Evening, I have been trying to get an IPA server working with AD users and I think I need some assistance, as I have run into a wall. Below is some background information. The Active Directory domain is called example.local and the IPA domain is called example.loc. My plan is to map domain users on AD to ad_users on the IPA servers. I am using CentOS Linux release 7.0.1406 (Core) with the RPMs below:

[root@ipa3-yyz-int ~]# rpm -qa | grep ipa
ipa-client-3.3.3-28.el7.centos.1.x86_64
iniparser-3.1-5.el7.x86_64
ipa-server-trust-ad-3.3.3-28.el7.centos.1.x86_64
sssd-ipa-1.11.2-68.el7_0.5.x86_64
ipa-python-3.3.3-28.el7.centos.1.x86_64
ipa-server-3.3.3-28.el7.centos.1.x86_64
libipa_hbac-1.11.2-68.el7_0.5.x86_64
python-iniparse-0.4-9.el7.noarch
libipa_hbac-python-1.11.2-68.el7_0.5.x86_64
ipa-admintools-3.3.3-28.el7.centos.1.x86_64

I have two groups:

[root@ipa3-yyz-int ~]# ipa group-show --all ad_users
  dn: cn=ad_users,cn=groups,cn=accounts,dc=example,dc=loc
  Group name: ad_users
  Description: ad_domain users
  GID: 1963800005
  Member users: williamm_user, wmuriithi_user
  Member of HBAC rule: dev-systems-rules
  ipantsecurityidentifier: S-1-5-21-3033893191-3803153583-4018222701-1005
  ipauniqueid: eec320c2-650b-11e4-bc2c-000c29c42447
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs

[root@ipa3-yyz-int ~]# ipa group-show --all ad_users_external
  dn: cn=ad_users_external,cn=groups,cn=accounts,dc=example,dc=loc
  Group name: ad_users_external
  Description: ad_domain users external map
  External member: S-1-5-21-205922407-570005376-4065188459-513
  ipauniqueid: d3b2759e-650b-11e4-8518-000c29c42447
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaexternalgroup

I am certain the problem has something to do with the trust, as I have created a local account on FreeIPA (wmuriithi_user) and it works as expected. However, Active Directory users in the same POSIX group fail, and I have not been able to nail down where my mistake is. How would one go about debugging this issue? I have looked at the logs and they look as below.

cat /var/log/secure
Nov 10 12:12:05 datagroup-dev sshd[30150]: Invalid user [email protected] from 10.10.10.15
Nov 10 12:12:05 datagroup-dev sshd[30151]: input_userauth_request: invalid user [email protected]
Nov 10 12:12:09 datagroup-dev sshd[30150]: pam_unix(sshd:auth): check pass; user unknown
Nov 10 12:12:09 datagroup-dev sshd[30150]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.15
Nov 10 12:12:09 datagroup-dev sshd[30150]: pam_succeed_if(sshd:auth): error retrieving information about user [email protected]
Nov 10 12:12:11 datagroup-dev sshd[30150]: Failed password for invalid user [email protected] from 10.10.10.15 port 52792 ssh2
Nov 10 12:12:17 datagroup-dev sshd[30151]: Connection closed by 10.10.10.15

cat /var/log/sssd/sssd_ssh.log
(Mon Nov 10 12:34:01 2014) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name '[email protected]' matched expression for domain 'EXAMPLE.local', user is wmuriithi
(Mon Nov 10 12:34:01 2014) [sssd[ssh]] [ssh_user_pubkeys_search_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158221, Account info lookup failed
(Mon Nov 10 12:34:01 2014) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0040): No attributes for user [wmuriithi] found.
(Mon Nov 10 12:34:01 2014) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
(Mon Nov 10 15:16:44 2014) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Mon Nov 10 15:16:44 2014) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Mon Nov 10 15:16:44 2014) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name '[email protected]' matched expression for domain 'EXAMPLE.local', user is wmuriithi
(Mon Nov 10 15:16:44 2014) [sssd[ssh]] [ssh_user_pubkeys_search_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 1432158221, Account info lookup failed

less /var/log/sssd/sssd_example.loc.log
(Mon Nov 10 15:58:21 2014) [sssd[be[example.loc]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ipa3-yyz-int.example.loc' as 'working'
(Mon Nov 10 15:58:21 2014) [sssd[be[example.loc]]] [set_server_common_status] (0x0100): Marking server 'ipa3-yyz-int.example.loc' as 'working'
(Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=wmuriithi]
(Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158221,Account info lookup failed
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=wmuriithi]
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158221,Account info lookup failed
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=wmuriithi]
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158221,Account info lookup failed
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=wmuriithi]
(Mon Nov 10 16:01:57 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.

Does this mean I have to recreate the trust relationship? I didn't get any error when I set up the trust last week, and I am uncertain whether recreating the trust would help. I would highly appreciate any pointers on what would be the best way forward.

William

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
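As an added example (not from the original post or from the FreeIPA/SSSD projects), a small Python parser for the sssd debug-log format quoted above: it follows each be_get_account_info request through to its acctinfo_callback result and counts s2n exop failures per user, so a long backend log can be reduced to "which users fail, and where". The sample log is constructed from the lines in the post plus one assumed successful lookup for contrast.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the sssd_example.loc.log lines in the post,
# plus one assumed successful lookup (the "Returned 0,0,Success" line) for contrast.
SAMPLE_LOG = """\
(Mon Nov 10 15:58:21 2014) [sssd[be[example.loc]]] [set_server_common_status] (0x0100): Marking server 'ipa3-yyz-int.example.loc' as 'working'
(Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=wmuriithi]
(Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Mon Nov 10 16:01:44 2014) [sssd[be[example.loc]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158221,Account info lookup failed
(Mon Nov 10 16:02:10 2014) [sssd[be[example.loc]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=wmuriithi_user]
(Mon Nov 10 16:02:10 2014) [sssd[be[example.loc]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
"""

# One sssd debug line: (timestamp) [sssd[component]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>.+?)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
REQ_RE = re.compile(r"Got request for \[(?P<type>\d+)\]\[(?P<attr>\d+)\]\[name=(?P<name>[^\]]+)\]")
RET_RE = re.compile(r"Returned (?P<code>\d+),(?P<errno>\d+),(?P<text>.*)$")


def parse_line(line):
    """Split one sssd log line into its fields, or return None if it is not a debug line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_lookups(text):
    """Map each user name to {"requests": n, "s2n_failures": n, "results": [(code, text), ...]}."""
    stats = defaultdict(lambda: {"requests": 0, "s2n_failures": 0, "results": []})
    current = None  # user named in the request currently being processed
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        req = REQ_RE.search(rec["msg"])
        if req:
            current = req["name"]
            stats[current]["requests"] += 1
            continue
        if current is None:
            continue
        if rec["func"] == "ipa_s2n_get_user_done" and "failed" in rec["msg"]:
            stats[current]["s2n_failures"] += 1
        ret = RET_RE.search(rec["msg"])
        if ret:
            stats[current]["results"].append((int(ret["code"]), ret["text"]))
            current = None  # this request is finished
    return dict(stats)
```

The s2n exop is the extended operation the client sends to the IPA server to resolve trusted-domain users, so a user whose requests all end in s2n failures (here wmuriithi) is failing on the server/trust side, which is consistent with the local account wmuriithi_user succeeding under the same group and HBAC rule.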
