So I've completed the setup, and can see the trust on the Windows side. I've joined a client to the IPA realm, and can log in with an IPA user. When I try to log in (console, ssh, su -) as a domain user I get:
--------CLIENT SIDE--------
[root@rhel6-client ~]# su - sdainard@miovision
su: user sdainard@miovision does not exist
[root@rhel6-client ~]# su - [email protected]
su: user [email protected] does not exist
[root@rhel6-client ~]# su - [email protected]
su: user [email protected] does not exist
[root@rhel6-client ~]# ssh sdainard@miovision@localhost
sdainard@miovision@localhost's password:
Permission denied, please try again.

/var/log/secure:
Feb 6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 10:13:06 rhel6 sshd[2435]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
Feb 6 10:13:09 rhel6 sshd[2435]: pam_succeed_if(sshd:auth): error retrieving information about user sdainard@miovision
Feb 6 10:13:10 rhel6 sshd[2435]: Failed password for invalid user sdainard@miovision from ::1 port 47391 ssh2
Feb 6 10:13:20 rhel6 sshd[2436]: Connection closed by ::1
Feb 6 10:13:25 rhel6 sshd[2709]: Invalid user sdainard@miovision from ::1
Feb 6 10:13:25 rhel6 sshd[2710]: input_userauth_request: invalid user sdainard@miovision
Feb 6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 10:13:36 rhel6 sshd[2709]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
Feb 6 10:13:38 rhel6 sshd[2709]: pam_succeed_if(sshd:auth): error retrieving information about user sdainard@miovision
Feb 6 10:13:40 rhel6 sshd[2709]: Failed password for invalid user sdainard@miovision from ::1 port 47417 ssh2

No logs for sssd;
# pwd
/var/log/sssd
[root@snapshot-test sssd]# ll
total 0
-rw-------. 1 root root 0 Feb 5 17:38 krb5_child.log
-rw-------. 1 root root 0 Feb 5 17:38 ldap_child.log
-rw-------. 1 root root 0 Feb 5 17:37 sssd.log
-rw-------. 1 root root 0 Feb 5 17:38 sssd_miolinux.corp.log
-rw-------. 1 root root 0 Feb 5 17:38 sssd_nss.log
-rw-------. 1 root root 0 Feb 5 17:38 sssd_pac.log
-rw-------. 1 root root 0 Feb 5 17:38 sssd_pam.log
-rw-------. 1 root root 0 Feb 5 17:38 sssd_ssh.log

/etc/sssd/sssd.conf:
[domain/miolinux.corp]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = miolinux.corp
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rhel6-client.miolinux.corp
chpass_provider = ipa
ipa_server = _srv_, ipa1.miolinux.corp
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = miolinux.corp
[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]

/etc/ipa/default.conf
#File modified by ipa-client-install
[global]
basedn = dc=miolinux,dc=corp
realm = MIOLINUX.CORP
domain = miolinux.corp
server = ipa1.miolinux.corp
xmlrpc_uri = https://ipa1.miolinux.corp/ipa/xml
enable_ra = True

------------ IPA SERVER SIDE --------------
/var/log/dirsrv/slapd-MIOLINUX-CORP/access
* no new entries *
/var/log/dirsrv/slapd-MIOLINUX-CORP/errors
* no new entries *

/var/log/krb5kdc.log when I attempt to su - sdainard@miovision
Feb 06 10:08:25 ipa1.miolinux.corp krb5kdc[7689](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:08:25 ipa1.miolinux.corp krb5kdc[7688](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699305, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:08:26 ipa1.miolinux.corp krb5kdc[7689](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699305, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:08:26 ipa1.miolinux.corp krb5kdc[7687](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:08:26 ipa1.miolinux.corp krb5kdc[7690](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699306, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:08:27 ipa1.miolinux.corp krb5kdc[7688](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699306, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:08:27 ipa1.miolinux.corp krb5kdc[7687](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:08:27 ipa1.miolinux.corp krb5kdc[7688](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699307, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:08:27 ipa1.miolinux.corp krb5kdc[7690](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699307, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:08:28 ipa1.miolinux.corp krb5kdc[7688](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:08:28 ipa1.miolinux.corp krb5kdc[7687](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699308, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:08:28 ipa1.miolinux.corp krb5kdc[7689](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699308, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]

/var/log/krb5kdc.log when I attempt ssh:
Feb 06 10:13:21 ipa1.miolinux.corp krb5kdc[7690](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:13:21 ipa1.miolinux.corp krb5kdc[7689](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699601, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:13:22 ipa1.miolinux.corp krb5kdc[7687](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699601, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:13:22 ipa1.miolinux.corp krb5kdc[7688](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:13:22 ipa1.miolinux.corp krb5kdc[7689](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699602, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:13:23 ipa1.miolinux.corp krb5kdc[7690](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699602, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:13:23 ipa1.miolinux.corp krb5kdc[7688](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:13:23 ipa1.miolinux.corp krb5kdc[7687](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699603, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:13:24 ipa1.miolinux.corp krb5kdc[7688](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699603, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:13:24 ipa1.miolinux.corp krb5kdc[7688](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:13:24 ipa1.miolinux.corp krb5kdc[7689](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699604, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:13:25 ipa1.miolinux.corp krb5kdc[7687](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699604, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:13:25 ipa1.miolinux.corp krb5kdc[7687](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: UNKNOWN_SERVER: authtime 0, [email protected] for host/[email protected], Server not found in Kerberos database
Feb 06 10:13:25 ipa1.miolinux.corp krb5kdc[7687](info): closing down fd 10
Feb 06 10:13:25 ipa1.miolinux.corp krb5kdc[7689](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: UNKNOWN_SERVER: authtime 0, [email protected] for host/[email protected], Server not found in Kerberos database
Feb 06 10:13:25 ipa1.miolinux.corp krb5kdc[7689](info): closing down fd 10
Feb 06 10:13:26 ipa1.miolinux.corp krb5kdc[7690](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: UNKNOWN_SERVER: authtime 0, [email protected] for host/[email protected], Server not found in Kerberos database
Feb 06 10:13:26 ipa1.miolinux.corp krb5kdc[7690](info): closing down fd 10
Feb 06 10:13:30 ipa1.miolinux.corp krb5kdc[7690](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:13:30 ipa1.miolinux.corp krb5kdc[7688](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699610, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:13:30 ipa1.miolinux.corp krb5kdc[7687](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699610, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:13:31 ipa1.miolinux.corp krb5kdc[7687](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:13:31 ipa1.miolinux.corp krb5kdc[7689](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699611, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:13:31 ipa1.miolinux.corp krb5kdc[7687](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699611, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:13:32 ipa1.miolinux.corp krb5kdc[7690](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:13:32 ipa1.miolinux.corp krb5kdc[7688](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699612, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:13:32 ipa1.miolinux.corp krb5kdc[7689](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699612, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:13:32 ipa1.miolinux.corp krb5kdc[7690](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:13:32 ipa1.miolinux.corp krb5kdc[7690](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699612, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:13:33 ipa1.miolinux.corp krb5kdc[7690](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699612, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:13:33 ipa1.miolinux.corp krb5kdc[7690](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:13:33 ipa1.miolinux.corp krb5kdc[7687](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699613, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:13:34 ipa1.miolinux.corp krb5kdc[7688](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699613, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:13:34 ipa1.miolinux.corp krb5kdc[7688](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:13:34 ipa1.miolinux.corp krb5kdc[7687](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699614, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:13:34 ipa1.miolinux.corp krb5kdc[7689](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699614, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:13:34 ipa1.miolinux.corp krb5kdc[7689](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:13:34 ipa1.miolinux.corp krb5kdc[7690](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699614, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:13:35 ipa1.miolinux.corp krb5kdc[7688](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699614, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:13:35 ipa1.miolinux.corp krb5kdc[7688](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:13:35 ipa1.miolinux.corp krb5kdc[7688](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699615, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:13:36 ipa1.miolinux.corp krb5kdc[7689](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699615, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:13:36 ipa1.miolinux.corp krb5kdc[7689](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:13:36 ipa1.miolinux.corp krb5kdc[7687](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699616, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:13:36 ipa1.miolinux.corp krb5kdc[7688](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699616, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:13:36 ipa1.miolinux.corp krb5kdc[7687](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:13:36 ipa1.miolinux.corp krb5kdc[7690](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699616, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:13:37 ipa1.miolinux.corp krb5kdc[7687](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699616, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:13:37 ipa1.miolinux.corp krb5kdc[7690](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:13:37 ipa1.miolinux.corp krb5kdc[7689](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699617, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:13:38 ipa1.miolinux.corp krb5kdc[7690](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699617, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Feb 06 10:13:38 ipa1.miolinux.corp krb5kdc[7689](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Feb 06 10:13:38 ipa1.miolinux.corp krb5kdc[7688](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699618, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Feb 06 10:13:38 ipa1.miolinux.corp krb5kdc[7687](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.6.239: ISSUE: authtime 1391699618, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]

Steve Dainard
IT Infrastructure Manager
Miovision <http://miovision.com/> | Rethink Traffic

On Wed, Feb 5, 2014 at 5:30 PM, Steve Dainard <[email protected]> wrote:
> I didn't have the firewall on my IPA server down while forming the trust.
> All seems to be working now.
>
> Thanks for your help.
>
> Steve
>
>> --
>> / Alexander Bokovoy
