On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
> On 06/25/2015 05:44 PM, Sumit Bose wrote:
> > On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
> >> On 06/25/2015 02:10 PM, Sumit Bose wrote:
> >>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
> >>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
> >>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
> >>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
> >>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
> >>>>>>>> Hi everybody,
> >>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on
> >>>>>>>> CentOS 7.1), ipa.mydomain.local, and an AD (Windows 2012 R2), mydomain.local.
> >>>>>>>> Everything is working fine, and I'm able to authenticate and log on on a Linux
> >>>>>>>> host joined to the IPA server using AD credentials ([email protected]).
> >>>>>>>> But Active Directory is configured with two more UPN suffixes (otherdomain.com
> >>>>>>>> and sub.otherdomain.com), and I cannot log on with credentials using an alternative
> >>>>>>>> UPN (example: [email protected]).
> >>>>>>>>
> >>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD?
> >>>>>>>> Manual configuration of krb5 and/or sssd?
> >>>>>>>
> >>>>>>> Have you tried to log in to an IPA client or the server? Please try with
> >>>>>>> an IPA server first. If this does not work it would be nice if you can
> >>>>>>> send the SSSD log files from the IPA server which are generated during
> >>>>>>> the logon attempt. Please call 'sss_cache -E' before to invalidate all
> >>>>>>> cached entries so that the logs will contain all needed calls to AD.
> >>>>>>>
> >>>>>>> Support for using UPN suffixes was added to the AD provider some time ago and the
> >>>>>>> code is available in the IPA provider as well, but I guess no one has
> >>>>>>> actually tried this before.
> >>>>>>>
> >>>>>>> bye,
> >>>>>>> Sumit
> >>>>>>
> >>>>>> First of all let me say that I feel like I'm missing some config somewhere..
> >>>>>> Changes tried in krb5.conf to support UPN suffixes didn't help.
> >>>>>> I can only access the server via ssh, so I've attached the logs for a successful
> >>>>>> login for [email protected] and an unsuccessful login for
> >>>>>> [email protected] done via ssh.
> >>>>>>
> >>>>>> Bye and thanks for your help
> >>>>>>
> >>>>> It looks like the request is not properly propagated to sub-domains (the
> >>>>> trusted AD domain) but only sent to the IPA domain.
> >>>>>
> >>>>> Would it be possible for you to run a test build of SSSD which might fix
> >>>>> this? If yes, which version of SSSD are you currently using? Then I can
> >>>>> prepare a test build with the patch on top of this version.
> >>>>>
> >>>>> bye,
> >>>>> Sumit
> >>>>>
> >>>> Hi,
> >>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for
> >>>> any test.
> >>>>
> >>>> Here are the package versions for sssd:
> >>>>
> >>>> sssd-common-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
> >>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
> >>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-ad-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
> >>>> sssd-client-1.12.2-58.el7_1.6.x86_64
> >>>
> >>> Please try the packages at
> >>> http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
> >>>
> >>> bye,
> >>> Sumit
> >>
> >> Hi,
> >> I've installed the new RPMs; now if I run on the server:
> >>
> >> id [email protected]
> >> id [email protected]
> >> id [email protected]
> >>
> >> all the users are found, but I'm still unable to log in via ssh with the accounts
> >> @otherdomain.com and @sub.otherdomain.com.
> >>
> >> Attached are the logs for an unsuccessful login for user [email protected].
> >
> > Bother, I forgot to add the fix to the pam responder as well, please try
> > new packages from http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .
> >
> > bye,
> > Sumit
> >
> Hi,
> I've updated all the packages but still no login.
>
> Logs follow.
I found another issue in the logs which should be fixed by the build from
http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 . Please send the
sssd_pam log file as well; it might contain more details about what goes wrong
during authentication.

bye,
Sumit

> Thanks again
> --
> gb
>
> PGP Key: http://pgp.mit.edu/
> Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
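An added illustration (Python, written for this page, not SSSD's own code) of the routing problem Sumit diagnoses in the thread: when only a domain's own name is recognised, a login for an alternative UPN suffix is never handed to the trusted AD domain, whereas suffix-aware routing sends it there. The domain names and UPN suffixes are the ones from the thread; the table layout and the user names are constructed for the example.

```python
# Illustration of UPN-suffix routing between an IPA domain and a trusted AD
# domain. Not SSSD code: the table below is a constructed stand-in for the
# domain/suffix information SSSD obtains from the trust.
from typing import Dict, List, Optional, Tuple

# Constructed domain table: each domain and the UPN suffixes it owns.
# The IPA domain has none; the trusted AD domain advertises two (as in the thread).
DOMAINS: Dict[str, List[str]] = {
    "ipa.mydomain.local": [],                                     # IPA server's domain
    "mydomain.local": ["otherdomain.com", "sub.otherdomain.com"],  # trusted AD domain
}


def split_upn(name: str) -> Tuple[str, Optional[str]]:
    """Return (user, suffix) for 'user@suffix'; suffix is None without an '@'."""
    if "@" not in name:
        return name, None
    user, _, suffix = name.rpartition("@")
    return user, suffix.lower()


def route_by_domain_name(name: str) -> Optional[str]:
    """Naive routing: a request only reaches a domain whose *name* matches.
    This reproduces what the thread observes: user@mydomain.local is found,
    user@otherdomain.com is not, because no domain is named that."""
    _, suffix = split_upn(name)
    if suffix is None:
        return None
    for domain in DOMAINS:
        if suffix == domain.lower():
            return domain
    return None


def route_by_upn_suffix(name: str) -> Optional[str]:
    """Suffix-aware routing: a domain also answers for every UPN suffix it
    advertises. Matching is exact and case-insensitive, so a suffix such as
    'evil.otherdomain.com' does not match 'otherdomain.com'; an unknown
    suffix yields None rather than being sent to the wrong domain."""
    _, suffix = split_upn(name)
    if suffix is None:
        return None
    for domain, suffixes in DOMAINS.items():
        if suffix == domain.lower() or suffix in (s.lower() for s in suffixes):
            return domain
    return None
```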
