Re: [Freeipa-users] ipa-client login as AD user in trusted domain

2016-08-10 Thread Guy Knights
Hmm, ok. In that case, I guess I need to rethink my setup. Thanks again for
all your help!

Kind regards,
Guy

On 10 August 2016 at 14:46, Justin Stephenson wrote:

> On 08/10/2016 05:19 PM, Guy Knights wrote:
>
> Ok, I increased the debug level as you recommended and it's given me a lot
> of useful info. Before I go any further trying to troubleshoot that mass of
> info on this mailing list though, I would like to double check something I
> came across. In the debug output I noticed this line:
>
> "No ccache file for user [b...@ad.bbg.net] found."
>
> I would not dwell much on this error message, I see the same error from
> the krb5_auth_prepare_ccache_name function when I successfully logged in as
> an AD user on my IPA client(I suspect the ccache gets created shortly
> after). Higher debug logs means there will be a lot of log messages that
> look like errors but may not be.
>
> I then searched this error and found this thread in which the OP seems to
> have basically the same setup as me:
>
> https://lists.fedorahosted.org/pipermail/sssd-users/2013-January/000379.html
>
> I started playing with kinit on the ubuntu machine that I'm trying to log
> into, and got this error:
>
> "kinit: Cannot find KDC for realm "AD.BBG.NET" while getting initial
> credentials"
>
> After reading through some of the replies on the above thread, I saw a
> post that basically says that while the initial user info lookup is via
> FreeIPA, to actually authenticate a user the ipa client machine must
> connect directly to the AD controller. If this is true, it basically means
> the setup I was planning to use (FreeIPA in the cloud replicating/proxying
> local AD user accounts) is not going to work as I'd hoped. Could you
> confirm if this behaviour is in fact correct?
>
> Yes, the IPA client at some points needs to communicate directly with AD
> for kerberos communication - you should see this in
> /var/log/sssd/krb5_child.log
>
> This is explained better than I could here:
>
> The anatomy of a trusted identity lookup
>
> https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
>
>
> Kind regards,
> Justin Stephenson
>
> Thanks,
> Guy
>
> On 9 August 2016 at 18:47, Justin Stephenson wrote:
>
>> Hello,
>>
>> You may need to increase the debug level to 9 and look in the
>> sssd_.log for failures after the failed login attempt - i would
>> look in between log messages 'Got request for bobt...' and 'Backend
>> returned' messages
>>
>> https://fedorahosted.org/sssd/wiki/Troubleshooting
>>
>> You can also send the debug logs here for review.
>>
>> Make sure logins and lookups are working on the IPA server first before
>> troubleshooting the IPA client.
>>
>> Kind regards,
>>
>> Justin Stephenson
>> On 08/09/2016 07:32 PM, Guy Knights wrote:
>>
>> I've set up a freeipa server on a centos 7 machine and have successfully
>> configured a 2-way trust between it and our active directory domain
>> controller. I've also installed ipa-client on an ubuntu 14.04 machine and
>> have run ipa-client-install, which has apparently successfully joined the
>> FreeIPA domain.
>>
>> So far, I can successfully do the following:
>>
>> 1. Log into the FreeIPA machine with an AD user account.
>> 2. Log into the Ubuntu machine with a FreeIPA account.
>> 3. Run 'getent passwd ' on the Ubuntu machine and have
>> it return the associated FreeIPA user account details (eg.
>> "jackt:*:113105:113105:Jack Test:/home/ipa.bbg.net/jackt:/bin/bash")
>> 4. Run 'getent passwd ' on the Ubuntu machine and have it
>> return the associated AD user account details (eg.
>> "b...@ad.bbg.net:*:1946801107:1946801107::/home/ad.bbg.net/bobt:/bin/bash")
>>
>> What I can't do is log into the Ubuntu machine with the AD user. I'm
>> using the following SSH command from the command line on my mac:
>>
>> ssh -o User=b...@ad.bbg.net vm1.bbg.com
>>
>> It asks me for the password, I enter it and it says permissions denied,
>> please try again. I set the debug level in SSSD on the ubuntu client to 5
>> and this is what shows up in the log during the login attempt:
>>
>> (Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info]
>> (0x0100): Got request for [4097][1][name=bobt]
>> (Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback]
>> (0x0100): Request processed. Returned 3,95,Account info lookup failed
>> (Tue Aug  9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback]
>> (0x0100): Request processed. Returned 0,0,Success
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info]
>> (0x0100): Got request for [3][1][name=bobt]
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback]
>> (0x0100): Request processed. Returned 3,95,Account info lookup failed
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler]
>> (0x0100): Got request with the following data
>> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
>> (0x010

Re: [Freeipa-users] ipa-client login as AD user in trusted domain

2016-08-10 Thread Justin Stephenson

On 08/10/2016 05:19 PM, Guy Knights wrote:
Ok, I increased the debug level as you recommended and it's given me a 
lot of useful info. Before I go any further trying to troubleshoot 
that mass of info on this mailing list though, I would like to double 
check something I came across. In the debug output I noticed this line:


"No ccache file for user [b...@ad.bbg.net] found."


I would not dwell much on this error message, I see the same error from 
the krb5_auth_prepare_ccache_name function when I successfully logged in 
as an AD user on my IPA client(I suspect the ccache gets created shortly 
after). Higher debug logs means there will be a lot of log messages that 
look like errors but may not be.


I then searched this error and found this thread in which the OP seems 
to have basically the same setup as me:


https://lists.fedorahosted.org/pipermail/sssd-users/2013-January/000379.html

I started playing with kinit on the ubuntu machine that I'm trying to 
log into, and got this error:


"kinit: Cannot find KDC for realm "AD.BBG.NET" while getting initial credentials"


After reading through some of the replies on the above thread, I saw a 
post that basically says that while the initial user info lookup is 
via FreeIPA, to actually authenticate a user the ipa client machine 
must connect directly to the AD controller. If this is true, it 
basically means the setup I was planning to use (FreeIPA in the cloud 
replicating/proxying local AD user accounts) is not going to work as 
I'd hoped. Could you confirm if this behaviour is in fact correct?


Yes, the IPA client at some points needs to communicate directly with AD 
for kerberos communication - you should see this in 
/var/log/sssd/krb5_child.log


This is explained better than I could here:


The anatomy of a trusted identity lookup
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/


Kind regards,
Justin Stephenson

Thanks,
Guy

On 9 August 2016 at 18:47, Justin Stephenson wrote:


Hello,

You may need to increase the debug level to 9 and look in the
sssd_.log for failures after the failed login attempt -
i would look in between log messages 'Got request for bobt...' and
'Backend returned' messages

https://fedorahosted.org/sssd/wiki/Troubleshooting


You can also send the debug logs here for review.

Make sure logins and lookups are working on the IPA server first
before troubleshooting the IPA client.

Kind regards,

Justin Stephenson

On 08/09/2016 07:32 PM, Guy Knights wrote:

I've set up a freeipa server on a centos 7 machine and have
successfully configured a 2-way trust between it and our active
directory domain controller. I've also installed ipa-client on an
ubuntu 14.04 machine and have run ipa-client-install, which has
apparently successfully joined the FreeIPA domain.

So far, I can successfully do the following:

1. Log into the FreeIPA machine with an AD user account.
2. Log into the Ubuntu machine with a FreeIPA account.
3. Run 'getent passwd ' on the Ubuntu machine
and have it return the associated FreeIPA user account details
(eg. "jackt:*:113105:113105:Jack Test:/home/ipa.bbg.net/jackt:/bin/bash")
4. Run 'getent passwd ' on the Ubuntu machine and
have it return the associated AD user account details (eg.
"b...@ad.bbg.net:*:1946801107:1946801107::/home/ad.bbg.net/bobt:/bin/bash")

What I can't do is log into the Ubuntu machine with the AD user.
I'm using the following SSH command from the command line on my mac:

ssh -o User=b...@ad.bbg.net vm1.bbg.com


It asks me for the password, I enter it and it says permissions
denied, please try again. I set the debug level in SSSD on the
ubuntu client to 5 and this is what shows up in the log during
the login attempt:

(Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
(Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug  9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Re

Re: [Freeipa-users] ipa-client login as AD user in trusted domain

2016-08-10 Thread Guy Knights
Ok, I increased the debug level as you recommended and it's given me a lot
of useful info. Before I go any further trying to troubleshoot that mass of
info on this mailing list though, I would like to double check something I
came across. In the debug output I noticed this line:

"No ccache file for user [b...@ad.bbg.net] found."

I then searched this error and found this thread in which the OP seems to
have basically the same setup as me:

https://lists.fedorahosted.org/pipermail/sssd-users/2013-January/000379.html

I started playing with kinit on the ubuntu machine that I'm trying to log
into, and got this error:

"kinit: Cannot find KDC for realm "AD.BBG.NET" while getting initial
credentials"

After reading through some of the replies on the above thread, I saw a post
that basically says that while the initial user info lookup is via FreeIPA,
to actually authenticate a user the ipa client machine must connect
directly to the AD controller. If this is true, it basically means the
setup I was planning to use (FreeIPA in the cloud replicating/proxying
local AD user accounts) is not going to work as I'd hoped. Could you
confirm if this behaviour is in fact correct?

Thanks,
Guy

On 9 August 2016 at 18:47, Justin Stephenson wrote:

> Hello,
>
> You may need to increase the debug level to 9 and look in the
> sssd_.log for failures after the failed login attempt - i would
> look in between log messages 'Got request for bobt...' and 'Backend
> returned' messages
>
> https://fedorahosted.org/sssd/wiki/Troubleshooting
>
> You can also send the debug logs here for review.
>
> Make sure logins and lookups are working on the IPA server first before
> troubleshooting the IPA client.
>
> Kind regards,
>
> Justin Stephenson
> On 08/09/2016 07:32 PM, Guy Knights wrote:
>
> I've set up a freeipa server on a centos 7 machine and have successfully
> configured a 2-way trust between it and our active directory domain
> controller. I've also installed ipa-client on an ubuntu 14.04 machine and
> have run ipa-client-install, which has apparently successfully joined the
> FreeIPA domain.
>
> So far, I can successfully do the following:
>
> 1. Log into the FreeIPA machine with an AD user account.
> 2. Log into the Ubuntu machine with a FreeIPA account.
> 3. Run 'getent passwd ' on the Ubuntu machine and have
> it return the associated FreeIPA user account details (eg.
> "jackt:*:113105:113105:Jack Test:/home/ipa.bbg.net/jackt:/bin/bash")
> 4. Run 'getent passwd ' on the Ubuntu machine and have it
> return the associated AD user account details (eg.
> "b...@ad.bbg.net:*:1946801107:1946801107::/home/ad.bbg.net/bobt:/bin/bash")
>
> What I can't do is log into the Ubuntu machine with the AD user. I'm using
> the following SSH command from the command line on my mac:
>
> ssh -o User=b...@ad.bbg.net vm1.bbg.com
>
> It asks me for the password, I enter it and it says permissions denied,
> please try again. I set the debug level in SSSD on the ubuntu client to 5
> and this is what shows up in the log during the login attempt:
>
> (Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info]
> (0x0100): Got request for [4097][1][name=bobt]
> (Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback]
> (0x0100): Request processed. Returned 3,95,Account info lookup failed
> (Tue Aug  9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback]
> (0x0100): Request processed. Returned 0,0,Success
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info]
> (0x0100): Got request for [3][1][name=bobt]
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback]
> (0x0100): Request processed. Returned 3,95,Account info lookup failed
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler]
> (0x0100): Got request with the following data
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
> (0x0100): command: PAM_AUTHENTICATE
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
> (0x0100): domain: ad.bbg.net
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
> (0x0100): user: b...@ad.bbg.net
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
> (0x0100): service: sshd
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
> (0x0100): tty: ssh
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
> (0x0100): ruser:
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
> (0x0100): rhost: 192.168.100.157
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
> (0x0100): authtok type: 1
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
> (0x0100): newauthtok type: 0
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
> (0x0100): priv: 1
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data]
> (0x0100): cli_pid: 16230
> (Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send]
>
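Justin's reply above confirms that the IPA client has to reach the AD KDC directly for Kerberos, and Guy's kinit error ("Cannot find KDC for realm") is what MIT Kerberos reports when neither krb5.conf nor DNS tells it where that KDC is. The script below is an added example, not code from this thread, from FreeIPA or from SSSD: it parses a krb5.conf and reports, for one realm, whether KDCs are listed explicitly under [realms] or whether the library will fall back to the _kerberos SRV records (the dns_lookup_kdc setting, which MIT krb5 enables by default). The sample krb5.conf is constructed to resemble a client that only knows the IPA realm; the realm and host names are taken from the thread.

```python
"""Where will an MIT krb5 client look for the KDC of a given realm?

Added example, not code from the thread or from FreeIPA. It parses a
krb5.conf and reports, for one realm, either the 'kdc =' servers listed
under [realms] or, when the realm is absent and dns_lookup_kdc is on
(MIT krb5's default), the DNS SRV names the library would query instead.
"""
import re

# Constructed sample resembling an ipa-client-install result: the IPA realm
# is configured explicitly, the trusted AD realm is not mentioned at all.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = IPA.BBG.NET
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false

[realms]
  IPA.BBG.NET = {
    kdc = dc.ipa.bbg.net:88
    master_kdc = dc.ipa.bbg.net:88
    admin_server = dc.ipa.bbg.net:749
  }

[domain_realm]
  .ipa.bbg.net = IPA.BBG.NET
  ipa.bbg.net = IPA.BBG.NET
"""

SECTION_RE = re.compile(r'^\[(\w+)\]$')
SUBSECTION_RE = re.compile(r'^([^=\s]+)\s*=\s*\{$')


def parse_krb5_conf(text):
    """Minimal parser for the krb5.conf profile format: [section] headers,
    'key = value' lines and one level of 'NAME = { ... }' blocks (which is
    what [realms] uses). Repeated keys such as several 'kdc =' lines
    accumulate, so every value is stored as a list of strings."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None:
            continue                              # stray text before any section
        if line == '}':
            block = None
            continue
        m = SUBSECTION_RE.match(line)
        if m:
            block = m.group(1)
            conf[section][block] = {}
            continue
        key, _, value = line.partition('=')
        target = conf[section][block] if block else conf[section]
        target.setdefault(key.strip(), []).append(value.strip())
    return conf


def kdc_sources(conf, realm):
    """Return ('config', [kdc servers]) when the realm lists KDCs explicitly,
    ('dns', [SRV names]) when krb5 would fall back to DNS SRV lookup, or
    ('none', []) when neither applies and kinit cannot find a KDC."""
    entry = conf.get('realms', {}).get(realm, {})
    kdcs = entry.get('kdc', []) if isinstance(entry, dict) else []
    if kdcs:
        return 'config', list(kdcs)
    flag = conf.get('libdefaults', {}).get('dns_lookup_kdc', ['true'])[-1]
    if flag.lower() in ('true', 'yes', 'on', '1'):
        return 'dns', ['_kerberos._udp.' + realm, '_kerberos._tcp.' + realm]
    return 'none', []


def describe(realm, conf_text):
    """One-line verdict for a realm, phrased as what the admin must verify."""
    source, targets = kdc_sources(parse_krb5_conf(conf_text), realm)
    if source == 'config':
        return f"{realm}: KDCs configured in krb5.conf: {', '.join(targets)}"
    if source == 'dns':
        return f"{realm}: no [realms] entry; krb5 will query SRV records {', '.join(targets)}"
    return f"{realm}: no KDC configured and DNS lookup disabled; kinit reports 'Cannot find KDC'"


if __name__ == '__main__':
    import sys
    realm = sys.argv[1] if len(sys.argv) > 1 else 'AD.BBG.NET'
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_KRB5_CONF
    print(describe(realm, text))
```

For the trusted realm the verdict is 'dns', which means everything hinges on name resolution from the client: its resolver (normally the IPA server's DNS, which forwards the AD zone) must answer the _kerberos._tcp.AD.BBG.NET query, and port 88 on the hosts it returns must be reachable from the client's network, which is exactly the direct client-to-AD path Justin describes. Running kinit with KRB5_TRACE=/dev/stderr set in the environment shows which of these lookups the library actually attempted.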

Re: [Freeipa-users] ipa-client login as AD user in trusted domain

2016-08-09 Thread Justin Stephenson

Hello,

You may need to increase the debug level to 9 and look in the 
sssd_.log for failures after the failed login attempt - i 
would look in between log messages 'Got request for bobt...' and 
'Backend returned' messages


https://fedorahosted.org/sssd/wiki/Troubleshooting

You can also send the debug logs here for review.

Make sure logins and lookups are working on the IPA server first before 
troubleshooting the IPA client.


Kind regards,

Justin Stephenson

On 08/09/2016 07:32 PM, Guy Knights wrote:
I've set up a freeipa server on a centos 7 machine and have 
successfully configured a 2-way trust between it and our active 
directory domain controller. I've also installed ipa-client on an 
ubuntu 14.04 machine and have run ipa-client-install, which has 
apparently successfully joined the FreeIPA domain.


So far, I can successfully do the following:

1. Log into the FreeIPA machine with an AD user account.
2. Log into the Ubuntu machine with a FreeIPA account.
3. Run 'getent passwd ' on the Ubuntu machine and 
have it return the associated FreeIPA user account details (eg. 
"jackt:*:113105:113105:Jack Test:/home/ipa.bbg.net/jackt:/bin/bash")
4. Run 'getent passwd ' on the Ubuntu machine and have it 
return the associated AD user account details (eg. 
"b...@ad.bbg.net:*:1946801107:1946801107::/home/ad.bbg.net/bobt:/bin/bash")


What I can't do is log into the Ubuntu machine with the AD user. I'm 
using the following SSH command from the command line on my mac:


ssh -o User=b...@ad.bbg.net vm1.bbg.com



It asks me for the password, I enter it and it says permissions 
denied, please try again. I set the debug level in SSSD on the ubuntu 
client to 5 and this is what shows up in the log during the login attempt:


(Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
(Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug  9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): domain: ad.bbg.net
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: b...@ad.bbg.net
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): service: sshd
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): tty: ssh
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): ruser:
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): rhost: 192.168.100.157
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): priv: 1
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): cli_pid: 16230
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [b...@ad.bbg.net] found.
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_resolve_server_process] (0x0200): Found address for server dc.ipa.bbg.net: [192.168.100.14] TTL 3600
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, ) [Success]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]]
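Justin's advice is to read the backend log between the 'Got request for bobt...' and 'Backend returned' messages. The script below, an added example and not code from this thread or from SSSD, does that reading mechanically over lines in the format posted above: it pairs each account lookup with its data-provider result and each PAM request with its printed fields, the messages logged while it was in flight, and the decoded final status. The sample log is constructed from the lines in the thread with the user written out as bobt@ad.bbg.net; the PAM status names follow Linux-PAM's numbering and the DP_ERR names follow SSSD's dp_errors enum.

```python
"""Summarise login attempts from an SSSD backend log (sssd_<domain>.log).

Added example, not code from the thread or from SSSD. It walks the lines
between 'Got request' and 'Backend returned', as the thread suggests,
and reports each account lookup and PAM request with its result decoded.
"""
import re

LINE_RE = re.compile(
    r'^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] '
    r'\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$')
LOOKUP_RE = re.compile(r'Got request for \[(\d+)\]\[\d+\]\[(.*)\]')
RESULT_RE = re.compile(r'Request processed\. Returned (\d+),(\d+),(.*)')
BACKEND_RE = re.compile(r'Backend returned: \((\d+), (\d+), (.*?)\) \[(.*)\]')

# Linux-PAM return codes commonly seen in 'Sending result [N]'.
PAM_CODES = {0: 'PAM_SUCCESS', 4: 'PAM_SYSTEM_ERR', 6: 'PAM_PERM_DENIED',
             7: 'PAM_AUTH_ERR', 9: 'PAM_AUTHINFO_UNAVAIL', 10: 'PAM_USER_UNKNOWN'}
# SSSD data-provider error classes: first number in 'Request processed. Returned X,...'.
DP_ERRORS = {0: 'DP_ERR_OK', 1: 'DP_ERR_OFFLINE', 2: 'DP_ERR_TIMEOUT', 3: 'DP_ERR_FATAL'}

# Constructed sample modelled on the lines posted in the thread.
SAMPLE_LOG = """\
(Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
(Tue Aug  9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug  9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): domain: ad.bbg.net
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: bobt@ad.bbg.net
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): service: sshd
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): rhost: 192.168.100.157
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [bobt@ad.bbg.net] found.
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_resolve_server_process] (0x0200): Found address for server dc.ipa.bbg.net: [192.168.100.14] TTL 3600
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, ) [Success]
(Tue Aug  9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
"""


def parse_line(line):
    """Split one backend log line into timestamp, domain, function, level, message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text):
    """Return (lookups, pam_requests): each account lookup with its data-provider
    result, and each PAM request with its printed fields, the messages logged
    while it was in flight, and the decoded final PAM status."""
    lookups, pam_requests = [], []
    lookup = pam = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        func, msg = rec['func'], rec['msg']
        if func == 'be_get_account_info':
            m = LOOKUP_RE.search(msg)
            if m:
                lookup = {'request_type': int(m.group(1)), 'filter': m.group(2),
                          'dp_error': None, 'errno': None, 'message': None}
                lookups.append(lookup)
        elif func == 'acctinfo_callback' and lookup is not None:
            m = RESULT_RE.search(msg)
            if m:
                lookup.update(dp_error=int(m.group(1)), errno=int(m.group(2)),
                              message=m.group(3))
                lookup = None       # a second callback for the same request is ignored
        elif func == 'be_pam_handler':
            pam = {'fields': {}, 'notes': [], 'pam_status': None, 'pam_status_name': None}
            pam_requests.append(pam)
        elif func == 'pam_print_data' and pam is not None:
            key, _, value = msg.partition(':')
            pam['fields'][key.strip()] = value.strip()
        elif func == 'be_pam_handler_callback' and pam is not None:
            m = BACKEND_RE.search(msg)
            if m:
                code = int(m.group(2))
                pam.update(pam_status=code, pam_status_name=PAM_CODES.get(code, 'unknown'))
                pam = None
        elif pam is not None:
            # everything else logged while the PAM request is open (krb5_auth_send,
            # failover resolution, ...) is the context that explains the status
            pam['notes'].append(f"{func}: {msg}")
    return lookups, pam_requests


def report(log_text):
    """Human-readable summary lines built from analyse()."""
    lookups, pams = analyse(log_text)
    out = []
    for lk in lookups:
        out.append(f"lookup {lk['filter']} (type {lk['request_type']}): "
                   f"{DP_ERRORS.get(lk['dp_error'], lk['dp_error'])}, "
                   f"errno {lk['errno']}, {lk['message']}")
    for p in pams:
        f = p['fields']
        out.append(f"{f.get('command')} user={f.get('user')} domain={f.get('domain')} "
                   f"service={f.get('service')} rhost={f.get('rhost')} -> "
                   f"{p['pam_status']} ({p['pam_status_name']})")
        out.extend('    ' + n for n in p['notes'])
    return out


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print('\n'.join(report(text)))
```

Run it against /var/log/sssd/sssd_<domain>.log after a failed login. On the sample it reports the pattern from the thread: both lookups for bobt end in DP_ERR_FATAL with errno 95 (EOPNOTSUPP on Linux), and the PAM_AUTHENTICATE request for sshd from 192.168.100.157 comes back as status 4, PAM_SYSTEM_ERR, with the krb5_auth_send line as the last thing logged before the backend answered, which is why the Kerberos side of the failure has to be followed in the krb5_child.log that Justin points to.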