexander Bokovoy


[Freeipa-users] Re: AD trust setup woes

2017-08-02 Thread Igor Sever via FreeIPA-users
I didn’t specify any ID range. This was all done automagically by setup. I read 
a lot of documentation, and I can’t remember that ever being mentioned. We 
indeed had NIS at some point, but this is not supported any more by MS, and 
FreeIPA should not just presume that we have gidNumber on all accounts. Where 
should I look for the settings that you specify? 


[Freeipa-users] Re: AD trust setup woes

2017-08-02 Thread Alexander Bokovoy via FreeIPA-users

On ke, 02 elo 2017, Igor Sever via FreeIPA-users wrote:

There is no gidNumber attribute on AD group objects. If I want to apply
posix attributes directly in AD, then I don't need FreeIPA, do I...
https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/

Can you show details about your trust configuration?

# ipa trust-show my.ad.domain
# ipa idrange-show MY.AD.DOMAIN_id_range

My hunch is that you established a trust with an ID range that defines
you have POSIX IDs in your Active Directory. Thus, SSSD assumes you have
allocated uidNumber/gidNumber yourself in user/group entries in AD LDAP.

If you definitely don't have POSIX IDs in AD, then it might be that you
had at some point NIS integration enabled on AD side and thus 'ipa
trust-add' detected appropriate settings for this mode in AD and
configured the ID range accordingly.


It is obvious that FreeIPA integration with AD is not production ready,
and probably never will be for numerous reasons, just like samba...

It does not help to throw accusations without providing any details on
how you configured a system.

--
/ Alexander Bokovoy


[Freeipa-users] Re: AD trust setup woes

2017-08-02 Thread Jakub Hrozek via FreeIPA-users
On Wed, Aug 02, 2017 at 11:40:46AM -, Igor Sever via FreeIPA-users wrote:
> There is no gidNumber attribute on AD group objects. If I want to apply
> posix attributes directly in AD, then I don't need FreeIPA, do I...

Many users and customers have an existing environment where some
machines are enrolled directly to AD and new ones are being added
directly to IPA, and they want to use the same POSIX IDs everywhere.

Others choose to ID-map. 

As for why the idrange was selected as posix, see Justin's answer.

> https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/

Well, only the tools are deprecated, the schema is there to stay.


[Freeipa-users] Re: AD trust setup woes

2017-08-02 Thread Igor Sever via FreeIPA-users
There is no gidNumber attribute on AD group objects. If I want to apply posix 
attributes directly in AD, then I don't need FreeIPA, do I...
https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/
It is obvious that FreeIPA integration with AD is not production ready, and 
probably never will be for numerous reasons, just like samba...


[Freeipa-users] Re: AD trust setup woes

2017-08-01 Thread Jakub Hrozek via FreeIPA-users
On Tue, Aug 01, 2017 at 11:20:16AM -, Igor Sever via FreeIPA-users wrote:
> I have the same error.
> I established a two-way trust with AD, which went fine.
> Authentication with Kerberos to AD is working.
> Since I have one test FreeIPA which is working (relatively) correctly, I 
> compared logs and pinpointed the problem to a strange LDAP search which FreeIPA 
> is sending to the DC:
> (&(sAMAccountName=domain\20admins)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0
> This LDAP query is of course not working on AD. I don’t know why FreeIPA is 
> sending this kind of query to AD in this case.
> The only difference that I can think of in this case is that I didn’t establish 
> the trust in two steps, but in one step from FreeIPA using the command switch 
> --two-way=true.

Pardon my ignorance, but what part of that query doesn't work?


[Freeipa-users] Re: AD trust setup woes

2017-08-01 Thread Igor Sever via FreeIPA-users
I have the same error.
I established a two-way trust with AD, which went fine.
Authentication with Kerberos to AD is working.
Since I have one test FreeIPA which is working (relatively) correctly, I 
compared logs and pinpointed the problem to a strange LDAP search which FreeIPA 
is sending to the DC:
(&(sAMAccountName=domain\20admins)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0
This LDAP query is of course not working on AD. I don’t know why FreeIPA is 
sending this kind of query to AD in this case.
The only difference that I can think of in this case is that I didn’t establish 
the trust in two steps, but in one step from FreeIPA using the command switch 
--two-way=true.
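
The filter quoted above, run through a small RFC 4515 matcher, as an added example that is not FreeIPA or SSSD code: it shows the query is well-formed (Jakub's point) and that the (gidNumber=*) branch is what excludes an AD group lacking POSIX attributes, which is what a POSIX-type ID range makes SSSD expect (Alexander's point). The closing parentheses missing from the logged filter and the two group entries are constructed.

```python
"""Evaluate the group-lookup filter from the thread against AD group entries.

Added example, not FreeIPA or SSSD code: a minimal RFC 4515 matcher for the
operators that filter uses (&, |, !, equality, presence, \\XX escapes). The
closing parentheses and the group entries below are constructed.
"""
import re

HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")

# The filter as quoted in the thread (cut off in the log) and its assumed complete form.
FILTER_AS_QUOTED = (r"(&(sAMAccountName=domain\20admins)(objectClass=group)"
                    r"(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0")
TRUST_FILTER = FILTER_AS_QUOTED + "))))"

# Constructed AD group entries: the same group without and with POSIX attributes.
AD_GROUP_NO_POSIX = {"sAMAccountName": ["Domain Admins"], "objectClass": ["top", "group"]}
AD_GROUP_WITH_POSIX = dict(AD_GROUP_NO_POSIX, gidNumber=["10512"])


def unescape(value):
    """Decode RFC 4515 \\XX escapes: 'domain\\20admins' -> 'domain admins'."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse a filter string into a tuple tree; ValueError if malformed or truncated."""
    text = text.strip()
    try:
        node, pos = _parse(text, 0)
    except IndexError:
        raise ValueError("filter is truncated: %r" % text)
    if pos != len(text):
        raise ValueError("trailing characters after filter: %r" % text[pos:])
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, children), i + 1
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("!", [child]), i + 1
    end = s.index(")", i)  # ValueError if the item is never closed
    attr, sep, value = s[i:end].partition("=")
    if not attr or not sep:
        raise ValueError("unsupported filter item %r" % s[i:end])
    if value == "*":
        return ("present", attr), end + 1
    return ("eq", attr, unescape(value)), end + 1


def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def required_attrs(node):
    """Attributes every matching entry must carry (items under the AND chain)."""
    if node[0] == "&":
        return set().union(*(required_attrs(c) for c in node[1]))
    return {node[1]} if node[0] in ("present", "eq") else set()


def matches(node, entry):
    """Evaluate a parsed filter against {attr: [values]}; names compare case-insensitively."""
    return _eval(node, {k.lower(): [str(v) for v in vs] for k, vs in entry.items()})


def _eval(node, entry):
    kind = node[0]
    if kind in ("&", "|"):
        results = [_eval(c, entry) for c in node[1]]
        return all(results) if kind == "&" else any(results)
    if kind == "!":
        return not _eval(node[1][0], entry)
    if kind == "present":
        return node[1].lower() in entry
    return any(v.lower() == node[2].lower() for v in entry.get(node[1].lower(), []))


def explain(entries):
    """sAMAccountNames the trust filter would return from the given entries."""
    tree = parse_filter(TRUST_FILTER)
    return [e["sAMAccountName"][0] for e in entries if matches(tree, e)]
```

explain([AD_GROUP_NO_POSIX]) returns nothing, while the same group with a gidNumber is returned; required_attrs lists gidNumber among the attributes a match must carry.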


[Freeipa-users] Re: AD trust setup woes

2017-07-26 Thread Jakub Hrozek via FreeIPA-users
On Tue, Jul 25, 2017 at 10:12:38AM -0400, Jason Hensley via FreeIPA-users wrote:
> On Tue, Jul 25, 2017 at 2:29 AM, Jakub Hrozek via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
> 
> > On Mon, Jul 24, 2017 at 04:25:14PM -0400, Jason Beck via FreeIPA-users
> > wrote:
> > > On Mon, Jul 24, 2017 at 2:53 PM, Jason Beck 
> > wrote:
> > >
> > > > On Mon, Jul 24, 2017 at 2:23 PM, Jakub Hrozek 
> > wrote:
> > > >
> > > >> On Mon, Jul 24, 2017 at 01:53:20PM -0400, Jason Beck wrote:
> > > >> > On Mon, Jul 24, 2017 at 9:25 AM, Jakub Hrozek 
> > > >> wrote:
> > > >> >
> > > >> > > On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote:
> > > >> > > > On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" <
> > > >> > > > freeipa-users@lists.fedorahosted.org> wrote:
> > > >> > > >
> > > >> > > > > On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via
> > > >> FreeIPA-users
> > > >> > > > > wrote:
> > > >> > > > > > I have been trying to reliably get an AD trust setup for a
> > few
> > > >> weeks
> > > >> > > and
> > > >> > > > > no
> > > >> > > > > > matter what I try, when I goto add AD users to an external
> > > >> group in
> > > >> > > > > > FreeIPA, I get:
> > > >> > > > > >
> > > >> > > > > > "trusted domain object not found"
> > > >> > > > > >
> > > >> > > > > > Googling around tends to always yield the same suggestions:
> > > >> > > > > >
> > > >> > > > > > 1) Check time sync
> > > >> > > > > > 2) Check DNS
> > > >> > > > > > 3) Check firewall
> > > >> > > > > >
> > > >> > > > > > I have done all of this ad nauseam in several different
> > > >> environments
> > > >> > > with
> > > >> > > > > > several different versions of FreeIPA and Windows servers.
> > I
> > > >> have
> > > >> > > > > gotten a
> > > >> > > > > > setup to work maybe 2% of the time out of hundreds of
> > attempts.
> > > >> > > > > >
> > > >> > > > > > I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the
> > COPR
> > > >> > > repo).
> > > >> > > > > I
> > > >> > > > > > am trying to establish trust with a mixed Windows 2012 &
> > 2008
> > > >> > > forest. I
> > > >> > > > > > have tried both one and two way trusts.  Everything seems to
> > > >> work
> > > >> > > fine up
> > > >> > > > > > until I try to add AD users to FreeIPA.
> > > >> > > > > >
> > > >> > > > > > I have verified all of the requisite DNS records exist and
> > > >> return the
> > > >> > > > > > proper information on both sides, there are no firewalls
> > > >> between any
> > > >> > > of
> > > >> > > > > the
> > > >> > > > > > hosts, and the AD servers and FreeIPA servers are
> > synchronized
> > > >> by the
> > > >> > > > > same
> > > >> > > > > > NTP servers.
> > > >> > > > > >
> > > >> > > > > > What could I possibly be missing?
> > > >> > > > >
> > > >> > > > > Can you resolve the object you're trying to add with sssd?
> > > >> > > > >
> > > >> > > > > e.g. id foo@windows.domain
> > > >> > > >
> > > >> > > >
> > > >> > > > No.  I can login via Kerberos, kinit user@ad.domain.  But
> > neither
> > > >> id
> > > >> > > > user@ad.domain nor getent passwd user@ad.domain are successful.
> > > >> > >
> > > >> > > Then please follow
> > > >> > > https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
> > > >> > >
> > > >> >
> > > >> > Jakub,
> > > >> >
> > > >> >   Thank you for the support thus far.  I have followed some
> > suggestions
> > > >> in
> > > >> > the sssd troubleshooting link you provided.  I am seeing these
> > errors
> > > >> > whenever I try to perform an operation that would lookup an AD user,
> > > >> e.g.
> > > >> > id user@ad.domain.  I am performing the user lookups on the
> > primary IPA
> > > >> > server itself.
> > > >> >
> > > >> > *sssd.conf:*
> > > >> >
> > > >> > [domain/ipa.domain]
> > > >> >
> > > >> > debug_level = 10
> > > >> >
> > > >> > cache_credentials = True
> > > >> >
> > > >> > enumerate = False
> > > >> >
> > > >> > krb5_store_password_if_offline = True
> > > >> >
> > > >> > ipa_domain = ipa.domain
> > > >> >
> > > >> > id_provider = ipa
> > > >> >
> > > >> > auth_provider = ipa
> > > >> >
> > > >> > access_provider = ipa
> > > >> >
> > > >> > ipa_hostname = ipa01.ipa.domain
> > > >> >
> > > >> > chpass_provider = ipa
> > > >> >
> > > >> > ipa_server = _srv_
> > > >> >
> > > >> > ldap_tls_cacert = /etc/ipa/ca.crt
> > > >> >
> > > >> > [sssd]
> > > >> >
> > > >> > services = sudo, nss, ifp, pam, ssh, pac
> > > >> >
> > > >> > debug_level = 10
> > > >> >
> > > >> > domains = ipa.domain
> > > >> >
> > > >> > [nss]
> > > >> >
> > > >> > debug_level = 10
> > > >> >
> > > >> > [pam]
> > > >> >
> > > >> > debug_level = 10
> > > >> >
> > > >> > [sudo]
> > > >> >
> > > >> > debug_level = 

[Freeipa-users] Re: AD trust setup woes

2017-07-25 Thread Jason Hensley via FreeIPA-users
On Tue, Jul 25, 2017 at 2:29 AM, Jakub Hrozek via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On Mon, Jul 24, 2017 at 04:25:14PM -0400, Jason Beck via FreeIPA-users
> wrote:
> > On Mon, Jul 24, 2017 at 2:53 PM, Jason Beck 
> wrote:
> >
> > > On Mon, Jul 24, 2017 at 2:23 PM, Jakub Hrozek 
> wrote:
> > >
> > >> On Mon, Jul 24, 2017 at 01:53:20PM -0400, Jason Beck wrote:
> > >> > On Mon, Jul 24, 2017 at 9:25 AM, Jakub Hrozek 
> > >> wrote:
> > >> >
> > >> > > On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote:
> > >> > > > On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" <
> > >> > > > freeipa-users@lists.fedorahosted.org> wrote:
> > >> > > >
> > >> > > > > On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via
> > >> FreeIPA-users
> > >> > > > > wrote:
> > >> > > > > > I have been trying to reliably get an AD trust setup for a
> few
> > >> weeks
> > >> > > and
> > >> > > > > no
> > >> > > > > > matter what I try, when I goto add AD users to an external
> > >> group in
> > >> > > > > > FreeIPA, I get:
> > >> > > > > >
> > >> > > > > > "trusted domain object not found"
> > >> > > > > >
> > >> > > > > > Googling around tends to always yield the same suggestions:
> > >> > > > > >
> > >> > > > > > 1) Check time sync
> > >> > > > > > 2) Check DNS
> > >> > > > > > 3) Check firewall
> > >> > > > > >
> > >> > > > > > I have done all of this ad nauseam in several different
> > >> environments
> > >> > > with
> > >> > > > > > several different versions of FreeIPA and Windows servers.
> I
> > >> have
> > >> > > > > gotten a
> > >> > > > > > setup to work maybe 2% of the time out of hundreds of
> attempts.
> > >> > > > > >
> > >> > > > > > I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the
> COPR
> > >> > > repo).
> > >> > > > > I
> > >> > > > > > am trying to establish trust with a mixed Windows 2012 &
> 2008
> > >> > > forest. I
> > >> > > > > > have tried both one and two way trusts.  Everything seems to
> > >> work
> > >> > > fine up
> > >> > > > > > until I try to add AD users to FreeIPA.
> > >> > > > > >
> > >> > > > > > I have verified all of the requisite DNS records exist and
> > >> return the
> > >> > > > > > proper information on both sides, there are no firewalls
> > >> between any
> > >> > > of
> > >> > > > > the
> > >> > > > > > hosts, and the AD servers and FreeIPA servers are
> synchronized
> > >> by the
> > >> > > > > same
> > >> > > > > > NTP servers.
> > >> > > > > >
> > >> > > > > > What could I possibly be missing?
> > >> > > > >
> > >> > > > > Can you resolve the object you're trying to add with sssd?
> > >> > > > >
> > >> > > > > e.g. id foo@windows.domain
> > >> > > >
> > >> > > >
> > >> > > > No.  I can login via Kerberos, kinit user@ad.domain.  But
> neither
> > >> id
> > >> > > > user@ad.domain nor getent passwd user@ad.domain are successful.
> > >> > >
> > >> > > Then please follow
> > >> > > https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
> > >> > >
> > >> >
> > >> > Jakub,
> > >> >
> > >> >   Thank you for the support thus far.  I have followed some
> suggestions
> > >> in
> > >> > the sssd troubleshooting link you provided.  I am seeing these
> errors
> > >> > whenever I try to perform an operation that would lookup an AD user,
> > >> e.g.
> > >> > id user@ad.domain.  I am performing the user lookups on the
> primary IPA
> > >> > server itself.
> > >> >
> > >> > *sssd.conf:*
> > >> >
> > >> > [domain/ipa.domain]
> > >> >
> > >> > debug_level = 10
> > >> >
> > >> > cache_credentials = True
> > >> >
> > >> > enumerate = False
> > >> >
> > >> > krb5_store_password_if_offline = True
> > >> >
> > >> > ipa_domain = ipa.domain
> > >> >
> > >> > id_provider = ipa
> > >> >
> > >> > auth_provider = ipa
> > >> >
> > >> > access_provider = ipa
> > >> >
> > >> > ipa_hostname = ipa01.ipa.domain
> > >> >
> > >> > chpass_provider = ipa
> > >> >
> > >> > ipa_server = _srv_
> > >> >
> > >> > ldap_tls_cacert = /etc/ipa/ca.crt
> > >> >
> > >> > [sssd]
> > >> >
> > >> > services = sudo, nss, ifp, pam, ssh, pac
> > >> >
> > >> > debug_level = 10
> > >> >
> > >> > domains = ipa.domain
> > >> >
> > >> > [nss]
> > >> >
> > >> > debug_level = 10
> > >> >
> > >> > [pam]
> > >> >
> > >> > debug_level = 10
> > >> >
> > >> > [sudo]
> > >> >
> > >> > debug_level = 10
> > >> >
> > >> > [autofs]
> > >> >
> > >> > debug_level = 10
> > >> >
> > >> > [ssh]
> > >> >
> > >> > debug_level = 10
> > >> >
> > >> > [pac]
> > >> >
> > >> > debug_level = 10
> > >> >
> > >> > [ifp]
> > >> >
> > >> > debug_level = 10
> > >> >
> > >> > [secrets]
> > >> >
> > >> > debug_level = 10
> > >> >
> > >> Are you sure it's the server itself? Because for one, I would expect

[Freeipa-users] Re: AD trust setup woes

2017-07-25 Thread Jakub Hrozek via FreeIPA-users
On Mon, Jul 24, 2017 at 04:25:14PM -0400, Jason Beck via FreeIPA-users wrote:
> On Mon, Jul 24, 2017 at 2:53 PM, Jason Beck  wrote:
> 
> > On Mon, Jul 24, 2017 at 2:23 PM, Jakub Hrozek  wrote:
> >
> >> On Mon, Jul 24, 2017 at 01:53:20PM -0400, Jason Beck wrote:
> >> > On Mon, Jul 24, 2017 at 9:25 AM, Jakub Hrozek 
> >> wrote:
> >> >
> >> > > On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote:
> >> > > > On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" <
> >> > > > freeipa-users@lists.fedorahosted.org> wrote:
> >> > > >
> >> > > > > On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via
> >> FreeIPA-users
> >> > > > > wrote:
> >> > > > > > I have been trying to reliably get an AD trust setup for a few
> >> weeks
> >> > > and
> >> > > > > no
> >> > > > > > matter what I try, when I goto add AD users to an external
> >> group in
> >> > > > > > FreeIPA, I get:
> >> > > > > >
> >> > > > > > "trusted domain object not found"
> >> > > > > >
> >> > > > > > Googling around tends to always yield the same suggestions:
> >> > > > > >
> >> > > > > > 1) Check time sync
> >> > > > > > 2) Check DNS
> >> > > > > > 3) Check firewall
> >> > > > > >
> >> > > > > > I have done all of this ad nauseam in several different
> >> environments
> >> > > with
> >> > > > > > several different versions of FreeIPA and Windows servers.  I
> >> have
> >> > > > > gotten a
> >> > > > > > setup to work maybe 2% of the time out of hundreds of attempts.
> >> > > > > >
> >> > > > > > I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the COPR
> >> > > repo).
> >> > > > > I
> >> > > > > > am trying to establish trust with a mixed Windows 2012 & 2008
> >> > > forest. I
> >> > > > > > have tried both one and two way trusts.  Everything seems to
> >> work
> >> > > fine up
> >> > > > > > until I try to add AD users to FreeIPA.
> >> > > > > >
> >> > > > > > I have verified all of the requisite DNS records exist and
> >> return the
> >> > > > > > proper information on both sides, there are no firewalls
> >> between any
> >> > > of
> >> > > > > the
> >> > > > > > hosts, and the AD servers and FreeIPA servers are synchronized
> >> by the
> >> > > > > same
> >> > > > > > NTP servers.
> >> > > > > >
> >> > > > > > What could I possibly be missing?
> >> > > > >
> >> > > > > Can you resolve the object you're trying to add with sssd?
> >> > > > >
> >> > > > > e.g. id foo@windows.domain
> >> > > >
> >> > > >
> >> > > > No.  I can login via Kerberos, kinit user@ad.domain.  But neither
> >> id
> >> > > > user@ad.domain nor getent passwd user@ad.domain are successful.
> >> > >
> >> > > Then please follow
> >> > > https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
> >> > >
> >> >
> >> > Jakub,
> >> >
> >> >   Thank you for the support thus far.  I have followed some suggestions
> >> in
> >> > the sssd troubleshooting link you provided.  I am seeing these errors
> >> > whenever I try to perform an operation that would lookup an AD user,
> >> e.g.
> >> > id user@ad.domain.  I am performing the user lookups on the primary IPA
> >> > server itself.
> >> >
> >> > *sssd.conf:*
> >> >
> >> > [domain/ipa.domain]
> >> >
> >> > debug_level = 10
> >> >
> >> > cache_credentials = True
> >> >
> >> > enumerate = False
> >> >
> >> > krb5_store_password_if_offline = True
> >> >
> >> > ipa_domain = ipa.domain
> >> >
> >> > id_provider = ipa
> >> >
> >> > auth_provider = ipa
> >> >
> >> > access_provider = ipa
> >> >
> >> > ipa_hostname = ipa01.ipa.domain
> >> >
> >> > chpass_provider = ipa
> >> >
> >> > ipa_server = _srv_
> >> >
> >> > ldap_tls_cacert = /etc/ipa/ca.crt
> >> >
> >> > [sssd]
> >> >
> >> > services = sudo, nss, ifp, pam, ssh, pac
> >> >
> >> > debug_level = 10
> >> >
> >> > domains = ipa.domain
> >> >
> >> > [nss]
> >> >
> >> > debug_level = 10
> >> >
> >> > [pam]
> >> >
> >> > debug_level = 10
> >> >
> >> > [sudo]
> >> >
> >> > debug_level = 10
> >> >
> >> > [autofs]
> >> >
> >> > debug_level = 10
> >> >
> >> > [ssh]
> >> >
> >> > debug_level = 10
> >> >
> >> > [pac]
> >> >
> >> > debug_level = 10
> >> >
> >> > [ifp]
> >> >
> >> > debug_level = 10
> >> >
> >> > [secrets]
> >> >
> >> > debug_level = 10
> >> >
> >> Are you sure it's the server itself? Because for one, I would expect to
> >> see ipa_server_mode=True in sssd.conf and also ipa_server set to fqdn of
> >> 'self', not to _srv_.
> >>
> >> Also the s2n exop failed messages make it look like the debug messages
> >> are from a client.
> >>
> >> Anyway, one thing to examine is:
> >> > Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017)
> >> > [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #49: Data Provider
> >> > Error: 3, 5, Failed to get reply 

[Freeipa-users] Re: AD trust setup woes

2017-07-24 Thread Jason Beck via FreeIPA-users
On Mon, Jul 24, 2017 at 2:23 PM, Jakub Hrozek  wrote:

> On Mon, Jul 24, 2017 at 01:53:20PM -0400, Jason Beck wrote:
> > On Mon, Jul 24, 2017 at 9:25 AM, Jakub Hrozek 
> wrote:
> >
> > > On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote:
> > > > On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" <
> > > > freeipa-users@lists.fedorahosted.org> wrote:
> > > >
> > > > > On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via
> FreeIPA-users
> > > > > wrote:
> > > > > > I have been trying to reliably get an AD trust setup for a few
> weeks
> > > and
> > > > > no
> > > > > > matter what I try, when I goto add AD users to an external group
> in
> > > > > > FreeIPA, I get:
> > > > > >
> > > > > > "trusted domain object not found"
> > > > > >
> > > > > > Googling around tends to always yield the same suggestions:
> > > > > >
> > > > > > 1) Check time sync
> > > > > > 2) Check DNS
> > > > > > 3) Check firewall
> > > > > >
> > > > > > I have done all of this ad nauseam in several different
> environments
> > > with
> > > > > > several different versions of FreeIPA and Windows servers.  I
> have
> > > > > gotten a
> > > > > > setup to work maybe 2% of the time out of hundreds of attempts.
> > > > > >
> > > > > > I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the COPR
> > > repo).
> > > > > I
> > > > > > am trying to establish trust with a mixed Windows 2012 & 2008
> > > forest. I
> > > > > > have tried both one and two way trusts.  Everything seems to work
> > > fine up
> > > > > > until I try to add AD users to FreeIPA.
> > > > > >
> > > > > > I have verified all of the requisite DNS records exist and
> return the
> > > > > > proper information on both sides, there are no firewalls between
> any
> > > of
> > > > > the
> > > > > > hosts, and the AD servers and FreeIPA servers are synchronized
> by the
> > > > > same
> > > > > > NTP servers.
> > > > > >
> > > > > > What could I possibly be missing?
> > > > >
> > > > > Can you resolve the object you're trying to add with sssd?
> > > > >
> > > > > e.g. id foo@windows.domain
> > > >
> > > >
> > > > No.  I can login via Kerberos, kinit user@ad.domain.  But neither id
> > > > user@ad.domain nor getent passwd user@ad.domain are successful.
> > >
> > > Then please follow
> > > https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
> > >
> >
> > Jakub,
> >
> >   Thank you for the support thus far.  I have followed some suggestions
> in
> > the sssd troubleshooting link you provided.  I am seeing these errors
> > whenever I try to perform an operation that would lookup an AD user, e.g.
> > id user@ad.domain.  I am performing the user lookups on the primary IPA
> > server itself.
> >
> > *sssd.conf:*
> >
> > [domain/ipa.domain]
> >
> > debug_level = 10
> >
> > cache_credentials = True
> >
> > enumerate = False
> >
> > krb5_store_password_if_offline = True
> >
> > ipa_domain = ipa.domain
> >
> > id_provider = ipa
> >
> > auth_provider = ipa
> >
> > access_provider = ipa
> >
> > ipa_hostname = ipa01.ipa.domain
> >
> > chpass_provider = ipa
> >
> > ipa_server = _srv_
> >
> > ldap_tls_cacert = /etc/ipa/ca.crt
> >
> > [sssd]
> >
> > services = sudo, nss, ifp, pam, ssh, pac
> >
> > debug_level = 10
> >
> > domains = ipa.domain
> >
> > [nss]
> >
> > debug_level = 10
> >
> > [pam]
> >
> > debug_level = 10
> >
> > [sudo]
> >
> > debug_level = 10
> >
> > [autofs]
> >
> > debug_level = 10
> >
> > [ssh]
> >
> > debug_level = 10
> >
> > [pac]
> >
> > debug_level = 10
> >
> > [ifp]
> >
> > debug_level = 10
> >
> > [secrets]
> >
> > debug_level = 10
> >
> Are you sure it's the server itself? Because for one, I would expect to
> see ipa_server_mode=True in sssd.conf and also ipa_server set to fqdn of
> 'self', not to _srv_.
>
> Also the s2n exop failed messages make it look like the debug messages
> are from a client.
>
> Anyway, one thing to examine is:
> > Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017)
> > [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #49: Data Provider
> > Error: 3, 5, Failed to get reply from Data Provider
> >
> > Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017)
> > [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an
> > error [org.freedesktop.sssd.Error.DataProvider.Offline]
> >
>
> This indicates a communication issue towards the server. You should look
> for messages that say that 'a port is not working'.
>

Sorry, I've been troubleshooting this for weeks, trying various settings.
When I add the variables to sssd.conf

[domain/ipa.domain]
...
ipa_server_mode = True
ipa_server = ipa01.ipa.domain
...

and restart sssd:

I am now getting the following errors, also id user@ad.domain and/or getent
passwd 

[Freeipa-users] Re: AD trust setup woes

2017-07-24 Thread Jason Beck via FreeIPA-users
On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" <freeipa-users@lists.fedorahosted.org> wrote:

> On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via FreeIPA-users
> wrote:
> > I have been trying to reliably get an AD trust setup for a few weeks and
> > no matter what I try, when I go to add AD users to an external group in
> > FreeIPA, I get:
> >
> > "trusted domain object not found"
> >
> > Googling around tends to always yield the same suggestions:
> >
> > 1) Check time sync
> > 2) Check DNS
> > 3) Check firewall
> >
> > I have done all of this ad nauseam in several different environments with
> > several different versions of FreeIPA and Windows servers.  I have
> > gotten a setup to work maybe 2% of the time out of hundreds of attempts.
> >
> > I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the COPR repo).
> > I am trying to establish trust with a mixed Windows 2012 & 2008 forest. I
> > have tried both one- and two-way trusts.  Everything seems to work fine up
> > until I try to add AD users to FreeIPA.
> >
> > I have verified all of the requisite DNS records exist and return the
> > proper information on both sides, there are no firewalls between any of
> > the hosts, and the AD servers and FreeIPA servers are synchronized by the
> > same NTP servers.
> >
> > What could I possibly be missing?
>
> Can you resolve the object you're trying to add with sssd?
>
> e.g. id foo@windows.domain


No.  I can log in via Kerberos, kinit user@ad.domain.  But neither id
user@ad.domain nor getent passwd user@ad.domain is successful.


[Freeipa-users] Re: AD trust setup woes

2017-07-24 Thread Jakub Hrozek via FreeIPA-users
On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote:
> On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" <freeipa-users@lists.fedorahosted.org> wrote:
> 
> > On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via FreeIPA-users
> > wrote:
> > > I have been trying to reliably get an AD trust setup for a few weeks and
> > > no matter what I try, when I go to add AD users to an external group in
> > > FreeIPA, I get:
> > >
> > > "trusted domain object not found"
> > >
> > > Googling around tends to always yield the same suggestions:
> > >
> > > 1) Check time sync
> > > 2) Check DNS
> > > 3) Check firewall
> > >
> > > I have done all of this ad nauseam in several different environments with
> > > several different versions of FreeIPA and Windows servers.  I have
> > > gotten a setup to work maybe 2% of the time out of hundreds of attempts.
> > >
> > > I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the COPR repo).
> > > I am trying to establish trust with a mixed Windows 2012 & 2008 forest. I
> > > have tried both one- and two-way trusts.  Everything seems to work fine up
> > > until I try to add AD users to FreeIPA.
> > >
> > > I have verified all of the requisite DNS records exist and return the
> > > proper information on both sides, there are no firewalls between any of
> > > the hosts, and the AD servers and FreeIPA servers are synchronized by the
> > > same NTP servers.
> > >
> > > What could I possibly be missing?
> >
> > Can you resolve the object you're trying to add with sssd?
> >
> > e.g. id foo@windows.domain
> 
> 
> No.  I can log in via Kerberos, kinit user@ad.domain.  But neither id
> user@ad.domain nor getent passwd user@ad.domain is successful.

Then please follow
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html


[Freeipa-users] Re: AD trust setup woes

2017-07-24 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via FreeIPA-users wrote:
> I have been trying to reliably get an AD trust setup for a few weeks and no
> matter what I try, when I go to add AD users to an external group in
> FreeIPA, I get:
> 
> "trusted domain object not found"
> 
> Googling around tends to always yield the same suggestions:
> 
> 1) Check time sync
> 2) Check DNS
> 3) Check firewall
> 
> I have done all of this ad nauseam in several different environments with
> several different versions of FreeIPA and Windows servers.  I have gotten a
> setup to work maybe 2% of the time out of hundreds of attempts.
> 
> I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the COPR repo).  I
> am trying to establish trust with a mixed Windows 2012 & 2008 forest. I
> have tried both one- and two-way trusts.  Everything seems to work fine up
> until I try to add AD users to FreeIPA.
> 
> I have verified all of the requisite DNS records exist and return the
> proper information on both sides, there are no firewalls between any of the
> hosts, and the AD servers and FreeIPA servers are synchronized by the same
> NTP servers.
> 
> What could I possibly be missing?

Can you resolve the object you're trying to add with sssd?

e.g. id foo@windows.domain
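Jakub makes two diagnostic points in this thread: here, that the first thing to test is whether sssd can resolve the AD object at all (id foo@windows.domain), and further up, that an IPA server's own sssd.conf should carry ipa_server_mode = True with ipa_server naming the host itself rather than _srv_, and that a DataProvider.Offline error means looking for the back end marking a server port as not working. The script below folds both into one check. It is an added example written for this page, not code from the thread or from the FreeIPA or SSSD projects. Assumed rather than taken from the thread: the /etc/sssd/sssd.conf and /var/log/sssd/sssd_ipa.domain.log paths, the exact wording of the fail-over log line ("Marking port N of server '...' as 'not working'"), and ipa01.ipa.domain as the server's FQDN.

```shell
#!/bin/sh
# Added example for this thread (not FreeIPA or SSSD project code).
# Run on the IPA server that cannot resolve trusted-AD users even though
#   kinit user@AD.DOMAIN
# succeeds. Usage:
#   sh check_trust_lookup.sh user@ad.domain ipa01.ipa.domain
# The paths and the fail-over log wording are assumptions, not thread facts.

SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"
SSSD_LOG="${SSSD_LOG:-/var/log/sssd/sssd_ipa.domain.log}"

# conf_value FILE KEY: print the first "KEY = value" in FILE, whitespace
# stripped. The key is matched whole, so ipa_server does not match
# ipa_server_mode.
conf_value() {
    awk -F= -v key="$2" '
        $1 ~ ("^[[:space:]]*" key "[[:space:]]*$") {
            gsub(/[[:space:]]/, "", $2); print $2; exit
        }' "$1"
}

# check_server_mode CONF FQDN
# Jakub's point: on the IPA server itself sssd.conf should say
# ipa_server_mode = True and ipa_server = <this host's FQDN>, not _srv_.
# Prints "ok" or the first mismatch; returns 0 only when both hold.
check_server_mode() {
    mode=$(conf_value "$1" ipa_server_mode | tr '[:upper:]' '[:lower:]')
    server=$(conf_value "$1" ipa_server)
    if [ "$mode" != "true" ]; then
        echo "ipa_server_mode is '${mode:-unset}', expected True on an IPA server"
        return 1
    fi
    if [ "$server" != "$2" ]; then
        echo "ipa_server is '${server:-unset}', expected this host's FQDN $2"
        return 1
    fi
    echo ok
}

# scan_offline LOG
# The symptom quoted in the thread (the nss responder reporting
# org.freedesktop.sssd.Error.DataProvider.Offline) together with the
# back-end fail-over message that usually explains it (assumed wording:
# "Marking port N of server '...' as 'not working'").
# Prints "offline=N port=M"; returns 0 only when both counts are zero.
scan_offline() {
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    offline=$(grep -c 'DataProvider\.Offline' "$1" || :)
    ports=$(grep -c "as 'not working'" "$1" || :)
    echo "offline=$offline port=$ports"
    [ "$offline" -eq 0 ] && [ "$ports" -eq 0 ]
}

# resolve_trusted_user USER@AD.DOMAIN
# Jakub's first question: can sssd resolve the object at all? A working
# kinit only proves the KDC side of the trust; id and getent go through
# sssd's nss responder and the ipa back end, which is the part failing here.
resolve_trusted_user() {
    if getent passwd "$1" >/dev/null 2>&1; then
        echo "ok: $(id "$1")"
    else
        echo "getent passwd $1: sssd cannot resolve the trusted user"
        return 1
    fi
}

# Only run the checks when invoked with a user and this host's FQDN.
if [ "$#" -ge 2 ]; then
    rc=0
    check_server_mode "$SSSD_CONF" "$2" || rc=1
    scan_offline "$SSSD_LOG" || rc=1
    resolve_trusted_user "$1" || rc=1
    exit "$rc"
fi
```

Run it as root on the IPA server; a non-zero exit with ipa_server_mode reported as unset, or with a non-zero port count, points at the configuration and connectivity problems Jakub names before any trust-object troubleshooting is worth doing.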