Hi all, I hoped I may glean some brilliance from the group. I have a Freeipa Server sitting atop a Fedora 21 server. The initial plan was to replicate users+passwords with Windows 2012R2 server but following some of the information in the other posts and docs we've moved to a trust. The trust has been setup using the documentation and in short it's worked without issue. I'm able to get principles from the Windows realm ( marvel.comics.com). So what I'm attempting and failing to do is authenticating my IPA users to the Windows 8 desktops. Ideally I don't want any users in AD, it's simply there to deliver a GPO and in the next year it will be phased out and we'll be replacing Windows 8 with linux desktops.
So marvel.comics.com = windows dc.comics.com = freeipa # rpm -qi freeipa-server Name : freeipa-server Version : 4.1.4 Release : 1.fc21 Architecture: x86_64 Install Date: Tue 25 Aug 2015 08:17:56 PM UTC Group : System Environment/Base Size : 4521059 License : GPLv3+ Signature : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID 89ad4e8795a43f54 Source RPM : freeipa-4.1.4-1.fc21.src.rpm Build Date : Thu 26 Mar 2015 03:16:19 PM UTC Build Host : buildhw-07.phx2.fedoraproject.org [root@freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon Aug 17 22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux [root@freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release Fedora release 21 (Twenty One) To cut to the chase here's me logging into a Windows 8 desktop system. I try to login 3 different ways; this system is a member of the marvel domain. Time is extremely close, close enough that I feel really good about ruling it out. Any light you all could shed on this would be outstanding. Thank you all for your time on this, I really appreciate all the time and effort this team puts into reading these posts. Username: dc/greenlantern Password: ************ [root@freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i greenlantern [30/Sep/2015:17:55:33 +0000] conn=1172 op=46 SRCH base="dc=dc,dc=comics,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc )(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" Username: greenlanter@dc Password: ************ [30/Sep/2015:17:59:48 +0000] conn=1172 op=86 SRCH base="dc=dc,dc=comics,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc )(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" Username: [email protected] Password: ************ [30/Sep/2015:17:59:35 +0000] conn=1172 op=84 SRCH base="dc=dc,dc=comics,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\[email protected] @DC.COMICS.COM <http://dc.comics.com/> )(krbPrincipalName=greenlantern\[email protected]@DC.COMICS.COM <http://dc.comics.com/>)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" >From what I can tell, everything looks good to wbinfo; we see the domain and he see's us. In the AD trust I can go under the trust and validate the trust with no issues. [root@freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --online-status BUILTIN : online DC : online MARVEL : online [root@freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info marvel.comics.com Name : MARVEL Alt_Name : marvel.comics.com SID : S-1-5-21-3495301974-2766379234-3984916731 Active Directory : Yes Native : Yes Primary : No [root@freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo -n 'MARVEL.COMICS.COM\Domain Admins' S-1-5-21-3495301974-2766379234-3984916731-512 SID_DOM_GROUP (2) [root@freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info marvel.comics.com Name : MARVEL Alt_Name : marvel.comics.com SID : S-1-5-21-3495301974-2766379234-3984916731 Active Directory : Yes Native : Yes Primary : No
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
