Re: [Freeipa-users] LDAP bind failing on new IPA setup
On Fri, Apr 17, 2015 at 10:29:31AM -0400, Gould, Joshua wrote:
> We set up our new IPA server (RHEL7) with a trust against our AD domain. The
> trust and ID range look right in IPA
>
> [root sssd]# ipa trust-show
>   Realm name: example.com
>   Realm name: EXAMPLE.COM
>   Domain NetBIOS name: EXAMPLE
>   Domain Security Identifier: S-1-5-21-
>   Trust direction: Two-way trust
>   Trust type: Active Directory domain
> [root sssd]# ipa idrange-find --all
>
> 2 ranges matched
>
>   dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=examle,dc=com
>   Range name: EXAMPLE.COM_id_range
>   First Posix ID of the range: 200
>   Number of IDs in the range: 90
>   First RID of the corresponding RID range: 0
>   Domain SID of the trusted domain: S-1-5-21-
>   Range type: Active Directory domain range
>   iparangetyperaw: ipa-ad-trust
>   objectclass: ipatrustedaddomainrange, ipaIDrange
>
>   dn: cn=UNIX.EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
>   Range name: UNIX.EXAMPLE.COM_id_range
>   First Posix ID of the range: 36960
>   Number of IDs in the range: 20
>   First RID of the corresponding RID range: 1000
>   First RID of the secondary RID range: 1
>   Range type: local domain range
>   iparangetyperaw: ipa-local
>   objectclass: top, ipaIDrange, ipaDomainIDRange
>
> Number of entries returned 2
>
> [root sssd]#
>
> I see that the bind fails but I'm not sure why. Here are the errors. Could
> someone point me in the right direction please?
>
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/xxx, UNIX.EXAMPLE.COM, 86400)
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service EXAMPLE.COM
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'EXAMPLE.COM'
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [get_server_status] (0x1000): Status of server 'domain_controller.EXAMPLE.COM' is 'name resolved'
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [get_server_status] (0x1000): Status of server 'domain_controller.EXAMPLE.COM' is 'name resolved'
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [be_resolve_server_process] (0x0200): Found address for server domain_controller.EXAMPLE.COM: [1.2.3.4] TTL 3600
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 70
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [8734]
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_handler_setup] (0x2000): Signal handler set up for pid [8734]
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x7f6ca7b71b70], connected[1], ops[(nil)], ldap[0x7f6ca7b89f20]
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_sig_handler] (0x1000): Waiting for child [8734].
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_sig_handler] (0x0100): child [8734] finished successfully.
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_UNIX.EXAMPLE.COM], expired on [1429366284]
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1429280784
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send]
>
Re: [Freeipa-users] LDAP bind failing on new IPA setup
On Fri, 17 Apr 2015, Gould, Joshua wrote:
> We set up our new IPA server (RHEL7) with a trust against our AD domain. The
> trust and ID range look right in IPA
>
> [root sssd]# ipa trust-show
>   Realm name: example.com
>   Realm name: EXAMPLE.COM
>   Domain NetBIOS name: EXAMPLE
>   Domain Security Identifier: S-1-5-21-
>   Trust direction: Two-way trust
>   Trust type: Active Directory domain
> [root sssd]# ipa idrange-find --all
>
> 2 ranges matched
>
>   dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=examle,dc=com
>   Range name: EXAMPLE.COM_id_range
>   First Posix ID of the range: 200
>   Number of IDs in the range: 90
>   First RID of the corresponding RID range: 0
>   Domain SID of the trusted domain: S-1-5-21-
>   Range type: Active Directory domain range
>   iparangetyperaw: ipa-ad-trust
>   objectclass: ipatrustedaddomainrange, ipaIDrange
>
>   dn: cn=UNIX.EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
>   Range name: UNIX.EXAMPLE.COM_id_range
>   First Posix ID of the range: 36960
>   Number of IDs in the range: 20
>   First RID of the corresponding RID range: 1000
>   First RID of the secondary RID range: 1
>   Range type: local domain range
>   iparangetyperaw: ipa-local
>   objectclass: top, ipaIDrange, ipaDomainIDRange
>
> Number of entries returned 2
Either you obfuscated too much or your setup makes little sense, as the IPA local domain ID range is for unix.example.com while your realm is EXAMPLE.COM and the AD realm is EXAMPLE.COM. This is not going to work -- IPA and AD have to have different realms.

> [root sssd]#
>
> I see that the bind fails but I'm not sure why. Here are the errors. Could
> someone point me in the right direction please?
A single line you need to look at is this:

(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC policy rejects request)]

"KDC policy rejects request" is the Kerberos way of saying "My realm doesn't trust your realm, go away".

In order to know what exactly is wrong, do the following (it is all written in the troubleshooting section of the trust documentation on the FreeIPA wiki):

1. Add 'log level = 100' to the [global] section of /usr/share/ipa/smb.conf.empty
2. Without restarting anything, re-establish the trust with 'ipa trust-add ...'.
3. Look into /var/log/http/error_log to see a response for something like this:

s4_tevent: Run immediate event "tevent_req_trigger": 0x7f5ccc084a40
netr_LogonControl2Ex: struct netr_LogonControl2Ex
    out: struct netr_LogonControl2Ex
        query                    : *
            query                    : union netr_CONTROL_QUERY_INFORMATION(case 2)
            info2                    : *
                info2: struct netr_NETLOGON_INFO_2
                    flags                    : 0x00b0 (176)
                           0: NETLOGON_REPLICATION_NEEDED
                           0: NETLOGON_REPLICATION_IN_PROGRESS
                           0: NETLOGON_FULL_SYNC_REPLICATION
                           0: NETLOGON_REDO_NEEDED
                           1: NETLOGON_HAS_IP
                           1: NETLOGON_HAS_TIMESERV
                           0: NETLOGON_DNS_UPDATE_FAILURE
                           1: NETLOGON_VERIFY_STATUS_RETURNED
                    pdc_connection_status    : WERR_OK
                    trusted_dc_name          : *
                        trusted_dc_name          : '\\rh7-1.ipacloud7.test'
                    tc_connection_status     : WERR_OK
        result                   : WERR_OK

If instead of WERR_OK in pdc_connection_status you have something else, that is telling an error. Show us the output like above.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
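A small triage script for the two logs Alexander points at (the sssd domain log's sasl_bind_send failure and the netr_LogonControl2Ex reply in the httpd error_log), added here as an example and not part of the thread. The sample log text is constructed for the demo, with a made-up non-WERR_OK pdc_connection_status so the check has something to report; it parses the general form of the block, not only the one quoted above.

```python
import re

# Added triage helpers for the two logs named in the thread; the sample text
# below is constructed for the demo, with a made-up pdc_connection_status.
NETLOGON_SAMPLE = """\
netr_LogonControl2Ex: struct netr_LogonControl2Ex
    out: struct netr_LogonControl2Ex
        info2: struct netr_NETLOGON_INFO_2
            flags                    : 0x00b0 (176)
                   0: NETLOGON_REPLICATION_NEEDED
                   1: NETLOGON_HAS_IP
                   1: NETLOGON_HAS_TIMESERV
            pdc_connection_status    : WERR_ACCESS_DENIED
            trusted_dc_name          : '\\\\dc1.ad.example.test'
            tc_connection_status     : WERR_OK
        result                   : WERR_OK
"""

# sssd domain-log lines of the kind quoted in the thread (constructed).
SSSD_SAMPLE = """\
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC policy rejects request)]
"""

STATUS_RE = re.compile(r"^\s*(pdc_connection_status|tc_connection_status|result)\s*:\s*(\S+)", re.M)
FLAG_RE = re.compile(r"^\s*([01]): (NETLOGON_\w+)", re.M)
DC_RE = re.compile(r"trusted_dc_name\s*:\s*'([^']*)'")
GSS_RE = re.compile(r"\[sasl_bind_send\].*GSSAPI Error:.*\(([^)]*)\)\]")

def parse_netlogon(text):
    """Status fields, the trusted DC name and the set NETLOGON_* flags from the reply."""
    statuses = dict(STATUS_RE.findall(text))
    flags = sorted(name for bit, name in FLAG_RE.findall(text) if bit == "1")
    dc = DC_RE.search(text)
    return {"statuses": statuses, "flags": flags, "trusted_dc": dc.group(1) if dc else None}

def netlogon_problems(text):
    """Any status that is not WERR_OK: this is the check step 3 asks you to make."""
    return {k: v for k, v in parse_netlogon(text)["statuses"].items() if v != "WERR_OK"}

def gss_minor_codes(text):
    """Kerberos minor-status text from sasl_bind_send extended failure messages."""
    return GSS_RE.findall(text)

if __name__ == "__main__":
    print(netlogon_problems(NETLOGON_SAMPLE))  # {'pdc_connection_status': 'WERR_ACCESS_DENIED'}
    print(gss_minor_codes(SSSD_SAMPLE))        # ['KDC policy rejects request']
```

Feed the real files in with `netlogon_problems(open(path).read())`; an empty dict means every status was WERR_OK and the trust side is not where the bind failure comes from.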
[Freeipa-users] LDAP bind failing on new IPA setup
We set up our new IPA server (RHEL7) with a trust against our AD domain. The trust and ID range look right in IPA

[root sssd]# ipa trust-show
  Realm name: example.com
  Realm name: EXAMPLE.COM
  Domain NetBIOS name: EXAMPLE
  Domain Security Identifier: S-1-5-21-
  Trust direction: Two-way trust
  Trust type: Active Directory domain
[root sssd]# ipa idrange-find --all

2 ranges matched

  dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=examle,dc=com
  Range name: EXAMPLE.COM_id_range
  First Posix ID of the range: 200
  Number of IDs in the range: 90
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-
  Range type: Active Directory domain range
  iparangetyperaw: ipa-ad-trust
  objectclass: ipatrustedaddomainrange, ipaIDrange

  dn: cn=UNIX.EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
  Range name: UNIX.EXAMPLE.COM_id_range
  First Posix ID of the range: 36960
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range
  iparangetyperaw: ipa-local
  objectclass: top, ipaIDrange, ipaDomainIDRange

Number of entries returned 2

[root sssd]#

I see that the bind fails but I'm not sure why. Here are the errors. Could someone point me in the right direction please?

(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/xxx, UNIX.EXAMPLE.COM, 86400)
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service EXAMPLE.COM
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'EXAMPLE.COM'
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [get_server_status] (0x1000): Status of server 'domain_controller.EXAMPLE.COM' is 'name resolved'
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [get_server_status] (0x1000): Status of server 'domain_controller.EXAMPLE.COM' is 'name resolved'
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [be_resolve_server_process] (0x0200): Found address for server domain_controller.EXAMPLE.COM: [1.2.3.4] TTL 3600
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 70
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [8734]
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_handler_setup] (0x2000): Signal handler set up for pid [8734]
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x7f6ca7b71b70], connected[1], ops[(nil)], ldap[0x7f6ca7b89f20]
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [write_pipe_handler] (0x0400): All data has been sent!
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_sig_handler] (0x1000): Waiting for child [8734].
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_sig_handler] (0x0100): child [8734] finished successfully.
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_UNIX.EXAMPLE.COM], expired on [1429366284]
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1429280784
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/ipa_server.unix.EXAMPLE.COM
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE