Hello everyone,
I'm new to this and am trying to set up a working trust against an AD forest. I seem to have a working trust, but when I try to reference external groups (or users) I get:
# ipa group-add-member ad_users_external --external "AD2\Domain Users"
[member user]:
[member group]:
  Group name: ad_users_external
  Description: AD users external map
  Failed members:
    member user:
    member group: AD2\Domain Users: trusted domain object not found
-------------------------
Number of members added 0
-------------------------
I enabled some logging; the output from the command above is at the end of the mail. Any suggestions what could cause this? Current version of IPA is 4.5.
Regards Henrik
[Tue Nov 21 13:10:42.675713 2017] [:warn] [pid 38221] [client 192.168.6.82:34714] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IDM.TEST.NET)!, referer: https://ipaserver.idm.test.net/ipa/xml
string_to_sid: SID AD2\Domain Users is not in a valid format
lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
Processing section "[global]"
INFO: Current debug levels: all: 11 tdb: 11 printdrivers: 11 lanman: 11 smb: 11 rpc_parse: 11 rpc_srv: 11 rpc_cli: 11 passdb: 11 sam: 11 auth: 11 winbind: 11 vfs: 11 idmap: 11 quota: 11 acls: 11 locking: 11 msdfs: 11 dmapi: 11 registry: 11 scavenger: 11 dns: 11 ldb: 11 tevent: 11
pm_process() returned Yes
added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
added interface eno16780032 ip=192.168.6.82 bcast=192.168.6.255 netmask=255.255.255.0
added interface eno33559296 ip=192.168.44.67 bcast=192.168.44.255 netmask=255.255.255.0
finddcs: searching for a DC by DNS domain ad2.test.net
finddcs: looking for SRV records for _ldap._tcp.ad2.test.net
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.ad2.test.net<0x0>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
ads_dns_lookup_srv: 2 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
ads_dns_parse_rr_srv: Parsed adserver.ad2.test.net [0, 100, 389]
Addrs = 192.168.5.158@389/adserver,192.168.5.104@389/adserver
finddcs: DNS SRV response 0 at '192.168.5.158'
finddcs: DNS SRV response 1 at '192.168.5.104'
finddcs: performing CLDAP query on 192.168.5.158
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
    command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
    sbz                      : 0x0000 (0)
    server_type              : 0x0001f1fc (127484)
           0: NBT_SERVER_PDC
           1: NBT_SERVER_GC
           1: NBT_SERVER_LDAP
           1: NBT_SERVER_DS
           1: NBT_SERVER_KDC
           1: NBT_SERVER_TIMESERV
           1: NBT_SERVER_CLOSEST
           1: NBT_SERVER_WRITABLE
           0: NBT_SERVER_GOOD_TIMESERV
           0: NBT_SERVER_NDNC
           0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
           1: NBT_SERVER_FULL_SECRET_DOMAIN_6
           1: NBT_SERVER_ADS_WEB_SERVICE
           1: NBT_SERVER_DS_8
           0: NBT_SERVER_HAS_DNS_NAME
           0: NBT_SERVER_IS_DEFAULT_NC
           0: NBT_SERVER_FOREST_ROOT
    domain_uuid              : 63c3a477-85f9-5f01-96e8-2597a5c48978
    forest                   : 'ad2.test.net'
    dns_domain               : 'ad2.test.net'
    pdc_dns_name             : 'adserver.ad2.test.net'
    domain_name              : 'AD2'
    pdc_name                 : 'adserver'
    user_name                : ''
    server_site              : 'AS001'
    client_site              : 'AS002'
    sockaddr_size            : 0x00 (0)
    sockaddr: struct nbt_sockaddr
        sockaddr_family      : 0x00000000 (0)
        pdc_ip               : (null)
        remaining            : DATA_BLOB length=0
    next_closest_site        : NULL
    nt_version               : 0x00000005 (5)
           1: NETLOGON_NT_VERSION_1
           0: NETLOGON_NT_VERSION_5
           1: NETLOGON_NT_VERSION_5EX
           0: NETLOGON_NT_VERSION_5EX_WITH_IP
           0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
           0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
           0: NETLOGON_NT_VERSION_PDC
           0: NETLOGON_NT_VERSION_IP
           0: NETLOGON_NT_VERSION_LOCAL
           0: NETLOGON_NT_VERSION_GC
    lmnt_token               : 0xffff (65535)
    lm20_token               : 0xffff (65535)
finddcs: Found matching DC 192.168.5.158 with server_type=0x0001f1fc
[Tue Nov 21 13:10:42.740320 2017] [:error] [pid 26496] ipa: INFO: [jsonserver_session] admin@IDM.TEST.NET: group_add_member/1(u'ad_users_external', ipaexternalmember=(u'AD2\\Domain Users',), version=u'2.228'): SUCCESS
On Tue, Nov 21, 2017 at 01:55:31PM +0100, Henrik Stigendal via FreeIPA-users wrote:
Hello everyone,
I'm new to this and am trying to set up a working trust against an AD forest. I seem to have a working trust, but when I try to reference external groups (or users) I get:
# ipa group-add-member ad_users_external --external "AD2\Domain Users"
[member user]:
[member group]:
  Group name: ad_users_external
  Description: AD users external map
  Failed members:
    member user:
    member group: AD2\Domain Users: trusted domain object not found
Number of members added 0
I think the lookup eventually goes from the ipa command line framework to SSSD; does a lookup through the usual SSSD channels (getent passwd username@domain) work?
I enabled some logging; the output from the command above is at the end of the mail. Any suggestions what could cause this? Current version of IPA is 4.5.
Regards Henrik
[Tue Nov 21 13:10:42.675713 2017] [:warn] [pid 38221] [client 192.168.6.82:34714] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IDM.TEST.NET)!, referer: https://ipaserver.idm.test.net/ipa/xml
string_to_sid: SID AD2\Domain Users is not in a valid format
btw, did you also try a lookup of a name qualified with the full AD domain name (i.e. username@ad.domain instead of ad\username)? I wonder if just the flatname is acting up.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi,
Answers below. I found one thing that doesn't look correct: on another virtualised test system I can get a cifs ticket when I am admin on the IPA server, but in this setup it only works if I get tickets from the AD domain manually first:
[root@ipaserver httpd]# kinit admin
Password for admin@IDM.TEST.NET:
[root@ipaserver httpd]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@IDM.TEST.NET

Valid starting       Expires              Service principal
12/01/2017 10:25:48  12/02/2017 10:25:39  krbtgt/IDM.TEST.NET@IDM.TEST.NET
[root@ipaserver httpd]# kvno -S cifs adserver.ad2.test.net
kvno: Server krbtgt/AD2.TEST.NET@IDM.TEST.NET not found in Kerberos database while getting credentials for cifs/adserver.ad2.test.net@AD2.TEST.NET
[root@ipaserver httpd]# kinit adminuser@ad2.test.net
Password for adminuser@ad2.test.net:
Warning: Your password will expire in 5 days on Wed 06 Dec 2017 03:20:14 PM CET
[root@ipaserver httpd]# kvno -S cifs adserver.ad2.test.net
cifs/adserver.ad2.test.net@AD2.TEST.NET: kvno = 13
On 27 Nov 2017, at 14:06, Jakub Hrozek via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
On Tue, Nov 21, 2017 at 01:55:31PM +0100, Henrik Stigendal via FreeIPA-users wrote:
Hello everyone,
I'm new to this and am trying to set up a working trust against an AD forest. I seem to have a working trust, but when I try to reference external groups (or users) I get:
# ipa group-add-member ad_users_external --external "AD2\Domain Users"
[member user]:
[member group]:
  Group name: ad_users_external
  Description: AD users external map
  Failed members:
    member user:
    member group: AD2\Domain Users: trusted domain object not found
Number of members added 0
I think the lookup eventually goes from the ipa command line framework to SSSD; does a lookup through the usual SSSD channels (getent passwd username@domain) work?
No, that does not work at all.
I enabled some logging; the output from the command above is at the end of the mail. Any suggestions what could cause this? Current version of IPA is 4.5.
Regards Henrik
[Tue Nov 21 13:10:42.675713 2017] [:warn] [pid 38221] [client 192.168.6.82:34714] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@IDM.TEST.NET)!, referer: https://ipaserver.idm.test.net/ipa/xml
string_to_sid: SID AD2\Domain Users is not in a valid format
btw, did you also try a lookup of a name qualified with the full AD domain name (i.e. username@ad.domain instead of ad\username)? I wonder if just the flatname is acting up.
I’ve tested both without luck.
On 1 Dec 2017, at 10:52, Henrik Johansson henrikj@henkis.net wrote:
I’ve tested both without luck.
I would suggest finding out why the lookups from the command line don't work. You can check how to debug sssd here: https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html
Feel free to share your logs if they are not easy to read.
Hi again,
I have generated debug output, both in samba and in sssd, and attached the log files. From what I can see in the sssd log file we are talking to the AD domain but do not find any groups? The rest of the debug files are from the whole session including the trust-add. If you could have a quick look at it I would be grateful, since I am pretty much stuck here.
Terminal output:
# ipa -v trust-add --type=ad ad.test.net --admin aduser
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://ipaserver.idm.test.net/ipa/session/json'
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
Active Directory domain administrator's password:
ipa: INFO: [try 1]: Forwarding 'trust_add/1' to json server 'https://ipaserver.idm.test.net/ipa/session/json'
-----------------------------------------------------
Added Active Directory trust for realm "ad.test.net"
-----------------------------------------------------
  Realm name: ad.test.net
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

# ipa trust-fetch-domains ad.test.net
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------

[root@ipaserver samba]# ipa trustdomain-find ad.test.net
  Domain name: ad.test.net
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
  Domain enabled: True

  Domain name: corp.ad.test.net
  Domain NetBIOS name: CORP
  Domain Security Identifier: S-1-6-42-2417082233-1637723082-1916539915
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

]# ipa -v group-add-member ad_users_external --external 'AD\Domain Users'
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
[member user]:
[member group]:
ipa: INFO: [try 1]: Forwarding 'group_add_member/1' to json server 'https://ipaserver.idm.test.net/ipa/session/json'
  Group name: ad_users_external
  Description: AD users external map
  Failed members:
    member user:
    member group: AD\Domain Users: trusted domain object not found
-------------------------
Number of members added 0
-------------------------
Regards Henrik
On 3 Dec 2017, at 21:14, Jakub Hrozek jhrozek@redhat.com wrote:
I would suggest finding out why the lookups from the command line don't work. You can check how to debug sssd here: https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html
Feel free to share your logs if they are not easy to read.
On Mon, 11 Dec 2017, Henrik Johansson via FreeIPA-users wrote:
Hi again,
I have generated debug, both in samba and in sssd and attached the log files. From what I can see from the sssd-logfile we are talkin to the AD domain but does not find any groups? The rest for the debug files are from the whole session including the trust-add. If you could have a quick look at it I would be grateful since pretty much stuck here.
Terminal output: # ipa -v trust-add --type=ad ad.test.net --admin aduser ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://ipaserver.idm.test.net/ipa/session/json' ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json Active Directory domain administrator's password: ipa: INFO: [try 1]: Forwarding 'trust_add/1' to json server 'https://ipaserver.idm.test.net/ipa/session/json'
Added Active Directory trust for realm "ad.test.net"
Realm name: ad.test.net
Domain NetBIOS name: AD
Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
Trust direction: Trusting forest
Trust type: Active Directory domain
Trust status: Established and verified
# ipa trust-fetch-domains ad.test.net
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
Number of entries returned 0
[root@ipaserver samba]# ipa trustdomain-find ad.test.net
Domain name: ad.test.net
Domain NetBIOS name: AD
Domain Security Identifier: S-1-6-42-491525448-2008367481-725548543
Domain enabled: True

Domain name: corp.ad.test.net
Domain NetBIOS name: CORP
Domain Security Identifier: S-1-6-42-2417082233-1637723082-1916539915
Domain enabled: True
Number of entries returned 2
]# ipa -v group-add-member ad_users_external --external 'AD\Domain Users'
ipa: INFO: trying https://ipaserver.idm.test.net/ipa/session/json
[member user]:
[member group]:
ipa: INFO: [try 1]: Forwarding 'group_add_member/1' to json server 'https://ipaserver.idm.test.net/ipa/session/json'
Group name: ad_users_external
Description: AD users external map
Failed members:
member user:
member group: AD\Domain Users: trusted domain object not found
Number of members added 0
Did you try with a different group/user? Because Domain Users is a bit of a special group in AD: it is a Domain Global group. Your logs show that a search done by SSSD against the AD DC does not end up with any 'cn=domain users' result.
On 11 Dec 2017, at 16:04, Alexander Bokovoy via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Yes, I've tried with a few groups and the user I am using to create the trust with, no luck.
On Mon, 11 Dec 2017, Henrik Johansson via FreeIPA-users wrote:
Is there any additional policy applied on the AD side that prevents a TDO from accessing information about AD users/groups?
Something like https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... ?
On Mon, Dec 11, 2017 at 10:47:44PM +0200, Alexander Bokovoy wrote:
I'm sorry for the late reply, but in general I agree with Alexander.
Could you run a test with ldapsearch? Something like:

kinit -kt /var/lib/sss/keytabs/ad.test.net.keytab 'IDM$@AD.TEST.NET'
ldapsearch -Y GSSAPI -H ldap://ADSERVERC.corp.ad.test.net -b dc=corp,dc=ad,dc=test,dc=net '(&(sAMAccountName=domain\20users)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0))))'
If this doesn't find anything (and the search base and the server are as expected), could you re-run the same search, binding as some known user with their password?
By the way, note that the ldapsearch is looking for POSIX attributes; is that expected? Do all users you search for have uidNumber set?
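The check Jakub describes, as an added example that is not part of the original thread: it takes the DOMAIN\name string given to --external, maps the NetBIOS prefix to a trusted domain using a table constructed from the ipa trustdomain-find output above, and builds the search base and the RFC 4515-escaped group filter of that ldapsearch (space is escaped as \20 as in the thread, although RFC 4515 only requires escaping of backslash, asterisk, parentheses and NUL). An unknown prefix such as AD2 fails at the same step as the server's 'trusted domain object not found'.

```python
"""Build the ldapsearch check from an IPA external-member string.

Added example, not code from FreeIPA or SSSD. The trusted-domain table is
constructed from the `ipa trustdomain-find` output in this thread; the
shape of the filter follows the ldapsearch command quoted above.
"""
import re

# Constructed from the thread's trustdomain-find output: NetBIOS name -> DNS domain.
TRUSTED_DOMAINS = {
    "AD": "ad.test.net",
    "CORP": "corp.ad.test.net",
}

# RFC 4515 requires escaping backslash, '*', '(', ')' and NUL in an assertion
# value; space is escaped as well to match the "domain\20users" form above.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
           "\0": r"\00", " ": r"\20"}


def ldap_escape(value: str) -> str:
    """Escape an LDAP filter assertion value with RFC 4515 hex escapes."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def split_external_member(member: str) -> tuple:
    """Split 'DOMAIN\\name' into (NETBIOS, name); reject anything else."""
    m = re.fullmatch(r"([^\\]+)\\(.+)", member)
    if not m:
        raise ValueError(f"not a DOMAIN\\name external member: {member!r}")
    return m.group(1).upper(), m.group(2)


def search_base(dns_domain: str) -> str:
    """corp.ad.test.net -> dc=corp,dc=ad,dc=test,dc=net"""
    return ",".join(f"dc={label}" for label in dns_domain.split("."))


def group_filter(name: str) -> str:
    """Group filter from the thread: sAMAccountName match, group class and a
    non-zero gidNumber, since this setup relies on POSIX attributes in AD."""
    return (f"(&(sAMAccountName={ldap_escape(name)})(objectClass=group)"
            f"(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0))))")


def ldapsearch_check(member: str) -> dict:
    """Return the domain, base and filter for the check, or raise KeyError
    where the server reports 'trusted domain object not found'."""
    netbios, name = split_external_member(member)
    if netbios not in TRUSTED_DOMAINS:
        raise KeyError(f"{member}: trusted domain object not found")
    dns_domain = TRUSTED_DOMAINS[netbios]
    return {"domain": dns_domain, "base": search_base(dns_domain),
            "filter": group_filter(name)}
```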
On 13 Dec 2017, at 15:03, Jakub Hrozek via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
I had tested both; we have POSIX attributes in the AD schema. I seem to have stumbled over a solution to the problem while debugging. It seems that sssd was caching something even when we were unable to look up anything, and it did not invalidate the cache after several weeks, reboots or when removing trusts. After removing /var/lib/sss/db/* and restarting sssd it seems to work as expected. Thanks for all the help!
Regards Henrik