https://bugzilla.redhat.com/show_bug.cgi?id=869071 (Red Hat Enterprise Linux 6)
Description of problem:

I'm trying to set up an AD Trust and to allow AD users to log into IPA Clients. For the most part, I followed this: https://fedoraproject.org/wiki/QA:Testcase_freeipav3_ad_trust

    [root@rhel6-1 ~]# vi /etc/krb5.conf
    ...
    [realms]
    TESTRELM.COM = {
    ...
    auth_to_local = RULE:[1:$1@$0](^.*@ADTESTDOM.COM$)s/@ADTESTDOM.COM/@adtestdom.com/
    auth_to_local = DEFAULT
    }

    [root@rhel6-1 ~]# vi /etc/sssd/sssd.conf
    ...
    [domain/ipa.lan]
    ...
    subdomains_provider = ipa
    ...
    [sssd]
    services = nss, pam, ssh, pac

    [root@rhel6-1 ~]# service sssd restart
    Stopping sssd: [ OK ]
    Starting sssd: [ OK ]

    [root@rhel6-1 samba]# ipa group-add --desc='adtestdom.com Domain users external map' adtestdom_domain_users_external --external
    ---------------------------------------------
    Added group "adtestdom_domain_users_external"
    ---------------------------------------------
      Group name: adtestdom_domain_users_external
      Description: adtestdom.com Domain users external map

    [root@rhel6-1 samba]# ipa group-add --desc='adtestdom.com Domain users' adtestdom_domain_users
    ------------------------------------
    Added group "adtestdom_domain_users"
    ------------------------------------
      Group name: adtestdom_domain_users
      Description: adtestdom.com Domain users
      GID: 1277200028

Here I ran into a problem where wbinfo returned:

    [root@rhel6-1 ~]# wbinfo --online-status
    BUILTIN : online
    TESTRELM : online
    ADTESTDOM : offline
    AD2TESTDOM : offline

    [root@rhel6-1 ~]# wbinfo -n "ADTESTDOM\Domain Users"
    failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
    Could not lookup name ADTESTDOM\Domain Users

After some troubleshooting and rebooting the AD server, I found that the time was off on the AD server and saw this error in messages:

    Oct 22 17:43:05 rhel6-1 winbindd[12089]: kerberos_kinit_password TESTRELM@ADTESTDOM.COM failed: Ticket is ineligible for postdating

Fixed time on AD server. I think that fixed it. wbinfo --online-status still showed offline, but the rest seemed to work:

    [root@rhel6-1 samba]# wbinfo -n "ADTESTDOM\Domain Users"
    S-1-5-21-1246088475-3077293710-2580964704-513 SID_DOM_GROUP (2)

    [root@rhel6-1 samba]# ipa group-add-member adtestdom_domain_users_external --external S-1-5-21-1246088475-3077293710-2580964704-513
    [member user]:
    [member group]:
      Group name: adtestdom_domain_users_external
      Description: adtestdom.com Domain users external map
      External member: S-1-5-21-1246088475-3077293710-2580964704-513
    -------------------------
    Number of members added 1
    -------------------------

    [root@rhel6-1 samba]# ipa group-add-member adtestdom_domain_users --groups adtestdom_domain_users_external
      Group name: adtestdom_domain_users
      Description: adtestdom.com Domain users
      GID: 1277200028
      Member groups: adtestdom_domain_users_external
    -------------------------
    Number of members added 1
    -------------------------

Tailing the logs during ssh in shows this:

    (Mon Oct 22 19:08:53 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 74D180
    (Mon Oct 22 19:08:53 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching.
    (Mon Oct 22 19:08:53 2012) [sssd[be[testrelm.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]

    ==> /var/log/secure <==
    Oct 22 19:08:56 rhel6-1 sshd[14064]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=testuser1@adtestdom.com

    ==> /var/log/sssd/sssd_testrelm.com.log <==
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 769C30
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching.
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=testuser1]
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [ipa_get_subdomain_account_info_send] (0x0040): Invalid sub-domain request type.
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,User lookup failed
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 769C30
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching.
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler] (0x0100): Got request with the following data
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): domain: adtestdom.com
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): user: testuser1
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): service: sshd
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): tty: ssh
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): ruser:
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): rhost: 192.168.122.1
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): authtok type: 1
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): authtok size: 9
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): newauthtok type: 0
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): newauthtok size: 0
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): priv: 1
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): cli_pid: 14064
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [ipa_auth] (0x0040): This operation is not allowed for subdomains!
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Sending result [4][adtestdom.com]
    (Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Sent result [4][adtestdom.com]

    ==> /var/log/secure <==
    Oct 22 19:08:56 rhel6-1 sshd[14064]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=testuser1@adtestdom.com
    Oct 22 19:08:56 rhel6-1 sshd[14064]: pam_sss(sshd:auth): received for user testuser1@adtestdom.com: 4 (System error)
    Oct 22 19:08:58 rhel6-1 sshd[14064]: Failed password for testuser1@adtestdom.com from 192.168.122.1 port 54362 ssh2

    ==> /var/log/messages <==
    Oct 22 19:09:02 rhel6-1 smbd[13657]: [2012/10/22 19:09:02.293018, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
    Oct 22 19:09:02 rhel6-1 smbd[13657]: dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
    Oct 22 19:09:02 rhel6-1 smbd[13657]: [2012/10/22 19:09:02.317630, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
    Oct 22 19:09:02 rhel6-1 smbd[13657]: dcesrv_interface_register: interface 'samr' already registered on endpoint
    Oct 22 19:09:02 rhel6-1 smbd[13657]: [2012/10/22 19:09:02.318604, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
    Oct 22 19:09:02 rhel6-1 smbd[13657]: dcesrv_interface_register: interface 'netlogon' already registered on endpoint

    ==> /var/log/sssd/sssd_testrelm.com.log <==
    (Mon Oct 22 19:09:03 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 74D180
    (Mon Oct 22 19:09:03 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching.
    (Mon Oct 22 19:09:03 2012) [sssd[be[testrelm.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]

Version-Release number of selected component (if applicable):

How reproducible: unknown

Steps to Reproduce:
1. Set up IPA server
2. Set up AD server
3. ipa-adtrust-install
4. ipa trust-add --type=ad adtestdom.com --admin Administrator --password
5. See above for where this failed.

Actual results:

Expected results:

Additional info:
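The krb5.conf in the report relies on two auth_to_local entries to turn a Kerberos principal into a local login name: the RULE maps trusted-domain principals to a lower-cased `user@adtestdom.com` form (so an AD user can never collide with an IPA user of the same short name), and DEFAULT handles single-component principals of the IPA realm itself. The following is an added example, not code from the bug report, SSSD or MIT Kerberos: a simplified Python model of how MIT Kerberos evaluates such rules, run over the report's own two lines. The parser is an assumption that covers the `RULE:[n:fmt](regex)s/pat/repl/[g]` form used here (no nested parentheses inside the regex, no escaped slashes inside the substitution), and the sample principals other than `testuser1@ADTESTDOM.COM` are constructed.

```python
"""Simplified model of MIT Kerberos auth_to_local RULE/DEFAULT evaluation.

Added example, not code from the bug report, SSSD or MIT Kerberos. The rule
parser is an assumption covering the RULE:[n:fmt](regex)s/pat/repl/[g] form
used in the report (no nested parentheses in the regex, no escaped slashes
inside the substitution).
"""
import re
from typing import List, Optional, Tuple

# The two auth_to_local lines from the report's /etc/krb5.conf, in order.
RULES = [
    "RULE:[1:$1@$0](^.*@ADTESTDOM.COM$)s/@ADTESTDOM.COM/@adtestdom.com/",
    "DEFAULT",
]

_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\(((?:[^()\\]|\\.)*)\)(.*)$")
_SUB_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def split_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def _parse_rule(rule: str):
    """Return (component count, format string, compiled regex, substitutions)."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: %r" % rule)
    subs = [(re.compile(pat), repl, flag == "g")
            for pat, repl, flag in _SUB_RE.findall(m.group(4))]
    return int(m.group(1)), m.group(2), re.compile(m.group(3)), subs


def apply_rule(rule: str, principal: str, default_realm: str) -> Optional[str]:
    """Apply one auth_to_local entry; None means the entry does not match."""
    components, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the default realm.
        if realm == default_realm and len(components) == 1:
            return components[0]
        return None
    ncomp, fmt, regex, subs = _parse_rule(rule)
    if len(components) != ncomp:
        return None  # a RULE applies only to principals with exactly n components

    def expand(m: "re.Match") -> str:
        idx = int(m.group(1))
        if idx == 0:
            return realm  # $0 is the realm
        if idx <= len(components):
            return components[idx - 1]  # $1..$n are the name components
        raise ValueError("format references missing component $%d" % idx)

    candidate = re.sub(r"\$(\d+)", expand, fmt)
    if not regex.search(candidate):
        return None  # the selector regex did not match: try the next entry
    for pat, repl, global_flag in subs:
        candidate = pat.sub(repl, candidate, count=0 if global_flag else 1)
    return candidate


def map_principal(rules: List[str], principal: str, default_realm: str) -> Optional[str]:
    """First matching entry wins; None means no local name, so login is refused."""
    for rule in rules:
        result = apply_rule(rule, principal, default_realm)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    # testuser1@ADTESTDOM.COM is from the report; the other principals are constructed.
    for p in ("testuser1@ADTESTDOM.COM", "admin@TESTRELM.COM",
              "host/rhel6-1.testrelm.com@TESTRELM.COM", "bob@OTHER.COM"):
        print("%-42s -> %s" % (p, map_principal(RULES, p, "TESTRELM.COM")))
```

The ordering matters: the RULE is consulted first, so an AD principal is rewritten to `testuser1@adtestdom.com` before DEFAULT could ever see it, and DEFAULT then only strips the realm from plain IPA-realm principals. A principal from an unlisted realm, or a multi-component service principal, maps to nothing, which is the safe failure mode for a login path.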
Sumit has patches on the list.
blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => sbose
patch: 0 => 1
testsupdated: => 0
Fields changed
summary: IPA client with AD Trust fails to authenticate AD user with sssd Internal Error => Password authentication with users coming via AD trust
milestone: NEEDS_TRIAGE => SSSD 1.9.3
master:

ac7a7ee Make sub-domains case-insensitive
bfc3b76 sss_parse_name_for_domains: always return the canonical domain name
7c4845b krb5_auth: update with correct UPN if needed
964628a Use find_or_guess_upn() where needed
29c0fdd Add new call find_or_guess_upn()
d3dca30 krb5_child: send back the client principal
cac29dc krb5_mod_ccname: replace wrong memory context
dca03a9 krb5_child: send PAC to PAC responder
916674f krb5_auth: send different_realm flag to krb5_child
83f2463 krb5_auth: check if principal belongs to a different realm
7219ef8 Add replacement for krb5_find_authdata()
28269b2 check_ccache_files: search sub-domains as well
73550e4 sysdb: add sysdb_base_dn()
d29e913 krb5_auth_send: check for sub-domains
d9137b1 pac responder: add user principal and name alias to cached user object
f578084 pac responder: use only lower case user name
0089408 sysdb: look for ranges in the parent tree
05ea6f6 pac responder: fix copy-and-paste error
4cf3bc3 subdomain-id: Generate homedir only for users not groups

sssd-1-9:

004968e Make sub-domains case-insensitive
fe41254 sss_parse_name_for_domains: always return the canonical domain name
541ba2d krb5_auth: update with correct UPN if needed
5fcdbf6 Use find_or_guess_upn() where needed
53e2d78 Add new call find_or_guess_upn()
f67ee4a krb5_child: send back the client principal
6caff4c krb5_mod_ccname: replace wrong memory context
b3435ea krb5_child: send PAC to PAC responder
2b61532 krb5_auth: send different_realm flag to krb5_child
ba772c9 krb5_auth: check if principal belongs to a different realm
95a386c Add replacement for krb5_find_authdata()
8af633c check_ccache_files: search sub-domains as well
aab727b sysdb: add sysdb_base_dn()
203663b krb5_auth_send: check for sub-domains
538db73 pac responder: add user principal and name alias to cached user object
8847542 pac responder: use only lower case user name
1a21292 sysdb: look for ranges in the parent tree
00e7269 pac responder: fix copy-and-paste error
4ecd8c5 subdomain-id: Generate homedir only for users not groups
resolution: => fixed
status: new => closed
Metadata Update from @jhrozek: - Issue assigned to sbose - Issue set to the milestone: SSSD 1.9.3
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2637
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.