On Thu, Feb 6, 2014 at 12:42 PM, Alexander Bokovoy <[email protected]> wrote:

> On Thu, 06 Feb 2014, Steve Dainard wrote:
>
>>>    In newer versions (FreeIPA 3.3+, SSSD 1.11+) this is done on IPA master
>>>    automatically by setting       ipa_master_mode = True
>>>
>>>    On RHEL 6.x one needs to add the parameters manually.
>>>
>>> 2. /etc/krb5.conf has to contain auth_to_local rules that map AD
>>>    principals to lower-cased versions because some applications (SSH)
>>>    are very picky about user/principal name mapping. This has to be done
>>>    on both IPA masters and IPA clients.
>>>
>>>
>> This was done on the IPA server, but the RHEL 6.5 client doesn't have this
>> file.
>>
>> On the IPA server:
>>
>> [realms]
>> MIOLINUX.CORP = {
>>  kdc = ipa1.miolinux.corp:88
>>  master_kdc = ipa1.miolinux.corp:88
>>  admin_server = ipa1.miolinux.corp:749
>>  default_domain = miolinux.corp
>>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>> auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION$)s/@MIOVISION/@miovision/
>> auth_to_local = DEFAULT
>>
>> [root@ipa1 ~]# kinit [email protected]
>> Password for [email protected]:
>> kinit: KDC reply did not match expectations while getting initial
>> credentials
>>
> MIT Kerberos is case-sensitive for the realm, so it should always be
>  kinit [email protected]
>
> make also sure that your rule above has proper realm. If your realm is
> MIOVISION.CORP, then auth_to_local rule is
>
> auth_to_local = RULE:[1:$1@$0](^.*@MIOVISION.CORP$)s/@MIOVISION.CORP/@miovision.corp/
>

OK that makes sense. I wasn't sure if it was NETBIOS or not. Changed.

>
> In MIT Kerberos 1.13 we'll have an interface that will allow SSSD to
> automatically generate (and supply) these rules. Prior to that we have
> to have explicit configuration on all clients and servers.


Excellent, do you work with whoever is maintaining the Ubuntu PPA on this
as well? One of our dev teams is exclusively on Ubuntu 12.04 and I've had
some serious issues with joining clients from the distro.

>
>
>> A CentOS 6.5 client has this file. The docs didn't mention the manual
>> client config; I just assumed the IPA server would proxy the request.
>> After adding it, no change.
>>
> A request to IPA server needs to come from a client and a client needs
> to know about that. We changed SSSD 1.11+ to discover IPA capabilities
> and self-configure but for older clients (1.9..1.10) you need to perform
> it through explicit config.
>
>
>     With these changes SSSD on IPA client will recognize AD users and
>>>    request IPA master to perform name/SID/etc resolution, and also will
>>>    make an attempt to parse special part of the Kerberos ticket
>>>    generated by AD DC (MS-PAC) that contains signed cached copy of group
>>>    ownership for AD users.
>>>
>>> SSSD needs restart after each config change.
>>>
>>> You can do checks step by step to see whether things are working:
>>>
>>> 1. Ensure that SSSD on IPA master resolves AD user properly:
>>>
>>>    getent passwd [email protected]
>>>
>>>    Should return non-empty entry.
>>>
>>>
>> Returns no values.
>>
>> [root@ipa1 ~]# getent passwd [email protected]
>> [root@ipa1 ~]#
>>
> Can you add debug_level=9 to [domain/...] section in
> /etc/sssd/sssd.conf, restart sssd and try again?
>
> In /var/log/sssd/sssd_<domain>.log there will be a lot of debug
> information that I'd like to see (send it privately).
>
> If sssd properly tries to talk to winbindd to resolve id, I'd like to
> see winbind logs then:
>
> # smbcontrol all debug 100
> # getent passwd [email protected]
> # smbcontrol all debug 1
>
> and send me logs from /var/log/samba.
>
>
>
Done, sending logs outside of list.

There are some communication errors. I dropped the firewall on the IPA
server to test the last couple of runs of 'getent passwd
[email protected]'.


>>
>>> 2. Ensure that SSSD on IPA client resolves AD user properly:
>>>
>>>    getent passwd [email protected]
>>>
>>>    Should return non-empty entry.
>>>
>>>
>> [root@snapshot-test ~]# getent passwd [email protected]
>> [root@snapshot-test ~]#
>>
> Once we solve it for IPA master, we can continue with this part.
>
>>
>>> 3. Ensure that Kerberos infrastructure works:
>>>
>>>    kinit [email protected]
>>>    kvno -S host ipa.client.domain
>>>
>>>
>> [root@ipa1 ~]# kinit [email protected]
>> Password for [email protected]:
>> kinit: KDC reply did not match expectations while getting initial
>> credentials
>>
> Expected (realm is case-sensitive).
>
>> [root@ipa1 ~]# kinit [email protected]
>> Password for [email protected]:
>>
>> [root@ipa1 ~]# kvno cifs/[email protected]
>> cifs/[email protected]: kvno = 41
>>
>> [root@ipa1 ~]# kvno -S host ipa1.miolinux.corp
>> host/[email protected]: kvno = 2
>>
>> [root@ipa1 ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: [email protected]
>>
>> Valid starting     Expires            Service principal
>> 02/06/14 11:54:55  02/06/14 21:54:57  krbtgt/[email protected]
>>         renew until 02/07/14 11:54:55
>> 02/06/14 11:55:38  02/06/14 21:54:57  cifs/[email protected]
>>         renew until 02/07/14 11:54:55
>> 02/06/14 11:56:50  02/06/14 21:54:57  krbtgt/[email protected]
>>         renew until 02/07/14 11:54:55
>> 02/06/14 11:57:05  02/06/14 21:54:57  host/[email protected]
>>         renew until 02/07/14 11:54:55
>>
> Kerberos infrastructure works fine.
>
>
> --
> / Alexander Bokovoy
>
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users