[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2022-02-04 Thread Mike Moser via FreeIPA-users
Ran into the same issue, sharing this as it solved the issue for me:
https://access.redhat.com/solutions/3656641


Michael S. Moser
Sr. Linux Administrator, Aires
Office 1.412.677.1851 ● Mobile 412.719.7765
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-12-15 Thread Henrik Johansson via FreeIPA-users


> On 13 Dec 2017, at 15:03, Jakub Hrozek via FreeIPA-users wrote:
> 
> On Mon, Dec 11, 2017 at 10:47:44PM +0200, Alexander Bokovoy wrote:
>> On Mon, 11 Dec 2017, Henrik Johansson via FreeIPA-users wrote:
>>> 
>>> 
 On 11 Dec 2017, at 16:04, Alexander Bokovoy via FreeIPA-users wrote:
 
 On Mon, 11 Dec 2017, Henrik Johansson via FreeIPA-users wrote:
> Hi again,
> 
> I have generated debug, both in samba and in sssd and attached the log 
> files. From what I can see from the sssd-logfile we are talking to the AD 
> domain but does not find any groups? The rest of the debug files are 
> from the whole session including the trust-add. If you could have a quick 
> look at it I would be grateful since I am pretty much stuck here.
> 
> Terminal output:
> # ipa -v trust-add --type=ad ad.test.net --admin aduser
> ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
> ipa: INFO: [try 1]: Forwarding 'schema' to json server 
> 'https://ipaserver.idm.test.net/ipa/session/json'
> ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
> Active Directory domain administrator's password:
> ipa: INFO: [try 1]: Forwarding 'trust_add/1' to json server 
> 'https://ipaserver.idm.test.net/ipa/session/json'
> -
> Added Active Directory trust for realm "ad.test.net"
> -
> Realm name: ad.test.net
> Domain NetBIOS name: AD
> Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
> Trust direction: Trusting forest
> Trust type: Active Directory domain
> Trust status: Established and verified
> 
> # ipa trust-fetch-domains ad.test.net
> 
> List of trust domains successfully refreshed. Use trustdomain-find 
> command to list them.
> 
> 
> Number of entries returned 0
> 
> [root@ipaserver samba]# ipa trustdomain-find ad.test.net
> Domain name: ad.test.net
> Domain NetBIOS name: AD
> Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
> Domain enabled: True
> 
> Domain name: corp.ad.test.net
> Domain NetBIOS name: CORP
> Domain Security Identifier: S-1-6-42-2417082233-1637723082-1916539915
> Domain enabled: True
> 
> Number of entries returned 2
> 
> ]# ipa -v group-add-member ad_users_external --external 'AD\Domain Users'
> ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
> [member user]:
> [member group]:
> ipa: INFO: [try 1]: Forwarding 'group_add_member/1' to json server 
> 'https://ipaserver.idm.test.net/ipa/session/json'
> Group name: ad_users_external
> Description: AD users external map
> Failed members:
>  member user:
>  member group: AD\Domain Users: trusted domain object not found
> -
> Number of members added 0
 
 Did you try with a different group/user? Because Domain Users is a bit
 special group in AD, it is Domain Global group. Your logs show that a
 search done by SSSD against AD DC does not end up with any 'cn=domain
 users' result.
>>> 
>>> Yes, I've tried with a few groups and the user I am using to create the 
>>> trust with, no luck.
>> Is there any additional policy applied on AD side that prevents a TDO to
>> access information about AD users/groups?
>> 
>> Something like 
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/VQZAHMM54XNKEWWE32N2RGLANS2DHCSZ/
>>  ?
> 
> I'm sorry for the late reply, but in general I agree with Alexander.
> 
> Could you run a test with ldapsearch? Something like:
> kinit -kt 'IDM$@AD.TEST.NET' /var/lib/sss/keytabs/ad.test.net.keytab
> ldapsearch -Y GSSAPI -H ldap://ADSERVERC.corp.ad.test.net -b dc=corp,dc=ad,dc=test,dc=net '(&(sAMAccountName=domain\20users)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0'
> 
> if this doesn't find anything (and the search base and the server are as
> expected), could you re-run the same search binding as some known user
> with their password?
> 
> btw note that the ldapsearch is looking for POSIX attributes, is that
> expected? Do all users you search for have uidNumber set?

I had tested both, we have posix attributes in the AD schema. I seem to have 
stumbled over a solution to the problem while debugging. It seems that sssd was 
caching something even when we were unable to look up anything, and it did not 
invalidate the cache after several weeks, reboots or when removing trusts. 
After

[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-12-13 Thread Jakub Hrozek via FreeIPA-users
On Mon, Dec 11, 2017 at 10:47:44PM +0200, Alexander Bokovoy wrote:
> On Mon, 11 Dec 2017, Henrik Johansson via FreeIPA-users wrote:
> > 
> > 
> > > On 11 Dec 2017, at 16:04, Alexander Bokovoy via FreeIPA-users wrote:
> > > 
> > > On Mon, 11 Dec 2017, Henrik Johansson via FreeIPA-users wrote:
> > > > Hi again,
> > > > 
> > > > I have generated debug, both in samba and in sssd and attached the log 
> > > > files. From what I can see from the sssd-logfile we are talking to the 
> > > > AD domain but does not find any groups? The rest of the debug files 
> > > > are from the whole session including the trust-add. If you could have a 
> > > > quick look at it I would be grateful since I am pretty much stuck here.
> > > > 
> > > > Terminal output:
> > > > # ipa -v trust-add --type=ad ad.test.net --admin aduser
> > > > ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
> > > > ipa: INFO: [try 1]: Forwarding 'schema' to json server 
> > > > 'https://ipaserver.idm.test.net/ipa/session/json'
> > > > ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
> > > > Active Directory domain administrator's password:
> > > > ipa: INFO: [try 1]: Forwarding 'trust_add/1' to json server 
> > > > 'https://ipaserver.idm.test.net/ipa/session/json'
> > > > -
> > > > Added Active Directory trust for realm "ad.test.net"
> > > > -
> > > > Realm name: ad.test.net
> > > > Domain NetBIOS name: AD
> > > > Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
> > > > Trust direction: Trusting forest
> > > > Trust type: Active Directory domain
> > > > Trust status: Established and verified
> > > > 
> > > > # ipa trust-fetch-domains ad.test.net
> > > > 
> > > > List of trust domains successfully refreshed. Use trustdomain-find 
> > > > command to list them.
> > > > 
> > > > 
> > > > Number of entries returned 0
> > > > 
> > > > [root@ipaserver samba]# ipa trustdomain-find ad.test.net
> > > > Domain name: ad.test.net
> > > > Domain NetBIOS name: AD
> > > > Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
> > > > Domain enabled: True
> > > > 
> > > > Domain name: corp.ad.test.net
> > > > Domain NetBIOS name: CORP
> > > > Domain Security Identifier: S-1-6-42-2417082233-1637723082-1916539915
> > > > Domain enabled: True
> > > > 
> > > > Number of entries returned 2
> > > > 
> > > > ]# ipa -v group-add-member ad_users_external --external 'AD\Domain 
> > > > Users'
> > > > ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
> > > > [member user]:
> > > > [member group]:
> > > > ipa: INFO: [try 1]: Forwarding 'group_add_member/1' to json server 
> > > > 'https://ipaserver.idm.test.net/ipa/session/json'
> > > > Group name: ad_users_external
> > > > Description: AD users external map
> > > > Failed members:
> > > >   member user:
> > > >   member group: AD\Domain Users: trusted domain object not found
> > > > -
> > > > Number of members added 0
> > > 
> > > Did you try with a different group/user? Because Domain Users is a bit
> > > special group in AD, it is Domain Global group. Your logs show that a
> > > search done by SSSD against AD DC does not end up with any 'cn=domain
> > > users' result.
> > 
> > Yes, I've tried with a few groups and the user I am using to create the 
> > trust with, no luck.
> Is there any additional policy applied on AD side that prevents a TDO to
> access information about AD users/groups?
> 
> Something like 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/VQZAHMM54XNKEWWE32N2RGLANS2DHCSZ/
>  ?

I'm sorry for the late reply, but in general I agree with Alexander.

Could you run a test with ldapsearch? Something like:
kinit -kt 'IDM$@AD.TEST.NET' /var/lib/sss/keytabs/ad.test.net.keytab
ldapsearch -Y GSSAPI -H ldap://ADSERVERC.corp.ad.test.net -b 
dc=corp,dc=ad,dc=test,dc=net 
'(&(sAMAccountName=domain\20users)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0'

if this doesn't find anything (and the search base and the server are as
expected), could you re-run the same search binding as some known user
with their password?

btw note that the ldapsearch is looking for POSIX attributes, is that
expected? Do all users you search for have uidNumber set?
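The ldapsearch test Jakub suggests above, and the stale SSSD cache Henrik reports in his 15 December reply earlier on this page, as an added example. This is not code from the thread, from FreeIPA or from SSSD: it is a small POSIX shell script that builds the same group filter with proper RFC 4515 escaping, runs it against the AD DC as the IPA trusted-domain-object account, and flushes SSSD's on-disk cache. The realm, DC, search base and keytab path default to the thread's values, the IPA NetBIOS name IDM is assumed from Jakub's principal, and the closing parentheses of the filter (cut off in the mail) are supplied by me. The network and cache-flushing steps only run when invoked with `check <name>` or `flush`; the helper functions run offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/SSSD: helpers for
# reproducing the ldapsearch test against the AD DC and for flushing the
# SSSD cache. Defaults below are the thread's values (assumed); override
# them through the environment. Nothing contacts the network unless the
# script is invoked with "check <name>" or "flush".

IPA_NETBIOS="${IPA_NETBIOS:-IDM}"   # assumed NetBIOS name of the IPA domain (TDO account IDM$)
AD_REALM="${AD_REALM:-AD.TEST.NET}"
AD_DC="${AD_DC:-ADSERVERC.corp.ad.test.net}"
AD_BASE="${AD_BASE:-dc=corp,dc=ad,dc=test,dc=net}"
SSS_KEYTAB="${SSS_KEYTAB:-/var/lib/sss/keytabs/ad.test.net.keytab}"

# Name part of an external member written as FLAT\name or name@domain,
# the two spellings ipa group-add-member --external accepts.
ad_name_part() {
    case "$1" in
        *\\*) printf '%s\n' "${1#*\\}" ;;
        *@*)  printf '%s\n' "${1%@*}" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# Domain part of the same spellings (empty when the name is unqualified).
ad_domain_part() {
    case "$1" in
        *\\*) printf '%s\n' "${1%%\\*}" ;;
        *@*)  printf '%s\n' "${1#*@}" ;;
        *)    printf '\n' ;;
    esac
}

# Escape a value for an LDAP search filter (RFC 4515): backslash first,
# then '*', '(', ')' and space, so "Domain Users" becomes Domain\20Users.
ldap_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' -e 's/)/\\29/g' -e 's/ /\\20/g'
}

# The group filter quoted in the thread, with its closing parentheses
# supplied (assumed) and the name escaped. It only matches groups carrying
# a non-zero gidNumber: a group without POSIX attributes is invisible to it.
group_filter() {
    printf '(&(sAMAccountName=%s)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0))))\n' \
        "$(ldap_escape "$1")"
}

# Authenticate as the IPA trusted-domain-object account (note that -kt
# takes the keytab path and the principal comes last), then search the AD
# DC directly. Zero entries with a correct base means the TDO cannot see
# the group; re-run binding as a known user to tell an AD ACL problem
# from a missing POSIX attribute.
check_group_on_dc() {
    name=$(ad_name_part "$1")
    kinit -kt "$SSS_KEYTAB" "${IPA_NETBIOS}\$@${AD_REALM}" || return 1
    ldapsearch -Y GSSAPI -H "ldap://$AD_DC" -b "$AD_BASE" \
        "$(group_filter "$name")" sAMAccountName gidNumber objectSid
}

# Drop SSSD's cached view of the trusted domains. sss_cache -E only marks
# entries expired, so for a stale subdomain list the on-disk cache and the
# memory cache are removed as well (this also discards cached credentials
# used for offline logins).
flush_sssd_cache() {
    sss_cache -E
    systemctl stop sssd
    rm -f /var/lib/sss/db/*.ldb /var/lib/sss/mc/*
    systemctl start sssd
}

case "${1:-}" in
    check) check_group_on_dc "$2" ;;
    flush) flush_sssd_cache ;;
    *) ;;
esac
```

Usage on the IPA server: `sh ipa-trust-check.sh check 'AD\Domain Users'` runs the DC search; `sh ipa-trust-check.sh flush` resets SSSD. If the search returns the group as the TDO account but `ipa group-add-member --external` still fails, the cached state on the IPA side is the next suspect.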


[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-12-11 Thread Alexander Bokovoy via FreeIPA-users

On Mon, 11 Dec 2017, Henrik Johansson via FreeIPA-users wrote:

On 11 Dec 2017, at 16:04, Alexander Bokovoy via FreeIPA-users wrote:

On Mon, 11 Dec 2017, Henrik Johansson via FreeIPA-users wrote:

Hi again,

I have generated debug, both in samba and in sssd and attached the log files. 
From what I can see from the sssd-logfile we are talking to the AD domain but 
does not find any groups? The rest of the debug files are from the whole 
session including the trust-add. If you could have a quick look at it I would 
be grateful since I am pretty much stuck here.

Terminal output:
# ipa -v trust-add --type=ad ad.test.net --admin aduser
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
ipa: INFO: [try 1]: Forwarding 'schema' to json server 
'https://ipaserver.idm.test.net/ipa/session/json'
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
Active Directory domain administrator's password:
ipa: INFO: [try 1]: Forwarding 'trust_add/1' to json server 
'https://ipaserver.idm.test.net/ipa/session/json'
-
Added Active Directory trust for realm "ad.test.net"
-
Realm name: ad.test.net
Domain NetBIOS name: AD
Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
Trust direction: Trusting forest
Trust type: Active Directory domain
Trust status: Established and verified

# ipa trust-fetch-domains ad.test.net

List of trust domains successfully refreshed. Use trustdomain-find command to 
list them.


Number of entries returned 0

[root@ipaserver samba]# ipa trustdomain-find ad.test.net
Domain name: ad.test.net
Domain NetBIOS name: AD
Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
Domain enabled: True

Domain name: corp.ad.test.net
Domain NetBIOS name: CORP
Domain Security Identifier: S-1-6-42-2417082233-1637723082-1916539915
Domain enabled: True

Number of entries returned 2

]# ipa -v group-add-member ad_users_external --external 'AD\Domain Users'
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
[member user]:
[member group]:
ipa: INFO: [try 1]: Forwarding 'group_add_member/1' to json server 
'https://ipaserver.idm.test.net/ipa/session/json'
Group name: ad_users_external
Description: AD users external map
Failed members:
  member user:
  member group: AD\Domain Users: trusted domain object not found
-
Number of members added 0


Did you try with a different group/user? Because Domain Users is a bit
special group in AD, it is Domain Global group. Your logs show that a
search done by SSSD against AD DC does not end up with any 'cn=domain
users' result.


Yes, I've tried with a few groups and the user I am using to create the trust 
with, no luck.

Is there any additional policy applied on AD side that prevents a TDO to
access information about AD users/groups?

Something like 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/VQZAHMM54XNKEWWE32N2RGLANS2DHCSZ/
 ?

--
/ Alexander Bokovoy


[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-12-11 Thread Henrik Johansson via FreeIPA-users


> On 11 Dec 2017, at 16:04, Alexander Bokovoy via FreeIPA-users wrote:
> 
> On Mon, 11 Dec 2017, Henrik Johansson via FreeIPA-users wrote:
>> Hi again,
>> 
>> I have generated debug, both in samba and in sssd and attached the log 
>> files. From what I can see from the sssd-logfile we are talking to the AD 
>> domain but does not find any groups? The rest of the debug files are from 
>> the whole session including the trust-add. If you could have a quick look at 
>> it I would be grateful since I am pretty much stuck here.
>> 
>> Terminal output:
>> # ipa -v trust-add --type=ad ad.test.net --admin aduser
>> ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
>> ipa: INFO: [try 1]: Forwarding 'schema' to json server 
>> 'https://ipaserver.idm.test.net/ipa/session/json'
>> ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
>> Active Directory domain administrator's password:
>> ipa: INFO: [try 1]: Forwarding 'trust_add/1' to json server 
>> 'https://ipaserver.idm.test.net/ipa/session/json'
>> -
>> Added Active Directory trust for realm "ad.test.net"
>> -
>> Realm name: ad.test.net
>> Domain NetBIOS name: AD
>> Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
>> Trust direction: Trusting forest
>> Trust type: Active Directory domain
>> Trust status: Established and verified
>> 
>> # ipa trust-fetch-domains ad.test.net
>> 
>> List of trust domains successfully refreshed. Use trustdomain-find command 
>> to list them.
>> 
>> 
>> Number of entries returned 0
>> 
>> [root@ipaserver samba]# ipa trustdomain-find ad.test.net
>> Domain name: ad.test.net
>> Domain NetBIOS name: AD
>> Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
>> Domain enabled: True
>> 
>> Domain name: corp.ad.test.net
>> Domain NetBIOS name: CORP
>> Domain Security Identifier: S-1-6-42-2417082233-1637723082-1916539915
>> Domain enabled: True
>> 
>> Number of entries returned 2
>> 
>> ]# ipa -v group-add-member ad_users_external --external 'AD\Domain Users'
>> ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
>> [member user]:
>> [member group]:
>> ipa: INFO: [try 1]: Forwarding 'group_add_member/1' to json server 
>> 'https://ipaserver.idm.test.net/ipa/session/json'
>> Group name: ad_users_external
>> Description: AD users external map
>> Failed members:
>>   member user:
>>   member group: AD\Domain Users: trusted domain object not found
>> -
>> Number of members added 0
> 
> Did you try with a different group/user? Because Domain Users is a bit
> special group in AD, it is Domain Global group. Your logs show that a
> search done by SSSD against AD DC does not end up with any 'cn=domain
> users' result.

Yes, I've tried with a few groups and the user I am using to create the trust 
with, no luck.



[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-12-11 Thread Alexander Bokovoy via FreeIPA-users

On Mon, 11 Dec 2017, Henrik Johansson via FreeIPA-users wrote:

Hi again,

I have generated debug, both in samba and in sssd and attached the log files. 
From what I can see from the sssd-logfile we are talking to the AD domain but 
does not find any groups? The rest of the debug files are from the whole 
session including the trust-add. If you could have a quick look at it I would 
be grateful since I am pretty much stuck here.

Terminal output:
# ipa -v trust-add --type=ad ad.test.net --admin aduser
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
ipa: INFO: [try 1]: Forwarding 'schema' to json server 
'https://ipaserver.idm.test.net/ipa/session/json'
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
Active Directory domain administrator's password:
ipa: INFO: [try 1]: Forwarding 'trust_add/1' to json server 
'https://ipaserver.idm.test.net/ipa/session/json'
-
Added Active Directory trust for realm "ad.test.net"
-
 Realm name: ad.test.net
 Domain NetBIOS name: AD
 Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
 Trust direction: Trusting forest
 Trust type: Active Directory domain
 Trust status: Established and verified

# ipa trust-fetch-domains ad.test.net

List of trust domains successfully refreshed. Use trustdomain-find command to 
list them.


Number of entries returned 0

[root@ipaserver samba]# ipa trustdomain-find ad.test.net
 Domain name: ad.test.net
 Domain NetBIOS name: AD
 Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
 Domain enabled: True

 Domain name: corp.ad.test.net
 Domain NetBIOS name: CORP
 Domain Security Identifier: S-1-6-42-2417082233-1637723082-1916539915
 Domain enabled: True

Number of entries returned 2

]# ipa -v group-add-member ad_users_external --external 'AD\Domain Users'
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
[member user]:
[member group]:
ipa: INFO: [try 1]: Forwarding 'group_add_member/1' to json server 
'https://ipaserver.idm.test.net/ipa/session/json'
 Group name: ad_users_external
 Description: AD users external map
 Failed members:
   member user:
   member group: AD\Domain Users: trusted domain object not found
-
Number of members added 0


Did you try with a different group/user? Because Domain Users is a bit
special group in AD, it is Domain Global group. Your logs show that a
search done by SSSD against AD DC does not end up with any 'cn=domain
users' result.

--
/ Alexander Bokovoy


[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-12-11 Thread Henrik Johansson via FreeIPA-users
Hi again,

I have generated debug, both in samba and in sssd and attached the log files. 
From what I can see from the sssd-logfile we are talking to the AD domain but 
does not find any groups? The rest of the debug files are from the whole 
session including the trust-add. If you could have a quick look at it I would 
be grateful since I am pretty much stuck here.

Terminal output:
# ipa -v trust-add --type=ad ad.test.net --admin aduser
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://ipaserver.idm.test.net/ipa/session/json'
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
Active Directory domain administrator's password:
ipa: INFO: [try 1]: Forwarding 'trust_add/1' to json server 'https://ipaserver.idm.test.net/ipa/session/json'
-
Added Active Directory trust for realm "ad.test.net"
-
  Realm name: ad.test.net
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

# ipa trust-fetch-domains ad.test.net
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
Number of entries returned 0

[root@ipaserver samba]# ipa trustdomain-find ad.test.net
  Domain name: ad.test.net
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
  Domain enabled: True

  Domain name: corp.ad.test.net
  Domain NetBIOS name: CORP
  Domain Security Identifier: S-1-6-42-2417082233-1637723082-1916539915
  Domain enabled: True
Number of entries returned 2

]# ipa -v group-add-member ad_users_external --external 'AD\Domain Users'
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
[member user]:
[member group]:
ipa: INFO: [try 1]: Forwarding 'group_add_member/1' to json server 'https://ipaserver.idm.test.net/ipa/session/json'
  Group name: ad_users_external
  Description: AD users external map
  Failed members:
    member user:
    member group: AD\Domain Users: trusted domain object not found
-
Number of members added 0

ipa-debug.tar.bz2
Description: BZip2 compressed data

Regards
Henrik

> On 3 Dec 2017, at 21:14, Jakub Hrozek wrote:
> 
>> On 1 Dec 2017, at 10:52, Henrik Johansson wrote:
>> 
>> Hi,
>> 
>> Answers below, I found one thing that doesn't look correct, on another 
>> virtualised test-system I can get a cifs ticket when I am admin on the IPA 
>> server, in this setup it only works if I get tickets from the AD domain 
>> manually first:
>> 
>> [root@ipaserver httpd]# kinit admin
>> Password for ad...@idm.test.net:
>> [root@ipaserver httpd]# klist
>> Ticket cache: KEYRING:persistent:0:0
>> Default principal: ad...@idm.test.net
>> 
>> Valid starting   Expires  Service principal
>> 12/01/2017 10:25:48  12/02/2017 10:25:39  krbtgt/idm.test@idm.test.net
>> [root@ipaserver httpd]# kvno -S cifs adserver.ad2.test.net
>> kvno: Server krbtgt/ad2.test@idm.test.net not found in Kerberos database 
>> while getting credentials for cifs/adserver.ad2.test@ad2.test.net
>> [root@ipaserver httpd]# kinit adminu...@ad2.test.net
>> Password for adminu...@ad2.test.net:
>> Warning: Your password will expire in 5 days on Wed 06 Dec 2017 03:20:14 PM CET
>> [root@ipaserver httpd]# kvno -S cifs adserver.ad2.test.net
>> cifs/adserver.ad2.test@ad2.test.net: kvno = 13
>> 
>>> On 27 Nov 2017, at 14:06, Jakub Hrozek via FreeIPA-users wrote:
>>> 
>>> On Tue, Nov 21, 2017 at 01:55:31PM +0100, Henrik Stigendal via FreeIPA-users wrote:
>>>> Hello everyone,
>>>> 
>>>> I'm new to this and am trying to set up a working trust against an AD 
>>>> forest, I seem to have a working trust but when I try to reference 
>>>> external groups (or users) I get:
>>>> 
>>>> # ipa group-add-member ad_users_external --external "AD2\Domain Users"
>>>> [member user]:
>>>> [member group]:
>>>>  Group name: ad_users_external
>>>>  Description: AD users external map
>>>>  Failed members:
>>>>    member user:
>>>>    member group: AD2\Domain Users: trusted domain object not found
>>>> -
>>>> Number of members added 0
>>>> -
>>> 
>>> I think the lookup goes eventually from the ipa command line framework 
>>> to SSSD, does lookup through the usual SSSD channels (getent passwd 
>>> username@domain) work?
>> 
>> No, that does not work at all.
>> 
>>>> I enabled some logging and at the end of the mail is the output from the 
>>>> command above, any suggestions what could cause this? Current version of 
>>>> IPA is 4.5.
>>>> 
>>>> Regards
>>>> Henrik
>>>> 
>>>> Tue Nov 21 13:10:42.675713 2017] [:warn] [pid 38221] [client 
>>>> 192.168.6.82:34714] failed to set perms (3140) on file 
>>>> (/var/run/ipa/ccaches/ad...@idm.test.net)!, referer: 
>>>> https://ipaserver.idm.test.net/ipa/xml
>>>> string_to_

[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-12-03 Thread Jakub Hrozek via FreeIPA-users

> On 1 Dec 2017, at 10:52, Henrik Johansson wrote:
> 
> Hi,
> 
> Answers below, I found one thing that doesn't look correct, on another 
> virtualised test-system I can get a cifs ticket when I am admin on the IPA 
> server, in this setup it only works if I get tickets from the AD domain 
> manually first:
> 
> [root@ipaserver httpd]# kinit admin
> Password for ad...@idm.test.net:
> [root@ipaserver httpd]# klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: ad...@idm.test.net
>  
> Valid starting   Expires  Service principal
> 12/01/2017 10:25:48  12/02/2017 10:25:39  krbtgt/idm.test@idm.test.net
> [root@ipaserver httpd]# kvno -S cifs adserver.ad2.test.net
> kvno: Server krbtgt/ad2.test@idm.test.net not found in Kerberos database 
> while getting credentials for cifs/adserver.ad2.test@ad2.test.net
> [root@ipaserver httpd]# kinit adminu...@ad2.test.net
> Password for adminu...@ad2.test.net:
> Warning: Your password will expire in 5 days on Wed 06 Dec 2017 03:20:14 PM 
> CET
> [root@ipaserver httpd]# kvno -S cifs adserver.ad2.test.net
> cifs/adserver.ad2.test@ad2.test.net: kvno = 13
> 
> 
>> On 27 Nov 2017, at 14:06, Jakub Hrozek via FreeIPA-users wrote:
>> 
>> On Tue, Nov 21, 2017 at 01:55:31PM +0100, Henrik Stigendal via FreeIPA-users 
>> wrote:
>>> Hello everyone,
>>> 
>>> I'm new to this and am trying to set up a working trust against an AD 
>>> forest, I seem to have a working trust but when I try to reference 
>>> external groups (or users) I get:
>>> 
>>> # ipa group-add-member ad_users_external --external "AD2\Domain Users"
>>> [member user]:
>>> [member group]:
>>>  Group name: ad_users_external
>>>  Description: AD users external map
>>>  Failed members:
>>>member user:
>>>member group: AD2\Domain Users: trusted domain object not found
>>> -
>>> Number of members added 0
>>> -
>> 
>> I think the lookup goes eventually from the ipa command line framework
>> to SSSD, does lookup through the usual SSSD channels (getent passwd
>> username@domain) work?
> 
> No, that does not work at all.
> 
>> 
>>> 
>>> I enabled some logging and at the end of the mail is the output from the 
>>> command above, any suggestions what could cause this? Current version of 
>>> IPA is 4.5.
>>> 
>>> Regards
>>> Henrik
>>> 
>>> Tue Nov 21 13:10:42.675713 2017] [:warn] [pid 38221] [client 
>>> 192.168.6.82:34714] failed to set perms (3140) on file 
>>> (/var/run/ipa/ccaches/ad...@idm.test.net)!, referer: 
>>> https://ipaserver.idm.test.net/ipa/xml
>>> string_to_sid: SID AD2\Domain Users is not in a valid format
>> 
>> btw did you try also a lookup of a name qualified with the full AD domain
>> name (i.e. username@ad.domain instead of ad\\username)? I wonder if just
>> the flatname is acting up..
> 
> 
> I’ve tested both without luck.

I would suggest to find out why the lookups from the command line don’t work. 
You can check how to debug sssd here:
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html

feel free to share your logs if they are not easy to read.

> 
>> 
>>> lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
>>> Processing section "[global]"
>>> INFO: Current debug levels:
>>>  all: 11
>>>  tdb: 11
>>>  printdrivers: 11
>>>  lanman: 11
>>>  smb: 11
>>>  rpc_parse: 11
>>>  rpc_srv: 11
>>>  rpc_cli: 11
>>>  passdb: 11
>>>  sam: 11
>>>  auth: 11
>>>  winbind: 11
>>>  vfs: 11
>>>  idmap: 11
>>>  quota: 11
>>>  acls: 11
>>>  locking: 11
>>>  msdfs: 11
>>>  dmapi: 11
>>>  registry: 11
>>>  scavenger: 11
>>>  dns: 11
>>>  ldb: 11
>>>  tevent: 11
>>> pm_process() returned Yes
>>> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 
>>> netmask=255.255.255.0
>>> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 
>>> netmask=255.255.255.0
>>> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 
>>> netmask=255.255.255.0
>>> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 
>>> netmask=255.255.255.0
>>> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 
>>> netmask=255.255.255.0
>>> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 
>>> netmask=255.255.255.0
>>> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 
>>> netmask=255.255.255.0
>>> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 
>>> netmask=255.255.255.0
>>> finddcs: searching for a DC by DNS domain ad2.test.net
>>> finddcs: looking for SRV records for _ldap._tcp.ad2.test.net
>>> resolve_lmhosts: Attempting lmhosts lookup for name 
>>> _ldap._tcp.ad2.test.net<0x0>
>>> getlmhostsent: lmhost entry: 127.0.0.1 localhost
>>> ads_dns_lookup_srv: 2 records returned in the answer section.
>>> ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
>>> ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
>>> Addrs = 192.168.5.158@389/adserver,192.168.5.104@389/adserver
>>> finddcs: DNS SRV response 

[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-12-01 Thread Henrik Johansson via FreeIPA-users
Hi,

Answers below, I found one thing that doesn't look correct, on another 
virtualised test-system I can get a cifs ticket when I am admin on the IPA 
server, in this setup it only works if I get tickets from the AD domain 
manually first:

[root@ipaserver httpd]# kinit admin
Password for ad...@idm.test.net:
[root@ipaserver httpd]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ad...@idm.test.net
 
Valid starting   Expires  Service principal
12/01/2017 10:25:48  12/02/2017 10:25:39  krbtgt/idm.test@idm.test.net
[root@ipaserver httpd]# kvno -S cifs adserver.ad2.test.net
kvno: Server krbtgt/ad2.test@idm.test.net not found in Kerberos database 
while getting credentials for cifs/adserver.ad2.test@ad2.test.net
[root@ipaserver httpd]# kinit adminu...@ad2.test.net
Password for adminu...@ad2.test.net:
Warning: Your password will expire in 5 days on Wed 06 Dec 2017 03:20:14 PM CET
[root@ipaserver httpd]# kvno -S cifs adserver.ad2.test.net
cifs/adserver.ad2.test@ad2.test.net: kvno = 13


> On 27 Nov 2017, at 14:06, Jakub Hrozek via FreeIPA-users wrote:
> 
> On Tue, Nov 21, 2017 at 01:55:31PM +0100, Henrik Stigendal via FreeIPA-users 
> wrote:
>> Hello everyone,
>> 
>> I'm new to this and am trying to set up a working trust against an AD 
>> forest, I seem to have a working trust but when I try to reference external 
>> groups (or users) I get:
>> 
>> # ipa group-add-member ad_users_external --external "AD2\Domain Users"
>> [member user]:
>> [member group]:
>>  Group name: ad_users_external
>>  Description: AD users external map
>>  Failed members:
>>member user:
>>member group: AD2\Domain Users: trusted domain object not found
>> -
>> Number of members added 0
>> -
> 
> I think the lookup goes eventually from the ipa command line framework
> to SSSD, does lookup through the usual SSSD channels (getent passwd
> username@domain) work?

No, that does not work at all.

> 
>> 
>> I enabled some logging and at the end of the mail is the output from the 
>> command above, any suggestions what could cause this? Current version of IPA 
>> is 4.5.
>> 
>> Regards
>> Henrik
>> 
>> Tue Nov 21 13:10:42.675713 2017] [:warn] [pid 38221] [client 
>> 192.168.6.82:34714] failed to set perms (3140) on file 
>> (/var/run/ipa/ccaches/ad...@idm.test.net)!, referer: 
>> https://ipaserver.idm.test.net/ipa/xml
>> 
>> string_to_sid: SID AD2\Domain Users is not in a valid format
> 
> btw did you try also a lookup of a name qualified with the full AD domain
> name (i.e. username@ad.domain instead of ad\\username)? I wonder if just
> the flatname is acting up..


I’ve tested both without luck.

> 
>> lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
>> Processing section "[global]"
>> INFO: Current debug levels:
>>  all: 11
>>  tdb: 11
>>  printdrivers: 11
>>  lanman: 11
>>  smb: 11
>>  rpc_parse: 11
>>  rpc_srv: 11
>>  rpc_cli: 11
>>  passdb: 11
>>  sam: 11
>>  auth: 11
>>  winbind: 11
>>  vfs: 11
>>  idmap: 11
>>  quota: 11
>>  acls: 11
>>  locking: 11
>>  msdfs: 11
>>  dmapi: 11
>>  registry: 11
>>  scavenger: 11
>>  dns: 11
>>  ldb: 11
>>  tevent: 11
>> pm_process() returned Yes
>> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 
>> netmask=255.255.255.0
>> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 
>> netmask=255.255.255.0
>> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 
>> netmask=255.255.255.0
>> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 
>> netmask=255.255.255.0
>> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 
>> netmask=255.255.255.0
>> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 
>> netmask=255.255.255.0
>> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 
>> netmask=255.255.255.0
>> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 
>> netmask=255.255.255.0
>> finddcs: searching for a DC by DNS domain ad2.test.net
>> finddcs: looking for SRV records for _ldap._tcp.ad2.test.net
>> resolve_lmhosts: Attempting lmhosts lookup for name 
>> _ldap._tcp.ad2.test.net<0x0>
>> getlmhostsent: lmhost entry: 127.0.0.1 localhost
>> ads_dns_lookup_srv: 2 records returned in the answer section.
>> ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
>> ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
>> Addrs = 192.168.5.158@389/adserver,192.168.5.104@389/adserver
>> finddcs: DNS SRV response 0 at '192.168.5.158'
>> finddcs: DNS SRV response 1 at '192.168.5.104'
>> finddcs: performing CLDAP query on 192.168.5.158
>> &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
>>command  : LOGON_SAM_LOGON_RESPONSE_EX (23)
>>sbz  : 0x (0)
>>server_type

[Freeipa-users] Re: Unable to use externa groups or users, truster domain object not found

2017-11-27 Thread Jakub Hrozek via FreeIPA-users
On Tue, Nov 21, 2017 at 01:55:31PM +0100, Henrik Stigendal via FreeIPA-users 
wrote:
> Hello everyone,
> 
> I’m new to this and am trying to set up a working trust against an AD 
> forest. I seem to have a working trust, but when I try to reference external 
> groups (or users) I get:
> 
> # ipa group-add-member ad_users_external --external "AD2\Domain Users"
> [member user]:
> [member group]:
>   Group name: ad_users_external
>   Description: AD users external map
>   Failed members:
> member user:
> member group: AD2\Domain Users: trusted domain object not found
> -
> Number of members added 0
> -

I think the lookup eventually goes from the ipa command line framework
to SSSD. Does a lookup through the usual SSSD channels (getent passwd
username@domain) work?

> 
> I enabled some logging; the output from the command above is at the end of 
> this mail. Any suggestions as to what could cause this? The current version of IPA 
> is 4.5.
> 
> Regards
> Henrik
> 
> Tue Nov 21 13:10:42.675713 2017] [:warn] [pid 38221] [client 
> 192.168.6.82:34714] failed to set perms (3140) on file 
> (/var/run/ipa/ccaches/ad...@idm.test.net)!, referer: 
> https://ipaserver.idm.test.net/ipa/xml
> string_to_sid: SID AD2\Domain Users is not in a valid format

By the way, did you also try a lookup of a name qualified with the full AD domain
name (i.e. username@ad.domain instead of ad\\username)? I wonder if just
the flat name is acting up.

> lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
> Processing section "[global]"
> INFO: Current debug levels:
>   all: 11
>   tdb: 11
>   printdrivers: 11
>   lanman: 11
>   smb: 11
>   rpc_parse: 11
>   rpc_srv: 11
>   rpc_cli: 11
>   passdb: 11
>   sam: 11
>   auth: 11
>   winbind: 11
>   vfs: 11
>   idmap: 11
>   quota: 11
>   acls: 11
>   locking: 11
>   msdfs: 11
>   dmapi: 11
>   registry: 11
>   scavenger: 11
>   dns: 11
>   ldb: 11
>   tevent: 11
> pm_process() returned Yes
> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 
> netmask=255.255.255.0
> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 
> netmask=255.255.255.0
> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 
> netmask=255.255.255.0
> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 
> netmask=255.255.255.0
> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 
> netmask=255.255.255.0
> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 
> netmask=255.255.255.0
> added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 
> netmask=255.255.255.0
> added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 
> netmask=255.255.255.0
> finddcs: searching for a DC by DNS domain ad2.test.net
> finddcs: looking for SRV records for _ldap._tcp.ad2.test.net
> resolve_lmhosts: Attempting lmhosts lookup for name 
> _ldap._tcp.ad2.test.net<0x0>
> getlmhostsent: lmhost entry: 127.0.0.1 localhost
> ads_dns_lookup_srv: 2 records returned in the answer section.
> ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
> ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
> Addrs = 192.168.5.158@389/adserver,192.168.5.104@389/adserver
> finddcs: DNS SRV response 0 at '192.168.5.158'
> finddcs: DNS SRV response 1 at '192.168.5.104'
> finddcs: performing CLDAP query on 192.168.5.158
>  &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
> command  : LOGON_SAM_LOGON_RESPONSE_EX (23)
> sbz  : 0x (0)
> server_type  : 0x0001f1fc (127484)
>0: NBT_SERVER_PDC
>1: NBT_SERVER_GC
>1: NBT_SERVER_LDAP
>1: NBT_SERVER_DS
>1: NBT_SERVER_KDC
>1: NBT_SERVER_TIMESERV
>1: NBT_SERVER_CLOSEST
>1: NBT_SERVER_WRITABLE
>0: NBT_SERVER_GOOD_TIMESERV
>0: NBT_SERVER_NDNC
>0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
>1: NBT_SERVER_FULL_SECRET_DOMAIN_6
>1: NBT_SERVER_ADS_WEB_SERVICE
>1: NBT_SERVER_DS_8
>0: NBT_SERVER_HAS_DNS_NAME
>0: NBT_SERVER_IS_DEFAULT_NC
>0: NBT_SERVER_FOREST_ROOT
> domain_uuid  : 63c3a477-85f9-5f01-96e8-2597a5c48978
> forest   : 'ad2.test.net'
> dns_domain   : 'ad2.test.net'
> pdc_dns_name : 'adserver.ad2.test.net'
> domain_name  : 'AD2'
> pdc_name : 'adserver'
> user_name: ''
> server_site  : 'AS001'
> client_site  : 'AS002'
> sockaddr_size: 0x00 (0)
> sockaddr: struct nbt_sockaddr
> sockaddr_family  : 0x (0)
> pdc_ip   : (null)
> rem