Re: [Freeipa-users] FreeIPA ActiveDirectory Integration, Fedora and Windows 2008 R2 AD: "ipa: ERROR: an internal error has occurred"

2014-09-13 Thread Alexander Bokovoy

On Sat, 13 Sep 2014, Traiano Welcome wrote:

> On Sat, Sep 13, 2014 at 7:03 PM, Alexander Bokovoy wrote:
>
>> On Sat, 13 Sep 2014, Traiano Welcome wrote:
>>
>>> Hi
>>>
>>> I've managed to get trusts working with CentOS 7 as an IdM server,
>>> Win2K8R2 AD DC and CentOS6.5 as a client, using the exact same series
>>> of steps as in the documentation. Attached is the process I used.
>>
>> You got one step wrong:
>>
>> 8. Modify /etc/krb5.conf
>>
>> [realms]
>> ENGENEON.LOCAL = {
>>  kdc = idm003.engeneon.local:88
>>  master_kdc = idm003.engeneon.local:88
>>  admin_server = idm003.engeneon.local:749
>>  default_domain = engeneon.local
>>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>>  auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
>>  auth_to_local = DEFAULT
>> }
>>
>> Here you have to substitute AD_DOMAIN and ad_domain by your actual
>> AD domain name. This change has to be done currently on every IPA
>> machine where you are expecting AD users to log in.
>
> Doh! ok, fixed. Although, I didn't notice any login failures testing with a
> bunch of users. Is it possible this behavior is already being adapted
> around in either one of PAM, OpenSSH or KRB5?

This affects single sign-on logins, i.e. when you try to log on with a
Kerberos ticket.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA ActiveDirectory Integration, Fedora and Windows 2008 R2 AD: "ipa: ERROR: an internal error has occurred"

2014-09-13 Thread Traiano Welcome
On Sat, Sep 13, 2014 at 7:03 PM, Alexander Bokovoy wrote:

> On Sat, 13 Sep 2014, Traiano Welcome wrote:
>
>> Hi
>>
>> I've managed to get trusts working with CentOS 7 as an IdM server,
>> Win2K8R2
>> AD DC and CentOS6.5 as a client, using the exact same series of steps as
>> in
>> the documentation. Attached is the process I used.
>>
> You got one step wrong:
> 
> 
> 8. Modify /etc/krb5.conf
>
> [realms]
> ENGENEON.LOCAL = {
>  kdc = idm003.engeneon.local:88
>  master_kdc = idm003.engeneon.local:88
>  admin_server = idm003.engeneon.local:749
>  default_domain = engeneon.local
>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>  auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
>  auth_to_local = DEFAULT
> }
> 
> 
>
> Here you have to substitute AD_DOMAIN and ad_domain by your actual
> AD domain name. This change has to be done currently on every IPA
> machine where you are expecting AD users to log in.
>
>


Doh! ok, fixed. Although, I didn't notice any login failures testing with a
bunch of users. Is it possible this behavior is already being adapted
around in either one of PAM, OpenSSH or KRB5?




> For each domain in the trusted AD forest, AD_DOMAIN should be its realm
> and ad_domain should be the same in lower case, as SSSD normalizes user
> names to lower case. The rule tells the Kerberos library how to transform a
> Kerberos principal (thus the REALM has to be upper case, as required by
> MIT Kerberos) to a POSIX user name (thus put the domain name in lower case,
> as SSSD will normalize the user name). OpenSSH and some other software
> actually check that the POSIX user name corresponds to the value the Kerberos
> library will return to the OpenSSH daemon after running through the
> auth_to_local rules.
>
> I.e., in your case it would be
>
>   auth_to_local = RULE:[1:$1@$0](^.*@MHATEST.LOCAL$)s/@MHATEST.LOCAL/@mhatest.local/
>
> and if you have multiple subdomains, there should be multiple rules like
> this, one for each domain whose users you want to be able to log in.
> We are improving this in MIT Kerberos 1.12 and SSSD 1.12.1, where all
> these rules will be replaced with a plugin that fetches the list of domains
> from IPA servers and manages it automatically. However, it is currently
> not available in any released distribution.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] FreeIPA ActiveDirectory Integration, Fedora and Windows 2008 R2 AD: "ipa: ERROR: an internal error has occurred"

2014-09-13 Thread Alexander Bokovoy

On Sat, 13 Sep 2014, Traiano Welcome wrote:

> Hi
>
> I've managed to get trusts working with CentOS 7 as an IdM server, Win2K8R2
> AD DC and CentOS6.5 as a client, using the exact same series of steps as in
> the documentation. Attached is the process I used.

You got one step wrong:

8. Modify /etc/krb5.conf

[realms]
ENGENEON.LOCAL = {
 kdc = idm003.engeneon.local:88
 master_kdc = idm003.engeneon.local:88
 admin_server = idm003.engeneon.local:749
 default_domain = engeneon.local
 pkinit_anchors = FILE:/etc/ipa/ca.crt
 auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
 auth_to_local = DEFAULT
}


Here you have to substitute AD_DOMAIN and ad_domain by your actual
AD domain name. This change has to be done currently on every IPA
machine where you are expecting AD users to log in.

For each domain in the trusted AD forest, AD_DOMAIN should be its realm
and ad_domain should be the same in lower case, as SSSD normalizes user
names to lower case. The rule tells the Kerberos library how to transform a
Kerberos principal (thus the REALM has to be upper case, as required by
MIT Kerberos) to a POSIX user name (thus put the domain name in lower case,
as SSSD will normalize the user name). OpenSSH and some other software
actually check that the POSIX user name corresponds to the value the Kerberos
library will return to the OpenSSH daemon after running through the
auth_to_local rules.

I.e., in your case it would be

  auth_to_local = RULE:[1:$1@$0](^.*@MHATEST.LOCAL$)s/@MHATEST.LOCAL/@mhatest.local/

and if you have multiple subdomains, there should be multiple rules like
this, one for each domain whose users you want to be able to log in.
We are improving this in MIT Kerberos 1.12 and SSSD 1.12.1, where all
these rules will be replaced with a plugin that fetches the list of domains
from IPA servers and manages it automatically. However, it is currently
not available in any released distribution.

--
/ Alexander Bokovoy

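The auth_to_local mapping Alexander describes above, worked through as an added example written for this archive page (it is not code from FreeIPA, MIT Kerberos or the thread): a small simulation of the documented RULE:[n:template](selector)s/pattern/replacement/ evaluation, with Python's re module standing in for the POSIX regex engine MIT uses (equivalent for these rules), plus a generator that emits one rule per AD domain in the form his reply gives. It runs the unsubstituted AD_DOMAIN placeholder from step 8 and the corrected MHATEST.LOCAL rule side by side, and adds a rule for the LINUX.MHATEST.LOCAL subdomain named in the attached DNS notes (an assumption, to show why each subdomain needs its own rule). The realm ENGENEON.LOCAL comes from the thread; the principal names are constructed samples.

```python
"""Simulation of MIT Kerberos auth_to_local RULE evaluation for the
krb5.conf lines discussed in this thread. Added illustration, not code
from FreeIPA or MIT Kerberos: it follows the documented
RULE:[n:template](selector)s/pattern/replacement/[g] semantics using
Python's re module in place of the POSIX regex engine MIT uses."""
import re

IPA_REALM = 'ENGENEON.LOCAL'   # default realm of the IPA server in the thread


def parse_rule(rule):
    """Split 'RULE:[n:template](selector)s/pat/repl/[g]...' into its parts.
    Patterns containing escaped slashes are not handled (none are needed here)."""
    m = re.match(r'RULE:\[(\d+):([^\]]*)\](.*)$', rule)
    if not m:
        raise ValueError('not an auth_to_local RULE: ' + rule)
    ncomp, template, rest = int(m.group(1)), m.group(2), m.group(3)
    selector = None
    if rest.startswith('('):
        end = rest.index(')')
        selector, rest = rest[1:end], rest[end + 1:]
    subs = []
    while rest.startswith('s/'):
        pat, repl, rest = rest[2:].split('/', 2)
        glob = rest.startswith('g')
        if glob:
            rest = rest[1:]
        subs.append((pat, repl, glob))
    return ncomp, template, selector, subs


def apply_rule(rule, principal, default_realm=IPA_REALM):
    """Local name one rule yields for principal, or None if the rule does not
    apply (the library then tries the next auth_to_local line)."""
    name, realm = principal.rsplit('@', 1)
    comps = name.split('/')
    if rule == 'DEFAULT':
        # DEFAULT only maps single-component principals in the default realm.
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    ncomp, template, selector, subs = parse_rule(rule)
    if len(comps) != ncomp:
        return None
    # $0 is the realm, $1..$n are the principal components.
    out = template.replace('$0', realm)
    for i, comp in enumerate(comps, 1):
        out = out.replace('$%d' % i, comp)
    if selector and not re.search(selector, out):
        return None            # selector miss: rule skipped
    for pat, repl, glob in subs:
        out = re.sub(pat, repl, out, count=0 if glob else 1)
    return out


def map_principal(principal, rules, default_realm=IPA_REALM):
    """First local name produced by the rule list, else None (mapping failure)."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None


def auth_to_local_rule(ad_domain):
    """Emit the krb5.conf rule from the thread for one AD domain: realm in
    upper case (MIT requirement), mapped name in lower case (SSSD form).
    Dots are left unescaped, exactly as in the rule posted on the list."""
    realm = ad_domain.upper()
    return 'RULE:[1:$1@$0](^.*@%s$)s/@%s/@%s/' % (realm, realm, realm.lower())


# Step 8 as posted, with the placeholder never replaced.
BROKEN = ['RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/', 'DEFAULT']
# Corrected: one rule per AD domain (the LINUX.MHATEST.LOCAL rule is assumed).
FIXED = [auth_to_local_rule('MHATEST.LOCAL'),
         auth_to_local_rule('LINUX.MHATEST.LOCAL'),
         'DEFAULT']
# Constructed sample principals.
SAMPLES = ['bob@MHATEST.LOCAL', 'alice@LINUX.MHATEST.LOCAL',
           'admin@ENGENEON.LOCAL', 'host/idm003.engeneon.local@ENGENEON.LOCAL']

if __name__ == '__main__':
    for p in SAMPLES:
        print('%-45s broken=%-20s fixed=%s'
              % (p, map_principal(p, BROKEN), map_principal(p, FIXED)))
```

With the placeholder left in, the selector never matches a real principal, so the library falls through to DEFAULT, which only maps single-component principals in the IPA realm itself; an AD user therefore gets no local name at all, which is the failure seen on the ticket-based single sign-on logins Alexander refers to. The run also shows that the MHATEST.LOCAL rule does not match alice@LINUX.MHATEST.LOCAL, so each subdomain really does need its own line.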


Re: [Freeipa-users] FreeIPA ActiveDirectory Integration, Fedora and Windows 2008 R2 AD: "ipa: ERROR: an internal error has occurred"

2014-09-13 Thread Traiano Welcome
Hi

I've managed to get trusts working with CentOS 7 as an IdM server, Win2K8R2
AD DC and CentOS6.5 as a client, using the exact same series of steps as in
the documentation. Attached is the process I used.

I'll continue testing RHEL7 and Fedora 20.1 and submit a bug report if
necessary.

Thanks for the assistance all!!

Traiano




On Sat, Sep 13, 2014 at 12:07 AM, Alexander Bokovoy wrote:

> On Fri, 12 Sep 2014, Traiano Welcome wrote:
>
>> Hi List
>>
>>
>> I'm following the guide at
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Assumptions , this
>> time with Fedora 20.1.
>>
>>
>> Everything proceeds smoothly until I try to establish trust with the AD
>> domain controller, at which point IPA crashes:
>>
>> ---
>> [root@idm001 ~]# ipa trust-add --type=ad mhatest.local --admin
>> Administrator --password
>> Active directory domain administrator's password:
>> ipa: ERROR: an internal error has occurred
>> [root@idm001 ~]#
>> ---
>>
>> I've attached the exact, step by step process I used to arrive at this
>> point. Attached also are the debug logs (as per the debugging guidelines).
>>
> Looks like you have connectivity problems (or firewall?):
> finddcs: Found matching DC 172.16.107.109 with server_type=0x31fd
> [Fri Sep 12 23:30:00.471404 2014] [:error] [pid 3876] ipa: ERROR: LDAP
> error when connecting to KWTTSTADDC002: {'desc': "Can't contact LDAP
> server"}
>
> Anyway, please file a bug for Fedora and attach the logs there, we'll
> try to improve error messaging here.
>
>
>>
>> Many thanks in advance for any insight I could use to understand and fix
>> this issue! I am also moving on to re/testing the same process on
>> CentOS 7, CentOS 6.5 to rule out the possibility of subtle variations in
>> package version bugs (or basically net any that might exist :-p)
>>
> Yep.
>
>
> --
> / Alexander Bokovoy
>
1. AD DC Details

- Provides DNS via Windows DNS Server for MHATEST.LOCAL, ENGENEON.LOCAL, 
LINUX.MHATEST.LOCAL
- Win2K8 R2 Enterprise (VM running on Hyper-V)
- DNS hostname: kwttstaddc001.mhatest.local
- IP Address: 172.16.107.109


2. IdM Server Details

- CentOS Linux release 7.0.1406 (Core)
- DNS hostname: idm003.engeneon.local
- IP Address: 172.16.107.106


3. Linux Client machine:

 - 172.16.104.145 ronin.engeneon.local ronin
 - CentOS6.5


 Summary:


- IPA server IP address:  172.16.107.106
- IPA server hostname: idm003.engeneon.local 
- IPA domain: ipa_domain engeneon.local 
- IPA NetBIOS: ENGENEON 
- IPA Kerberos realm, IPA_DOMAIN, is equal to IPA domain: ENGENEON.LOCAL 
- AD DC IP address: ad_ip_address: 172.16.107.109
- AD DC hostname: ad_hostname: kwttstaddc001.mhatest.local
- AD domain: ad_domain: MHATEST.LOCAL
- AD NetBIOS: ad_netbios: MHATEST 
- AD admins group SID: 


4. Windows 2008 R2 AD DC Configuration Settings (172.16.107.109)


Printout summary from the "DCPROMO" configuration wizard:

- Configure this server as the first Active Directory domain controller in a 
new forest.
- The new domain name is "MHATEST.LOCAL". This is also the name of the new 
forest.
- The NetBIOS name of the domain is "MHATEST".
- Forest Functional Level: Windows Server 2008 R2
- Domain Functional Level: Windows Server 2008 R2
- Site: Default-First-Site-Name

- Additional Options:
  Read-only domain controller: "No"
  Global catalog: Yes
  DNS Server: Yes

- Create DNS Delegation: No

- Database folder: C:\Windows\NTDS
- Log file folder: C:\Windows\NTDS
- SYSVOL folder: C:\Windows\SYSVOL

- The DNS Server service will be installed on this computer.
- The DNS Server service will be configured on this computer.
- This computer will be configured to use this DNS server as its preferred DNS 
server.
- The password of the new domain Administrator will be the same as the password 
of the local Administrator of this computer.


A second AD integrated zone was created on the AD server for the IPA domain: 

 Name:  ENGENEON.LOCAL
 Type:  Active Directory-Integrated Primary
 Lookup type:   Forward


5. IDM Server Configuration Sequence:

 - Guide #1 (IPA Setup) 
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Assumptions
 - Guide #2 (AD setup) 
http://stef.thewalter.net/2012/08/how-to-create-active-directory-domain.html
 - Guide #3 (NOT USED IN THIS SEQUENCE!!): Mark Heslin's guide: "Integrating 
OSE for IdM for RHEL 1.0"


5.1 Installing the IPA server (CentOS 7, on VMware ESXI 5.5):


[done] yum update -y


 Set up the local caching name-server:

[DONE] yum install caching-nameserver
[DONE] configure forwarders in /etc/named.conf: forwarders { 172.16.107.109; /* 
... or the address of your ISP DNS server */ };


 Zone configuration on the IPA server:

--- 

 zone "mhatest.local" {
type stub;
masters { 172.16.107.109; };
 };


 zone "engeneon.local" {
type stub;
masters { 172.16.107.109; };
 };


---


- Testing that the IPA server can use the local caching DNS service to resolve 
the test AD domain:


 ---
 [root@idm001 ~]# dig +short soa mhatest.local @127.0.0.1

Re: [Freeipa-users] FreeIPA ActiveDirectory Integration, Fedora and Windows 2008 R2 AD: "ipa: ERROR: an internal error has occurred"

2014-09-12 Thread Alexander Bokovoy

On Fri, 12 Sep 2014, Traiano Welcome wrote:

> Hi List
>
> I'm following the guide at
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Assumptions , this
> time with Fedora 20.1.
>
> Everything proceeds smoothly until I try to establish trust with the AD
> domain controller, at which point IPA crashes:
>
> ---
> [root@idm001 ~]# ipa trust-add --type=ad mhatest.local --admin
> Administrator --password
> Active directory domain administrator's password:
> ipa: ERROR: an internal error has occurred
> [root@idm001 ~]#
> ---
>
> I've attached the exact, step by step process I used to arrive at this
> point. Attached also are the debug logs (as per the debugging guidelines).

Looks like you have connectivity problems (or firewall?):
finddcs: Found matching DC 172.16.107.109 with server_type=0x31fd
[Fri Sep 12 23:30:00.471404 2014] [:error] [pid 3876] ipa: ERROR: LDAP
error when connecting to KWTTSTADDC002: {'desc': "Can't contact LDAP
server"}

Anyway, please file a bug for Fedora and attach the logs there, we'll
try to improve error messaging here.




> Many thanks in advance for any insight I could use to understand and fix
> this issue! I am also moving on to re/testing the same process on
> CentOS 7, CentOS 6.5 to rule out the possibility of subtle variations in
> package version bugs (or basically net any that might exist :-p)

Yep.


--
/ Alexander Bokovoy

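A pre-flight check for the symptom Alexander reads out of the logs above (finddcs located the DC, but IPA's LDAP connection to it then failed), as an added example written for this archive page and not code from FreeIPA or the thread: it pulls the DC name out of the error line, resolves it from the IPA server, and attempts a TCP connect to each port the IPA server must reach on the DC, so a closed or filtered port shows up as False before ipa trust-add is run again. The port list is an assumption (standard AD service ports, not a list the thread gives), and the resolver and connect function are injectable so the report logic can be exercised offline; the log lines are constructed from the error quoted in the thread.

```python
"""Connectivity pre-flight for the failure in this thread: finddcs found the
DC, but IPA's LDAP connection to it could not be made. Added illustration,
not FreeIPA code. The port list is an assumption (standard AD ports)."""
import re
import socket

# Assumed ports the IPA server needs to reach on the AD DC during trust setup.
AD_PORTS = {53: 'dns', 88: 'kerberos', 389: 'ldap', 445: 'smb',
            636: 'ldaps', 3268: 'global catalog'}

LOG_RE = re.compile(r'LDAP error when connecting to (\S+):')


def dc_from_log(lines):
    """Name of the DC the LDAP connect failed against, from error_log lines."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            return m.group(1)
    return None


def tcp_open(ip, port, timeout=3.0):
    """True when a TCP handshake to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(dc_name, ports=AD_PORTS, resolve=socket.gethostbyname,
              connect=tcp_open):
    """Resolve the DC and probe every port. resolve/connect are injectable so
    the report logic can be exercised without network access."""
    try:
        ip = resolve(dc_name)
    except OSError:
        return {'dc': dc_name, 'resolved': None, 'ports': {}}
    return {'dc': dc_name, 'resolved': ip,
            'ports': {p: connect(ip, p) for p in ports}}


def unreachable(report):
    """(port, service) pairs that failed, sorted by port."""
    return [(p, AD_PORTS.get(p, '?'))
            for p, ok in sorted(report['ports'].items()) if not ok]


# Constructed log lines modelled on the error quoted in the thread.
SAMPLE_LOG = [
    'finddcs: Found matching DC 172.16.107.109 with server_type=0x31fd',
    '[Fri Sep 12 23:30:00.471404 2014] [:error] [pid 3876] ipa: ERROR: LDAP '
    'error when connecting to KWTTSTADDC002: {\'desc\': "Can\'t contact LDAP server"}',
]

if __name__ == '__main__':
    dc = dc_from_log(SAMPLE_LOG)
    report = preflight(dc)
    if report['resolved'] is None:
        print('%s does not resolve from this host; check DNS forwarding first' % dc)
    else:
        print('%s -> %s' % (dc, report['resolved']))
        for port, svc in unreachable(report):
            print('  cannot reach %s/tcp (%s): closed or filtered' % (port, svc))
```

The name in the error line is the short host name, so the resolve step depends on the IPA server's search domain and its forwarders; a failure there points at DNS rather than a firewall, while a resolved address with 389/tcp failing matches the "Can't contact LDAP server" message. Worth running against every DC name that appears in the material: the attached notes list the DC as kwttstaddc001, while the SOA record in the same notes and the error line both name kwttstaddc002.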


[Freeipa-users] FreeIPA ActiveDirectory Integration, Fedora and Windows 2008 R2 AD: "ipa: ERROR: an internal error has occurred"

2014-09-12 Thread Traiano Welcome
Hi List


I'm following the guide at
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Assumptions , this
time with Fedora 20.1.


Everything proceeds smoothly until I try to establish trust with the AD
domain controller, at which point IPA crashes:

---
[root@idm001 ~]# ipa trust-add --type=ad mhatest.local --admin
Administrator --password
Active directory domain administrator's password:
ipa: ERROR: an internal error has occurred
[root@idm001 ~]#
---

I've attached the exact, step by step process I used to arrive at this
point. Attached also are the debug logs (as per the debugging guidelines).


Many thanks in advance for any insight I could use to understand and fix
this issue! I am also moving on to re/testing the same process on
CentOS 7, CentOS 6.5 to rule out the possibility of subtle variations in
package version bugs (or basically net any that might exist :-p)


Regards,
Traiano
1. AD DC Details

- Provides DNS via Windows DNS Server for MHATEST.LOCAL, ENGENEON.LOCAL, 
LINUX.MHATEST.LOCAL
- Win2K8 R2 Enterprise (VM running on Hyper-V)
- DNS hostname: kwttstaddc001.mhatest.local
- IP Address: 172.16.107.109



2. IdM Server Details

- Fedora 20.??? (Fedora-Live-Desktop-x86_64-20-1)
- DNS hostname: idm001.engeneon.local
- IP Address: 172.16.107.108


3. Linux Client machine:

 - 172.16.104.145 ronin.engeneon.local ronin
 - CentOS6.5


 Summary:


- IPA server IP address:  172.16.107.108
- IPA server hostname: idm001.engeneon.local 
- IPA domain: ipa_domain engeneon.local 
- IPA NetBIOS: ENGENEON 
- IPA Kerberos realm, IPA_DOMAIN, is equal to IPA domain: ENGENEON.LOCAL 
- AD DC IP address: ad_ip_address: 172.16.107.109
- AD DC hostname: ad_hostname: kwttstaddc001.mhatest.local
- AD domain: ad_domain: MHATEST.LOCAL
- AD NetBIOS: ad_netbios: MHATEST 
- AD admins group SID: 


4. Windows 2008 R2 AD DC Configuration Settings (172.16.107.109)


Printout summary from the "DCPROMO" configuration wizard:

- Configure this server as the first Active Directory domain controller in a 
new forest.
- The new domain name is "MHATEST.LOCAL". This is also the name of the new 
forest.
- The NetBIOS name of the domain is "MHATEST".
- Forest Functional Level: Windows Server 2008 R2
- Domain Functional Level: Windows Server 2008 R2
- Site: Default-First-Site-Name

- Additional Options:
  Read-only domain controller: "No"
  Global catalog: Yes
  DNS Server: Yes

- Create DNS Delegation: No

- Database folder: C:\Windows\NTDS
- Log file folder: C:\Windows\NTDS
- SYSVOL folder: C:\Windows\SYSVOL

- The DNS Server service will be installed on this computer.
- The DNS Server service will be configured on this computer.
- This computer will be configured to use this DNS server as its preferred DNS 
server.
- The password of the new domain Administrator will be the same as the password 
of the local Administrator of this computer.


A second AD integrated zone was created on the AD server for the IPA domain: 

 Name:  ENGENEON.LOCAL
 Type:  Active Directory-Integrated Primary
 Lookup type:   Forward


5. IDM Server Configuration Sequence:

 - Guide #1 (IPA Setup) 
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Assumptions
 - Guide #2 (AD setup) 
http://stef.thewalter.net/2012/08/how-to-create-active-directory-domain.html
 - Guide #3 (NOT USED IN THIS SEQUENCE!!): Mark Heslin's guide: "Integrating 
OSE for IdM for RHEL 1.0"


5.1 Installing the IPA server (Fedora 20.x, on VMware ESXI 5.5):


[done] yum update -y


 Set up the local caching name-server:

[DONE] yum install caching-nameserver
[DONE] configure forwarders in /etc/named.conf: forwarders { 172.16.107.109; /* 
... or the address of your ISP DNS server */ };


 Zone configuration on the IPA server:

--- 

 zone "mhatest.local" {
type stub;
masters { 172.16.107.109; };
 };


 zone "engeneon.local" {
type stub;
masters { 172.16.107.109; };
 };


---


- Testing that the IPA server can use the local caching DNS service to resolve 
the test AD domain:

---
[root@idm001 ~]# dig +short soa mhatest.local @127.0.0.1
kwttstaddc002.mhatest.local. hostmaster.mhatest.local. 23 900 600 86400 3600
---



[DONE] yum install -y "*ipa-server" "*ipa-server-trust-ad" 
samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap


---
Package freeipa-server-3.3.5-1.fc20.x86_64 already installed and latest version
Package freeipa-server-trust-ad-3.3.5-1.fc20.x86_64 already installed and 
latest version
Package 2:samba-winbind-clients-4.1.9-4.fc20.x86_64 already installed and 
latest version
Package 2:samba-winbind-4.1.9-4.fc20.x86_64 already installed and latest version
Package 2:samba-client-4.1.9-4.fc20.x86_64 already installed and latest version
Package 32:bind-9.9.4-15.P2.fc20.x86_64 already installed and latest version
Package bind-dyndb-ldap-4.3-1.fc20.x86_64 already installed and latest version
---


[DONE] Configure hostname and /etc/hosts:

---
[root@idm001 ~]# cat /etc/hosts
127.0.0.1   localhost.localdomain loc