Re: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops

2015-10-02 Thread Alexander Bokovoy

On Fri, 02 Oct 2015, Simo Sorce wrote:

On 02/10/15 04:06, Alexander Bokovoy wrote:

On Thu, 01 Oct 2015, Simo Sorce wrote:

On 01/10/15 03:15, Petr Spacek wrote:

On 30.9.2015 20:36, Matt Wells wrote:

Hi all, I hoped I may glean some brilliance from the group.
I have a FreeIPA server sitting atop a Fedora 21 server. The initial plan
was to replicate users+passwords with a Windows 2012R2 server, but following
some of the information in the other posts and docs we've moved to a
trust. The trust has been set up using the documentation and in short it's
worked without issue. I'm able to get principals from the Windows realm
(marvel.comics.com). So what I'm attempting and failing to do is
authenticating my IPA users to the Windows 8 desktops. Ideally I don't
want any users in AD; it's simply there to deliver a GPO and in the next
year it will be phased out and we'll be replacing Windows 8 with Linux
desktops.

So
marvel.comics.com = windows
dc.comics.com = freeipa

# rpm -qi freeipa-server
Name: freeipa-server
Version : 4.1.4
Release : 1.fc21
Architecture: x86_64
Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
Group   : System Environment/Base
Size: 4521059
License : GPLv3+
Signature   : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID
89ad4e8795a43f54
Source RPM  : freeipa-4.1.4-1.fc21.src.rpm
Build Date  : Thu 26 Mar 2015 03:16:19 PM UTC
Build Host  : buildhw-07.phx2.fedoraproject.org
[root@freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon
Aug 17
22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
Fedora release 21 (Twenty One)

To cut to the chase, here's me logging into a Windows 8 desktop system. I
try to log in 3 different ways; this system is a member of the marvel
domain. Time is extremely close, close enough that I feel really good
about ruling it out. Any light you all could shed on this would be
outstanding. Thank you all for your time on this; I really appreciate all
the time and effort this team puts into reading these posts.

Username: dc/greenlantern
Password: 

[root@freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i
greenlantern
[30/Sep/2015:17:55:33 +] conn=1172 op=46 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName
krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink
objectClass"

Username: greenlantern@dc
Password: 


[30/Sep/2015:17:59:48 +] conn=1172 op=86 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName
krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink
objectClass"


Username: greenlan...@dc.comics.com
Password: 

[30/Sep/2015:17:59:35 +] conn=1172 op=84 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5...@dc.comics.com@DC.COMICS.COM)(krbPrincipalName=greenlantern\5...@dc.comics.com@DC.COMICS.COM)))" attrs="krbPrincipalName krbCanonicalName
ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"



From what I can tell, everything looks good to wbinfo; we see the domain
and he sees us. In the AD trust I can go under the trust and validate the
trust with 

Re: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops

2015-10-02 Thread Simo Sorce

On 02/10/15 04:06, Alexander Bokovoy wrote:

On Thu, 01 Oct 2015, Simo Sorce wrote:

On 01/10/15 03:15, Petr Spacek wrote:

On 30.9.2015 20:36, Matt Wells wrote:

Hi all, I hoped I may glean some brilliance from the group.
I have a FreeIPA server sitting atop a Fedora 21 server. The initial plan
was to replicate users+passwords with a Windows 2012R2 server, but following
some of the information in the other posts and docs we've moved to a
trust. The trust has been set up using the documentation and in short it's
worked without issue. I'm able to get principals from the Windows realm
(marvel.comics.com). So what I'm attempting and failing to do is
authenticating my IPA users to the Windows 8 desktops. Ideally I don't
want any users in AD; it's simply there to deliver a GPO and in the next
year it will be phased out and we'll be replacing Windows 8 with Linux
desktops.

So
marvel.comics.com = windows
dc.comics.com = freeipa

# rpm -qi freeipa-server
Name: freeipa-server
Version : 4.1.4
Release : 1.fc21
Architecture: x86_64
Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
Group   : System Environment/Base
Size: 4521059
License : GPLv3+
Signature   : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID
89ad4e8795a43f54
Source RPM  : freeipa-4.1.4-1.fc21.src.rpm
Build Date  : Thu 26 Mar 2015 03:16:19 PM UTC
Build Host  : buildhw-07.phx2.fedoraproject.org
[root@freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon
Aug 17
22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
Fedora release 21 (Twenty One)

To cut to the chase, here's me logging into a Windows 8 desktop system. I
try to log in 3 different ways; this system is a member of the marvel
domain. Time is extremely close, close enough that I feel really good
about ruling it out. Any light you all could shed on this would be
outstanding. Thank you all for your time on this; I really appreciate all
the time and effort this team puts into reading these posts.

Username: dc/greenlantern
Password: 

[root@freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i
greenlantern
[30/Sep/2015:17:55:33 +] conn=1172 op=46 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName
krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink
objectClass"

Username: greenlantern@dc
Password: 


[30/Sep/2015:17:59:48 +] conn=1172 op=86 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName
krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink
objectClass"


Username: greenlan...@dc.comics.com
Password: 

[30/Sep/2015:17:59:35 +] conn=1172 op=84 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5...@dc.comics.com@DC.COMICS.COM)(krbPrincipalName=greenlantern\5...@dc.comics.com@DC.COMICS.COM)))" attrs="krbPrincipalName krbCanonicalName
ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"



From what I can tell, everything looks good to wbinfo; we see the domain
and he sees us. In the AD trust I can go under the trust and validate the
trust with no issues.
[root@freeipaServer slapd-MAR

Re: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops

2015-10-02 Thread Alexander Bokovoy

On Thu, 01 Oct 2015, Simo Sorce wrote:

On 01/10/15 03:15, Petr Spacek wrote:

On 30.9.2015 20:36, Matt Wells wrote:

Hi all, I hoped I may glean some brilliance from the group.
I have a Freeipa Server sitting atop a Fedora 21 server.  The initial plan
was to replicate users+passwords with Windows 2012R2 server but following
some of the information in the other posts and docs we've moved to a
trust.  The trust has been setup using the documentation and in short it's
worked without issue.  I'm able to get principals from the Windows realm (
marvel.comics.com).  So what I'm attempting and failing to do is
authenticating my IPA users to the Windows 8 desktops.  Ideally I don't
want any users in AD, it's simply there to deliver a GPO and in the next
year it will be phased out and we'll be replacing Windows 8 with linux
desktops.

So
marvel.comics.com = windows
dc.comics.com = freeipa

# rpm -qi freeipa-server
Name: freeipa-server
Version : 4.1.4
Release : 1.fc21
Architecture: x86_64
Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
Group   : System Environment/Base
Size: 4521059
License : GPLv3+
Signature   : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID
89ad4e8795a43f54
Source RPM  : freeipa-4.1.4-1.fc21.src.rpm
Build Date  : Thu 26 Mar 2015 03:16:19 PM UTC
Build Host  : buildhw-07.phx2.fedoraproject.org
[root@freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon Aug 17
22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
Fedora release 21 (Twenty One)

To cut to the chase here's me logging into a Windows 8 desktop system.  I
try to log in 3 different ways; this system is a member of the marvel
domain.  Time is extremely close, close enough that I feel really good
about ruling it out.  Any light you all could shed on this would be
outstanding.  Thank you all for your time on this, I really appreciate all
the time and effort this team puts into reading these posts.

Username: dc/greenlantern
Password: 

[root@freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i
greenlantern
[30/Sep/2015:17:55:33 +] conn=1172 op=46 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc
)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName
krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
objectClass"

Username: greenlantern@dc
Password: 


[30/Sep/2015:17:59:48 +] conn=1172 op=86 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc
)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName
krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
objectClass"


Username: greenlan...@dc.comics.com
Password: 

[30/Sep/2015:17:59:35 +] conn=1172 op=84 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5...@dc.comics.com
@DC.COMICS.COM 
)(krbPrincipalName=greenlantern\5...@dc.comics.com@DC.COMICS.COM
)))" attrs="krbPrincipalName krbCanonicalName
ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"



From what I can tell, everything looks good to wbinfo; we see the domain

and he sees us.  In the AD trust I can go under the trust and validate the
trust with no issues.
[root@freeipaServer slapd-MARVEL-COMICS-COM]#  wbinfo --online-status
BUILTIN

Re: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops

2015-10-01 Thread Simo Sorce

On 01/10/15 03:15, Petr Spacek wrote:

On 30.9.2015 20:36, Matt Wells wrote:

Hi all, I hoped I may glean some brilliance from the group.
I have a Freeipa Server sitting atop a Fedora 21 server.  The initial plan
was to replicate users+passwords with Windows 2012R2 server but following
some of the information in the other posts and docs we've moved to a
trust.  The trust has been setup using the documentation and in short it's
worked without issue.  I'm able to get principals from the Windows realm (
marvel.comics.com).  So what I'm attempting and failing to do is
authenticating my IPA users to the Windows 8 desktops.  Ideally I don't
want any users in AD, it's simply there to deliver a GPO and in the next
year it will be phased out and we'll be replacing Windows 8 with linux
desktops.

So
marvel.comics.com = windows
dc.comics.com = freeipa

# rpm -qi freeipa-server
Name: freeipa-server
Version : 4.1.4
Release : 1.fc21
Architecture: x86_64
Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
Group   : System Environment/Base
Size: 4521059
License : GPLv3+
Signature   : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID
89ad4e8795a43f54
Source RPM  : freeipa-4.1.4-1.fc21.src.rpm
Build Date  : Thu 26 Mar 2015 03:16:19 PM UTC
Build Host  : buildhw-07.phx2.fedoraproject.org
[root@freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon Aug 17
22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
Fedora release 21 (Twenty One)

To cut to the chase here's me logging into a Windows 8 desktop system.  I
try to log in 3 different ways; this system is a member of the marvel
domain.  Time is extremely close, close enough that I feel really good
about ruling it out.  Any light you all could shed on this would be
outstanding.  Thank you all for your time on this, I really appreciate all
the time and effort this team puts into reading these posts.

Username: dc/greenlantern
Password: 

[root@freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i
greenlantern
[30/Sep/2015:17:55:33 +] conn=1172 op=46 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc
)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName
krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
objectClass"

Username: greenlantern@dc
Password: 


[30/Sep/2015:17:59:48 +] conn=1172 op=86 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc
)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName
krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
objectClass"


Username: greenlan...@dc.comics.com
Password: 

[30/Sep/2015:17:59:35 +] conn=1172 op=84 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5...@dc.comics.com
@DC.COMICS.COM 
)(krbPrincipalName=greenlantern\5...@dc.comics.com@DC.COMICS.COM
)))" attrs="krbPrincipalName krbCanonicalName
ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"


From what I can tell, everything looks good to wbinfo; we see the domain
and he sees us.  In the AD trust I can go under the trust and validate the
trust with no issues.
[root@freeipaServer slapd-MARVEL-COMICS-COM]#  wbinfo --online-status
BUILTIN : online
DC : online
MARVEL : online
[ro

Re: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops

2015-10-01 Thread Arnold, Paul C CTR USARMY PEO STRI (US)
In a similar vein, is anyone aware of a (safe) automated work-around that can 
periodically map users into localized Windows accounts? I am conceptualizing 
some sort of powershell script involving a query to 389DS, but automating any 
form of account management that way sounds moderately terrifying, and may be 
out of the scope of this mailing list.

Regards,
--
Paul C. Arnold
IT Systems Engineer
Cole Engineering Services, Inc.


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Petr Spacek [pspa...@redhat.com]
Sent: Thursday, October 01, 2015 03:15 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops

Unfortunately you will not be able to log into Windows workstations using IPA
users because FreeIPA is (at the moment) missing Global Catalog component
which prevents Windows from working with IPA users.

It should work the other way around, but there is nothing you can do at the
moment to make it work with IPA users in Windows. Global Catalog is several
months away in the best case.

Sorry.

--
Petr^2 Spacek


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops

2015-10-01 Thread Petr Spacek
On 30.9.2015 20:36, Matt Wells wrote:
> Hi all, I hoped I may glean some brilliance from the group.
> I have a Freeipa Server sitting atop a Fedora 21 server.  The initial plan
> was to replicate users+passwords with Windows 2012R2 server but following
> some of the information in the other posts and docs we've moved to a
> trust.  The trust has been setup using the documentation and in short it's
> worked without issue.  I'm able to get principals from the Windows realm (
> marvel.comics.com).  So what I'm attempting and failing to do is
> authenticating my IPA users to the Windows 8 desktops.  Ideally I don't
> want any users in AD, it's simply there to deliver a GPO and in the next
> year it will be phased out and we'll be replacing Windows 8 with linux
> desktops.
> 
> So
> marvel.comics.com = windows
> dc.comics.com = freeipa
> 
> # rpm -qi freeipa-server
> Name: freeipa-server
> Version : 4.1.4
> Release : 1.fc21
> Architecture: x86_64
> Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
> Group   : System Environment/Base
> Size: 4521059
> License : GPLv3+
> Signature   : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID
> 89ad4e8795a43f54
> Source RPM  : freeipa-4.1.4-1.fc21.src.rpm
> Build Date  : Thu 26 Mar 2015 03:16:19 PM UTC
> Build Host  : buildhw-07.phx2.fedoraproject.org
> [root@freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
> Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon Aug 17
> 22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
> [root@freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
> Fedora release 21 (Twenty One)
> 
> To cut to the chase here's me logging into a Windows 8 desktop system.  I
> try to log in 3 different ways; this system is a member of the marvel
> domain.  Time is extremely close, close enough that I feel really good
> about ruling it out.  Any light you all could shed on this would be
> outstanding.  Thank you all for your time on this, I really appreciate all
> the time and effort this team puts into reading these posts.
> 
> Username: dc/greenlantern
> Password: 
> 
> [root@freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i
> greenlantern
> [30/Sep/2015:17:55:33 +] conn=1172 op=46 SRCH
> base="dc=dc,dc=comics,dc=com" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc
> )(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName
> krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
> krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
> passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
> objectClass"
> 
> Username: greenlantern@dc
> Password: 
> 
> 
> [30/Sep/2015:17:59:48 +] conn=1172 op=86 SRCH
> base="dc=dc,dc=comics,dc=com" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc
> )(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName
> krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
> krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
> passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
> objectClass"
> 
> 
> Username: greenlan...@dc.comics.com
> Password: 
> 
> [30/Sep/2015:17:59:35 +] conn=1172 op=84 SRCH
> base="dc=dc,dc=comics,dc=com" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5...@dc.comics.com
> @DC.COMICS.COM 
> )(krbPrincipalName=greenlantern\5...@dc.comics.com@DC.COMICS.COM
> )))" attrs="krbPrincipalName krbCanonicalName
> ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
> krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
> krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
> ipaUserAuthType ipatokenRadiusConfigLink objectClass"
> 
> 
> From what I can tell, everything looks good to wbinfo; we see the domain
> and he sees us.  In the AD trust I can go under the trust a

[Freeipa-users] Trust Issues W/ Logins on Windows Desktops

2015-09-30 Thread Matt Wells
Hi all, I hoped I may glean some brilliance from the group.
I have a Freeipa Server sitting atop a Fedora 21 server.  The initial plan
was to replicate users+passwords with Windows 2012R2 server but following
some of the information in the other posts and docs we've moved to a
trust.  The trust has been setup using the documentation and in short it's
worked without issue.  I'm able to get principals from the Windows realm (
marvel.comics.com).  So what I'm attempting and failing to do is
authenticating my IPA users to the Windows 8 desktops.  Ideally I don't
want any users in AD, it's simply there to deliver a GPO and in the next
year it will be phased out and we'll be replacing Windows 8 with linux
desktops.

So
marvel.comics.com = windows
dc.comics.com = freeipa

# rpm -qi freeipa-server
Name: freeipa-server
Version : 4.1.4
Release : 1.fc21
Architecture: x86_64
Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
Group   : System Environment/Base
Size: 4521059
License : GPLv3+
Signature   : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID
89ad4e8795a43f54
Source RPM  : freeipa-4.1.4-1.fc21.src.rpm
Build Date  : Thu 26 Mar 2015 03:16:19 PM UTC
Build Host  : buildhw-07.phx2.fedoraproject.org
[root@freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon Aug 17
22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
Fedora release 21 (Twenty One)

To cut to the chase here's me logging into a Windows 8 desktop system.  I
try to login 3 different ways; this system is a member of the marvel
domain.  Time is extremely close, close enough that I feel really good
about ruling it out.  Any light you all could shed on this would be
outstanding.  Thank you all for your time on this, I really appreciate all
the time and effort this team puts into reading these posts.

Username: dc/greenlantern
Password: 

[root@freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i greenlantern
[30/Sep/2015:17:55:33 +] conn=1172 op=46 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc
)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName
krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
objectClass"

Username: greenlanter@dc
Password: 


[30/Sep/2015:17:59:48 +] conn=1172 op=86 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc
)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName
krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
objectClass"


Username: greenlan...@dc.comics.com
Password: 

[30/Sep/2015:17:59:35 +] conn=1172 op=84 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5...@dc.comics.com
@DC.COMICS.COM 
)(krbPrincipalName=greenlantern\5...@dc.comics.com@DC.COMICS.COM
)))" attrs="krbPrincipalName krbCanonicalName
ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"


From what I can tell, everything looks good to wbinfo; we see the domain
and he sees us.  In the AD trust I can go under the trust and validate the
trust with no issues.
[root@freeipaServer slapd-MARVEL-COMICS-COM]#  wbinfo --online-status
BUILTIN : online
DC : online
MARVEL : online
[root@freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
marvel.comics.c