Re: [Freeipa-users] UPN suffixes in AD trust

2015-07-09 Thread Giorgio Biacchi
On 06/29/2015 03:11 PM, Sumit Bose wrote:
 On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote:
 On 06/29/2015 10:30 AM, Sumit Bose wrote:
 On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote:
 On 06/26/2015 08:06 PM, Sumit Bose wrote:
 On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:


 On 06/26/2015 02:38 PM, Sumit Bose wrote:
 On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
 On 06/25/2015 05:44 PM, Sumit Bose wrote:
 On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
 On 06/25/2015 02:10 PM, Sumit Bose wrote:
 On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
 On 06/25/2015 12:56 PM, Sumit Bose wrote:
 On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
 On 06/24/2015 06:45 PM, Sumit Bose wrote:
 On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
 Hi everybody,
 I established a bidirectional trust between an IPA server (version 4.1.0 on
 CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
 Everything is working fine, and I'm able to authenticate and log on on a linux
 host joined to IPA server using AD credentials (username@mydomain.local).
 But active directory is configured with two more UPN suffixes (otherdomain.com
 and sub.otherdomain.com), and I cannot log on with credentials using alternative
 UPN (example: john@otherdomain.com).

 How can I make this possible? Another trust (ipa trust-add) with the same AD?
 Manual configuration of krb5 and/or sssd?

 Have you tried to login to an IPA client or the server? Please try with
 an IPA server first. If this does not work it would be nice if you could
 send the SSSD log files from the IPA server which are generated during
 the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all
 cached entries so that the logs will contain all needed calls to AD.

 Support for UPN suffixes was added to the AD provider some time ago and the
 code is available in the IPA provider as well, but I guess no one has
 actually tried this before.

 bye,
 Sumit

 First of all let me say that I feel like I'm missing some config somewhere..
 Changes tried in krb5.conf to support UPN suffixes didn't help.
 I can only access the server via ssh so I've attached the logs for a successful
 login for account1@mydomain.local and an unsuccessful login for
 accou...@otherdomain.com done via ssh.

 Bye and thanks for your help


 It looks like the request is not properly propagated to sub-domains (the
 trusted AD domain) but only sent to the IPA domain.

 Would it be possible for you to run a test build of SSSD which might fix
 this? If yes, which version of SSSD are you currently using? Then I can
 prepare a test build with the patch on top of this version.

 bye,
 Sumit


 Hi,
 I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for
 any test.

 Here are the package versions for sssd:

 sssd-common-1.12.2-58.el7_1.6.x86_64
 sssd-krb5-1.12.2-58.el7_1.6.x86_64
 python-sssdconfig-1.12.2-58.el7_1.6.noarch
 sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
 sssd-ipa-1.12.2-58.el7_1.6.x86_64
 sssd-1.12.2-58.el7_1.6.x86_64
 sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
 sssd-ad-1.12.2-58.el7_1.6.x86_64
 sssd-ldap-1.12.2-58.el7_1.6.x86_64
 sssd-common-pac-1.12.2-58.el7_1.6.x86_64
 sssd-proxy-1.12.2-58.el7_1.6.x86_64
 sssd-client-1.12.2-58.el7_1.6.x86_64

 Please try the packages at
 http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .

 bye,
 Sumit

 Hi,
 I've installed the new RPMs, now if I run on the server:

 id account1@mydomain.local
 id accou...@otherdomain.com
 id accou...@sub.otherdomain.com

 all the users are found but I'm still unable to log in via ssh with the accounts
 @otherdomain.com and @sub.otherdomain.com.

 Attached are the logs for an unsuccessful login for user accou...@otherdomain.com.

 Bother, I forgot to add the fix to the pam responder as well, please try
 new packages from
 http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .

 bye,
 Sumit


 Hi,
 I've updated all the packages but still no login.

 Logs follow.

 I found another issue in the logs which should be fixed by the build
 from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 .

 Please send the sssd_pam log file as well; it might contain more details
 about what goes wrong during authentication.

 bye,
 Sumit


 Hi,
 Packages updated, sssd and kerberos services restarted, cache flushed but still
 no login on the IPA server.

 As before, logs attached. I've also included the logs generated by the restart
 of the sssd service because there were no logs in sssd_pam.log when trying to
 authenticate.

 Debug level is set to 6 in the sections:

 [domain/ipa.mydomain.local]
 [sssd]
 [nss]
 [pam]

 of /etc/sssd/sssd.conf, please tell me if this is enough or if I have to
 increase it.


 so far it is sufficient. I have another build for you to try at
 

Re: [Freeipa-users] UPN suffixes in AD trust

2015-07-09 Thread Sumit Bose
On Thu, Jul 09, 2015 at 12:36:53PM +0200, Giorgio Biacchi wrote:

Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-29 Thread Sumit Bose
On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote:

Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-29 Thread Jakub Hrozek
On Mon, Jun 29, 2015 at 03:11:57PM +0200, Sumit Bose wrote:

Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-29 Thread Sumit Bose
On Mon, Jun 29, 2015 at 03:49:37PM +0200, Jakub Hrozek wrote:

Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-26 Thread Giorgio Biacchi


On 06/26/2015 02:38 PM, Sumit Bose wrote:

Hi,
Packages updated, sssd and kerberos services restarted, cache flushed but still
no login on the IPA server.

As before, logs attached. I've also included the logs generated by the restart
of the sssd service because there were no logs in sssd_pam.log when trying to
authenticate.

Debug level is set to 6 in the sections:

[domain/ipa.mydomain.local]
[sssd]
[nss]
[pam]

of /etc/sssd/sssd.conf, please tell me if this is enough or if I have to
increase it.

Thanks
-- 
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34
(Fri Jun 26 16:22:30 2015) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Fri Jun 26 16:22:30 2015) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/ipa.mydomain.local/root] to negative cache permanently
(Fri Jun 26 16:22:30 2015) [sssd[pam]] [responder_set_fd_limit] (0x0100): 
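
The sssd_pam.log excerpt above has a fixed line shape: a timestamp, the responder, the function name, a hex debug mask and the message. As an added example (not code from this thread or from the SSSD project), the following Python parses that shape and then checks for the symptom Sumit diagnosed earlier in the thread, a name typed with a non-IPA UPN suffix that SSSD nevertheless placed in the IPA domain instead of the trusted AD domain. It also encodes the debug_level-to-bitmask table from sssd.conf(5), which is what makes debug_level 6 enough to see the (0x0200) and (0x0400) lines quoted here. The sample log is constructed: its first two lines are the ones quoted above, the other three are made up, and the "matched domain '...'" wording of the sss_parse_name_for_domains message is an assumption for the sample, not the exact text SSSD prints.

```python
"""Parse sssd_pam.log lines and report how UPN-style names were routed (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Line shape copied from the sssd_pam.log excerpt in the thread, e.g.
# (Fri Jun 26 16:22:30 2015) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[(?P<responder>[^\]]*)\]\] "
    r"\[(?P<func>[^\]]*)\] \((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)

# "matched without domain" is verbatim from the thread. The "matched domain '...'"
# wording below is an ASSUMPTION made for the constructed sample; adjust it to
# whatever your SSSD version actually prints.
NO_DOMAIN_RE = re.compile(
    r"^name '(?P<name>[^']*)' matched without domain, user is (?P<user>\S+)$")
WITH_DOMAIN_RE = re.compile(
    r"^name '(?P<name>[^']*)' matched domain '(?P<domain>[^']*)', user is (?P<user>\S+)$")

# debug_level N -> bitmask, per sssd.conf(5): numeric levels 0..9 correspond to
# these bits, and level N enables its own bit plus every lower one.
LEVEL_BITS = [0x0010, 0x0020, 0x0040, 0x0080, 0x0100,
              0x0200, 0x0400, 0x1000, 0x2000, 0x4000]


def mask_for_debug_level(level: int) -> int:
    """Bitmask enabled by `debug_level = level` (clamped to 0..9)."""
    level = max(0, min(level, 9))
    mask = 0
    for bit in LEVEL_BITS[:level + 1]:
        mask |= bit
    return mask


def visible_at(line_mask: int, debug_level: int) -> bool:
    """Would a line tagged (0xNNNN) be written at this debug_level?"""
    return bool(line_mask & mask_for_debug_level(debug_level))


@dataclass
class Entry:
    ts: str
    responder: str
    func: str
    level: int
    msg: str


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None  # continuation of a wrapped line, or not SSSD output
    return Entry(m["ts"], m["responder"], m["func"], int(m["level"], 16), m["msg"])


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(raw) for raw in text.splitlines()) if e is not None]


# (name as typed, user part, domain SSSD matched or None)
Resolution = Tuple[str, str, Optional[str]]


def name_resolutions(entries: List[Entry]) -> List[Resolution]:
    out: List[Resolution] = []
    for e in entries:
        if e.func != "sss_parse_name_for_domains":
            continue
        m = WITH_DOMAIN_RE.match(e.msg)
        if m:
            out.append((m["name"], m["user"], m["domain"]))
            continue
        m = NO_DOMAIN_RE.match(e.msg)
        if m:
            out.append((m["name"], m["user"], None))
    return out


def upn_misrouted(entries: List[Entry], ipa_domain: str) -> List[str]:
    """Names typed with a non-IPA suffix that SSSD kept in the IPA domain (or
    could not place at all): the symptom discussed in the thread."""
    ipa = ipa_domain.lower()
    flagged: List[str] = []
    for name, _user, domain in name_resolutions(entries):
        if "@" not in name:
            continue
        suffix = name.rsplit("@", 1)[1].lower()
        if suffix == ipa:
            continue
        if domain is None or domain.lower() == ipa:
            flagged.append(name)
    return flagged


# Constructed sample: the first two lines are the ones quoted in the thread, the
# last three are made up (including the "matched domain" wording) to show one
# correct routing, one misrouting and one line hidden at debug_level 6.
SAMPLE_LOG = """\
(Fri Jun 26 16:22:30 2015) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Fri Jun 26 16:22:30 2015) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/ipa.mydomain.local/root] to negative cache permanently
(Fri Jun 26 16:23:01 2015) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'account1@mydomain.local' matched domain 'mydomain.local', user is account1
(Fri Jun 26 16:23:40 2015) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'john@otherdomain.com' matched domain 'ipa.mydomain.local', user is john@otherdomain.com
(Fri Jun 26 16:23:40 2015) [sssd[pam]] [pam_cmd_authenticate] (0x1000): constructed level-7 trace line, not written at debug_level 6
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for name, user, domain in name_resolutions(entries):
        print(f"{name!r} -> user={user!r} domain={domain!r}")
    print("misrouted UPNs:", upn_misrouted(entries, "ipa.mydomain.local"))
    print("lines visible at debug_level 6:", sum(visible_at(e.level, 6) for e in entries))
```

To use it on a real capture, read /var/log/sssd/sssd_pam.log into parse_log after an `sss_cache -E` and a fresh login attempt, and pass your IPA domain name to upn_misrouted; if your SSSD version words the sss_parse_name_for_domains message differently, change WITH_DOMAIN_RE to match it. A line tagged (0x1000) or higher will only appear once debug_level is raised to 7 or above in the relevant [pam] or [domain/...] section.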

Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-26 Thread Sumit Bose
On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:
 
 
 On 06/26/2015 02:38 PM, Sumit Bose wrote:
  On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
  On 06/25/2015 05:44 PM, Sumit Bose wrote:
  On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
  On 06/25/2015 02:10 PM, Sumit Bose wrote:
  On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
  On 06/25/2015 12:56 PM, Sumit Bose wrote:
  On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
  On 06/24/2015 06:45 PM, Sumit Bose wrote:
  On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
  Hi everybody,
  I established a bidirectional trust between an IPA server (version 
  4.1.0 on
  CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), 
  mydomain.local.
  Everything is working fine, and I'm able to authenticate and logon 
  on a linux
  host joined to IPA server using AD credentials 
  (username@mydomain.local).
  But active directory is configured with two more UPN suffixes 
  (otherdomain.com
  and sub.otherdomain.com), and I cannot logon with credentials 
  using alternative
  UPN (example: john@otherdomain.com).
 
  How can I make this possible? Another trust (ipa trust-add) with 
  the same AD?
  Manual configuration of krb5 and/or sssd?
 
  Have you tried to login to an IPA client or the server? Please try 
  with
  an IPA server first. If this does not work it would be nice if you 
  can
  send the SSSD log files from the IPA server which are generated 
  during
  the logon attempt. Please call 'sss_cache -E' before to invalidate 
  all
  cached entries so that the logs will contain all needed calls to AD.
 
  Using UPN suffixes were added to the AD provider some time ago and 
  the
  code is available in the IPA provider as well, but I guess no one 
  has
  actually tried this before.
 
  bye,
  Sumit
 
  First of all let me say that I feel like I'm missing some config somewhere.
  Changes tried in krb5.conf to support UPN suffixes didn't help.
  I can only access the server via ssh, so I've attached the logs for a successful
  login for account1@mydomain.local and an unsuccessful login for
  accou...@otherdomain.com done via ssh.
 
  Bye and thanks for your help
 
 
  It looks like the request is not properly propagated to sub-domains (the
  trusted AD domain) but only sent to the IPA domain.
 
  Would it be possible for you to run a test build of SSSD which might fix
  this? If yes, which version of SSSD are you currently using? Then I can
  prepare a test build with the patch on top of this version.
 
  bye,
  Sumit
 
 
  Hi,
  I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for
  any test.
 
  Here are the package versions for sssd:
 
  sssd-common-1.12.2-58.el7_1.6.x86_64
  sssd-krb5-1.12.2-58.el7_1.6.x86_64
  python-sssdconfig-1.12.2-58.el7_1.6.noarch
  sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
  sssd-ipa-1.12.2-58.el7_1.6.x86_64
  sssd-1.12.2-58.el7_1.6.x86_64
  sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
  sssd-ad-1.12.2-58.el7_1.6.x86_64
  sssd-ldap-1.12.2-58.el7_1.6.x86_64
  sssd-common-pac-1.12.2-58.el7_1.6.x86_64
  sssd-proxy-1.12.2-58.el7_1.6.x86_64
  sssd-client-1.12.2-58.el7_1.6.x86_64
 
  Please try the packages at
  http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
 
  bye,
  Sumit
 
  Hi,
  I've installed the new RPMs; now if I run on the server:
 
  id account1@mydomain.local
  id accou...@otherdomain.com
  id accou...@sub.otherdomain.com
 
  all the users are found, but I'm still unable to log in via ssh with the
  accounts @otherdomain.com and @sub.otherdomain.com.
 
  Attached are the logs for an unsuccessful login for user accou...@otherdomain.com.
 
  Bother, I forgot to add the fix to the pam responder as well, please try
  new packages from
  http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .
 
  bye,
  Sumit
 
 
  Hi,
  I've updated all the packages but still no login.
 
  Logs follow.
  
  I found another issue in the logs which should be fixed by the build
  from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 .
  
  Please send the sssd_pam log file as well; it might contain more details
  about what goes wrong during authentication.
  
  bye,
  Sumit
  
 
 Hi,
 packages updated, sssd and kerberos services restarted, cache flushed, but still
 no login on the IPA server.
 
 As before, logs attached. I've also included the logs generated by the restart
 of sssd service because there were no logs in sssd_pam.log when trying to
 authenticate.
 
 Debug level is set to 6 in the sections:
 
 [domain/ipa.mydomain.local]
 [sssd]
 [nss]
 [pam]
 
 of /etc/sssd/sssd.conf; please tell me if this is enough or if I have to
 increase it.
 

So far it is sufficient. I have another build for you to try at
http://koji.fedoraproject.org/koji/taskinfo?taskID=10219343

Thank you for your patience.

bye,
Sumit

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-26 Thread Sumit Bose
I found another issue in the logs which should be fixed by the build
from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 .

Please send the sssd_pam log file as well; it might contain more details
about what goes wrong during authentication.

bye,
Sumit

 


Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-25 Thread Sumit Bose
Please try the packages at
http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .

bye,
Sumit

 


Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-25 Thread Giorgio Biacchi
Hi,
I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for
any test.

Here are the package versions for sssd:

sssd-common-1.12.2-58.el7_1.6.x86_64
sssd-krb5-1.12.2-58.el7_1.6.x86_64
python-sssdconfig-1.12.2-58.el7_1.6.noarch
sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
sssd-1.12.2-58.el7_1.6.x86_64
sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
sssd-ad-1.12.2-58.el7_1.6.x86_64
sssd-ldap-1.12.2-58.el7_1.6.x86_64
sssd-common-pac-1.12.2-58.el7_1.6.x86_64
sssd-proxy-1.12.2-58.el7_1.6.x86_64
sssd-client-1.12.2-58.el7_1.6.x86_64

Thanks again
-- 
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34



Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-25 Thread Giorgio Biacchi
Hi,
I've installed the new RPMs; now if I run on the server:

id account1@mydomain.local
id accou...@otherdomain.com
id accou...@sub.otherdomain.com

all the users are found, but I'm still unable to log in via ssh with the accounts
@otherdomain.com and @sub.otherdomain.com.

Attached are the logs for an unsuccessful login for user accou...@otherdomain.com.

Bye
-- 
gb


(Thu Jun 25 16:18:54 2015) [sssd[nss]] [nss_clear_memcache] (0x0400): Clearing memory caches.
(Thu Jun 25 16:18:54 2015) [sssd[nss]] [nss_orphan_netgroups] (0x0400): Removing netgroups from memory cache.
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [accou...@otherdomain.com].
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fd3aa0776b0:domains@ipa.mydomain.local]
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7fd3aa0776b0:domains@ipa.mydomain.local]
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [accou...@otherdomain.com@ipa.mydomain.local]
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [accou...@otherdomain.com] found.
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7fd3aa075e40:1:accou...@otherdomain.com:U@ipa.mydomain.local]
(Thu Jun 25 16:18:58 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for 

Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-25 Thread Sumit Bose

Bother, I forgot to add the fix to the pam responder as well, please try
new packages from
http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .

bye,
Sumit

 


Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-25 Thread Giorgio Biacchi
Hi,
I've updated all the packages but still no login.

Logs follow.

Thanks again
-- 
gb


(Thu Jun 25 18:49:44 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [accou...@otherdomain.com], fail!
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f2fd335e6b0:domains@ipa.mydomain.local]
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [accou...@otherdomain.com].
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f2fd335e6b0:domains@ipa.mydomain.local]
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ipa.mydomain.local][otherdomain.com]
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f2fd335e6b0:domains@ipa.mydomain.local]
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [accou...@otherdomain.com] does not exist in [ipa.mydomain.local]! (negative cache)
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [accou...@otherdomain.com], fail!
(Thu Jun 25 18:49:44 2015) [sssd[nss]] 
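The lookup failure in the sssd_nss excerpt above, as an added example that is not part of the thread and not SSSD's code: a simplified model in which name-only matching yields no domain for a login with an alternative UPN suffix (the "No matching domain found" line), while matching against the suffixes the trusted domain publishes maps it to mydomain.local. The domain names are the thread's; the Domain layout, the function names and the sample log lines are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional


@dataclass
class Domain:
    """A domain known to the resolver. `upn_suffixes` holds the extra UPN
    suffixes a trusted AD domain publishes; `subdomains` the trusted domains
    reachable through this one. (Constructed model, not SSSD's structures.)"""
    name: str
    upn_suffixes: List[str] = field(default_factory=list)
    subdomains: List["Domain"] = field(default_factory=list)


# Layout from the thread: IPA domain ipa.mydomain.local trusts AD mydomain.local,
# which additionally publishes the UPN suffixes otherdomain.com and sub.otherdomain.com.
IPA_DOMAIN = Domain(
    "ipa.mydomain.local",
    subdomains=[Domain("mydomain.local",
                       upn_suffixes=["otherdomain.com", "sub.otherdomain.com"])],
)


def split_upn(login: str) -> tuple:
    """Split 'user@suffix' into (user, suffix); a bare user name has suffix None.
    Suffixes are compared case-insensitively, as DNS names are."""
    user, sep, suffix = login.partition("@")
    return user, (suffix.lower() if sep else None)


def iter_domains(root: Domain) -> Iterator[Domain]:
    """Yield the root domain, then every trusted sub-domain below it."""
    yield root
    for sub in root.subdomains:
        yield from iter_domains(sub)


def resolve_by_name(root: Domain, login: str) -> Optional[str]:
    """Name-only matching: the suffix must equal a known domain name.
    A login with an alternative UPN suffix matches nothing, which is the
    situation the thread's 'No matching domain found ... fail!' line reports."""
    _, suffix = split_upn(login)
    if suffix is None:
        return root.name
    for dom in iter_domains(root):
        if dom.name.lower() == suffix:
            return dom.name
    return None


def resolve_by_upn_suffix(root: Domain, login: str) -> Optional[str]:
    """Suffix-aware matching: also accept any UPN suffix a trusted domain
    publishes, so the lookup is sent to that domain instead of failing locally."""
    _, suffix = split_upn(login)
    if suffix is None:
        return root.name
    for dom in iter_domains(root):
        known = {dom.name.lower(), *(s.lower() for s in dom.upn_suffixes)}
        if suffix in known:
            return dom.name
    return None


# Constructed sssd_nss lines in the format of the log excerpt in the thread.
SAMPLE_NSS_LOG = """\
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1@otherdomain.com].
(Thu Jun 25 18:49:44 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [account1@otherdomain.com], fail!
(Thu Jun 25 18:49:50 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [account1@mydomain.local].
(Thu Jun 25 18:49:50 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [account1@mydomain.local@mydomain.local]
"""

NO_DOMAIN_RE = re.compile(
    r"\[nss_cmd_getpwnam_search\] \(0x0080\): No matching domain found for \[([^\]]+)\]"
)


def unmatched_logins(log_text: str) -> List[str]:
    """Return the logins for which sssd_nss logged 'No matching domain found',
    i.e. the names worth checking against resolve_by_upn_suffix()."""
    found = []
    for line in log_text.splitlines():
        m = NO_DOMAIN_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    for login in unmatched_logins(SAMPLE_NSS_LOG):
        print(login, "->", resolve_by_name(IPA_DOMAIN, login),
              "/ with UPN suffixes:", resolve_by_upn_suffix(IPA_DOMAIN, login))
```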

Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-24 Thread Sumit Bose
On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
 Hi everybody,
 I established a bidirectional trust between an IPA server (version 4.1.0 on
 CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
 Everything is working fine, and I'm able to authenticate and logon on a linux
 host joined to IPA server using AD credentials (username@mydomain.local).
 But active directory is configured with two more UPN suffixes (otherdomain.com
 and sub.otherdomain.com), and I cannot logon with credentials using 
 alternative
 UPN (example: john@otherdomain.com).
 
 How can I make this possible? Another trust (ipa trust-add) with the same AD?
 Manual configuration of krb5 and/or sssd?

Have you tried to log in to an IPA client or the server? Please try with
an IPA server first. If this does not work it would be nice if you can
send the SSSD log files from the IPA server which are generated during
the logon attempt. Please call 'sss_cache -E' beforehand to invalidate all
cached entries so that the logs will contain all needed calls to AD.

Support for UPN suffixes was added to the AD provider some time ago and the
code is available in the IPA provider as well, but I guess no one has
actually tried this before.

bye,
Sumit

 