On Mon, Jun 29, 2015 at 03:11:57PM +0200, Sumit Bose wrote:
> On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote:
> > On 06/29/2015 10:30 AM, Sumit Bose wrote:
> > > On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote:
> > >> On 06/26/2015 08:06 PM, Sumit Bose wrote:
> > >>> On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote:
> > >>>> On 06/26/2015 02:38 PM, Sumit Bose wrote:
> > >>>>> On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote:
> > >>>>>> On 06/25/2015 05:44 PM, Sumit Bose wrote:
> > >>>>>>> On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote:
> > >>>>>>>> On 06/25/2015 02:10 PM, Sumit Bose wrote:
> > >>>>>>>>> On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
> > >>>>>>>>>> On 06/25/2015 12:56 PM, Sumit Bose wrote:
> > >>>>>>>>>>> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
> > >>>>>>>>>>>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
> > >>>>>>>>>>>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
> > >>>>>>>>>>>>>> Hi everybody,
> > >>>>>>>>>>>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on CentOS 7.1), ipa.mydomain.local, and an AD (Windows 2012 r2), mydomain.local.
> > >>>>>>>>>>>>>> Everything is working fine, and I'm able to authenticate and log on to a Linux host joined to the IPA server using AD credentials ([email protected]).
> > >>>>>>>>>>>>>> But Active Directory is configured with two more UPN suffixes (otherdomain.com and sub.otherdomain.com), and I cannot log on with credentials using an alternative UPN (example: [email protected]).
> > >>>>>>>>>>>>>>
> > >>>>>>>>>>>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD? Manual configuration of krb5 and/or sssd?
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> Have you tried to log in to an IPA client or the server? Please try with an IPA server first. If this does not work it would be nice if you can send the SSSD log files from the IPA server which are generated during the logon attempt. Please call 'sss_cache -E' before to invalidate all cached entries so that the logs will contain all needed calls to AD.
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> Using UPN suffixes was added to the AD provider some time ago and the code is available in the IPA provider as well, but I guess no one has actually tried this before.
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> bye,
> > >>>>>>>>>>>>> Sumit
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> First of all let me say that I feel like I'm missing some config somewhere.. Changes tried in krb5.conf to support UPN suffixes didn't help.
> > >>>>>>>>>>>> I can only access the server via ssh so I've attached the logs for a successful login for [email protected] and an unsuccessful login for [email protected] done via ssh.
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> Bye and thanks for your help
> > >>>>>>>>>>>>
> > >>>>>>>>>>>
> > >>>>>>>>>>> It looks like the request is not properly propagated to sub-domains (the trusted AD domain) but only sent to the IPA domain.
> > >>>>>>>>>>>
> > >>>>>>>>>>> Would it be possible for you to run a test build of SSSD which might fix this? If yes, which version of SSSD are you currently using? Then I can prepare a test build with the patch on top of this version.
> > >>>>>>>>>>>
> > >>>>>>>>>>> bye,
> > >>>>>>>>>>> Sumit
> > >>>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>> Hi,
> > >>>>>>>>>> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for any test.
> > >>>>>>>>>>
> > >>>>>>>>>> Here's the package versions for sssd:
> > >>>>>>>>>>
> > >>>>>>>>>> sssd-common-1.12.2-58.el7_1.6.x86_64
> > >>>>>>>>>> sssd-krb5-1.12.2-58.el7_1.6.x86_64
> > >>>>>>>>>> python-sssdconfig-1.12.2-58.el7_1.6.noarch
> > >>>>>>>>>> sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
> > >>>>>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
> > >>>>>>>>>> sssd-1.12.2-58.el7_1.6.x86_64
> > >>>>>>>>>> sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
> > >>>>>>>>>> sssd-ad-1.12.2-58.el7_1.6.x86_64
> > >>>>>>>>>> sssd-ldap-1.12.2-58.el7_1.6.x86_64
> > >>>>>>>>>> sssd-common-pac-1.12.2-58.el7_1.6.x86_64
> > >>>>>>>>>> sssd-proxy-1.12.2-58.el7_1.6.x86_64
> > >>>>>>>>>> sssd-client-1.12.2-58.el7_1.6.x86_64
> > >>>>>>>>>
> > >>>>>>>>> Please try the packages at http://koji.fedoraproject.org/koji/taskinfo?taskID=10210844 .
> > >>>>>>>>>
> > >>>>>>>>> bye,
> > >>>>>>>>> Sumit
> > >>>>>>>>
> > >>>>>>>> Hi,
> > >>>>>>>> I've installed the new RPMs, now if I run on the server:
> > >>>>>>>>
> > >>>>>>>> id [email protected]
> > >>>>>>>> id [email protected]
> > >>>>>>>> id [email protected]
> > >>>>>>>>
> > >>>>>>>> all the users are found but I'm still unable to log in via ssh with the accounts @otherdomain.com and @sub.otherdomain.com.
> > >>>>>>>>
> > >>>>>>>> In attachment the logs for an unsuccessful login for user [email protected].
> > >>>>>>>
> > >>>>>>> Bother, I forgot to add the fix to the pam responder as well, please try new packages from http://koji.fedoraproject.org/koji/taskinfo?taskID=10212212 .
> > >>>>>>>
> > >>>>>>> bye,
> > >>>>>>> Sumit
> > >>>>>>>
> > >>>>>>
> > >>>>>> Hi,
> > >>>>>> I've updated all the packages but still no login.
> > >>>>>>
> > >>>>>> Logs follow.
> > >>>>>
> > >>>>> I found another issue in the logs which should be fixed by the build from http://koji.fedoraproject.org/koji/taskinfo?taskID=10217756 .
> > >>>>>
> > >>>>> Please send the sssd_pam log file as well; it might contain more details about what goes wrong during authentication.
> > >>>>>
> > >>>>> bye,
> > >>>>> Sumit
> > >>>>>
> > >>>>
> > >>>> Hi,
> > >>>> packages updated, sssd and kerberos services restarted, cache flushed, but still no login on the IPA server.
> > >>>>
> > >>>> As before, logs attached. I've also included the logs generated by the restart of the sssd service because there were no logs in sssd_pam.log when trying to authenticate.
> > >>>>
> > >>>> Debug level is set to 6 in the sections:
> > >>>>
> > >>>> [domain/ipa.mydomain.local]
> > >>>> [sssd]
> > >>>> [nss]
> > >>>> [pam]
> > >>>>
> > >>>> of /etc/sssd/sssd.conf, please tell me if this is enough or if I have to increase it.
> > >>>>
> > >>>
> > >>> so far it is sufficient. I have another build for you to try at http://koji.fedoraproject.org/koji/taskinfo?taskID=10219343
> > >>>
> > >>> Thank you for your patience.
> > >>
> > >> Thanks for your help!!
> > >>
> > >> Still no successful login.. Logs attached
> > >
> > > Please increase the debug level at least for the domain log to 9 and attach the krb5_child log as well.
> > >
> >
> > Debug level increased and logs attached..
> >
> > I'm sending this email again because I forgot to reply to the list...
>
> Unfortunately the IPA KDC cannot redirect the Kerberos request to the AD realm because of https://fedorahosted.org/freeipa/ticket/3559. I'll try to figure out if this can be bypassed by tuning sssd.conf and krb5.conf.
(Without seeing the logs, just throwing in an idea) Would it help to try out the subdomain_inherit option to point principal to something that doesn't exist for a subdomain and let sssd guess the principal based on the realm name?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
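As an added example (not from the thread or the SSSD project), a small Python helper that applies the two sssd.conf changes discussed above to a constructed configuration: raising debug_level in the sections Giorgio listed, and the subdomain_inherit idea from the last reply. It assumes that subdomain_inherit accepts ldap_user_principal and that pointing that option at an attribute which does not exist (nosuchattr is a constructed name) makes sssd fall back to guessing user@REALM; the sample sssd.conf is constructed.

```python
import configparser
import io

# Constructed sssd.conf resembling the thread's setup (not the poster's real file).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = ipa.mydomain.local
debug_level = 6

[domain/ipa.mydomain.local]
id_provider = ipa
debug_level = 6

[pam]
debug_level = 6
"""

def load(text):
    """Parse sssd.conf text; keep option names case-sensitive as sssd reads them."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def dump(cp):
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()

def set_debug_level(text, sections, level):
    """Set debug_level in the named sections (the thread ends at 9 for the domain),
    creating a section if it is missing so that responder still logs."""
    cp = load(text)
    for sec in sections:
        if not cp.has_section(sec):
            cp.add_section(sec)
        cp[sec]["debug_level"] = str(level)
    return dump(cp)

def add_upn_guess_workaround(text, domain):
    """The last reply's idea, applied as an assumption: inherit ldap_user_principal into
    the trusted subdomains and point it at a non-existent attribute ('nosuchattr' is a
    constructed name), so sssd ignores the stored UPN and guesses user@REALM instead."""
    cp = load(text)
    sec = "domain/" + domain
    inherit = {s.strip() for s in cp[sec].get("subdomain_inherit", "").split(",") if s.strip()}
    inherit.add("ldap_user_principal")
    cp[sec]["subdomain_inherit"] = ", ".join(sorted(inherit))
    cp[sec]["ldap_user_principal"] = "nosuchattr"
    return dump(cp)
```

Run sss_cache -E and restart sssd after writing the result to /etc/sssd/sssd.conf, as Sumit asked, so the new logs cover the full set of calls to AD.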
