[Freeipa-users] Re: freeipa trust issues

2017-11-14 Thread Alexander Bokovoy via FreeIPA-users

On ti, 14 marras 2017, Zach Bayne wrote:

> trust add completes and logs attached.
> appreciate the help

Zach, I'd suggest you re-establish the trust again, to re-generate the
cross-forest trust object passwords which you made public by posting a
link to the logs to the list.

Anyway, the trust itself seems to get established just fine. What failed
is an attempt to log in as an AD user to the Web UI. Am I correct?

If so, then you first need to enable each AD user to log in by creating
an (even empty) ID override for this user in the default trust view:

ipa idoverrideuser-add 'Default Trust View' foo@ad.domain

This would create an empty ID override that should allow foo@ad.domain
to authenticate to the IPA LDAP server with GSSAPI. This is exactly what
the Web UI needs, because it always uses GSSAPI to authenticate to LDAP on
behalf of users trying to log in to it.


--
/ Alexander Bokovoy
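As an added example (not from the thread or the FreeIPA project), a small POSIX shell helper that applies the ID override step above idempotently for a list of AD users: it checks whether an override already exists before adding one and rejects names that are not fully qualified. It assumes an enrolled IPA server with the `ipa` CLI and a valid admin ticket (`kinit admin`); the view name is the default one and the user list is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: ensure each AD user in a list has an
# (empty) ID override in the default trust view so the Web UI can authenticate
# them over GSSAPI. Assumes 'ipa' is installed and an admin ticket is held.

VIEW='Default Trust View'

# An AD user must be fully qualified (user@ad.domain); an unqualified name
# would be looked up as an IPA user, not in the trusted forest.
is_ad_user() {
    case "$1" in
        *@*.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Idempotent: show first, add only if the override is absent.
# Returns 2 for a malformed name, 0 on exists/added, the ipa exit code otherwise.
ensure_override() {
    user="$1"
    if ! is_ad_user "$user"; then
        echo "skip: '$user' is not a fully qualified AD user" >&2
        return 2
    fi
    if ipa idoverrideuser-show "$VIEW" "$user" >/dev/null 2>&1; then
        echo "exists: $user"
        return 0
    fi
    ipa idoverrideuser-add "$VIEW" "$user" >/dev/null && echo "added: $user"
}

# Constructed sample list; pass --apply to run against a real server.
if [ "${1:-}" = "--apply" ]; then
    for u in foo@ad.domain bar@ad.domain; do
        ensure_override "$u"
    done
fi
```

After the override exists, `kinit foo@AD.DOMAIN` followed by `ldapwhoami -Y GSSAPI` on the IPA server shows whether that user can now bind to LDAP with GSSAPI, which is the same path the Web UI takes.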
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: freeipa trust issues

2017-11-14 Thread Zach Bayne via FreeIPA-users
trust add completes and logs attached.
appreciate the help
https://drive.google.com/open?id=1SwiAaQkq4PttVaGNUBS_DoVP12Z53kZM

--
Golden Dog Development
z...@goldendogdev.net
636/395-0804
http://goldendogdev.net
--
All messages should be signed
27D1 C230 E66F BEF6 9697
D40E 2A04 2009 B9BD 15C5



[Freeipa-users] Re: freeipa trust issues

2017-11-13 Thread Alexander Bokovoy via FreeIPA-users

On ma, 13 marras 2017, Zach Bayne via FreeIPA-users wrote:

> I have Active Directory as dc1.ad.domainname and dc2.ad.domainname
> I also have FreeIPA at ipa1.ipa.domainname and ipa2.ipa.domainname
> both of them seem to work fine independently, I then created a trust and
> set smb min and max to 2. from the server 2k12 side the trust validates
> and from the IPA side I can kinit user@ad.domainname but that's where the
> working ends. I cannot log in to the web interface as AD, it says my session has
> expired and to relogin. wbinfo status shows AD as offline
> both LDAP DNS records for IPA and AD look correct
> [root@ipa1 ~]# wbinfo -n 'AD\Domain Admins'
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name AD\Domain Admins
>
>
> [root@ipa1 ~]# ipa --version
> VERSION: 4.5.0, API_VERSION: 2.228
>
> [root@ipa1 ~]# sssd --version
> 1.15.2
> attached below is the log.wd.ad
> I am happy to provide any more information and thank anyone who can help me
> solve this, have been beaten up for a bit on it.

Forget about looking into Samba logs alone. They aren't relevant here.
IPA uses SSSD to look up users/groups, not winbindd. Winbindd is used by
Samba itself for topology details and not for user lookups. It is
expected to see wbinfo reporting "offline" state because it is not
relevant at all.

See
https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust
and provide information requested there.

--
/ Alexander Bokovoy