Re: [Freeipa-users] Cannot log in via SSH with AD user to IPA Domain.

2014-01-07 Thread Jakub Hrozek
On Tue, Jan 07, 2014 at 12:00:56AM +0200, Genadi Postrilko wrote:
> sssd_example.com.log after changing the debug level:
> https://gist.github.com/anonymous/8290381#file-sssd_example-com-log

This info from the log:
(Mon Jan  6 13:23:11 2014) [sssd[be[example.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations error(1), (null)
(Mon Jan  6 13:23:11 2014) [sssd[be[example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed

Plus the wbinfo output below indicates that you are seeing a similar
kind of error as the user in thread called "AD - Freeipa trust
confusion".

Would you mind getting the same debug information on the IPA server? In
short, set "smbcontrol winbindd debug 10", run the testcase, then revert
the debug level. Feel free to check the other thread for some more
details on debugging.

> 
> [genadi@ipaserver root]$ wbinfo -u
> (no output)
> 
> [genadi@ipaserver root]$ wbinfo -g
> admins
> editors
> default smb group
> ad_users
> ad_admins
> 
> [genadi@ipaserver root]$ wbinfo --trusted-domains
> BUILTIN
> EXAMPLE
> ADDC
> 
> [genadi@ipaserver root]$ wbinfo -i Administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user Administrator
> 
> [genadi@ipaserver root]$ wbinfo --domain-info ADDC.COM
> Name  : ADDC
> Alt_Name  : addc.com
> SID   : S-1-5-21-33789592-1708006097-2663368750
> Active Directory  : No
> Native: No
> Primary   : No

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



2014-01-06 Thread Genadi Postrilko
sssd_example.com.log after changing the debug level:
https://gist.github.com/anonymous/8290381#file-sssd_example-com-log

[genadi@ipaserver root]$ wbinfo -u
(no output)

[genadi@ipaserver root]$ wbinfo -g
admins
editors
default smb group
ad_users
ad_admins

[genadi@ipaserver root]$ wbinfo --trusted-domains
BUILTIN
EXAMPLE
ADDC

[genadi@ipaserver root]$ wbinfo -i Administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user Administrator

[genadi@ipaserver root]$ wbinfo --domain-info ADDC.COM
Name  : ADDC
Alt_Name  : addc.com
SID   : S-1-5-21-33789592-1708006097-2663368750
Active Directory  : No
Native: No
Primary   : No


2014-01-06 Thread Jakub Hrozek
On Fri, Jan 03, 2014 at 07:29:54PM +0200, Genadi Postrilko wrote:
> Here are the other logs as well (ldap_child.log, sssd_pac.log,
> sssd_ssh.log).
> 
> https://gist.github.com/anonymous/8242061
> 
> I attempted to log in (as administra...@addc.com) at 9:04.
> 
> Thanks for the help.
> 

You need the *domain* log. According to the logs, your domain is called
example.com, so you need to put debug_level=6 (or higher, but 6 should
be enough) into the section called [domain/example.com] in sssd.conf,
restart sssd, attempt the login and then attach
/var/log/sssd/sssd_example.com.log.

Given that SSSD is complaining about not being able to find the user, I
suspect a similar problem as in the other thread, that is, Winbind on
the server not being able to talk to the AD. Does "wbinfo -u $user" work
on the server?




2014-01-05 Thread Genadi Postrilko
What is the content of the log when SSSD is doing auth?

When I log in with an IPA domain client, the output of the log is (anything
non-standard?):

Jan  5 12:08:37 ipaserver sshd[24434]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1  user=r...@example.com
Jan  5 12:08:37 ipaserver sshd[24434]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1 user=r...@example.com
Jan  5 12:08:37 ipaserver sshd[24434]: Accepted password for ron@EXAMPLE.COM from 192.168.227.1 port 57144 ssh2
Jan  5 12:08:37 ipaserver sshd[24434]: pam_unix(sshd:session): session opened for user r...@example.com by (uid=0)

Here is the /etc/pam.d/system-auth file:
https://gist.github.com/anonymous/8273507
It does contain the pam_sss.so module.

When I created the environment, first I installed the IPA server, then
joined the IPA clients and finally created the trust.



2014-01-04 Thread Dmitri Pal
On 01/04/2014 06:13 PM, Genadi Postrilko wrote:
> Output from /var/log/secure:
>
> Jan  4 15:03:02 ipaserver sshd[5958]: Invalid user administra...@addc.com from 192.168.227.1
> Jan  4 15:03:02 ipaserver sshd[5959]: input_userauth_request: invalid user administra...@addc.com
> Jan  4 15:03:06 ipaserver sshd[5958]: pam_unix(sshd:auth): check pass; user unknown
> Jan  4 15:03:06 ipaserver sshd[5958]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1
> Jan  4 15:03:06 ipaserver sshd[5958]: pam_succeed_if(sshd:auth): error retrieving information about user administra...@addc.com
> Jan  4 15:03:08 ipaserver sshd[5958]: Failed password for invalid user administra...@addc.com from 192.168.227.1 port 53125 ssh2

I do not see SSSD doing auth.
Is pam_sss configured for PAM for SSH?
See more details here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#installing-host-keys
http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf

I do not see a simple HowTo to configure SSH to use SSSD for cases when
ipa-client-install is not used. Maybe we should provide one.
The expectation is:
You install IPA, create the trust, join the client to IPA using
ipa-client-install and it configures everything you need.
The order of the last two steps can be reversed but the result should be the
same.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



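The triage Dmitri does by eye above (no pam_sss line, "user unknown" from pam_unix, so sshd never resolved the AD user) and the working IPA-user login Genadi posts in his Jan 5 reply, written as a small log classifier. This is an added example, not code from the thread or from FreeIPA/SSSD: it groups /var/log/secure sshd lines by PID and reports whether the name resolved at all, whether pam_sss was consulted, and the outcome; it also covers the case the thread only asks about (a resolvable user whose PAM stack lacks pam_sss). The sample lines are constructed from the excerpts in this thread, with the archive's munged principals assumed to be Administrator@ADDC.COM and ron@example.com.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the /var/log/secure excerpts quoted in this
# thread: the failing AD-user login (Jan 4) and the working IPA-user login
# (Jan 5). The archive munges the principals; the full names here are assumed.
SAMPLE_SECURE = """\
Jan  4 15:03:02 ipaserver sshd[5958]: Invalid user Administrator@ADDC.COM from 192.168.227.1
Jan  4 15:03:02 ipaserver sshd[5959]: input_userauth_request: invalid user Administrator@ADDC.COM
Jan  4 15:03:06 ipaserver sshd[5958]: pam_unix(sshd:auth): check pass; user unknown
Jan  4 15:03:06 ipaserver sshd[5958]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1
Jan  4 15:03:06 ipaserver sshd[5958]: pam_succeed_if(sshd:auth): error retrieving information about user Administrator@ADDC.COM
Jan  4 15:03:08 ipaserver sshd[5958]: Failed password for invalid user Administrator@ADDC.COM from 192.168.227.1 port 53125 ssh2
Jan  5 12:08:37 ipaserver sshd[24434]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1  user=ron@example.com
Jan  5 12:08:37 ipaserver sshd[24434]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1 user=ron@example.com
Jan  5 12:08:37 ipaserver sshd[24434]: Accepted password for ron@EXAMPLE.COM from 192.168.227.1 port 57144 ssh2
Jan  5 12:08:37 ipaserver sshd[24434]: pam_unix(sshd:session): session opened for user ron@example.com by (uid=0)
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[PID]: message"
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM_RE = re.compile(r"^(?P<module>pam_\w+)\(sshd:(?P<type>\w+)\): (?P<rest>.*)$")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<rhost>\S+)")
ACCEPT_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<rhost>\S+)")
FAIL_RE = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+)")


def parse_secure(text):
    """Group sshd lines by PID into one record per login attempt."""
    attempts = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("input_userauth_request"):
            continue  # logged by the unprivileged privsep child under its own PID
        a = attempts.setdefault(m.group("pid"), {
            "user": None, "rhost": None, "invalid_user": False,
            "modules": [], "outcome": None,
        })
        im, pm = INVALID_RE.match(msg), PAM_RE.match(msg)
        am, fm = ACCEPT_RE.match(msg), FAIL_RE.match(msg)
        if im:
            a["invalid_user"] = True  # getpwnam() failed before PAM ever ran
            a["user"], a["rhost"] = im.group("user"), im.group("rhost")
        elif pm:
            a["modules"].append((pm.group("module"), pm.group("type"), pm.group("rest")))
        elif am:
            a["outcome"] = "accepted"
            a["user"], a["rhost"] = am.group("user"), am.group("rhost")
        elif fm:
            a["outcome"] = "failed"
            a["user"], a["rhost"] = fm.group("user"), fm.group("rhost")
    return attempts


def diagnose(a):
    """Return a verdict for one attempt, following the reasoning in the thread."""
    sss_auth = [rest for mod, typ, rest in a["modules"] if mod == "pam_sss" and typ == "auth"]
    if a["invalid_user"]:
        # sshd could not resolve the name, so the PAM auth stack never reached
        # pam_sss: the identity lookup (SSSD -> IPA -> winbind -> AD) is what
        # failed, not the password. pam_unix "user unknown" is just the side effect.
        return "USER_NOT_RESOLVED"
    if not sss_auth:
        # The user exists but only pam_unix/pam_succeed_if ran: pam_sss.so is
        # not in the sshd auth stack (/etc/pam.d/system-auth on RHEL 6).
        return "PAM_SSS_NOT_CONSULTED"
    if a["outcome"] == "accepted" and any("authentication success" in r for r in sss_auth):
        # pam_unix failing first is normal: the IPA user has no /etc/shadow entry.
        return "SSSD_AUTH_OK"
    return "SSSD_AUTH_REJECTED"  # pam_sss ran but said no: read the domain log


def diagnose_log(text):
    """Map sshd PID -> (user, verdict) for every attempt in a log excerpt."""
    return {pid: (a["user"], diagnose(a)) for pid, a in parse_secure(text).items()}


if __name__ == "__main__":
    for pid, (user, verdict) in diagnose_log(SAMPLE_SECURE).items():
        print(f"sshd[{pid}] {user}: {verdict}")
```

Run it against a real /var/log/secure with `diagnose_log(open("/var/log/secure").read())`; a run of USER_NOT_RESOLVED verdicts for trusted-domain users is the signature to chase in sssd_<domain>.log and winbind, as the thread does.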


2014-01-04 Thread Genadi Postrilko
Output from /var/log/secure:

Jan  4 15:03:02 ipaserver sshd[5958]: Invalid user Administrator@ADDC.COM from 192.168.227.1
Jan  4 15:03:02 ipaserver sshd[5959]: input_userauth_request: invalid user administra...@addc.com
Jan  4 15:03:06 ipaserver sshd[5958]: pam_unix(sshd:auth): check pass; user unknown
Jan  4 15:03:06 ipaserver sshd[5958]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1
Jan  4 15:03:06 ipaserver sshd[5958]: pam_succeed_if(sshd:auth): error retrieving information about user administra...@addc.com
Jan  4 15:03:08 ipaserver sshd[5958]: Failed password for invalid user administra...@addc.com from 192.168.227.1 port 53125 ssh2



2014-01-03 Thread Genadi Postrilko
Here are the other logs as well (ldap_child.log, sssd_pac.log,
sssd_ssh.log).

https://gist.github.com/anonymous/8242061

I attempted to log in (as administra...@addc.com) at 9:04.

Thanks for the help.



2014-01-03 Thread Jakub Hrozek
On Fri, Jan 03, 2014 at 12:33:16AM +0200, Genadi Postrilko wrote:
> Here are the sssd.log and sssd_nss.log. Other logs were empty or did not
> contain the output for the relevant login.
> 
> https://gist.github.com/anonymous/8228284

According to the gist, you only provided the debug logs from the [sssd] and
[nss] sections. Can you also paste the logs from the [domain/xxx]
section?




2014-01-02 Thread Genadi Postrilko
Here are the sssd.log and sssd_nss.log. Other logs were empty or did not
contain the output for the relevant login.

https://gist.github.com/anonymous/8228284



2014-01-02 Thread Andrew Holway
If you add "debug_level = 5" into every section of "/etc/sssd/sssd.conf"

Restart sssd

Try and log in again

cat /var/log/sssd/*

And paste that somewhere.




2014-01-02 Thread Dmitri Pal

Looks like an error similar to what I see in the other thread.
Unfortunately we might need to wait till Monday for Alexander, Sumit and
Jakub to come back and provide help.



2014-01-02 Thread Genadi Postrilko
It's a newly installed IPA Server; I haven't added any rules.

The relevant output from /var/log/secure:

Jan  2 13:36:24 ipaserver sshd[4864]: Invalid user  from 192.168.227.100
Jan  2 13:36:24 ipaserver sshd[4865]: input_userauth_request: invalid user
Jan  2 13:36:26 ipaserver sshd[4865]: Connection closed by 192.168.227.100
Jan  2 13:36:35 ipaserver sshd[4868]: Invalid user Administrator@ADDC.COM from 192.168.227.100
Jan  2 13:36:35 ipaserver sshd[4869]: input_userauth_request: invalid user administra...@addc.com
Jan  2 13:36:44 ipaserver sshd[4868]: pam_unix(sshd:auth): check pass; user unknown
Jan  2 13:36:44 ipaserver sshd[4868]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.100
Jan  2 13:36:44 ipaserver sshd[4868]: pam_succeed_if(sshd:auth): error retrieving information about user administra...@addc.com
Jan  2 13:36:46 ipaserver sshd[4868]: Failed password for invalid user administra...@addc.com from 192.168.227.100 port 62484 ssh2



2014-01-02 Thread Rob Crittenden

I'd check the sssd logs and /var/log/secure.

Do you have any HBAC rules?

rob



[Freeipa-users] Cannot log in via SSH with AD user to IPA Domain.

2014-01-02 Thread Genadi Postrilko
Hi all.

I have a running IPA Server (3.0.0-37) on RHEL 6.2.
I'm trying to create a trust between the IPA server and AD (in different DNS
domains). I followed the Red Hat guide
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/pdf/Identity_Management_Guide/Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US.pdf.

When I completed the needed steps to create the trust and retrieved a krb
ticket from the AD server:

[root@ipaserver ~]# kinit administra...@addc.com
Password for administra...@addc.com:
[root@ipaserver ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@addc.com

Valid starting     Expires            Service principal
01/02/14 12:20:30  01/02/14 22:20:34  krbtgt/addc@addc.com
        renew until 01/03/14 12:20:30

But when I try to connect to the IPA server via SSH (PuTTY) I get an "Access
denied" message:

login as: administra...@addc.com
administra...@addc.com@192.168.227.128's password:
Access denied

Any ideas on what I could have done wrong in the process of creating the
trust?

Thank you in advance.