Re: [Freeipa-users] Authenticating with tree root trusted domain of root DC in which the ipa trust is configured with / logs

2016-07-28 Thread Jakub Hrozek
On Thu, Jul 28, 2016 at 05:57:37PM +, Kimery, Roger wrote:
> Here is requested sssd_nss.log
> 
> 
> (Thu Jul 28 17:37:08 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443...@deluxetest1.com].
> (Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443...@deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167
> (Thu Jul 28 17:37:08 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com]
> (Thu Jul 28 17:37:08 2016) [sssd[nss]] [nss_cmd_getsidby_search] (0x0400): Requesting info for [t443...@deluxetest1.com]
> (Thu Jul 28 17:37:08 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
> (Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443...@deluxetest1.com]
> (Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [deluxetest1.com][4097][1][name=t443167]
> (Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fa8a106b0d0:1:t443...@deluxetest1.com]
> (Thu Jul 28 17:37:09 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
> Error: 3, 0, Account info lookup failed
> Will try to return what we have in cache

You need to look into the domain log to see why the lookup failed.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
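An added example, not code from the thread: it reads sssd_nss.log lines and extracts every lookup the Data Provider failed to answer, together with the domain and user SSSD resolved for that request, so you know which domain backend log to read next. The sample log is constructed from the excerpt quoted above, with the mail-wrapped lines rejoined.

```python
import re
from typing import Dict, List

# Constructed sample: the sssd_nss.log excerpt quoted in this thread, with the
# mail-wrapped lines rejoined. The user name is kept truncated as quoted.
SAMPLE_NSS_LOG = """\
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [277] with input [t443...@deluxetest1.com].
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 't443...@deluxetest1.com' matched expression for domain 'deluxetest1.com', user is t443167
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [t443167] from [deluxetest1.com]
(Thu Jul 28 17:37:08 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fa8a106b0d0:1:t443...@deluxetest1.com]
(Thu Jul 28 17:37:09 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 0, Account info lookup failed
Will try to return what we have in cache
"""

# Standard SSSD debug-line prefix: (timestamp) [sssd[nss]] [function] (level): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[nss\]\] \[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$")
# Emitted by sss_parse_name_for_domains once the name is split into user and domain
PARSED_RE = re.compile(r"name '(?P<name>[^']+)' matched expression for domain '(?P<domain>[^']+)', user is (?P<user>\S+)")
# Continuation line that follows "Unable to get information from Data Provider"
ERROR_RE = re.compile(r"^Error: (?P<dp_err>\d+), (?P<errno>\d+), (?P<text>.*)$")


def find_dp_failures(log_text: str) -> List[Dict[str, str]]:
    """Return one record per lookup the Data Provider failed to answer.

    Each record carries the domain and user SSSD resolved for the request,
    which tells the reader whose backend (domain) log to inspect next.
    """
    failures: List[Dict[str, str]] = []
    current: Dict[str, str] = {}   # domain/user of the lookup in progress
    pending: Dict[str, str] = {}   # failure waiting for its "Error:" line
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m is None:
            e = ERROR_RE.match(raw)
            if e and pending:
                pending.update(dp_error=e["dp_err"], errno=e["errno"], reason=e["text"])
                failures.append(pending)
                pending = {}
            continue
        func, msg = m["func"], m["msg"]
        if func == "sss_parse_name_for_domains":
            p = PARSED_RE.search(msg)
            if p:
                current = {"domain": p["domain"], "user": p["user"]}
        elif func == "nss_cmd_getby_dp_callback" and msg.startswith("Unable to get information from Data Provider"):
            pending = {"timestamp": m["ts"], **current}
    return failures
```

The domain log the reply refers to is the backend log of the SSSD domain section that serves the user, /var/log/sssd/sssd_<domain>.log; for a trusted AD domain that is the log of the IPA domain section.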


Re: [Freeipa-users] Authenticating with tree root trusted domain of root DC in which the ipa trust is configured with

2016-07-28 Thread Jakub Hrozek
On Wed, Jul 27, 2016 at 05:02:59PM +, Kimery, Roger wrote:
> Hello,
> 
> 
> We are running IPA version: 4.2.0, API_version: 2.156 on CentOS 7.2.1511 
> (Core)
> 
> 
> Trust is configured with Windows 2008 R2 Enterprise Domain roottest1.com
> 
> 
> Below is output from ipa trustdomain-find
> 
> Realm name: ROOTTEST1.COM
>   Domain name: deluxetest1.com
>   Domain NetBIOS name: DELUXETEST1
>   Domain Security Identifier: S-1-5-21-254737954-3826080811-539560843
>   Domain enabled: True
> 
>   Domain name: roottest1.com
>   Domain NetBIOS name: ROOTTEST1
>   Domain Security Identifier: S-1-5-21-3637171213-1932491363-3141112745
>   Domain enabled: True
> 
> Number of entries returned 2
> 
> 
> Users from the roottest1.com domain work fine, but users from the deluxetest1.com 
> domain cannot authenticate. As root you can su to users from both domains 
> and run id with the expected output. Below is the output from running id for a 
> user in each domain:
> 
> id t4431...@roottest1.com
> uid=908601177(t4431...@roottest1.com) gid=908601177(t4431...@roottest1.com) groups=908601177(t4431...@roottest1.com),908601174(hbac-on-root-glo...@roottest1.com),908601175(lsar-on-root-glo...@roottest1.com),908600513(domain us...@roottest1.com),111487(hbac-on-root-global),111486(lsar-on-root-global)
> 
> id t443...@deluxetest1.com
> uid=959201836(t443...@deluxetest1.com) gid=959201836(t443...@deluxetest1.com) groups=959201836(t443...@deluxetest1.com),908601174(hbac-on-root-glo...@roottest1.com),908601175(lsar-on-root-glo...@roottest1.com),959202271(hbac-on-glo...@deluxetest1.com),959202270(lsar-on-glo...@deluxetest1.com),959200512(domain adm...@deluxetest1.com),959200513(domain us...@deluxetest1.com),111487(hbac-on-root-global),111486(lsar-on-root-global),1114800010(lsar-on-global),111489(hbac-on-global)
> 
> I have tried making the groups in AD universal groups and adding the groups 
> from deluxetest1 as members of the related groups in roottest1, with no change 
> in the results. These groups can be seen in the output above.
> 
> Is there a way to get users from deluxetest1.com domain to function with the 
> same results as users from roottest1.com?
> 
> Please let me know what other information you need.

We need the SSSD logs:
https://fedorahosted.org/sssd/wiki/Troubleshooting



[Freeipa-users] Authenticating with tree root trusted domain of root DC in which the ipa trust is configured with

2016-07-27 Thread Kimery, Roger
Hello,


We are running IPA version: 4.2.0, API_version: 2.156 on CentOS 7.2.1511 (Core)


Trust is configured with Windows 2008 R2 Enterprise Domain roottest1.com


Below is output from ipa trustdomain-find

Realm name: ROOTTEST1.COM
  Domain name: deluxetest1.com
  Domain NetBIOS name: DELUXETEST1
  Domain Security Identifier: S-1-5-21-254737954-3826080811-539560843
  Domain enabled: True

  Domain name: roottest1.com
  Domain NetBIOS name: ROOTTEST1
  Domain Security Identifier: S-1-5-21-3637171213-1932491363-3141112745
  Domain enabled: True

Number of entries returned 2


Users from the roottest1.com domain work fine, but users from the deluxetest1.com domain 
cannot authenticate. As root you can su to users from both domains and run id 
with the expected output. Below is the output from running id for a user in each 
domain:

id t4431...@roottest1.com
uid=908601177(t4431...@roottest1.com) gid=908601177(t4431...@roottest1.com) groups=908601177(t4431...@roottest1.com),908601174(hbac-on-root-glo...@roottest1.com),908601175(lsar-on-root-glo...@roottest1.com),908600513(domain us...@roottest1.com),111487(hbac-on-root-global),111486(lsar-on-root-global)

id t443...@deluxetest1.com
uid=959201836(t443...@deluxetest1.com) gid=959201836(t443...@deluxetest1.com) groups=959201836(t443...@deluxetest1.com),908601174(hbac-on-root-glo...@roottest1.com),908601175(lsar-on-root-glo...@roottest1.com),959202271(hbac-on-glo...@deluxetest1.com),959202270(lsar-on-glo...@deluxetest1.com),959200512(domain adm...@deluxetest1.com),959200513(domain us...@deluxetest1.com),111487(hbac-on-root-global),111486(lsar-on-root-global),1114800010(lsar-on-global),111489(hbac-on-global)

I have tried making the groups in AD universal groups and adding the groups from 
deluxetest1 as members of the related groups in roottest1, with no change in the 
results. These groups can be seen in the output above.

Is there a way to get users from deluxetest1.com domain to function with the 
same results as users from roottest1.com?

Please let me know what other information you need.

Thanks!



Roger Kimery

Tech. Solutions Integration Engineer

Deluxe Rewards

44747 Helm Ct Plymouth, Mi. 48170

877-706-4321 ext 314912
