Re: [Freeipa-users] FreeIPA ActiveDirectory Integration, Fedora and Windows 2008 R2 AD: "ipa: ERROR: an internal error has occurred"
On Sat, 13 Sep 2014, Traiano Welcome wrote: On Sat, Sep 13, 2014 at 7:03 PM, Alexander Bokovoy wrote: On Sat, 13 Sep 2014, Traiano Welcome wrote: Hi I've managed to get trusts working with CentOS 7 as an IdM server, Win2K8R2 AD DC and CentOS6.5 as a client, using the exact same series of steps as in the documentation. Attached is the process I used. You got one step wrong: 8. Modify /etc/krb5.conf [realms] ENGENEON.LOCAL = { kdc = idm003.engeneon.local:88 master_kdc = idm003.engeneon.local:88 admin_server = idm003.engeneon.local:749 default_domain = engeneon.local pkinit_anchors = FILE:/etc/ipa/ca.crt auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/ auth_to_local = DEFAULT } Here you have to substitute AD_DOMAIN and ad_domain by your actual AD domain name. This change has to be done currently on every IPA machine where you are expecting AD users to log in. Doh! ok, fixed. Although, I didn't notice any login failures testing with a bunch of users. Is it possible this behavior is already being adapted around in either one of PAM, OpenSSH or KRB5? This affects single sign-on logins, i.e. when you try to logon with Kerberos ticket. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA ActiveDirectory Integration, Fedora and Windows 2008 R2 AD: "ipa: ERROR: an internal error has occurred"
On Sat, Sep 13, 2014 at 7:03 PM, Alexander Bokovoy wrote: > On Sat, 13 Sep 2014, Traiano Welcome wrote: > >> Hi >> >> I've managed to get trusts working with CentOS 7 as an IdM server, >> Win2K8R2 >> AD DC and CentOS6.5 as a client, using the exact same series of steps as >> in >> the documentation. Attached is the process I used. >> > You got one step wrong: > > > 8. Modify /etc/krb5.conf > > [realms] > ENGENEON.LOCAL = { > kdc = idm003.engeneon.local:88 > master_kdc = idm003.engeneon.local:88 > admin_server = idm003.engeneon.local:749 > default_domain = engeneon.local > pkinit_anchors = FILE:/etc/ipa/ca.crt > auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/ > auth_to_local = DEFAULT > } > > > > Here you have to substitute AD_DOMAIN and ad_domain by your actual > AD domain name. This change has to be done currently on every IPA > machine where you are expecting AD users to log in. > > Doh! ok, fixed. Although, I didn't notice any login failures testing with a bunch of users. Is it possible this behavior is already being adapted around in either one of PAM, OpenSSH or KRB5? > For each domain in the trusted AD forest, AD_DOMAIN should be its realm > and ad_domain should be the same in low-case as SSSD normalizes user > names to lower case. The rule tells Kerberos library how to transform a > Kerberos principal (thus REALM has to be upper case as it is required in > MIT Kerberos) to a POSIX user name (thus put domain name in lower case > as SSSD will normalize the user name). OpenSSH and some other software > actually checks that POSIX user name corresponds to the value Kerberos > library will return to OpenSSH daemon after running through > auth_to_local rules. > > I.e., in your case it would be > > auth_to_local = RULE:[1:$1@$0](^.*@MHATEST.LOCAL$)s/@MHATEST.LOCAL/@ > mhatest.local/ > > and if you have multiple subdomains, there should be multiple rules like > this, each for the domain which users you want to be able to log in. > We are improving this in MIT Kerberos 1.12 and SSSD 1.12.1 where all > these rules will be replaced with a plugin that fetches list of domains > from IPA servers and automatically manage it. However, it is currently > not available in any released distribution. > > -- > / Alexander Bokovoy > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA ActiveDirectory Integration, Fedora and Windows 2008 R2 AD: "ipa: ERROR: an internal error has occurred"
On Sat, 13 Sep 2014, Traiano Welcome wrote: Hi I've managed to get trusts working with CentOS 7 as an IdM server, Win2K8R2 AD DC and CentOS6.5 as a client, using the exact same series of steps as in the documentation. Attached is the process I used. You got one step wrong: 8. Modify /etc/krb5.conf [realms] ENGENEON.LOCAL = { kdc = idm003.engeneon.local:88 master_kdc = idm003.engeneon.local:88 admin_server = idm003.engeneon.local:749 default_domain = engeneon.local pkinit_anchors = FILE:/etc/ipa/ca.crt auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/ auth_to_local = DEFAULT } Here you have to substitute AD_DOMAIN and ad_domain by your actual AD domain name. This change has to be done currently on every IPA machine where you are expecting AD users to log in. For each domain in the trusted AD forest, AD_DOMAIN should be its realm and ad_domain should be the same in low-case as SSSD normalizes user names to lower case. The rule tells Kerberos library how to transform a Kerberos principal (thus REALM has to be upper case as it is required in MIT Kerberos) to a POSIX user name (thus put domain name in lower case as SSSD will normalize the user name). OpenSSH and some other software actually checks that POSIX user name corresponds to the value Kerberos library will return to OpenSSH daemon after running through auth_to_local rules. I.e., in your case it would be auth_to_local = RULE:[1:$1@$0](^.*@MHATEST.LOCAL$)s/@MHATEST.LOCAL/@mhatest.local/ and if you have multiple subdomains, there should be multiple rules like this, each for the domain which users you want to be able to log in. We are improving this in MIT Kerberos 1.12 and SSSD 1.12.1 where all these rules will be replaced with a plugin that fetches list of domains from IPA servers and automatically manage it. However, it is currently not available in any released distribution. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA ActiveDirectory Integration, Fedora and Windows 2008 R2 AD: "ipa: ERROR: an internal error has occurred"
Hi I've managed to get trusts working with CentOS 7 as an IdM server, Win2K8R2 AD DC and CentOS6.5 as a client, using the exact same series of steps as in the documentation. Attached is the process I used. I'll continue testing RHEL7 and Fedora 20.1 and submit a bug report if necessary. Thanks for the assistance all!! Traiano On Sat, Sep 13, 2014 at 12:07 AM, Alexander Bokovoy wrote: > On Fri, 12 Sep 2014, Traiano Welcome wrote: > >> Hi List >> >> >> I'm following the guide at >> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Assumptions , this >> time with Fedora 20.1. >> >> >> Everything proceeds smoothly until I try to establish trust with the AD >> domain controller, at which point IPA crashes: >> >> --- >> [root@idm001 ~]# ipa trust-add --type=ad mhatest.local --admin >> Administrator --password >> Active directory domain administrator's password: >> ipa: ERROR: an internal error has occurred >> [root@idm001 ~]# >> --- >> >> I've attached the exact, step by step process I used to arrive at this >> point. Attached also are the debug logs (as per the debugging guidelines). >> > Looks like you have connectivity problems (or firewall?): > finddcs: Found matching DC 172.16.107.109 with server_type=0x31fd > [Fri Sep 12 23:30:00.471404 2014] [:error] [pid 3876] ipa: ERROR: LDAP > error when connecting to KWTTSTADDC002: {'desc': "Can't contact LDAP > server"} > > Anyway, please file a bug for Fedora and attach the logs there, we'll > try to improve error messaging here. > > >> >> Many thanks in advance for any insight I could use to understand and fix >> this issue! I am also moving on to re/testing the same process on >> CentOS 7, CentOS 6.5 to rule out the possibility of subtle variations in >> package version bugs (or basically net any that might exist :-p) >> > Yep. > > > -- > / Alexander Bokovoy > 1. AD DC Details - Provides DNS via Windows DNS Server for MHATEST.LOCAL, ENGENEON.LOCAL, LINUX.MHATEST.LOCAL - Win2K8 R2 Enterprise (VM running on Hyper-V) - DNS hostname: kwttstaddc001.mhatest.local - IP Address: 172.16.107.109 2. IdM Server Details - CentOS Linux release 7.0.1406 (Core) - DNS hostname: idm003.engeneon.local - IP Address: 172.16.107.106 3. Linux Client machine: - 172.16.104.145 ronin.engeneon.local ronin - CentOS6.5 Summary: - IPA server IP address: 172.16.107.106 - IPA server hostname: idm003.engeneon.local - IPA domain: ipa_domain engeneon.local - IPA NetBIOS: ENGENEON - IPA Kerberos realm, IPA_DOMAIN, is equal to IPA domain: ENGENEON.LOCAL - AD DC IP address: ad_ip_address: 172.16.107.109 - AD DC hostname: ad_hostname: kwttstaddc001.mhatest.local - AD domain: ad_domain: MHATEST.LOCAL - AD NetBIOS: ad_netbios: MHATEST - AD admins group SID: 4. Windows 2008 R2 AD DC Configuration Settings (172.16.107.109) Printout summary from the "DCPROMO" configuration wizard: - Configure this server as the first Active Directory domain controller in a new forest. - The new domain name is "MHATEST.LOCAL". This is also the name of the new forest. - The NetBIOS name of the domain is "MHATEST". - Forest Functional Level: Windows Server 2008 R2 - Domain Functional Level: Windows Server 2008 R2 - Site: Default-First-Site-Name - Additional Options: Read-only domain controller: "No" Global catalog: Yes DNS Server: Yes - Create DNS Delegation: No - Database folder: C:\Windows\NTDS - Log file folder: C:\Windows\NTDS - SYSVOL folder: C:\Windows\SYSVOL - The DNS Server service will be installed on this computer. - The DNS Server service will be configured on this computer. - This computer will be configured to use this DNS server as its preferred DNS server. - The password of the new domain Administrator will be the same as the password of the local Administrator of this computer. A second AD integrated zone was created on the AD server for the IPA domain: Name: ENGENEON.LOCAL Type: Active Directory-Integrated Primary Lookup type: Forward 5. IDM Server Configuration Sequence: - Guide #1 (IPA Setup) http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Assumptions - Guide #2 (AD setup) http://stef.thewalter.net/2012/08/how-to-create-active-directory-domain.html - Guide #3 (NOT USED IN THIS SEQUENCE!!): Mark Heslin's guide: "Integrating OSE for IdMfor RHEL 1.0" 5.1 Installing the IPA server (CentOS 7, on VMware ESXI 5.5): [done] yum update -y Setup the local caching name-server: [DONE] yum install caching-nameserver [DONE] configure forwarders in /etc/named.conf: forwarders { 172.16.107.109; /* ... or the address of your ISP DNS server */ }; Zone configuration on the IPA server: --- zone "mhatest.local" { type stub; masters { 172.16.107.109; }; }; zone "engeneon.local" { type stub; masters { 172.16.107.109; }; }; --- - Testing that the IPA server can use the local caching dns servicet to resolve the test AD domain: --- [root@idm001 ~]# dig +short soa mhatest.local @127.0.0.1
Re: [Freeipa-users] FreeIPA ActiveDirectory Integration, Fedora and Windows 2008 R2 AD: "ipa: ERROR: an internal error has occurred"
On Fri, 12 Sep 2014, Traiano Welcome wrote: Hi List I'm following the guide at http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Assumptions , this time with Fedora 20.1. Everything proceeds smoothly until I try to establish trust with the AD domain controller, at which point IPA crashes: --- [root@idm001 ~]# ipa trust-add --type=ad mhatest.local --admin Administrator --password Active directory domain administrator's password: ipa: ERROR: an internal error has occurred [root@idm001 ~]# --- I've attached the exact, step by step process I used to arrive at this point. Attached also are the debug logs (as per the debugging guidelines). Looks like you have connectivity problems (or firewall?): finddcs: Found matching DC 172.16.107.109 with server_type=0x31fd [Fri Sep 12 23:30:00.471404 2014] [:error] [pid 3876] ipa: ERROR: LDAP error when connecting to KWTTSTADDC002: {'desc': "Can't contact LDAP server"} Anyway, please file a bug for Fedora and attach the logs there, we'll try to improve error messaging here. Many thanks in advance for any insight I could use to understand and fix this issue! I am also moving on to re/testing the same process on CentOS 7, CentOS 6.5 to rule out the possibility of subtle variations in package version bugs (or basically net any that might exist :-p) Yep. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] FreeIPA ActiveDirectory Integration, Fedora and Windows 2008 R2 AD: "ipa: ERROR: an internal error has occurred"
Hi List I'm following the guide at http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Assumptions , this time with Fedora 20.1. Everything proceeds smoothly until I try to establish trust with the AD domain controller, at which point IPA crashes: --- [root@idm001 ~]# ipa trust-add --type=ad mhatest.local --admin Administrator --password Active directory domain administrator's password: ipa: ERROR: an internal error has occurred [root@idm001 ~]# --- I've attached the exact, step by step process I used to arrive at this point. Attached also are the debug logs (as per the debugging guidelines). Many thanks in advance for any insight I could use to understand and fix this issue! I am also moving on to re/testing the same process on CentOS 7, CentOS 6.5 to rule out the possibility of subtle variations in package version bugs (or basically net any that might exist :-p) Regards, Traiano 1. AD DC Details - Provides DNS via Windows DNS Server for MHATEST.LOCAL, ENGENEON.LOCAL, LINUX.MHATEST.LOCAL - Win2K8 R2 Enterprise (VM running on Hyper-V) - DNS hostname: kwttstaddc001.mhatest.local - IP Address: 172.16.107.109 2. IdM Server Details - Fedora 20.??? (Fedora-Live-Desktop-x86_64-20-1) - DNS hostname: idm001.engeneon.local - IP Address: 172.16.107.108 3. Linux Client machine: - 172.16.104.145 ronin.engeneon.local ronin - CentOS6.5 Summary: - IPA server IP address: 172.16.107.108 - IPA server hostname: idm001.engeneon.local - IPA domain: ipa_domain engeneon.local - IPA NetBIOS: ENGENEON - IPA Kerberos realm, IPA_DOMAIN, is equal to IPA domain: ENGENEON.LOCAL - AD DC IP address: ad_ip_address: 172.16.107.109 - AD DC hostname: ad_hostname: kwttstaddc001.mhatest.local - AD domain: ad_domain: MHATEST.LOCAL - AD NetBIOS: ad_netbios: MHATEST - AD admins group SID: 4. Windows 2008 R2 AD DC Configuration Settings (172.16.107.109) Printout summary from the "DCPROMO" configuration wizard: - Configure this server as the first Active Directory domain controller in a new forest. - The new domain name is "MHATEST.LOCAL". This is also the name of the new forest. - The NetBIOS name of the domain is "MHATEST". - Forest Functional Level: Windows Server 2008 R2 - Domain Functional Level: Windows Server 2008 R2 - Site: Default-First-Site-Name - Additional Options: Read-only domain controller: "No" Global catalog: Yes DNS Server: Yes - Create DNS Delegation: No - Database folder: C:\Windows\NTDS - Log file folder: C:\Windows\NTDS - SYSVOL folder: C:\Windows\SYSVOL - The DNS Server service will be installed on this computer. - The DNS Server service will be configured on this computer. - This computer will be configured to use this DNS server as its preferred DNS server. - The password of the new domain Administrator will be the same as the password of the local Administrator of this computer. A second AD integrated zone was created on the AD server for the IPA domain: Name: ENGENEON.LOCAL Type: Active Directory-Integrated Primary Lookup type: Forward 5. IDM Server Configuration Sequence: - Guide #1 (IPA Setup) http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Assumptions - Guide #2 (AD setup) http://stef.thewalter.net/2012/08/how-to-create-active-directory-domain.html - Guide #3 (NOT USED IN THIS SEQUENCE!!): Mark Heslin's guide: "Integrating OSE for IdMfor RHEL 1.0" 5.1 Installing the IPA server (Fedora 20.x, on VMware ESXI 5.5): [done] yum update -y Setup the local caching name-server: [DONE] yum install caching-nameserver [DONE] configure forwarders in /etc/named.conf: forwarders { 172.16.107.109; /* ... or the address of your ISP DNS server */ }; Zone configuration on the IPA server: --- zone "mhatest.local" { type stub; masters { 172.16.107.109; }; }; zone "engeneon.local" { type stub; masters { 172.16.107.109; }; }; --- - Testing that the IPA server can use the local caching dns servicet to resolve the test AD domain: --- [root@idm001 ~]# dig +short soa mhatest.local @127.0.0.1 kwttstaddc002.mhatest.local. hostmaster.mhatest.local. 23 900 600 86400 3600 --- [DONE] yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap --- Package freeipa-server-3.3.5-1.fc20.x86_64 already installed and latest version Package freeipa-server-trust-ad-3.3.5-1.fc20.x86_64 already installed and latest version Package 2:samba-winbind-clients-4.1.9-4.fc20.x86_64 already installed and latest version Package 2:samba-winbind-4.1.9-4.fc20.x86_64 already installed and latest version Package 2:samba-client-4.1.9-4.fc20.x86_64 already installed and latest version Package 32:bind-9.9.4-15.P2.fc20.x86_64 already installed and latest version Package bind-dyndb-ldap-4.3-1.fc20.x86_64 already installed and latest version --- [DONE] Configure hostname and /etc/hosts: --- [root@idm001 ~]# cat /etc/hosts 127.0.0.1 localhost.localdomain loc