Dear Alexander,
The main intention is to set up a FreeIPA server with a trust to a Windows 2019 AD domain. So for all Windows environments we would like to use the Windows 2019 AD server, and for all our Linux-based servers we would like to use the FreeIPA server.
From this point we have set up a basic Windows 2019 AD domain with the realm ad.srv.world, and the FreeIPA server has the realm ipa.srv.world.
The Windows 2019 server also acts as the DNS server, while the FreeIPA server has its own DNS rules and a forwarding rule enabled for the zone ad.srv.world (the Windows 2019 DNS server).
On the ipa-server I ran the following command:
ipa-server-install --realm=AD.SRV.WORLD --domain=ad.srv.domain --ssh-trust-dns --setup-dns --forwarder=xxx.xxx.xxx.xxx
All seems to be working OK on the ipa-server. But when trying to add the FreeIPA server to the Windows 2019 AD, I'm getting the following error:
ipa trust-add --type=ad ad.srv.world --admin Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials
Already tried to change permissions on the AD site, but the Domain Admins group policy should be enough to set up a trusted domain between these two.

kinit admin
Password for admin@IPA.SRV.WORLD:

klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@IPA.SRV.WORLD

Valid starting       Expires              Service principal
11/13/2018 11:12:38  11/14/2018 11:12:36  krbtgt/IPA.SRV.WORLD@IPA.SRV.WORL

smbclient -L dlp.ipa.srv.world -k -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
lp_load_ex: changing to config backend registry
Initialising global parameters
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
added interface eth0 ip=10.50.1.103 bcast=10.50.1.255 netmask=255.255.255.0
Client started (version 4.7.1).
Connecting to 10.50.1.103 at port 445
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
SPNEGO login failed: {Access Denied} A proc

ipa/default.conf
[global]
host = dlp.ipa.srv.world
basedn = dc=ipa,dc=srv,dc=world
realm = IPA.SRV.WORLD
domain = ipa.srv.world
xmlrpc_uri = https://dlp.ipa.srv.world/ipa/xml
ldap_uri = ldapi://%2fvar%2frun%2fslapd-IPA-SRV-WORLD.socket
enable_ra = True
ra_plugin = dogtag
dogtag_version = 10
mode = production
krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPA.SRV.WORLD
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 IPA.SRV.WORLD = {
  kdc = dlp.ipa.srv.world:88
  master_kdc = dlp.ipa.srv.world:88
  admin_server = dlp.ipa.srv.world:749
  default_domain = ipa.srv.world
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
 }

[domain_realm]
 .ipa.srv.world = IPA.SRV.WORLD
 ipa.srv.world = IPA.SRV.WORLD
 dlp.ipa.srv.world = IPA.SRV.WORLD

[dbmodules]
 IPA.SRV.WORLD = {
  db_library = ipadb.so
 }
/var/log/http/*
rpc reply data:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 ........ ........
[0020] 01 00 00 00 03 00 00 00 4B 00 00 00 4B 00 00 00 ........ K...K...
[0030] 05 00 13 00 0D 78 57 34 12 34 12 CD AB EF 00 01 .....xW4 .4......
[0040] 23 45 67 89 AB 00 00 02 00 00 00 13 00 0D 04 5D #Eg..... .......]
[0050] 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 ........ ..+.H`..
[0060] 02 00 00 00 01 00 0B 02 00 00 00 01 00 07 02 00 ........ ........
[0070] C0 00 01 00 09 04 00 0A 32 01 67 00 00 00 00 00 ........ 2.g.....
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3dee40
s4_tevent: Cancel immediate event 0x7f45cc3dee40 "tevent_req_trigger"
Mapped to DCERPC endpoint 49152
added interface eth0 ip= xx.xx.xx.xxx bcast= xx.xx.xx.255 netmask=255.255.255.0
added interface eth0 ip= xx.xx.xx.xxx bcast= xx.xx.xx.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dlp.ipa.srv.world<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
s4_tevent: Added timed event "composite_trigger": 0x7f45cc3c41f0
s4_tevent: Running timer event 0x7f45cc3c41f0 "composite_trigger"
s4_tevent: Ending timer event 0x7f45cc3c41f0 "composite_trigger"
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for admin@IPA.SRV.WORLD will expire in 86359 secs
GSS client Update(krb5)(1) Update failed: Unspecified GSS failure.  Minor code may provide more information: Credential cache is empty
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3dde50
s4_tevent: Cancel immediate event 0x7f45cc3dde50 "tevent_req_trigger"
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for host/DLP.IPA.SRV.WORLD failed (next[(null)]): NT_STATUS_LOGON_FAILURE
Failed to setup SPNEGO negTokenInit request: NT_STATUS_LOGON_FAILURE
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3dd540
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f45cc3dd540
Failed to bind to uuid 12345778-1234-abcd-ef00-0123456789ab for ncacn_ip_tcp: xx.xx.xx.xxx [49152,print,target_hostname=dlp.ipa.srv.world,abstract_syntax=12345778-1234-abcd-ef00-0123456789ab/0x00000000,localaddress=xx.xx.xx.xxx] NT_STATUS_LOGON_FAILURE
s4_tevent: Destroying timer event 0x7f45cc3b9670 "dcerpc_connect_timeout_handler"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3c5ef0
s4_tevent: Cancel immediate event 0x7f45cc3c5ef0 "tevent_req_trigger"
[Tue Nov 13 10:51:04.693630 2018] [:error] [pid 24146] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Tue Nov 13 10:51:04.693675 2018] [:error] [pid 24146]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[Tue Nov 13 10:51:04.693689 2018] [:error] [pid 24146]     result = command(*args, **options)
[Tue Nov 13 10:51:04.693700 2018] [:error] [pid 24146]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Tue Nov 13 10:51:04.693711 2018] [:error] [pid 24146]     return self.__do_call(*args, **options)
[Tue Nov 13 10:51:04.693722 2018] [:error] [pid 24146]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Tue Nov 13 10:51:04.693733 2018] [:error] [pid 24146]     ret = self.run(*args, **options)
[Tue Nov 13 10:51:04.693743 2018] [:error] [pid 24146]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Tue Nov 13 10:51:04.693754 2018] [:error] [pid 24146]     return self.execute(*args, **options)
[Tue Nov 13 10:51:04.693765 2018] [:error] [pid 24146]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 726, in execute
[Tue Nov 13 10:51:04.693776 2018] [:error] [pid 24146]     full_join = self.validate_options(*keys, **options)
[Tue Nov 13 10:51:04.693786 2018] [:error] [pid 24146]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 829, in validate_options
[Tue Nov 13 10:51:04.693797 2018] [:error] [pid 24146]     self.trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api)
[Tue Nov 13 10:51:04.693808 2018] [:error] [pid 24146]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1557, in __init__
[Tue Nov 13 10:51:04.693818 2018] [:error] [pid 24146]     self.__populate_local_domain()
[Tue Nov 13 10:51:04.693829 2018] [:error] [pid 24146]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1570, in __populate_local_domain
[Tue Nov 13 10:51:04.693840 2018] [:error] [pid 24146]     ld.retrieve(installutils.get_fqdn())
[Tue Nov 13 10:51:04.693850 2018] [:error] [pid 24146]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 960, in retrieve
[Tue Nov 13 10:51:04.693861 2018] [:error] [pid 24146]     self.init_lsa_pipe(remote_host)
[Tue Nov 13 10:51:04.693900 2018] [:error] [pid 24146]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 879, in init_lsa_pipe
[Tue Nov 13 10:51:04.693922 2018] [:error] [pid 24146]     % dict(host=remote_host))
[Tue Nov 13 10:51:04.693933 2018] [:error] [pid 24146] ACIError: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials
[Tue Nov 13 10:51:04.693944 2018] [:error] [pid 24146]
[Tue Nov 13 10:51:04.694550 2018] [:error] [pid 24146] ipa: INFO: [jsonserver_session] admin@IPA.SRV.WORLD: trust_add/1(u'ad.srv.world', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', version=u'2.228'): ACIError
[Tue Nov 13 10:51:04.696944 2018] [:error] [pid 24146] ipa: DEBUG: Destroyed connection context.ldap2_139937313614032
/var/log/samba/*
10:51:04.514558, 1, pid=26847, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:419(ndr_print_debug)
  &global_blob: struct smbXsrv_session_globalB
    version : SMBXSRV_VERSION_0 (0)
    seqnum : 0x00000001 (1)
    info : union smbXsrv_session_globalU(case 0)
      info0 : *
        info0: struct smbXsrv_session_global0
          db_rec : *
          session_global_id : 0x7990abe5 (2039524325)
          session_wire_id : 0x000000007990abe5 (2039524325)
          creation_time : Tue Nov 13 10:51:05 AM 2018 CET
          expiration_time : Thu Jan 1 01:00:00 AM 1970 CET
          auth_time : NTTIME(0)
          auth_session_info_seqnum : 0x00000000 (0)
          auth_session_info : NULL
          connection_dialect : 0x0311 (785)
          signing_flags : 0x00 (0)
            0: SMBXSRV_SIGNING_REQUIRED
            0: SMBXSRV_PROCESSED_SIGNED_PACKET
            0: SMBXSRV_PROCESSED_UNSIGNED_PACKET
          encryption_flags : 0x00 (0)
            0: SMBXSRV_ENCRYPTION_REQUIRED
            0: SMBXSRV_ENCRYPTION_DESIRED
            0: SMBXSRV_PROCESSED_ENCRYPTED_PACKET
            0: SMBXSRV_PROCESSED_UNENCRYPTED_PACKET
          num_channels : 0x00000001 (1)
          channels: ARRAY(1)
            channels: struct smbXsrv_channel_global0
              server_id: struct server_id
                pid : 0x00000000000068df (26847)
                task_id : 0x00000000 (0)
                vnn : 0xffffffff (4294967295)
                unique_id : 0xbd2b8cdb3e78c171 (-4815600503268785807)
              local_address : 'ipv4:10.50.1.103:445'
              remote_address : 'ipv4:10.50.1.103:56404'
              remote_name : '10.50.1.103'
              auth_session_info_seqnum : 0x00000000 (0)
              connection : *
          encryption_cipher : 0x0000 (0)
[2018/11/13 10:51:04.515148, 5, pid=26847, effective(0, 0), real(0, 0)]
018/11/13 10:51:04.515354, 1, pid=26847, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:419(ndr_print_debug)
  &session_blob: struct smbXsrv_sessionB
    version : SMBXSRV_VERSION_0 (0)
    reserved : 0x00000000 (0)
    info : union smbXsrv_sessionU(case 0)
      info0 : *
        info0: struct smbXsrv_session
          table : *
          db_rec : NULL
          client : *
          local_id : 0x7990abe5 (2039524325)
          global : *
            global: struct smbXsrv_session_global0
              db_rec : NULL
              session_global_id : 0x7990abe5 (2039524325)
              session_wire_id : 0x000000007990abe5 (2039524325)
              creation_time : Tue Nov 13 10:51:05 AM 2018 CET
              expiration_time : Thu Jan 1 01:00:00 AM 1970 CET
              auth_time : NTTIME(0)
              auth_session_info_seqnum : 0x00000000 (0)
              auth_session_info : NULL
              connection_dialect : 0x0311 (785)
              signing_flags : 0x00 (0)
                0: SMBXSRV_SIGNING_REQUIRED
                0: SMBXSRV_PROCESSED_SIGNED_PACKET
                0: SMBXSRV_PROCESSED_UNSIGNED_PACKET
              encryption_flags : 0x00 (0)
                0: SMBXSRV_ENCRYPTION_REQUIRED
                0: SMBXSRV_ENCRYPTION_DESIRED
                0: SMBXSRV_PROCESSED_ENCRYPTED_PACKET
                0: SMBXSRV_PROCESSED_UNENCRYPTED_PACKET
              num_channels : 0x00000001 (1)
              channels: ARRAY(1)
                channels: struct smbXsrv_channel_global0
                  server_id: struct server_id
                    pid : 0x00000000000068df (26847)
                    task_id : 0x00000000 (0)
                    vnn : 0xffffffff (4294967295)
                    unique_id : 0xbd2b8cdb3e78c171 (-4815600503268785807)
                  local_address : 'ipv4:10.50.1.103:445'
                  remote_address : 'ipv4:10.50.1.103:56404'
                  remote_name : '10.50.1.103'
                  auth_session_info_seqnum : 0x00000000 (0)
                  connection : *
              encryption_cipher : 0x0000 (0)
          status : NT_STATUS_MORE_PROCESSING_REQUIRED
          idle_time : Tue Nov 13 10:51:05 AM 2018 CET
          nonce_high_random : 0x0000000000000000 (0)
          nonce_high_max : 0x0000000000000000 (0)
          nonce_high : 0x0000000000000000 (0)
          nonce_low : 0x0000000000000000 (0)
          compat : NULL
          tcon_table : *
          pending_auth : NULL
    version : SMBXSRV_VERSION_0 (0)
    reserved : 0x00000000 (0)
    info : union smbXsrv_sessionU(case 0)
      info0 : *
        info0: struct smbXsrv_session
          table : *
          db_rec : NULL
          client : *
          local_id : 0x7990abe5 (2039524325)
          global : *
            global: struct smbXsrv_session_global0
              db_rec : NULL
              session_global_id : 0x7990abe5 (2039524325)
              session_wire_id : 0x000000007990abe5 (2039524325)
              creation_time : Tue Nov 13 10:51:05 AM 2018 CET
              expiration_time : Thu Jan 1 01:00:00 AM 1970 CET
              auth_time : NTTIME(0)
              auth_session_info_seqnum : 0x00000000 (0)
              auth_session_info : NULL
              connection_dialect : 0x0311 (785)
              signing_flags : 0x00 (0)
                0: SMBXSRV_SIGNING_REQUIRED
                0: SMBXSRV_PROCESSED_SIGNED_PACKET
                0: SMBXSRV_PROCESSED_UNSIGNED_PACKET
              encryption_flags : 0x00 (0)
                0: SMBXSRV_ENCRYPTION_REQUIRED
                0: SMBXSRV_ENCRYPTION_DESIRED
                0: SMBXSRV_PROCESSED_ENCRYPTED_PACKET
                0: SMBXSRV_PROCESSED_UNENCRYPTED_PACKET
              num_channels : 0x00000001 (1)
              channels: ARRAY(1)
                channels: struct smbXsrv_channel_global0
                  server_id: struct server_id
                    pid : 0x00000000000068df (26847)
                    task_id : 0x00000000 (0)
                    vnn : 0xffffffff (4294967295)
                    unique_id : 0xbd2b8cdb3e78c171 (-4815600503268785807)
                  local_address : 'ipv4:10.50.1.103:445'
                  remote_address : 'ipv4:10.50.1.103:56404'
                  remote_name : '10.50.1.103'
                  auth_session_info_seqnum : 0x00000000 (0)
                  connection : *
              encryption_cipher : 0x0000 (0)
          status : NT_STATUS_MORE_PROCESSING_REQUIRED
          idle_time : Tue Nov 13 10:51:05 AM 2018 CET
          nonce_high_random : 0x0000000000000000 (0)
          nonce_high_max : 0x0000000000000000 (0)
          nonce_high : 0x0000000000000000 (0)
          nonce_low : 0x0000000000000000 (0)
          compat : NULL
          tcon_table : *
          pending_auth : *
            pending_auth: struct smbXsrv_session_auth0
              prev : *
              next : NULL
              session : *
              connection : *
              gensec : *
              preauth : *
              in_flags : 0x00 (0)
              in_security_mode : 0x03 (3)
              creation_time : Tue Nov 13 10:51:05 AM 2018 CET
              idle_time : Tue Nov 13 10:51:05 AM 2018 CET
Successfully validated Kerberos PAC
  pac_data: struct PAC_DATA
    num_buffers : 0x00000005 (5)
    version : 0x00000000 (0)
    buffers: ARRAY(5)
      buffers: struct PAC_BUFFER
        type : PAC_TYPE_LOGON_INFO (1)
        _ndr_size : 0x000001a8 (424)
        info : *
          info : union PAC_INFO(case 1)
            logon_info: struct PAC_LOGON_INFO_CTR
              info : *
                info: struct PAC_LOGON_INFO
                  info3: struct netr_SamInfo3
                    base: struct netr_SamBaseInfo
                      logon_time : NTTIME(0)
                      logoff_time : Thu Jan 1 01:00:00 AM 1970 CET
                      kickoff_time : Thu Jan 1 01:00:00 AM 1970 CET
                      last_password_change : Fri Nov 2 04:41:05 PM 2018 CET
                      allow_password_change : NTTIME(0)
                      force_password_change : Thu Jan 1 01:00:00 AM 1970 CET
                      account_name: struct lsa_String
                        length : 0x000a (10)
                        size : 0x000a (10)
                        string : *
                          string : 'admin'
                      full_name: struct lsa_String
                        length : 0x001a (26)
                        size : 0x001a (26)
                        string : *
                          string : 'Administrator'
                      logon_script: struct lsa_String
                        length : 0x0000 (0)
                        size : 0x0000 (0)
                        string : *
                          string : ''
                      profile_path: struct lsa_String
                        length : 0x0000 (0)
                        size : 0x0000 (0)
                        string : *
                          string : ''
                      home_directory: struct lsa_String
                        length : 0x0000 (0)
                        size : 0x0000 (0)
                        string : *
                          string : ''
                      home_drive: struct lsa_String
                        length : 0x0000 (0)
                        size : 0x0000 (0)
                        string : *
                          string : ''
                      logon_count : 0x0000 (0)
                      bad_password_count : 0x0000 (0)
                      rid : 0x000001f4 (500)
                      primary_gid : 0x00000200 (512)
                      groups: struct samr_RidWithAttributeArray
                        count : 0x00000000 (0)
                        rids : *
                          rids: ARRAY(0)
                      user_flags : 0x00000000 (0)
                        0: NETLOGON_GUEST
                        0: NETLOGON_NOENCRYPTION
                        0: NETLOGON_CACHED_ACCOUNT
                        0: NETLOGON_USED_LM_PASSWORD
                        0: NETLOGON_EXTRA_SIDS
                        0: NETLOGON_SUBAUTH_SESSION_KEY
                        0: NETLOGON_SERVER_TRUST_ACCOUNT
                        0: NETLOGON_NTLMV2_ENABLED
                        0: NETLOGON_RESOURCE_GROUPS
                        0: NETLOGON_PROFILE_PATH_RETURNED
                        0: NETLOGON_GRACE_LOGON
                      key: struct netr_UserSessionKey
                        key: ARRAY(16): <REDACTED SECRET VALUES>
                      logon_server: struct lsa_StringLarge
                        length : 0x0006 (6)
                        size : 0x0008 (8)
                        string : *
                          string : 'DLP'
                      logon_domain: struct lsa_StringLarge
      buffers: struct PAC_BUFFER
        type : PAC_TYPE_LOGON_NAME (10)
        _ndr_size : 0x00000014 (20)
        info : *
          info : union PAC_INFO(case 10)
            logon_name: struct PAC_LOGON_NAME
              logon_time : Mon Nov 12 04:01:01 PM 2018 CET
              size : 0x000a (10)
              account_name : 'admin'
        _pad : 0x00000000 (0)
      buffers: struct PAC_BUFFER
        type : PAC_TYPE_CONSTRAINED_DELEGATION (11)
        _ndr_size : 0x000000d8 (216)
        info : *
          info : union PAC_INFO(case 11)
            constrained_delegation: struct PAC_CONSTRAINED_DELEGATION_CTR
              info : *
                info: struct PAC_CONSTRAINED_DELEGATION
                  proxy_target: struct lsa_String
                    length : 0x0048 (72)
                    size : 0x0048 (72)
                    string : *
                      string : 'HTTP/dlp.ipa.srv.world@IPA.SRV.WORLD'
                  num_transited_services : 0x00000001 (1)
                  transited_services : *
                    transited_services: ARRAY(1)
                      transited_services: struct lsa_String
                        length : 0x0048 (72)
                        size : 0x0048 (72)
                        string : *
                          string : 'cifs/dlp.ipa.srv.world@IPA.SRV.WORLD'
        _pad : 0x00000000 (0)
      buffers: struct PAC_BUFFER
        type : PAC_TYPE_SRV_CHECKSUM (6)
        _ndr_size : 0x00000010 (16)
        info : *
          info : union PAC_INFO(case 6)
            srv_cksum: struct PAC_SIGNATURE_DATA
              type : 0x00000010 (16)
              signature : DATA_BLOB length=12
[0000] 39 30 31 38 5E 6B 2C 47 9B 75 B8 50   9018^k,G .u.P
        _pad : 0x00000000 (0)
      buffers: struct PAC_BUFFER
        type : PAC_TYPE_KDC_CHECKSUM (7)
        _ndr_size : 0x00000010 (16)
        info : *
          info : union PAC_INFO(case 7)
            kdc_cksum: struct PAC_SIGNATURE_DATA
              type : 0x00000010 (16)
              signature : DATA_BLOB length=12
I'm a bit stuck with this issue.
Kind regards
freeipa-users@lists.fedorahosted.org
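The trace in the post runs through several stages before the ACIError is raised: the GSSAPI client credential, the SPNEGO token, the DCERPC bind to the local LSA pipe, and finally the IPA plugin. Reading it in that order matters, because a failure at an earlier stage explains every later NT_STATUS_LOGON_FAILURE. The following is an added example (not from the post or from FreeIPA's own code) that tags each failure line with the stage it belongs to and reports the earliest one, run over a constructed log built from the messages quoted above. The stage names, the regular expressions and the helper names are assumptions made for this example.

```python
"""
Added example (not the post's or FreeIPA's code): triage of smbclient / httpd
debug output to find the earliest failing stage of the local LSA pipe setup
that `ipa trust-add` performs before it contacts Active Directory.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: one message per line, taken from the smbclient -d 3 run
# and the httpd error log quoted in the post, interleaved by hand.
SAMPLE_LOG = """\
Client started (version 4.7.1).
Connecting to 10.50.1.103 at port 445
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for admin@IPA.SRV.WORLD will expire in 86359 secs
GSS client Update(krb5)(1) Update failed: Unspecified GSS failure. Minor code may provide more information: Credential cache is empty
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for host/DLP.IPA.SRV.WORLD failed (next[(null)]): NT_STATUS_LOGON_FAILURE
Failed to setup SPNEGO negTokenInit request: NT_STATUS_LOGON_FAILURE
Failed to bind to uuid 12345778-1234-abcd-ef00-0123456789ab for ncacn_ip_tcp: 10.50.1.103 [49152,print,target_hostname=dlp.ipa.srv.world] NT_STATUS_LOGON_FAILURE
ACIError: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials
"""

# Stages in the order they happen (assumed names). Patterns are built from the
# messages in the post plus common Kerberos minor-code texts; the first stage
# whose pattern matches a line wins, and the earliest stage overall is the
# one to look at first, since it explains the later failures.
STAGES = [
    ("kerberos-credentials",
     re.compile(r"Credential cache is empty|Ticket expired|No credentials cache found")),
    ("spnego-gssapi",
     re.compile(r"SPNEGO.*failed|Failed to setup SPNEGO")),
    ("dcerpc-bind",
     re.compile(r"Failed to bind to uuid")),
    ("ipa-trust-add",
     re.compile(r"ACIError: Insufficient access")),
]
STAGE_ORDER = {name: i for i, (name, _) in enumerate(STAGES)}


@dataclass(frozen=True)
class Finding:
    stage: str
    line_no: int   # 1-based line number in the log text
    text: str


def triage(log_text: str) -> List[Finding]:
    """Tag every failure line with the first stage whose pattern matches it."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for stage, pattern in STAGES:
            if pattern.search(line):
                findings.append(Finding(stage, n, line.strip()))
                break
    return findings


def root_cause(findings: List[Finding]) -> Optional[Finding]:
    """Finding from the earliest stage; ties are broken by line number."""
    if not findings:
        return None
    return min(findings, key=lambda f: (STAGE_ORDER[f.stage], f.line_no))


def gssapi_credential(log_text: str) -> Optional[Tuple[str, int]]:
    """Principal and remaining lifetime that GENSEC reported for the client
    credential, if present. In the post this line appears even though the
    next step says the cache is empty, which is what makes the trace confusing."""
    m = re.search(r"GSSAPI credentials for (\S+) will expire in (\d+) secs", log_text)
    return (m.group(1), int(m.group(2))) if m else None


def report(log_text: str) -> str:
    """Human-readable summary: credential seen, tagged lines, earliest stage."""
    findings = triage(log_text)
    rc = root_cause(findings)
    cred = gssapi_credential(log_text)
    out = []
    if cred:
        out.append("client credential: %s (expires in %d s)" % cred)
    for f in findings:
        out.append("line %d  [%s]  %s" % (f.line_no, f.stage, f.text[:70]))
    if rc:
        out.append("earliest failing stage: %s (line %d)" % (rc.stage, rc.line_no))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the constructed sample the earliest failing stage is the Kerberos credential ("Credential cache is empty"), which is the line to explain before spending time on the SPNEGO, DCERPC or ACI messages that follow it. One caveat worth keeping in mind when reading such a trace: with `default_ccache_name = KEYRING:persistent:%{uid}` the credential cache is per uid, so a ticket obtained with `kinit` as one user is not visible to a process running as another user, and a `klist` run in a root shell does not by itself show what the service's own process can see.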