Re: [Freeipa-users] Trusts with Windows Server 2003

2014-07-22 Thread tizo
On Tue, Jul 22, 2014 at 1:20 PM, tizo  wrote:


Re: [Freeipa-users] Trusts with Windows Server 2003

2014-07-22 Thread tizo
On Thu, Jul 17, 2014 at 6:12 PM, tizo  wrote:


Re: [Freeipa-users] Trusts with Windows Server 2003

2014-07-15 Thread Jakub Hrozek
On Tue, Jul 15, 2014 at 11:04:23AM -0300, tizo wrote:
> On Tue, Jul 15, 2014 at 7:16 AM, Jakub Hrozek  wrote:
> 
> > On Mon, Jul 14, 2014 at 02:02:16PM -0300, tizo wrote:
> > > On Mon, Jul 14, 2014 at 5:57 AM, Jakub Hrozek 
> > wrote:
> > >
> > > > On Fri, Jul 11, 2014 at 05:22:59PM -0300, tizo wrote:
> > > > > On Fri, Jul 11, 2014 at 4:54 PM, Dmitri Pal  wrote:
> > > > >
> > > > > >  On 07/11/2014 03:27 PM, tizo wrote:
> > > > > >
> > > > > >
> > > > > >  On Fri, Jul 4, 2014 at 5:09 PM, tizo  wrote:
> > > > > >
> > > > > >>  I have seen in
> > > > > >>
> > > >
> > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2
> > > > > >> that trusts can be configured with Windows Server 2003 R2.
> > > > > >>
> > > > > >>  We have a Windows Server 2003 (not R2). Before starting to make
> > some
> > > > > >> tests, does anyone know if trusts can be configured with this
> > version
> > > > of
> > > > > >> Windows Server 2003?.
> > > > > >>
> > > > > >>  Thanks very much.
> > > > > >>
> > > > > >>
> > > > > >  As I have not received any answer, I decided to give it a try. I
> > > > follow
> > > > > > the document step by step with our Windows 2003, and everything
> > looks
> > > > good,
> > > > > > except when I try to login to the FreeIPA server with an AD user
> > (ssh
> > > > or
> > > > > > tty).
> > > > > >
> > > > > >  Does anyone know how could I debug this problem?.
> > > > > >
> > > > > >
> > > > > >  Sorry that you did not get a response. It is a hot time, a lot of
> > > > people
> > > > > > on vacation and we also got 4.0 just out of the door.
> > > > > >
> > > > > > Set debug_level to 10 in the sssd.conf. It will create a lot of
> > output
> > > > and
> > > > > > this might give you a hint of what is going on. From there you
> > will see
> > > > > > whether the user is processed by SSSD or SSH is not configured and
> > > > user do
> > > > > > not hit SSSD at all (unlikely), and if user is processed what the
> > > > problem
> > > > > > is.
> > > > > >
> > > > > >
> > > > > Thanks Dmitri. I set the debug_level to 10, and the file
> > > > > sssd_my.domain.com.log is telling something about the AD user trying
> > to
> > > > > connect with SSH. I am sending it to you privately, because it
> > contains
> > > > > some sensitive information.
> > > >
> > > > Hi,
> > > >
> > > > I realize you were following our own documentation, which originated
> > > > from this thread:
> > > > https://www.redhat.com/archives/freeipa-users/2013-June/msg00119.html
> > > >
> > > > Maybe it would be helpful to read it, too, at least to see how some
> > other
> > > > users were setting up the trust and what their problems were.
> > > >
> > > > --
> > > > Manage your subscription for the Freeipa-users mailing list:
> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > Go To http://freeipa.org for more info on the project
> > > >
> > >
> > >
> > > Dmitri and Jakub, thanks very much for your help.
> > >
> > > Jakub, I took a look in the thread, but I couldn't find anything that
> > could
> > > help us with our problem.
> > >
> > > I am attaching the logs from sssd with the sensitive information removed.
> > > Any help is really appreciated; I don't really know where should I
> > continue
> > > searching for the problem.
> >
> > Thanks, the logs don't show what the error is, but do tell us that the
> > error is on the server side:
> >
> > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> > [ipa_s2n_exop_send] (0x0400): Executing extended operation
> > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> > [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 8
> > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> > [sdap_process_result] (0x2000): Trace: sh[0x2293ed0], connected[1],
> > ops[0x2293680], ldap[0x2293b40]
> > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> > [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
> > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> > [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations
> > error(1), (null)
> > > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> > [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> >
> > What IPA version are you testing with? The debugging procedure differs
> > for versions with winbind on the server side and with sssd..
> >
> 
> I am testing with an updated CentOS 6 and all the software versions of its
> repositories. In detail:
> 
>  * OS: CentOS release 6.5 (Final)
>  * IPA server: 3.0.0-37
>  * SSSD: 1.9.2-129
>  * Winbind: 4.0.0-61

OK, so there's Winbind on the server side. Can you run:
* smbcontrol winbindd debug 100
* run the test on the client, check if you see the s2n exop failing
  in the logs
* attach /var/log/samba/log.w*
* reset the winbind logging back with: smbcontrol all debug 1
  otherwise you'll run out of disk space :-)

-- 
Manage your subscription for the Freeipa-user
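
The four steps listed in the message above, as an added example that is not part of the original thread or of FreeIPA/Samba: a wrapper that always resets the winbind debug level, even when the reproduction step fails, and reports which log files grew. The `smbcontrol` commands and the log path come from the message; the names `snapshot`, `winbind_debug` and `capture` are hypothetical, and it assumes it runs as root on the IPA server.

```python
import contextlib
import glob
import os
import subprocess

RAISE = ["smbcontrol", "winbindd", "debug", "100"]  # command from the thread
RESET = ["smbcontrol", "all", "debug", "1"]         # command from the thread
LOG_GLOB = "/var/log/samba/log.w*"                  # path from the thread


def snapshot(log_glob=LOG_GLOB):
    """Map each matching log file to its current size in bytes."""
    return {path: os.path.getsize(path) for path in glob.glob(log_glob)}


@contextlib.contextmanager
def winbind_debug(run=subprocess.check_call):
    """Raise winbindd logging for the duration of the block, then reset it.

    The reset sits in a finally clause so that an exception or Ctrl-C during
    the test cannot leave level-100 logging enabled and fill the disk.
    """
    run(RAISE)
    try:
        yield
    finally:
        run(RESET)


def capture(reproduce, run=subprocess.check_call, log_glob=LOG_GLOB):
    """Run reproduce() under debug logging; return {path: bytes added}."""
    before = snapshot(log_glob)
    with winbind_debug(run):
        reproduce()
    grown = {}
    for path, size in snapshot(log_glob).items():
        old = before.get(path, 0)
        # A file smaller than before was rotated: all of it is new data.
        added = size - old if size >= old else size
        if added > 0:
            grown[path] = added
    return grown


if __name__ == "__main__":
    # The login test runs on the client, so just wait for the operator here.
    grown = capture(lambda: input("Reproduce the AD login on the client, "
                                  "then press Enter: "))
    for path, added in sorted(grown.items()):
        print(f"{path}: {added} bytes of new debug output to attach")
```
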

Re: [Freeipa-users] Trusts with Windows Server 2003

2014-07-15 Thread tizo
On Tue, Jul 15, 2014 at 7:16 AM, Jakub Hrozek  wrote:

> On Mon, Jul 14, 2014 at 02:02:16PM -0300, tizo wrote:
> > On Mon, Jul 14, 2014 at 5:57 AM, Jakub Hrozek 
> wrote:
> >
> > > On Fri, Jul 11, 2014 at 05:22:59PM -0300, tizo wrote:
> > > > On Fri, Jul 11, 2014 at 4:54 PM, Dmitri Pal  wrote:
> > > >
> > > > >  On 07/11/2014 03:27 PM, tizo wrote:
> > > > >
> > > > >
> > > > >  On Fri, Jul 4, 2014 at 5:09 PM, tizo  wrote:
> > > > >
> > > > >>  I have seen in
> > > > >>
> > >
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2
> > > > >> that trusts can be configured with Windows Server 2003 R2.
> > > > >>
> > > > >>  We have a Windows Server 2003 (not R2). Before starting to make
> some
> > > > >> tests, does anyone know if trusts can be configured with this
> version
> > > of
> > > > >> Windows Server 2003?.
> > > > >>
> > > > >>  Thanks very much.
> > > > >>
> > > > >>
> > > > >  As I have not received any answer, I decided to give it a try. I
> > > follow
> > > > > the document step by step with our Windows 2003, and everything
> looks
> > > good,
> > > > > except when I try to login to the FreeIPA server with an AD user
> (ssh
> > > or
> > > > > tty).
> > > > >
> > > > >  Does anyone know how could I debug this problem?.
> > > > >
> > > > >
> > > > >  Sorry that you did not get a response. It is a hot time, a lot of
> > > people
> > > > > on vacation and we also got 4.0 just out of the door.
> > > > >
> > > > > Set debug_level to 10 in the sssd.conf. It will create a lot of
> output
> > > and
> > > > > this might give you a hint of what is going on. From there you
> will see
> > > > > whether the user is processed by SSSD or SSH is not configured and
> > > user do
> > > > > not hit SSSD at all (unlikely), and if user is processed what the
> > > problem
> > > > > is.
> > > > >
> > > > >
> > > > Thanks Dmitri. I set the debug_level to 10, and the file
> > > > sssd_my.domain.com.log is telling something about the AD user trying
> to
> > > > connect with SSH. I am sending it to you privately, because it
> contains
> > > > some sensitive information.
> > >
> > > Hi,
> > >
> > > I realize you were following our own documentation, which originated
> > > from this thread:
> > > https://www.redhat.com/archives/freeipa-users/2013-June/msg00119.html
> > >
> > > Maybe it would be helpful to read it, too, at least to see how some
> other
> > > users were setting up the trust and what their problems were.
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go To http://freeipa.org for more info on the project
> > >
> >
> >
> > Dmitri and Jakub, thanks very much for your help.
> >
> > Jakub, I took a look in the thread, but I couldn't find anything that
> could
> > help us with our problem.
> >
> > I am attaching the logs from sssd with the sensitive information removed.
> > Any help is really appreciated; I don't really know where should I
> continue
> > searching for the problem.
>
> Thanks, the logs don't show what the error is, but do tell us that the
> error is on the server side:
>
> > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> [ipa_s2n_exop_send] (0x0400): Executing extended operation
> > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 8
> > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> [sdap_process_result] (0x2000): Trace: sh[0x2293ed0], connected[1],
> ops[0x2293680], ldap[0x2293b40]
> > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
> > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations
> error(1), (null)
> > (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]]
> [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
>
> What IPA version are you testing with? The debugging procedure differs
> for versions with winbind on the server side and with sssd..
>

I am testing with an updated CentOS 6 and all the software versions of its
repositories. In detail:

 * OS: CentOS release 6.5 (Final)
 * IPA server: 3.0.0-37
 * SSSD: 1.9.2-129
 * Winbind: 4.0.0-61

Re: [Freeipa-users] Trusts with Windows Server 2003

2014-07-15 Thread Jakub Hrozek
On Mon, Jul 14, 2014 at 02:02:16PM -0300, tizo wrote:
> On Mon, Jul 14, 2014 at 5:57 AM, Jakub Hrozek  wrote:
> 
> > On Fri, Jul 11, 2014 at 05:22:59PM -0300, tizo wrote:
> > > On Fri, Jul 11, 2014 at 4:54 PM, Dmitri Pal  wrote:
> > >
> > > >  On 07/11/2014 03:27 PM, tizo wrote:
> > > >
> > > >
> > > >  On Fri, Jul 4, 2014 at 5:09 PM, tizo  wrote:
> > > >
> > > >>  I have seen in
> > > >>
> > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2
> > > >> that trusts can be configured with Windows Server 2003 R2.
> > > >>
> > > >>  We have a Windows Server 2003 (not R2). Before starting to make some
> > > >> tests, does anyone know if trusts can be configured with this version
> > of
> > > >> Windows Server 2003?.
> > > >>
> > > >>  Thanks very much.
> > > >>
> > > >>
> > > >  As I have not received any answer, I decided to give it a try. I
> > follow
> > > > the document step by step with our Windows 2003, and everything looks
> > good,
> > > > except when I try to login to the FreeIPA server with an AD user (ssh
> > or
> > > > tty).
> > > >
> > > >  Does anyone know how could I debug this problem?.
> > > >
> > > >
> > > >  Sorry that you did not get a response. It is a hot time, a lot of
> > people
> > > > on vacation and we also got 4.0 just out of the door.
> > > >
> > > > Set debug_level to 10 in the sssd.conf. It will create a lot of output
> > and
> > > > this might give you a hint of what is going on. From there you will see
> > > > whether the user is processed by SSSD or SSH is not configured and
> > user do
> > > > not hit SSSD at all (unlikely), and if user is processed what the
> > problem
> > > > is.
> > > >
> > > >
> > > Thanks Dmitri. I set the debug_level to 10, and the file
> > > sssd_my.domain.com.log is telling something about the AD user trying to
> > > connect with SSH. I am sending it to you privately, because it contains
> > > some sensitive information.
> >
> > Hi,
> >
> > I realize you were following our own documentation, which originated
> > from this thread:
> > https://www.redhat.com/archives/freeipa-users/2013-June/msg00119.html
> >
> > Maybe it would be helpful to read it, too, at least to see how some other
> > users were setting up the trust and what their problems were.
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go To http://freeipa.org for more info on the project
> >
> 
> 
> Dmitri and Jakub, thanks very much for your help.
> 
> Jakub, I took a look in the thread, but I couldn't find anything that could
> help us with our problem.
> 
> I am attaching the logs from sssd with the sensitive information removed.
> Any help is really appreciated; I don't really know where should I continue
> searching for the problem.

Thanks, the logs don't show what the error is, but do tell us that the
error is on the server side:

> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] 
> (0x0400): Executing extended operation
> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send] 
> (0x2000): ldap_extended_operation sent, msgid = 8
> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [sdap_process_result] 
> (0x2000): Trace: sh[0x2293ed0], connected[1], ops[0x2293680], ldap[0x2293b40]
> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [sdap_process_message] 
> (0x4000): Message type: [LDAP_RES_EXTENDED]
> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_done] 
> (0x0400): ldap_extended_operation result: Operations error(1), (null)
> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_get_user_done] 
> (0x0040): s2n exop request failed.

What IPA version are you testing with? The debugging procedure differs
for versions with winbind on the server side and with sssd.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
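
The reading of the log in the message above (the s2n extended operation is sent, an LDAP result comes back with an error code, so the failure is on the server side), as an added example that is not part of the original thread or SSSD's own code. The function names `unwrap` and `triage` and the verdict strings are hypothetical; the sample is the six lines quoted in the thread, and the failure-level names follow the `debug_level` bitmask description in sssd.conf(5).

```python
import re

# Constructed sample: the six SSSD log lines quoted in the thread, pasted the
# way a mail client quotes and wraps them.
SAMPLE = """\
> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send]
> (0x0400): Executing extended operation
> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_send]
> (0x2000): ldap_extended_operation sent, msgid = 8
> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [sdap_process_result]
> (0x2000): Trace: sh[0x2293ed0], connected[1], ops[0x2293680], ldap[0x2293b40]
> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [sdap_process_message]
> (0x4000): Message type: [LDAP_RES_EXTENDED]
> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_exop_done]
> (0x0400): ldap_extended_operation result: Operations error(1), (null)
> (Fri Jul 11 17:19:27 2014) [sssd[be[lan.xxx.com.uy]]] [ipa_s2n_get_user_done]
> (0x0040): s2n exop request failed.
"""

# A record starts with "(Day Mon DD HH:MM:SS YYYY)"; a wrapped continuation
# may also start with "(" (the "(0x0400):" level), so match the full timestamp.
RECORD_START = re.compile(r"^\(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\)")
LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>\S+)\] \[(?P<func>\w+)\] "
                  r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
MSGID = re.compile(r"ldap_extended_operation sent, msgid = (\d+)")
RESULT = re.compile(r"ldap_extended_operation result: (.+?)\((\d+)\)")

# Failure bits of the SSSD debug_level bitmask.
FAILURE_LEVELS = {0x0010: "fatal", 0x0020: "critical",
                  0x0040: "serious", 0x0080: "minor"}


def unwrap(text):
    """Strip mail quote prefixes and re-join wrapped log records."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def triage(text):
    """Locate where an s2n lookup failed: client, transport or server."""
    msgid, result, failures = None, None, []
    for record in unwrap(text):
        m = LINE.match(record)
        if not m:
            continue
        func, msg, level = m["func"], m["msg"], int(m["level"], 16)
        if func == "ipa_s2n_exop_send" and MSGID.search(msg):
            msgid = int(MSGID.search(msg).group(1))
        elif func == "ipa_s2n_exop_done" and RESULT.search(msg):
            name, code = RESULT.search(msg).groups()
            result = (name.strip(), int(code))
        if level in FAILURE_LEVELS:
            failures.append((func, FAILURE_LEVELS[level], msg))
    if msgid is None:
        verdict = "not-sent"   # the client never issued the exop
    elif result is None:
        verdict = "no-reply"   # request left, no LDAP result was logged
    elif result[1] != 0:
        verdict = "server"     # the server answered with an LDAP error
    else:
        verdict = "ok"
    return {"msgid": msgid, "result": result,
            "failures": failures, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE))
```
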


Re: [Freeipa-users] Trusts with Windows Server 2003

2014-07-14 Thread Jakub Hrozek
On Fri, Jul 11, 2014 at 05:22:59PM -0300, tizo wrote:
> On Fri, Jul 11, 2014 at 4:54 PM, Dmitri Pal  wrote:
> 
> >  On 07/11/2014 03:27 PM, tizo wrote:
> >
> >
> >  On Fri, Jul 4, 2014 at 5:09 PM, tizo  wrote:
> >
> >>  I have seen in
> >> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2
> >> that trusts can be configured with Windows Server 2003 R2.
> >>
> >>  We have a Windows Server 2003 (not R2). Before starting to make some
> >> tests, does anyone know if trusts can be configured with this version of
> >> Windows Server 2003?.
> >>
> >>  Thanks very much.
> >>
> >>
> >  As I have not received any answer, I decided to give it a try. I follow
> > the document step by step with our Windows 2003, and everything looks good,
> > except when I try to login to the FreeIPA server with an AD user (ssh or
> > tty).
> >
> >  Does anyone know how could I debug this problem?.
> >
> >
> >  Sorry that you did not get a response. It is a hot time, a lot of people
> > on vacation and we also got 4.0 just out of the door.
> >
> > Set debug_level to 10 in the sssd.conf. It will create a lot of output and
> > this might give you a hint of what is going on. From there you will see
> > whether the user is processed by SSSD or SSH is not configured and user do
> > not hit SSSD at all (unlikely), and if user is processed what the problem
> > is.
> >
> >
> Thanks Dmitri. I set the debug_level to 10, and the file
> sssd_my.domain.com.log is telling something about the AD user trying to
> connect with SSH. I am sending it to you privately, because it contains
> some sensitive information.

Hi,

I realize you were following our own documentation, which originated
from this thread:
https://www.redhat.com/archives/freeipa-users/2013-June/msg00119.html

Maybe it would be helpful to read it, too, at least to see how some other
users were setting up the trust and what their problems were.



Re: [Freeipa-users] Trusts with Windows Server 2003

2014-07-11 Thread tizo
On Fri, Jul 11, 2014 at 4:54 PM, Dmitri Pal  wrote:

>  On 07/11/2014 03:27 PM, tizo wrote:
>
>
>  On Fri, Jul 4, 2014 at 5:09 PM, tizo  wrote:
>
>>  I have seen in
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2
>> that trusts can be configured with Windows Server 2003 R2.
>>
>>  We have a Windows Server 2003 (not R2). Before starting to make some
>> tests, does anyone know if trusts can be configured with this version of
>> Windows Server 2003?.
>>
>>  Thanks very much.
>>
>>
>  As I have not received any answer, I decided to give it a try. I follow
> the document step by step with our Windows 2003, and everything looks good,
> except when I try to login to the FreeIPA server with an AD user (ssh or
> tty).
>
>  Does anyone know how could I debug this problem?.
>
>
>  Sorry that you did not get a response. It is a hot time, a lot of people
> on vacation and we also got 4.0 just out of the door.
>
> Set debug_level to 10 in the sssd.conf. It will create a lot of output and
> this might give you a hint of what is going on. From there you will see
> whether the user is processed by SSSD or SSH is not configured and user do
> not hit SSSD at all (unlikely), and if user is processed what the problem
> is.
>
>
Thanks Dmitri. I set the debug_level to 10, and the file
sssd_my.domain.com.log is telling something about the AD user trying to
connect with SSH. I am sending it to you privately, because it contains
some sensitive information.

Re: [Freeipa-users] Trusts with Windows Server 2003

2014-07-11 Thread Dmitri Pal

On 07/11/2014 03:27 PM, tizo wrote:

> On Fri, Jul 4, 2014 at 5:09 PM, tizo wrote:
>
>> I have seen in
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2
>> that trusts can be configured with Windows Server 2003 R2.
>>
>> We have a Windows Server 2003 (not R2). Before starting to make
>> some tests, does anyone know if trusts can be configured with this
>> version of Windows Server 2003?.
>>
>> Thanks very much.
>
> As I have not received any answer, I decided to give it a try. I
> follow the document step by step with our Windows 2003, and everything
> looks good, except when I try to login to the FreeIPA server with an
> AD user (ssh or tty).
>
> Does anyone know how could I debug this problem?.

Sorry that you did not get a response. It is a hot time, a lot of people 
on vacation and we also got 4.0 just out of the door.


Set debug_level to 10 in the sssd.conf. It will create a lot of output 
and this might give you a hint of what is going on. From there you will 
see whether the user is processed by SSSD or SSH is not configured and 
the user does not hit SSSD at all (unlikely), and if the user is processed, 
what the problem is.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Trusts with Windows Server 2003

2014-07-11 Thread tizo
On Fri, Jul 4, 2014 at 5:09 PM, tizo  wrote:

> I have seen in
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2
> that trusts can be configured with Windows Server 2003 R2.
>
> We have a Windows Server 2003 (not R2). Before starting to make some
> tests, does anyone know if trusts can be configured with this version of
> Windows Server 2003?.
>
> Thanks very much.
>
>
As I have not received any answer, I decided to give it a try. I followed the
document step by step with our Windows 2003, and everything looks good,
except when I try to log in to the FreeIPA server with an AD user (ssh or
tty).

Does anyone know how I could debug this problem?