This was very helpful, Thank You!

Thank You,
Jacob D. Evans
Cloud Consultant
717.417.8324

----- Original Message -----
From: "Alexander Bokovoy" <[email protected]>
To: "Jake" <[email protected]>
Cc: [email protected]
Sent: Thursday, August 4, 2016 1:46:51 AM
Subject: Re: [Freeipa-users] Login Troubles with Centos7 and external users (4.2.0-15.0.1.el7.centos.17)

On Wed, 03 Aug 2016, Jake wrote:
>Hello All,
>I'm new to FreeIPA and am having some issues with my endpoints.
>
>First attempts to login as [email protected] always fail with:
>Logs on client:
>sshd[3771]: Invalid user [email protected] from 192.168.1.123
>sshd[3771]: input_userauth_request: invalid user [email protected]
>[preauth]
>
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for
>[0x1001][1][name=username]
>[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040):
>ldap_extended_operation result: No such object(32), (null).
>[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request
>failed.
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed.
>Returned 0,0,Success (Success)
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for
>[0x1003][1][name=NOUSER]
>[sssd[be[ipa.example.com]]] [sysdb_get_real_name] (0x0040):
>sysdb_search_object_by_uuid did not return a single result.
>[sssd[be[ipa.example.com]]] [groups_by_user_done] (0x0040): Failed to
>canonicalize name, using [NOUSER].
>[sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080):
>Object not found, ending request
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed.
>Returned 3,0,Account info lookup failed
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for
>[0x1001][1][idnumber=1644425765]
>[sssd[be[ipa.example.com]]] [sdap_get_users_done] (0x0040): Failed to retrieve
>users
>[sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080):
>Object not found, ending request
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed.
>Returned 3,0,Account info lookup failed
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for
>[0x1001][1][idnumber=1644425765]
>[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040):
>ldap_extended_operation result: No such object(32), (null).
>[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request
>failed.
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed.
>Returned 0,0,Success (Success)
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for
>[0x1001][1][idnumber=1644425765]
>[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040):
>ldap_extended_operation result: No such object(32), (null).
>[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request
>failed.
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed.
>Returned 0,0,Success (Success)
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for
>[0x1001][1][idnumber=1644425765]
>[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040):
>ldap_extended_operation result: No such object(32), (null).
>[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request
>failed.
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed.
>Returned 0,0,Success (Success)
>
>running the command 'getent password [email protected]' on the ipa
>server works fine
>
>Logs from server:
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for
>[0x1001][1][name=username]
>[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0080): Sudomain
>lookup failed, will try to reset sudomain..
>[sssd[be[ipa.example.com]]] [child_sig_handler] (0x0100): child [26269]
>finished successfully.
>[sssd[be[ipa.example.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup
>of service 'legacy.example.org' as 'neutral'
>[sssd[be[ipa.example.com]]] [fo_set_port_status] (0x0100): Marking port 0 of
>server '(no name)' as 'neutral'
>[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0040):
>ipa_get_*_acct request failed: [1432158262]: Subdomain is inactive.
>[sssd[be[ipa.example.com]]] [ipa_subdomain_account_done] (0x0040):
>ipa_get_*_acct request failed: 1432158262
>[sssd[be[ipa.example.com]]] [ipa_account_info_error_text] (0x0020): Bug:
>dp_error is OK on failed request
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed.
>Returned 3,1432158262,Account info lookup failed
>
>
>Stuff:
>(4) IPA Masters at ipa.example.com
>(4) root domain controllers in example.com
>(4) child domain controllers in new.example.com
>(4) second domain in legacy.example.org
>
>There is a (1) way trust between ipa.example.com and example.com (forest trust)
>There is a (1) way trust between ipa.example.com and legacy.example.org
>(forest with single domain)
>There is a (2) way trust between example.com and legacy.example.org (forest
>transitive trust)
Was the trust between example.com and legacy.example.org established before
establishing trust between IPA and any of those forest roots?

Can you check in the trust properties on the AD side for both forest roots what
the state of name suffix routing to the IPA domain is? It should be enabled for
both. If not, you need to solve conflicts.

There is a documentation reference on the Microsoft side on how to add exclusion
entries for name routing suffixes. This is the detailed instruction:
https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx

For a configuration where:
- AD example.com trusts IPA at ipa.example.com
- AD example.org trusts AD example.com
- an attempt is made to establish a trust between ipa.example.com and
  example.org, and a conflict is generated in example.org for the example.com
  namespace,

a sequence might be like the following one:

1. Establish trust between example.com and ipa.example.com
2. Establish trust between example.com and example.org
3. Now, as Administrator in example.org, do what
   https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx
   describes for the trust 'example.com' and add an exclusion entry for
   ipa.example.com
4. Establish trust between ipa.example.com and example.org

It is important to add the exclusion entry before step 4 or there will be a
conflict recorded which cannot be cleared easily right now due to a combination
of bugs in both IPA and Active Directory.

>
>Users are in legacy.example.org and new.example.com
>User Computers are in new.example.com
>Linux Servers are in ipa.example.com as hostname linux.example.com
>
>Gist for krb5.conf
>https://gist.github.com/JakeDEvans/8e787bc5751d3d0e8f3b18943d63f00b
>Gist for sssd.conf
>https://gist.github.com/JakeDEvans/ed34098b96b6e061095da85e1db58d70
>
>all other configs unmodified.
>
>Also, is it normal that the login is very slow?
>
>Thanks All,
>-Jake
>
>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

-- 
/ Alexander Bokovoy
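The sssd traces quoted in the thread are easier to reason about once each be_get_account_info request is paired with the acctinfo_callback that closes it and the first failure-level message in between is kept as the cause. The following Python is an added example for that, not code from the thread or from sssd; the sample log is constructed from the client and server lines quoted above, re-joined one record per line, and the level threshold and field names are my assumptions about sssd's debug format as it appears there.

```python
import re
from collections import namedtuple

# One sssd back-end debug line: [sssd[be[<domain>]]] [<function>] (<0xlevel>): <message>
LINE_RE = re.compile(r"^\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
REQUEST_RE = re.compile(r"Got request for \[(?P<type>0x[0-9a-f]+)\]\[\d+\]\[(?P<key>[^\]]+)\]")
RESULT_RE = re.compile(r"Returned (?P<dp_error>\d+),(?P<errno>\d+),(?P<text>.*)")
ERROR_LEVEL = 0x0040  # assumed sssd debug levels: 0x0040 = operation failure, 0x0020 = critical failure
# req_type 0x1001 is a user lookup, 0x1003 an initgroups lookup; key is the name= or idnumber= filter.
# dp_error/errno are the first two fields of "Returned a,b,text"; cause is the first failure-level
# message logged while the request was open (None if the request produced none).
Lookup = namedtuple("Lookup", "domain req_type key dp_error errno text cause")

def parse_lookups(log_text):
    """Pair each be_get_account_info request with the acctinfo_callback that closes it."""
    lookups, pending, cause = [], None, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        func, msg = m["func"], m["msg"]
        if func == "be_get_account_info" and (r := REQUEST_RE.search(msg)):
            pending, cause = (m["domain"], r["type"], r["key"]), None
        elif func == "acctinfo_callback" and pending and (r := RESULT_RE.search(msg)):
            lookups.append(Lookup(*pending, int(r["dp_error"]), int(r["errno"]), r["text"].strip(), cause))
            pending = None
        elif pending and cause is None and int(m["level"], 16) <= ERROR_LEVEL:
            cause = f"{func}: {msg}"
    return lookups

def suspicious(lookups):
    """Lookups that failed, or reported Success after a failure-level message (the client
    pattern in the thread: the s2n exop fails, yet 0,0,Success comes back)."""
    return [l for l in lookups if l.dp_error != 0 or l.cause is not None]

# Constructed sample: client and server lines quoted in the thread, re-joined one per line.
SAMPLE_LOG = """\
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=username]
[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=username]
[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0080): Sudomain lookup failed, will try to reset sudomain..
[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [1432158262]: Subdomain is inactive.
[sssd[be[ipa.example.com]]] [ipa_account_info_error_text] (0x0020): Bug: dp_error is OK on failed request
[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158262,Account info lookup failed
"""

if __name__ == "__main__":
    for l in suspicious(parse_lookups(SAMPLE_LOG)):
        print(f"{l.key}: Returned {l.dp_error},{l.errno} -- cause: {l.cause}")
```

Run against a real sssd domain log at debug_level 6 or higher, the same pairing separates lookups that genuinely found nothing from ones that failed because the subdomain was inactive or the s2n extended operation errored.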
