Re: [Freeipa-users] domain trust linux to AD server not finding user profiles

2014-10-08 Thread Sumit Bose
On Tue, Oct 07, 2014 at 08:01:48PM -0400, Dmitri Pal wrote:
 On 10/07/2014 05:03 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network
 Support) wrote:
 
 I've been following the steps outlined in section 7.3.5 of the manual
 entitled
 
 Integrating OpenShift Enterprise
 with Identity Management (IdM)
 in Red Hat Enterprise Linux
 OpenShift Enterprise 2.1
 IdM in Red Hat Enterprise Linux 7
 Windows Server 2012 - Active Directory Integration
 
 I now have our RHEL V7 running IdM, set up as an IdM Server in a domain,
 Realm and subnet different from our existing AD server running Windows
 2008 R2 with a populated user database that can be queried using
 ldapsearch and can authorize users.
 
 I have successfully created a domain trust between the RHEL V7 Server
 (linux.ipa.cxo.cpqcorp.net 10.20.0.59/24) and the AD Server
 (win2008.osn.cxo.cpqcorp.net 16.112.240.55).
 
 To simplify the configuration I have no firewall running and so have
 stopped both iptables and firewalld.
 
 All steps in section 7.3.5 have been followed. But when I run the first
 test for a user on the AD system, the system is unable to find anything:
 
 [root@linux ~]# getent group 'OSN\Domain Users'
 [root@linux ~]#
 [root@linux ~]#
 [root@linux ~]# getent passwd 'OSN\ldap25'
 [root@linux ~]#
 
 The users and related information are not fetched until you authenticate as
 this user.
 The ability to fetch users and groups that are not yet authenticated is
 tracked by the ticket https://fedorahosted.org/sssd/ticket/2159 and will be
 addressed in the next version of SSSD.
 How frequently do you really need to lookup unauthenticated AD users and AD
 groups on linux systems? What is the use case?

This is correct, but the simple lookups shown above should still work
even for unauthenticated users. What is missing is the full
group-membership of an unauthenticated user and the full list of members
for a group.

Coming back to the issue above, it would be nice if you can increase the
debug level of SSSD running on the host where you call the getent
commands and send the SSSD logs after running the commands. Feel free to
send them to me directly if you think that the logs are too big or might
contain information too sensitive for a public mailing-list.

bye,
Sumit

 
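
Sumit asks for SSSD logs at a higher debug level and warns that they may carry data you do not want on a public list. As an added example (not code from the thread or from SSSD), this Python script does the two mechanical parts of that request: it puts debug_level into the sections that actually serve the getent calls, the [domain/...] backend and the [nss] responder (debug_level under [sssd] only raises the monitor's verbosity, which is a common reason for "verbose" logs that show nothing), and it masks IPv4 addresses and named hosts in the log lines before they are sent. The sssd.conf text and the log lines are constructed for the demonstration; the section names, option names and log line format are SSSD 1.x's.

```python
"""Raise SSSD's debug level where it matters for getent and scrub the
resulting logs before they go to a public list, as asked for in the
reply above.

Added example, not code from the thread or from SSSD. The sssd.conf text
and log lines below are constructed for this demonstration; the section
and option names are SSSD's.
"""
import configparser
import io
import re
from typing import Dict, Iterable, List, Optional

# Constructed sssd.conf in the shape of an IPA server's (not the poster's file).
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, sudo, pam, ssh
domains = ipa.cxo.cpqcorp.net

[domain/ipa.cxo.cpqcorp.net]
id_provider = ipa
ipa_server = linux.ipa.cxo.cpqcorp.net
ipa_hostname = linux.ipa.cxo.cpqcorp.net
ipa_server_mode = True
cache_credentials = True

[nss]
homedir_substring = /home
"""

# Constructed log lines in the SSSD 1.x format, with an address and FQDNs in them.
SAMPLE_LOG_LINES = [
    "(Wed Oct  8 10:00:01 2014) [sssd[nss]] [nss_cmd_getpwnam] (0x0100): "
    "Requesting info for [OSN\\ldap25] from [<ALL>]",
    "(Wed Oct  8 10:00:01 2014) [sssd[be[ipa.cxo.cpqcorp.net]]] [be_resolve_server_process] "
    "(0x0200): Found address for server linux.ipa.cxo.cpqcorp.net: [10.20.0.59] TTL 1200",
    "(Wed Oct  8 10:00:02 2014) [sssd[be[ipa.cxo.cpqcorp.net]]] [sdap_cli_connect_recv] "
    "(0x0040): Failed to connect to win2008.osn.cxo.cpqcorp.net (16.112.240.55)",
]


def _parse(conf_text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str            # keep option names exactly as written
    cfg.read_string(conf_text)
    return cfg


def raise_debug_level(conf_text: str, domain: str, level: int = 9) -> str:
    """Return conf_text with debug_level set in [domain/<domain>] and [nss].

    debug_level under [sssd] only affects the monitor process; the backend
    that talks to IPA/AD and the responder that answers getent each read
    their own section. configparser drops comments, so diff the result
    against the original before installing it."""
    cfg = _parse(conf_text)
    domain_section = f"domain/{domain}"
    if not cfg.has_section(domain_section):
        raise KeyError(f"no [{domain_section}] section in sssd.conf")
    for section in (domain_section, "nss"):
        if not cfg.has_section(section):
            cfg.add_section(section)
        cfg.set(section, "debug_level", str(level))
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


def debug_levels(conf_text: str) -> Dict[str, Optional[str]]:
    """debug_level per section (None where unset): the check to run afterwards."""
    cfg = _parse(conf_text)
    return {s: cfg.get(s, "debug_level", fallback=None) for s in cfg.sections()}


_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def redact(lines: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Mask IPv4 addresses and the listed hostnames (longest first, so a
    parent domain in the list cannot eat part of a longer FQDN). User and
    group names are left intact because the diagnosis depends on them."""
    subs = sorted(set(hostnames), key=len, reverse=True)
    out = []
    for line in lines:
        line = _IPV4.sub("<ip>", line)
        for i, host in enumerate(subs):
            line = line.replace(host, f"<host{i}>")
        out.append(line)
    return out


if __name__ == "__main__":
    print(raise_debug_level(SAMPLE_SSSD_CONF, "ipa.cxo.cpqcorp.net"))
    for line in redact(SAMPLE_LOG_LINES, ["linux.ipa.cxo.cpqcorp.net",
                                          "win2008.osn.cxo.cpqcorp.net"]):
        print(line)
```

Install the result as /etc/sssd/sssd.conf owned by root with mode 0600 (SSSD refuses to start with a more permissive file), run sss_cache -E so the next lookups reach the backend instead of the cache, restart sssd, rerun the two getent commands, and collect /var/log/sssd/sssd_nss.log and /var/log/sssd/sssd_<domain>.log. Skip the cache flush once if you want to see whether the empty answer is a negative cache entry rather than a backend failure. Run the redaction on a copy of the logs only.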

Re: [Freeipa-users] domain trust linux to AD server not finding user profiles

2014-10-08 Thread Loris Santamaria
El mar, 07-10-2014 a las 20:01 -0400, Dmitri Pal escribió:

 
 The users and related information are not fetched until you
 authenticate as this user.
 The ability to fetch users and groups that are not yet authenticated
 is tracked by the ticket https://fedorahosted.org/sssd/ticket/2159 and
 will be addressed in the next version of SSSD.
 How frequently do you really need to lookup unauthenticated AD users
 and AD groups on linux systems? What is the use case?
 
 The ticket above is for the cases when there is an application that
 needs to fetch the user so that admin of the application can assign
 privileges to this user. But this is a pretty corner case.

It is a pretty common request when you configure a proxy server with
authentication. You get the user's ticket but the user is not logged in
on the system, so normal group membership via sssd won't work.

Best regards

-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve

If I'd asked my customers what they wanted, they'd have said
a faster horse - Henry Ford

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] domain trust linux to AD server not finding user profiles

2014-10-07 Thread Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)


I've been following the steps outlined in section 7.3.5 of the manual entitled

Integrating OpenShift Enterprise
with Identity Management (IdM)
in Red Hat Enterprise Linux
OpenShift Enterprise 2.1
IdM in Red Hat Enterprise Linux 7
Windows Server 2012 - Active Directory Integration

I now have our RHEL V7 running IdM, set up as an IdM Server in a domain, Realm
and subnet different from our existing AD server running Windows 2008 R2 with
a populated user database that can be queried using ldapsearch and can
authorize users.

I have successfully created a domain trust between the RHEL V7 Server
(linux.ipa.cxo.cpqcorp.net 10.20.0.59/24) and the AD Server
(win2008.osn.cxo.cpqcorp.net 16.112.240.55).

To simplify the configuration I have no firewall running and so have stopped
both iptables and firewalld.

All steps in section 7.3.5 have been followed. But when I run the first test
for a user on the AD system, the system is unable to find anything:

[root@linux ~]# getent group 'OSN\Domain Users'
[root@linux ~]#
[root@linux ~]#
[root@linux ~]# getent passwd 'OSN\ldap25'
[root@linux ~]#


I find this in the krb5kdc.log file:

Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: NEEDED_PREAUTH: host/linux.ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net for krbtgt/ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net, Additional pre-authentication required
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412713681, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net for krbtgt/ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.20.0.59: ISSUE: authtime 1412713681, etypes {rep=18 tkt=18 ses=18}, host/linux.ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net for ldap/linux.ipa.cxo.cpqcorp@ipa.cxo.cpqcorp.net
Oct 07 16:28:01 linux.ipa.cxo.cpqcorp.net krb5kdc[12908](info): closing down fd 11

I'm not quite sure what else I'm missing or have not understood in order to
query the AD server from the linux IdM server...but it would appear that
something is not correctly defined in the krb5.conf file found below:

[root@linux ~]# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = IPA.CXO.CPQCORP.NET
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
IPA.CXO.CPQCORP.NET = {
  kdc = linux.ipa.cxo.cpqcorp.net:88
  master_kdc = linux.ipa.cxo.cpqcorp.net:88
  admin_server = linux.ipa.cxo.cpqcorp.net:749
  default_domain = ipa.cxo.cpqcorp.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@OSN.CXO.CPQCORP.NET$)s/@OSN.CXO.CPQCORP.NET/@osn.cxo.cpqcorp.net/
  auth_to_local = DEFAULT
}

OSN.CXO.CPQCORP.NET = {
  kdc = win2008.osn.cxo.cpqcorp.net
  master_kdc = win2008.osn.cxo.cpqcorp.net
  admin_sever = win2008.osn.cxo.cpqcorp.net
}

[domain_realm]
.ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
ipa.cxo.cpqcorp.net = IPA.CXO.CPQCORP.NET
.osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET
osn.cxo.cpqcorp.net = OSN.CXO.CPQCORP.NET

[dbmodules]
  IPA.CXO.CPQCORP.NET = {
    db_library = ipadb.so
  }



Any help greatly appreciated.

Al

Al Licause
CSC Americas BCS Technical Specialist
HP Customer Support Center
Hours 5am-2pm Pacific time USA
Manager: mark.bai...@hp.com

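
The auth_to_local lines in the krb5.conf above decide which local name a Kerberos principal is turned into before NSS (and so SSSD) is asked about it; this is also the step a Kerberos-authenticating proxy of the kind Loris describes has to perform on the client's ticket before it can ask for group membership. The following is an added example, not code from the thread, FreeIPA, SSSD or MIT krb5: it evaluates the two posted rules in MIT order (first match wins, the selector must match the whole formed string) and then resolves the result through the local NSS stack the way getent does. The rule grammar and the DEFAULT behaviour follow the krb5.conf(5) description; the simplification that principals contain no backslash-escaped '@' or '/' is an assumption, and the NSS lookup only returns real data on a host whose NSS is backed by SSSD. Two properties of the posted rule are worth noticing and the code makes visible: ldap25@OSN.CXO.CPQCORP.NET maps to the qualified name ldap25@osn.cxo.cpqcorp.net rather than to a bare ldap25, so admin@OSN.CXO.CPQCORP.NET can never collapse into the local admin; and the dots in the selector and in the s/pattern/ are unescaped regex wildcards, so a principal from a realm spelled OSNXCXOXCPQCORPXNET would be rewritten into the osn.cxo.cpqcorp.net namespace as well (only principals the KDC has actually authenticated reach this point, but escaping the dots costs nothing). Separately, the OSN realm block spells its key admin_sever; libkrb5 ignores unknown keys, and admin_server is only consulted by kadmin-style tools, so it is harmless for lookups but worth fixing.

```python
"""Evaluate the two auth_to_local rules from the krb5.conf above and then
resolve the resulting name through NSS the way getent (and a Kerberos-
authenticating proxy, as in Loris's reply) would.

Added example: not code from the thread, FreeIPA, SSSD or MIT krb5.
Assumptions: principals contain no backslash-escaped '@' or '/', rules are
tried in order with the first match winning and the selector must match the
whole formed string (MIT behaviour), and the RULE regexps use syntax that
Python's re module accepts.
"""
import os
import pwd
import re
from typing import List, Optional

DEFAULT_REALM = "IPA.CXO.CPQCORP.NET"

# Rules exactly as they appear in the [realms] IPA.CXO.CPQCORP.NET block.
AUTH_TO_LOCAL_RULES = [
    "RULE:[1:$1@$0](^.*@OSN.CXO.CPQCORP.NET$)s/@OSN.CXO.CPQCORP.NET/@osn.cxo.cpqcorp.net/",
    "DEFAULT",
]

# RULE:[n:format](selector)s/pattern/replacement/[g]
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")


def split_principal(principal: str):
    """'svc/host@REALM' -> (['svc', 'host'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"principal without realm: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, principal: str, default_realm: str) -> Optional[str]:
    """Local name produced by one rule, or None when the rule does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals of the default realm;
        # a trusted-realm principal never becomes a bare local user this way.
        return comps[0] if (realm == default_realm and len(comps) == 1) else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported auth_to_local rule: {rule!r}")
    ncomp, fmt, selector, pattern, replacement, flags = m.groups()
    if len(comps) != int(ncomp):
        return None

    # Build the candidate string: $0 is the realm, $1..$n are the components.
    def expand(v: "re.Match") -> str:
        i = int(v.group(1))
        if i == 0:
            return realm
        return comps[i - 1] if 0 < i <= len(comps) else ""

    formed = re.sub(r"\$(\d+)", expand, fmt)
    # MIT accepts the rule only if the selector matches the entire string.
    if not re.fullmatch(selector, formed):
        return None
    # Replacement text is literal (the lambda stops re.sub interpreting backslashes).
    return re.sub(pattern, lambda _: replacement, formed,
                  count=0 if "g" in flags else 1)


def auth_to_local(principal: str, rules=AUTH_TO_LOCAL_RULES,
                  default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """First matching rule wins; None means libkrb5 would refuse to map."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None


def nss_groups(local_name: str) -> Optional[List[int]]:
    """Resolve the mapped name through NSS (libc -> sss, as getent does) and
    return the user's gid list; None when NSS knows no such user, which is
    the empty 'getent passwd' result seen in the thread."""
    try:
        pw = pwd.getpwnam(local_name)
    except KeyError:
        return None
    return sorted(set(os.getgrouplist(pw.pw_name, pw.pw_gid)))


if __name__ == "__main__":
    for p in ("ldap25@OSN.CXO.CPQCORP.NET", "admin@OSN.CXO.CPQCORP.NET",
              "admin@IPA.CXO.CPQCORP.NET",
              "host/linux.ipa.cxo.cpqcorp.net@IPA.CXO.CPQCORP.NET",
              "ldap25@OSNXCXOXCPQCORPXNET"):   # unescaped dots match this too
        local = auth_to_local(p)
        print(f"{p:52} -> {local!r:32} groups={nss_groups(local) if local else None}")
```

On the IdM server in the thread, nss_groups("ldap25@osn.cxo.cpqcorp.net") returning None is the same symptom as the empty getent output: the name is well formed, NSS just has no answer for it yet, so the SSSD logs, not krb5.conf, are where the cause will show.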

Re: [Freeipa-users] domain trust linux to AD server not finding user profiles

2014-10-07 Thread Dmitri Pal
On 10/07/2014 05:03 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network
Support) wrote:

I've been following the steps outlined in section 7.3.5 of the manual
entitled

Integrating OpenShift Enterprise
with Identity Management (IdM)
in Red Hat Enterprise Linux
OpenShift Enterprise 2.1
IdM in Red Hat Enterprise Linux 7
Windows Server 2012 - Active Directory Integration

I now have our RHEL V7 running IdM, set up as an IdM Server in a domain,
Realm and subnet different from our existing AD server running Windows
2008 R2 with a populated user database that can be queried using
ldapsearch and can authorize users.

I have successfully created a domain trust between the RHEL V7 Server
(linux.ipa.cxo.cpqcorp.net 10.20.0.59/24) and the AD Server
(win2008.osn.cxo.cpqcorp.net 16.112.240.55).

To simplify the configuration I have no firewall running and so have
stopped both iptables and firewalld.

All steps in section 7.3.5 have been followed. But when I run the first
test for a user on the AD system, the system is unable to find anything:

[root@linux ~]# getent group 'OSN\Domain Users'
[root@linux ~]#
[root@linux ~]#
[root@linux ~]# getent passwd 'OSN\ldap25'
[root@linux ~]#

The users and related information are not fetched until you authenticate
as this user.
The ability to fetch users and groups that are not yet authenticated is
tracked by the ticket https://fedorahosted.org/sssd/ticket/2159 and will
be addressed in the next version of SSSD.
How frequently do you really need to lookup unauthenticated AD users and
AD groups on linux systems? What is the use case?

The ticket above is for the cases when there is an application that
needs to fetch the user so that admin of the application can assign
privileges to this user. But this is a pretty corner case.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
