I have been trying to reliably get an AD trust setup for a few weeks and no matter what I try, when I go to add AD users to an external group in FreeIPA, I get:
"trusted domain object not found"
Googling around tends to always yield the same suggestions:
- Check time sync
- Check DNS
- Check firewall
I have done all of this ad nauseam in several different environments with several different versions of FreeIPA and Windows servers. I have gotten a setup to work maybe 2% of the time out of hundreds of attempts.
I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the COPR repo). I am trying to establish trust with a mixed Windows 2012 & 2008 forest. I have tried both one- and two-way trusts. Everything seems to work fine up until I try to add AD users to FreeIPA.
I have verified all of the requisite DNS records exist and return the proper information on both sides, there are no firewalls between any of the hosts, and the AD servers and FreeIPA servers are synchronized by the same NTP servers.
What could I possibly be missing?
On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via FreeIPA-users wrote:
Can you resolve the object you're trying to add with sssd?
e.g. id foo@windows.domain
On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" <freeipa-users@lists.fedorahosted.org> wrote:
Can you resolve the object you're trying to add with sssd?
e.g. id foo@windows.domain
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
No. I can log in via Kerberos, kinit user@ad.domain. But neither id user@ad.domain nor getent passwd user@ad.domain are successful.
On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote:
No. I can log in via Kerberos, kinit user@ad.domain. But neither id user@ad.domain nor getent passwd user@ad.domain are successful.
Then please follow https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
On Mon, Jul 24, 2017 at 9:25 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:
Then please follow https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
Jakub,
Thank you for the support thus far. I have followed some suggestions in the sssd troubleshooting link you provided. I am seeing these errors whenever I try to perform an operation that would look up an AD user, e.g. id user@ad.domain. I am performing the user lookups on the primary IPA server itself.
sssd.conf:
[domain/ipa.domain]
debug_level = 10
cache_credentials = True
enumerate = False
krb5_store_password_if_offline = True
ipa_domain = ipa.domain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa01.ipa.domain
chpass_provider = ipa
ipa_server = _srv_
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = sudo, nss, ifp, pam, ssh, pac
debug_level = 10
domains = ipa.domain
[nss]
debug_level = 10
[pam]
debug_level = 10
[sudo]
debug_level = 10
[autofs]
debug_level = 10
[ssh]
debug_level = 10
[pac]
debug_level = 10
[ifp]
debug_level = 10
[secrets]
debug_level = 10
sssd.log (debug 10 on everything):
Jul 24 13:19:40 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:40 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:40 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:40 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 2
Jul 24 13:19:46 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:46 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:19:46 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:46 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:46 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:46 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 2
Jul 24 13:19:52 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:52 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:19:52 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:52 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:52 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:52 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 2
Jul 24 13:19:58 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:58 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:19:58 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:58 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:58 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:58 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:58 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:58 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 2
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[be[ipa.domain]]] [fo_resolve_service_send] (0x0020): No available servers for service 'IPA'
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[be[ipa.domain]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[be[ipa.domain]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [11]: Resource temporarily unavailable.
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #39: Data Provider Error: 1, 11, Offline
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #40: Data Provider Error: 1, 11, Offline
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #39: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #40: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #39: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #40: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #42: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #43: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #43: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #43: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #44: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #45: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #45: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #45: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #46: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #47: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #47: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #47: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #48: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #49: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #49: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #49: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #50: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:06 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:06 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
On Mon, Jul 24, 2017 at 01:53:20PM -0400, Jason Beck wrote:
Are you sure it's the server itself? Because for one, I would expect to see ipa_server_mode=True in sssd.conf and also ipa_server set to fqdn of 'self', not to _srv_.
Also the s2n exop failed messages make it look like the debug messages are from a client.
Anyway, one thing to examine is:
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #49: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
This indicates a communication issue towards the server. You should look for messages that say that 'a port is not working'.
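As an added example (not code from the thread, from SSSD or from FreeIPA), the Python below applies the two observations in Jakub's reply: it flags a [domain/...] section on an IPA server that still carries the client settings (ipa_server = _srv_, no ipa_server_mode), and it triages the posted sssd log lines for the offline indicators, including the failover "port ... not working" message he refers to. The config text and log lines are taken from the thread; the function names and the signature wording are assumptions.

```python
"""Triage helpers for the situation in this thread: sssd on a trust-enabled IPA
master configured like a client (ipa_server = _srv_, no ipa_server_mode) while
its data provider reports itself offline.  Added example, not SSSD/FreeIPA code."""
import configparser
import re

# The [domain/...] section as posted in the thread, trimmed to the keys read here.
SSSD_CONF_AS_POSTED = """\
[domain/ipa.domain]
ipa_domain = ipa.domain
id_provider = ipa
ipa_hostname = ipa01.ipa.domain
ipa_server = _srv_
"""

# The same section with the two settings Jakub expects on the IPA server itself.
SSSD_CONF_SERVER_MODE = """\
[domain/ipa.domain]
ipa_domain = ipa.domain
id_provider = ipa
ipa_hostname = ipa01.ipa.domain
ipa_server_mode = True
ipa_server = ipa01.ipa.domain
"""

# Log lines quoted in the thread, journal prefix included.
SSSD_LOG_EXCERPT = """\
Jul 24 13:19:40 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:40 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[be[ipa.domain]]] [fo_resolve_service_send] (0x0020): No available servers for service 'IPA'
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[be[ipa.domain]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
"""

# Optional journal prefix, then SSSD's "(timestamp) [sssd[proc]] [func] (level): msg".
LOG_LINE = re.compile(
    r"^(?:.*?: )?\((?P<ts>[^)]*)\) \[sssd\[(?P<proc>.+?)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

# Message fragments seen in the thread, plus the failover message Jakub alludes
# to with "a port is not working", each mapped to a short finding.
SIGNATURES = [
    (re.compile(r"Marking port (\d+) of server '([^']+)' as 'not working'"), "port {0} of {1} marked not working"),
    (re.compile(r"No available servers for service '([^']+)'"), "failover exhausted for service {0}"),
    (re.compile(r"going offline"), "backend going offline"),
    (re.compile(r"DataProvider\.Offline"), "responder got Offline from data provider"),
    (re.compile(r"s2n exop request failed"), "extdom (s2n) lookup of trusted user failed"),
]


def check_server_mode(conf_text, local_fqdn):
    """Findings for each [domain/...] section using id_provider = ipa, judged
    against what the IPA server's own sssd.conf should contain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for sec in cp.sections():
        if not sec.startswith("domain/") or cp.get(sec, "id_provider", fallback="") != "ipa":
            continue
        if cp.get(sec, "ipa_server_mode", fallback="false").strip().lower() not in ("true", "yes", "1"):
            findings.append(f"{sec}: ipa_server_mode is not True; an IPA master must run sssd in server mode")
        server = cp.get(sec, "ipa_server", fallback="").strip()
        # _srv_ means "discover a server through DNS SRV records", i.e. the
        # client setting; the master should name itself.
        if server in ("", "_srv_"):
            findings.append(f"{sec}: ipa_server is '{server or '(unset)'}'; expected {local_fqdn}")
        elif server != local_fqdn:
            findings.append(f"{sec}: ipa_server is {server}, not this host ({local_fqdn})")
    return findings


def triage_log(log_text):
    """Return (process, function, finding) for each log line matching a signature;
    lines in other formats (e.g. the bare "GSSAPI client step" lines) are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for pattern, template in SIGNATURES:
            s = pattern.search(m["msg"])
            if s:
                hits.append((m["proc"], m["func"], template.format(*s.groups())))
                break
    return hits


def diagnose(conf_text, local_fqdn, log_text):
    """Combine both checks into (config_findings, log_findings, verdict); the verdict
    follows the thread's reading: client-style config on the master plus an offline
    backend means sssd.conf is the first thing to fix."""
    conf = check_server_mode(conf_text, local_fqdn)
    log = triage_log(log_text)
    offline = any("offline" in finding.lower() for _, _, finding in log)
    if conf and offline:
        verdict = "fix sssd.conf first: IPA master configured as a client and its backend is offline"
    elif offline:
        verdict = "backend offline: find the port marked 'not working'"
    else:
        verdict = "config problems only" if conf else "no issues found"
    return conf, log, verdict
```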
On Mon, Jul 24, 2017 at 2:23 PM, Jakub Hrozek <jhrozek@redhat.com> wrote:
Are you sure it's the server itself? Because for one, I would expect to see ipa_server_mode=True in sssd.conf and also ipa_server set to fqdn of 'self', not to _srv_.
Also the s2n exop failed messages make it look like the debug messages are from a client.
Anyway, one thing to examine is:
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #49: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
This indicates a communication issue towards the server. You should look for messages that say that 'a port is not working'.
Sorry, I've been troubleshooting this for weeks, trying various settings. When I add the variables to sssd.conf
[domain/ipa.domain]
...
ipa_server_mode = True
ipa_server = ipa01.ipa.domain
...
and restart sssd, I am now getting the following errors; also id user@ad.domain and/or getent passwd user@ad.domain return failure immediately:
Jul 24 14:40:41 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:40:41 2017) [sssd[be[ipa.domain]]] [sdap_get_server_opts_from_rootdse] (0x0020): ldap_rootdse_last_usn configured but not found in rootdse!
Jul 24 14:40:41 iad1aipa01.ipa.domain sssd_be[12156]: GSSAPI client step 1
Jul 24 14:40:41 iad1aipa01.ipa.domain sssd_be[12156]: GSSAPI client step 1
Jul 24 14:40:41 iad1aipa01.ipa.domain sssd_be[12156]: GSSAPI client step 1
Jul 24 14:40:41 iad1aipa01.ipa.domain sssd_be[12156]: GSSAPI client step 2
Jul 24 14:40:47 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:40:47 2017) [sssd[be[ipa.domain]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 0 sudo rules
Jul 24 14:41:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:41:13 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Bug: id cannot be 0!
Jul 24 14:41:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:41:13 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Unable to create cache_req data [1432158209]: Internal Error
Jul 24 14:41:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:41:13 2017) [sssd[nss]] [nss_getby_id] (0x0020): Unable to set cache request data!
Jul 24 14:41:27 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:41:27 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 14:42:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:42:13 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Bug: id cannot be 0!
Jul 24 14:42:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:42:13 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Unable to create cache_req data [1432158209]: Internal Error
Jul 24 14:42:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:42:13 2017) [sssd[nss]] [nss_getby_id] (0x0020): Unable to set cache request data!
As far as ports not working, all of the IPA services are running, the local firewalls are all turned off on the IPA servers and the firewalls between the AD servers and the IPA servers are completely open for the IPA server addresses. LDAP queries work fine to both the AD servers and the IPA servers. I can kinit fine as an AD user on the IPA servers.
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
On Mon, Jul 24, 2017 at 2:53 PM, Jason Beck <jason.s.beck@gmail.com> wrote:
On Mon, Jul 24, 2017 at 2:23 PM, Jakub Hrozek jhrozek@redhat.com wrote:
On Mon, Jul 24, 2017 at 01:53:20PM -0400, Jason Beck wrote:
On Mon, Jul 24, 2017 at 9:25 AM, Jakub Hrozek jhrozek@redhat.com
wrote:
On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote:
On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" < freeipa-users@lists.fedorahosted.org> wrote:
On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via
FreeIPA-users
wrote: > I have been trying to reliably get an AD trust setup for a few
weeks
and
no > matter what I try, when I goto add AD users to an external
group in
> FreeIPA, I get: > > "trusted domain object not found" > > Googling around tends to always yield the same suggestions: > > 1) Check time sync > 2) Check DNS > 3) Check firewall > > I have done all of this ad nauseam in several different
environments
with
> several different versions of FreeIPA and Windows servers. I
have
gotten a > setup to work maybe 2% of the time out of hundreds of attempts. > > I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the COPR
repo).
I > am trying to establish trust with a mixed Windows 2012 & 2008
forest. I
> have tried both one and two way trusts. Everything seems to
work
fine up
> until I try to add AD users to FreeIPA. > > I have verified all of the requisite DNS records exist and
return the
> proper information on both sides, there are no firewalls
between any
of
the > hosts, and the AD servers and FreeIPA servers are synchronized
by the
same > NTP servers. > > What could I possibly be missing?
Can you resolve the object you're trying to add with sssd?
e.g. id foo@windows.domain _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahost
ed.org
To unsubscribe send an email to freeipa-users-leave@lists.
fedorahosted.org
No. I can login via Kerberos, kinit user@ad.domain. But neither
id
user@ad.domain nor getent passwd user@ad.domain are successful.
Then please follow https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
Jakub,
Thank you for the support thus far. I have followed some suggestions in the sssd troubleshooting link you provided. I am seeing these errors whenever I try to perform an operation that would look up an AD user, e.g. id user@ad.domain. I am performing the user lookups on the primary IPA server itself.
*sssd.conf:*
[domain/ipa.domain]
debug_level = 10
cache_credentials = True
enumerate = False
krb5_store_password_if_offline = True
ipa_domain = ipa.domain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa01.ipa.domain
chpass_provider = ipa
ipa_server = _srv_
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = sudo, nss, ifp, pam, ssh, pac
debug_level = 10
domains = ipa.domain
[nss]
debug_level = 10
[pam]
debug_level = 10
[sudo]
debug_level = 10
[autofs]
debug_level = 10
[ssh]
debug_level = 10
[pac]
debug_level = 10
[ifp]
debug_level = 10
[secrets]
debug_level = 10
Are you sure it's the server itself? Because for one, I would expect to see ipa_server_mode=True in sssd.conf and also ipa_server set to fqdn of 'self', not to _srv_.
Also the s2n exop failed messages make it look like the debug messages are from a client.
Anyway, one thing to examine is:
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #49: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
This indicates a communication issue towards the server. You should look for messages that say that 'a port is not working'.
Sorry, I've been troubleshooting this for weeks, trying various settings. When I add the variables to sssd.conf
[domain/ipa.domain]
...
ipa_server_mode = True
ipa_server = ipa01.ipa.domain
...
and restart sssd, I am now getting the following errors; also, id user@ad.domain and/or getent passwd user@ad.domain return failure immediately:
Jul 24 14:40:41 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:40:41 2017) [sssd[be[ipa.domain]]] [sdap_get_server_opts_from_rootdse] (0x0020): ldap_rootdse_last_usn configured but not found in rootdse!
Jul 24 14:40:41 iad1aipa01.ipa.domain sssd_be[12156]: GSSAPI client step 1
Jul 24 14:40:41 iad1aipa01.ipa.domain sssd_be[12156]: GSSAPI client step 1
Jul 24 14:40:41 iad1aipa01.ipa.domain sssd_be[12156]: GSSAPI client step 1
Jul 24 14:40:41 iad1aipa01.ipa.domain sssd_be[12156]: GSSAPI client step 2
Jul 24 14:40:47 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:40:47 2017) [sssd[be[ipa.domain]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 0 sudo rules
Jul 24 14:41:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:41:13 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Bug: id cannot be 0!
Jul 24 14:41:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:41:13 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Unable to create cache_req data [1432158209]: Internal Error
Jul 24 14:41:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:41:13 2017) [sssd[nss]] [nss_getby_id] (0x0020): Unable to set cache request data!
Jul 24 14:41:27 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:41:27 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 14:42:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:42:13 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Bug: id cannot be 0!
Jul 24 14:42:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:42:13 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Unable to create cache_req data [1432158209]: Internal Error
Jul 24 14:42:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:42:13 2017) [sssd[nss]] [nss_getby_id] (0x0020): Unable to set cache request data!
As far as ports not working, all of the IPA services are running, the local firewalls are all turned off on the IPA servers and the firewalls between the AD servers and the IPA servers are completely open for the IPA server addresses. LDAP queries work fine to both the AD servers and the IPA servers. I can kinit fine as an AD user on the IPA servers.
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
I have reinstalled everything from scratch again and run through the setup instructions here: https://www.freeipa.org/page/Active_Directory_trust_setup
Everything "works" until I get to the point of adding an external user to an external group in FreeIPA.
The only configuration I have changed is to increase the debug logging in both sssd.conf and smb/netconf and to add the 'auth_to_local' lines in krb5.conf.
When I start sssd I am seeing the following:
Jul 24 16:10:14 ipa01.ipa.domain sssd[be[ipa.domain]][11828]: SRV discovery is enabled on the IPA server while using custom dns_discovery_domain. DNS discovery of trusted AD domain will likely fail. It is recommended not to use SRV discovery or the dns_discovery_domain option for the IPA domain while running on the server itself
Jul 24 16:10:14 ipa01.ipa.domain sssd[11826]: (Mon Jul 24 16:10:14 2017) [sssd[be[ipa.chewy.com]]] [ipa_init_server_mode] (0x0020): SRV discovery is enabled on the IPA server while using custom dns_discovery_domain. DNS discovery of trusted AD domain will likely fail. It is recommended not to use SRV discovery or the dns_discovery_domain option for the IPA domain while running on the server itself
I am not setting a custom dns_discovery_domain in sssd.conf.
Whenever I try to id user@ad.domain or getent passwd user@ad.domain nothing is logged in sssd. Is it possible to have the sssd on the IPA servers also be clients?
Thanks,
J
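The sssd output pasted above, together with Jakub's pointer to the Data Provider "Offline" error and "port is not working" messages, is easier to read with a small triage helper. The following is an added example, not code from this thread or from SSSD: it parses the "(timestamp) [sssd[component]] [function] (0xLEVEL): message" layout of SSSD debug output, using sample lines copied from this thread, and flags the signatures the thread discusses.

```python
"""Triage sssd log lines for the failure signatures discussed in this thread.

Added example, not from the thread or from SSSD. Lines without the debug
prefix (e.g. the bare "GSSAPI client step 1" lines) are parsed as plain
messages so they are not silently dropped.
"""
import re
from typing import Dict, List, Optional

# syslog prefix, then the optional SSSD debug prefix, then the message.
LINE_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[a-z_]+)\[(?P<pid>\d+)\]: "
    r"(?:\((?P<ts>[^)]*)\) \[(?P<comp>sssd\[.*?\])\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): )?(?P<msg>.*)$")

# Debug-level bits from sssd.conf(5); only the ones that appear in the thread.
LEVEL_NAMES = {0x0010: "critical", 0x0020: "serious", 0x0040: "minor"}

# (label, substring) pairs; every substring is taken from messages quoted in the thread
# or from Jakub's advice to look for 'a port is not working'. First match wins.
SIGNATURES = [
    ("backend offline", "Error.DataProvider.Offline"),
    ("backend offline", "Failed to get reply from Data Provider"),
    ("server mode misconfigured", "SRV discovery is enabled on the IPA server"),
    ("server unreachable", "not working"),
]

# Sample input copied from the log excerpts posted in this thread.
SAMPLE = [
    "Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] "
    "[cache_req_common_dp_recv] (0x0040): CR #49: Data Provider Error: 3, 5, "
    "Failed to get reply from Data Provider",
    "Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] "
    "[sss_dp_get_reply] (0x0010): The Data Provider returned an error "
    "[org.freedesktop.sssd.Error.DataProvider.Offline]",
    "Jul 24 14:40:41 iad1aipa01.ipa.domain sssd_be[12156]: GSSAPI client step 1",
    "Jul 24 14:40:47 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:40:47 2017) "
    "[sssd[be[ipa.domain]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 0 sudo rules",
    "Jul 24 16:10:14 ipa01.ipa.domain sssd[11826]: (Mon Jul 24 16:10:14 2017) "
    "[sssd[be[ipa.domain]]] [ipa_init_server_mode] (0x0020): SRV discovery is enabled on "
    "the IPA server while using custom dns_discovery_domain. DNS discovery of trusted AD "
    "domain will likely fail.",
]


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one journal line into its fields; None if it is not an sssd line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    level = int(rec["level"], 16) if rec["level"] else None
    rec["level_name"] = LEVEL_NAMES.get(level) if level is not None else None
    return rec


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per line whose message carries a known signature."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for label, needle in SIGNATURES:
            if needle in rec["msg"]:
                findings.append({
                    "label": label,
                    "func": rec["func"] or rec["proc"],
                    "comp": rec["comp"] or "",
                    "msg": rec["msg"],
                })
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['label']:<26} {f['comp']:<22} {f['func']}: {f['msg'][:60]}")
```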
On Mon, Jul 24, 2017 at 04:25:14PM -0400, Jason Beck via FreeIPA-users wrote:
I am not setting a custom dns_discovery_domain in sssd.conf.
Maybe the debug message is imprecise, IIRC this also gets logged if the setup sees a "_srv_" in the list of ipa_server values.
Whenever I try to id user@ad.domain or getent passwd user@ad.domain nothing is logged in sssd. Is it possible to have the sssd on the IPA servers also be clients?
No, the sssd on the servers is really running in a special configuration.
How exactly did you end up with that configuration? Did you run anything else except ipa-server-install and ipa-adtrust-install on the server?
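Jakub's point that an IPA master's own sssd.conf should carry ipa_server_mode = True and its own FQDN in ipa_server, with no _srv_ entry, can be turned into a quick check. This is an added example, not code from the thread or from FreeIPA/SSSD: it parses sssd.conf with Python's configparser and reports the deviations discussed above; the sample configs are constructed from the one posted in the thread, and the master's FQDN (ipa01.ipa.domain here) is passed in rather than detected.

```python
"""Audit an sssd.conf for the IPA-server-mode mistakes discussed in this thread.

Added example, not part of the thread or of SSSD/FreeIPA. On an IPA master the
[domain/...] section for the IPA domain is expected to carry
ipa_server_mode = True and ipa_server = <the master's own FQDN>; a bare _srv_
there makes the backend behave like a client and is what triggers the
"SRV discovery is enabled on the IPA server" warning quoted in the thread.
"""
import configparser
from typing import List

# Constructed sample mirroring the sssd.conf posted in the thread (abridged).
SAMPLE_CLIENT_LIKE = """
[domain/ipa.domain]
debug_level = 10
cache_credentials = True
ipa_domain = ipa.domain
id_provider = ipa
auth_provider = ipa
ipa_hostname = ipa01.ipa.domain
ipa_server = _srv_
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = sudo, nss, ifp, pam, ssh, pac
domains = ipa.domain
"""

# The same file after the change Jakub suggested.
SAMPLE_SERVER_MODE = SAMPLE_CLIENT_LIKE.replace(
    "ipa_server = _srv_",
    "ipa_server_mode = True\nipa_server = ipa01.ipa.domain")


def _parse(text: str) -> configparser.ConfigParser:
    # sssd.conf is INI-like; SSSD option names are case-sensitive, so keep them as written.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_ipa_server_sssd_conf(text: str, my_fqdn: str) -> List[str]:
    """Return human-readable findings for a master's sssd.conf (empty list = looks right)."""
    cp = _parse(text)
    findings: List[str] = []
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    if not domains:
        return ["no [domain/...] section found"]
    for sec in domains:
        d = cp[sec]
        if d.get("id_provider", "").strip() != "ipa":
            continue  # only the IPA domain is relevant to server mode
        mode = d.get("ipa_server_mode", "").strip().lower()
        if mode != "true":
            findings.append(f"{sec}: ipa_server_mode is not True (found {mode or 'unset'!r})")
        servers = [s.strip() for s in d.get("ipa_server", "").split(",") if s.strip()]
        if not servers:
            findings.append(f"{sec}: ipa_server is unset")
        if "_srv_" in servers:
            findings.append(f"{sec}: ipa_server contains _srv_; SRV discovery on the master "
                            "itself triggers the 'SRV discovery is enabled on the IPA server' warning")
        if servers and my_fqdn not in servers:
            findings.append(f"{sec}: ipa_server does not list this host ({my_fqdn}); got {servers}")
        if "dns_discovery_domain" in d:
            findings.append(f"{sec}: dns_discovery_domain is set; not recommended on the server itself")
    return findings


if __name__ == "__main__":
    for label, sample in (("client-like", SAMPLE_CLIENT_LIKE), ("server-mode", SAMPLE_SERVER_MODE)):
        print(label, audit_ipa_server_sssd_conf(sample, "ipa01.ipa.domain") or ["OK"])
```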
On Tue, Jul 25, 2017 at 2:29 AM, Jakub Hrozek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
How exactly did you end up with that configuration? Did you run anything else except ipa-server-install and ipa-adtrust-install on the server?
I just followed the steps outlined here: https://www.freeipa.org/page/Active_Directory_trust_setup
To be fair, this was on a host that had previously had FreeIPA configured and uninstalled via ipa-server-install --uninstall, so I am unsure if there may have been artifacts left over from that.
This is with FreeIPA 4.5.2 and deps from the COPR repo on Fedora 25.
On Tue, Jul 25, 2017 at 10:12:38AM -0400, Jason Hensley via FreeIPA-users wrote:
On Tue, Jul 25, 2017 at 2:29 AM, Jakub Hrozek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
On Mon, Jul 24, 2017 at 04:25:14PM -0400, Jason Beck via FreeIPA-users wrote:
On Mon, Jul 24, 2017 at 2:53 PM, Jason Beck jason.s.beck@gmail.com
wrote:
On Mon, Jul 24, 2017 at 2:23 PM, Jakub Hrozek jhrozek@redhat.com
wrote:
On Mon, Jul 24, 2017 at 01:53:20PM -0400, Jason Beck wrote:
On Mon, Jul 24, 2017 at 9:25 AM, Jakub Hrozek jhrozek@redhat.com
wrote:
> On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote: > > On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" < > > freeipa-users@lists.fedorahosted.org> wrote: > > > > > On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via
FreeIPA-users
> > > wrote: > > > > I have been trying to reliably get an AD trust setup for a
few
weeks
> and > > > no > > > > matter what I try, when I goto add AD users to an external
group in
> > > > FreeIPA, I get: > > > > > > > > "trusted domain object not found" > > > > > > > > Googling around tends to always yield the same suggestions: > > > > > > > > 1) Check time sync > > > > 2) Check DNS > > > > 3) Check firewall > > > > > > > > I have done all of this ad nauseam in several different
environments
> with > > > > several different versions of FreeIPA and Windows servers.
I
have
> > > gotten a > > > > setup to work maybe 2% of the time out of hundreds of
attempts.
> > > > > > > > I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the
COPR
> repo). > > > I > > > > am trying to establish trust with a mixed Windows 2012 &
2008
> forest. I > > > > have tried both one and two way trusts. Everything seems to
work
> fine up > > > > until I try to add AD users to FreeIPA. > > > > > > > > I have verified all of the requisite DNS records exist and
return the
> > > > proper information on both sides, there are no firewalls
between any
> of > > > the > > > > hosts, and the AD servers and FreeIPA servers are
synchronized
by the
> > > same > > > > NTP servers. > > > > > > > > What could I possibly be missing? > > > > > > Can you resolve the object you're trying to add with sssd? > > > > > > e.g. id foo@windows.domain > > > _______________________________________________ > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahost
ed.org
> > > To unsubscribe send an email to freeipa-users-leave@lists. > fedorahosted.org > > > > > > No. I can login via Kerberos, kinit user@ad.domain. But
neither
id
> > user@ad.domain nor getent passwd user@ad.domain are successful. > > Then please follow > https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html >
Jakub,
Thank you for the support thus far. I have followed some
suggestions
in
the sssd troubleshooting link you provided. I am seeing these
errors
whenever I try to perform an operation that would lookup an AD user,
e.g.
id user@ad.domain. I am performing the user lookups on the
primary IPA
server itself.
*sssd.conf:*
[domain/ipa.domain]
debug_level = 10
cache_credentials = True
enumerate = False
krb5_store_password_if_offline = True
ipa_domain = ipa.domain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa01.ipa.domain
chpass_provider = ipa
ipa_server = _srv_
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = sudo, nss, ifp, pam, ssh, pac
debug_level = 10
domains = ipa.domain
[nss]
debug_level = 10
[pam]
debug_level = 10
[sudo]
debug_level = 10
[autofs]
debug_level = 10
[ssh]
debug_level = 10
[pac]
debug_level = 10
[ifp]
debug_level = 10
[secrets]
debug_level = 10
Are you sure it's the server itself? Because for one, I would expect
to
see ipa_server_mode=True in sssd.conf and also ipa_server set to fqdn
of
'self', not to _srv_.
Also the s2n exop failed messages make it look like the debug messages are from a client.
Anyway, one thing to examine is:
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04
[sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #49: Data
Provider
Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04
[sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned
an
error [org.freedesktop.sssd.Error.DataProvider.Offline]
This indicates a communication issue towards the server. You should
look
for messages that say that 'a port is not working'.
Sorry, I've been troubleshooting this for weeks, trying various
settings.
When I add the variables to sssd.conf
[domain/ipa.domain] ... ipa_server_mode = True ipa_server = ipa01.ipa.domain ...
and restart sssd:
I am now getting the following errors, also id user@ad.domain and/or getent passwd user@ad.domain return failure immediately:
Jul 24 14:40:41 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:40:41 2017) [sssd[be[ipa.domain]]] [sdap_get_server_opts_from_rootdse] (0x0020): ldap_rootdse_last_usn configured but not found in rootdse!
Jul 24 14:40:41 iad1aipa01.ipa.domain sssd_be[12156]: GSSAPI client
step 1
Jul 24 14:40:41 iad1aipa01.ipa.domain sssd_be[12156]: GSSAPI client
step 1
Jul 24 14:40:41 iad1aipa01.ipa.domain sssd_be[12156]: GSSAPI client
step 1
Jul 24 14:40:41 iad1aipa01.ipa.domain sssd_be[12156]: GSSAPI client
step 2
Jul 24 14:40:47 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:40:47 2017) [sssd[be[ipa.domain]]] [ipa_sudo_fetch_rules_done] (0x0040):
Received
0 sudo rules
Jul 24 14:41:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:41:13 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Bug: id cannot be
0!
Jul 24 14:41:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:41:13 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Unable to create cache_req data [1432158209]: Internal Error
Jul 24 14:41:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:41:13 2017) [sssd[nss]] [nss_getby_id] (0x0020): Unable to set cache request
data!
Jul 24 14:41:27 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:41:27 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid
[389].
Jul 24 14:42:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:42:13 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Bug: id cannot be
0!
Jul 24 14:42:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:42:13 2017) [sssd[nss]] [cache_req_data_create] (0x0020): Unable to create cache_req data [1432158209]: Internal Error
Jul 24 14:42:13 iad1aipa01.ipa.domain sssd[12154]: (Mon Jul 24 14:42:13 2017) [sssd[nss]] [nss_getby_id] (0x0020): Unable to set cache request
data!
As far as ports not working, all of the IPA services are running, the local firewalls are all turned off on the IPA servers and the firewalls between the AD servers and the IPA servers are completely open for the
IPA
server addresses. LDAP queries work fine to both the AD servers and
the
IPA servers. I can kinit fine as an AD user on the IPA servers.
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
I have reinstalled everything from scratch again and run through the
setup
instructions here: https://www.freeipa.org/page/
Active_Directory_trust_setup
.
Everything "works" until I get to the point of adding an external user to an external group in FreeIPA.
The only configuration I have changed is to increase the debug logging in both sssd.conf and smb/netconf and adding the 'auth_to_local' lines in krb5.conf.
When I start sssd I am seeing the following:
Jul 24 16:10:14 ipa01.ipa.domain sssd[be[ipa.domain]][11828]: SRV
discovery
is enabled on the IPA server while using custom dns_discovery_domain. DNS discovery of trusted AD domain will likely fail. It is recommended not to use SRV discovery or the dns_discovery_domain option for the IPA domain while running on the server itself
Jul 24 16:10:14 ipa01.ipa.domain sssd[11826]: (Mon Jul 24 16:10:14 2017) [sssd[be[ipa.chewy.com]]] [ipa_init_server_mode] (0x0020): SRV
discovery is
enabled on the IPA server while using custom dns_discovery_domain. DNS discovery of trusted AD domain will likely fail. It is recommended not to use SRV discovery or the dns_discovery_domain option for the IPA domain while running on the server itself
I am not setting a custom dns_discovery_domain in sssd.conf.
Maybe the debug message is imprecise, IIRC this also gets logged if the setup sees a "_srv_" in the list of ipa_server values.
Whenever I try to id user@ad.domain or getent passwd user@ad.domain nothing is logged in sssd. Is it possible to have the sssd on the IPA servers also be clients?
No, the sssd on the servers is really running in a special configuration.
How exactly did you end up with that configuration? Did you run anything else except ipa-server-install and ipa-adtrust-install on the server?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
I just followed the steps outlined here: https://www.freeipa.org/page/Active_Directory_trust_setup
To be fair, this was on a host that had previously had FreeIPA configured and uninstalled via ipa-server-install --uninstall, so I am unsure if there may have been artifacts left over from that.
This is with FreeIPA 4.5.2 and deps from the COPR repo on Fedora 25.
But I'm really at loss to explain why your /IDM master/ would end up with "ipa_server = _srv_" and no "ipa_server_mode = True" in sssd.conf.
If you can reproduce that after running ipa-server-install, then I would say that is a bug in the IPA installer (although I would hope bugs like this would be discovered sooner). If you can reproduce this, I would file a bug and attach /var/log/ipaserver-install.log.(see https://www.freeipa.org/page/Troubleshooting#Server_Installation)
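As an added example (not code from the thread or from FreeIPA), the following shell check inspects the [domain/<ipa domain>] section of an sssd.conf for the two settings Jakub says a master should carry: ipa_server_mode = True and a fixed ipa_server rather than _srv_. The two configuration files it parses are constructed here to show a good master section beside a client-style one; the function name and the temporary paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: check whether the
# [domain/<ipa domain>] section of an sssd.conf looks like the one
# ipa-server-install writes on a master (ipa_server_mode = True and a fixed
# ipa_server, not _srv_). The sample configurations below are constructed.

# Usage: check_ipa_server_section <sssd.conf> <ipa domain>
# Returns 0 if the section looks like a master, 1 otherwise, printing findings.
check_ipa_server_section() {
    conf="$1"
    domain="$2"
    # Keep only the lines of the wanted section, up to the next [header].
    section=$(awk -v sec="[domain/$domain]" '
        $0 == sec { inside = 1; next }
        /^\[/     { inside = 0 }
        inside    { print }' "$conf")
    if [ -z "$section" ]; then
        echo "no [domain/$domain] section in $conf"
        return 1
    fi
    rc=0
    # Last assignment wins, as in sssd.conf itself.
    mode=$(printf '%s\n' "$section" |
           sed -n 's/^[[:space:]]*ipa_server_mode[[:space:]]*=[[:space:]]*//p' | tail -n 1)
    case "$mode" in
        [Tt]rue) ;;
        *) echo "ipa_server_mode is '${mode:-unset}', expected True on a master"; rc=1 ;;
    esac
    servers=$(printf '%s\n' "$section" |
              sed -n 's/^[[:space:]]*ipa_server[[:space:]]*=[[:space:]]*//p' | tail -n 1)
    case "$servers" in
        "")      echo "ipa_server is unset"; rc=1 ;;
        *_srv_*) echo "ipa_server = '$servers' uses SRV discovery on a master"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: what a master should carry, and a client-style section.
tmp=$(mktemp -d)
cat > "$tmp/master.conf" <<'EOF'
[sssd]
services = nss, sudo, pam, ssh
domains = ipa.domain

[domain/ipa.domain]
id_provider = ipa
ipa_server_mode = True
ipa_server = ipa01.ipa.domain
ipa_domain = ipa.domain
ipa_hostname = ipa01.ipa.domain
EOF
cat > "$tmp/clientlike.conf" <<'EOF'
[domain/ipa.domain]
id_provider = ipa
ipa_server = _srv_, ipa01.ipa.domain
ipa_domain = ipa.domain
EOF

check_ipa_server_section "$tmp/master.conf" ipa.domain && echo "master.conf: ok"
check_ipa_server_section "$tmp/clientlike.conf" ipa.domain || echo "clientlike.conf: not a master configuration"
```

Run it against /etc/sssd/sssd.conf with the IPA domain name on a master before filing the bug Jakub mentions; a clean result there and a persisting warning in the log would point at something other than the installer.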
I have the same error. I established two-way trust with AD which went fine. Authentication with Kerberos to AD is working. Since I have one test FreeIPA which is working correctly (relatively) I compared logs and pinpointed problem to strange LDAP search which is FreeIPA sending to DC: (&(sAMAccountName=domain\20admins)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0)))) This LDAP query is of course not working on AD. I don’t know why FreeIPA is sending this kind of query to AD in this case? Only difference that I can think of in this case is that I didn’t establish trust in two steps, but in one step from FreeIPA using command switch --two-way=true.
On Tue, Aug 01, 2017 at 11:20:16AM -0000, Igor Sever via FreeIPA-users wrote:
I have the same error. I established two-way trust with AD which went fine. Authentication with Kerberos to AD is working. Since I have one test FreeIPA which is working correctly (relatively) I compared logs and pinpointed problem to strange LDAP search which is FreeIPA sending to DC: (&(sAMAccountName=domain\20admins)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0)))) This LDAP query is of course not working on AD. I don’t know why FreeIPA is sending this kind of query to AD in this case? Only difference that I can think of in this case is that I didn’t establish trust in two steps, but in one step from FreeIPA using command switch --two-way=true.
Pardon my ignorance, but what part of that query doesn't work?
There is no gidNumber attribute on AD group objects. If I want to apply posix attributes directly in AD, then I don't need FreeIPA, do I... https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-ma... It is obvious that FreeIPA integration with AD is not production ready, and probably never will be for numerous reasons, just like samba...
On 08/02/2017 07:40 AM, Igor Sever via FreeIPA-users wrote:
There is no gidNumber attribute on AD group objects. If I want to apply posix attributes directly in AD, then I don't need FreeIPA, do I... https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-ma... It is obvious that FreeIPA integration with AD is not production ready, and probably never will be for numerous reasons, just like samba...
I suspect that the ID range automatically created for the AD trust was assigned a POSIX attributes range type, this can happen if any POSIX attributes exist in your environment. You can check this with 'ipa idrange-find'
The Range Type should be 'Active Directory domain range' for automatic SSSD ID mapping to be done not requiring POSIX attributes.
For me at least, the easiest way to fix is to remove the trust and re-add specifying the argument --range-type=ipa-ad-trust
# ipa trust-del ad.domain
# ipa idrange-del 'AD.DOMAIN_id_range'
# ipa trust-add ad.domain --range-type=ipa-ad-trust
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
Kind regards, Justin Stephenson
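The following added example (not code from the thread or from FreeIPA) ties Igor's symptom, an LDAP search carrying gidNumber filters sent to the AD DC, to the cause Justin describes, an ID range that declares POSIX attributes in AD, and prints the rebuild commands from Justin's reply. The idrange output and the SSSD log excerpt it reads are constructed in the shape of the real tools' output; the function names and temporary paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: relate the symptom
# Igor saw (SSSD sending gidNumber filters to the AD DC) to the cause Justin
# and Alexander point at (an ID range that declares POSIX attributes in AD),
# and print the rebuild commands from Justin's reply. The idrange output and
# log excerpt below are constructed in the shape of the real tools' output.

# Read `ipa idrange-show` / `ipa idrange-find` output on stdin and print the
# --range-type value its "Range type:" line corresponds to.
# Returns 0 for an ID-mapping range, 2 for a POSIX-attribute range, 1 if unknown.
range_type_of() {
    rtype=$(sed -n 's/^[[:space:]]*Range type:[[:space:]]*//p' | head -n 1)
    case "$rtype" in
        "Active Directory domain range")
            echo ipa-ad-trust; return 0 ;;
        "Active Directory trust range with POSIX attributes")
            echo ipa-ad-trust-posix; return 2 ;;
        *)
            echo "unknown:$rtype"; return 1 ;;
    esac
}

# Count, in an SSSD domain log on stdin, the ldap_search_ext calls whose filter
# asks AD for uidNumber/gidNumber; any hit means SSSD believes AD holds POSIX IDs.
posix_filter_searches() {
    grep -E -c 'ldap_search_ext with \[.*\((uidNumber|gidNumber)=\*\)' || true
}

# Print (do not run) the trust rebuild from Justin's reply for an AD domain.
rebuild_trust_commands() {
    domain="$1"
    upper=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    printf 'ipa trust-del %s\n' "$domain"
    printf "ipa idrange-del '%s_id_range'\n" "$upper"
    printf 'ipa trust-add %s --range-type=ipa-ad-trust\n' "$domain"
}

# Usage: diagnose <idrange output file> <sssd domain log> <ad domain>
# Returns 0 for an ID-mapping range, 2 when the range needs rebuilding.
diagnose() {
    rt=$(range_type_of < "$1")
    hits=$(posix_filter_searches < "$2")
    if [ "$rt" = ipa-ad-trust-posix ]; then
        echo "range type $rt: SSSD expects uidNumber/gidNumber in AD ($hits such searches logged)"
        echo "rebuild with:"
        rebuild_trust_commands "$3"
        return 2
    fi
    echo "range type $rt ($hits POSIX-filtered searches logged)"
    [ "$rt" = ipa-ad-trust ]
}

# Constructed inputs: two idrange-show outputs and a two-line domain log whose
# first filter mirrors the one Igor posted.
tmp=$(mktemp -d)
cat > "$tmp/idrange-posix.txt" <<'EOF'
  Range name: AD.DOMAIN_id_range
  First Posix ID of the range: 1050000000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-1111111111-2222222222-3333333333
  Range type: Active Directory trust range with POSIX attributes
EOF
cat > "$tmp/idrange-map.txt" <<'EOF'
  Range name: AD.DOMAIN_id_range
  First Posix ID of the range: 1050000000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-1111111111-2222222222-3333333333
  Range type: Active Directory domain range
EOF
cat > "$tmp/sssd_ipa.domain.log" <<'EOF'
(Tue Aug  1 11:20:16 2017) [sssd[be[ipa.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=domain\20admins)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0))))][DC=ad,DC=domain].
(Tue Aug  1 11:20:16 2017) [sssd[be[ipa.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=group)(sAMAccountName=*))][DC=ad,DC=domain].
EOF

diagnose "$tmp/idrange-posix.txt" "$tmp/sssd_ipa.domain.log" ad.domain || :
diagnose "$tmp/idrange-map.txt" "$tmp/sssd_ipa.domain.log" ad.domain || :
```

On a real master, feed it `ipa idrange-show AD.DOMAIN_id_range` output and /var/log/sssd/sssd_<ipa domain>.log; the commands it prints delete and recreate the trust, so run them only once you have confirmed that no machine relies on the IDs the old range handed out.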
On Wed, Aug 02, 2017 at 11:40:46AM -0000, Igor Sever via FreeIPA-users wrote:
There is no gidNumber attribute on AD group objects. If I want to apply posix attributes directly in AD, then I don't need FreeIPA, do I...
Many users and customers have an existing environment where some machines are enrolled directly to AD and new ones are being added directly to IPA, and they want to use the same POSIX IDs everywhere.
Others choose to ID-map.
As per why the idrange was selected as posix, see Justin's answer.
https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-ma...
Well, only the tools are deprecated, the schema is there to stay.
On Wed, 02 Aug 2017, Igor Sever via FreeIPA-users wrote:
There is no gidNumber attribute on AD group objects. If I want to apply posix attributes directly in AD, then I don't need FreeIPA, do I... https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-ma...
Can you show details about your trust configuration?
# ipa trust-show my.ad.domain
# ipa idrange-show MY.AD.DOMAIN_id_range
My hunch is that you established a trust with an ID range that defines you have POSIX IDs in your Active Directory. Thus, SSSD assumes you have allocated uidNumber/gidNumber yourself in user/group entries in AD LDAP.
If you definitely don't have POSIX IDs in AD, then it might be that you had at some point NIS integration enabled on AD side and thus 'ipa trust-add' detected appropriate settings for this mode in AD and configured the ID range accordingly.
It is obvious that FreeIPA integration with AD is not production ready, and probably never will be for numerous reasons, just like samba...
It does not help to throw accusations without providing any details on how you configured a system.
I didn’t specify any ID range. This was all done automagically by setup. I read a lot of documentation, and I can’t remember that ever been mentioned. We indeed had NIS at some point, but this is not supported any more by MS, and FreeIPA should not just presume that we have gidNumber on all accounts. Where should I look for settings that you specify?
On Thu, 03 Aug 2017, Igor Sever via FreeIPA-users wrote:
I didn’t specify any ID range. This was all done automagically by setup. I read a lot of documentation, and I can’t remember that ever been mentioned. We indeed had NIS at some point, but this is not supported any more by MS, and FreeIPA should not just presume that we have gidNumber on all accounts. Where should I look for settings that you specify?
For a succinct answer look at what Justin wrote you yesterday.
Documentation is available here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
You have all the options to either go with automated detection or override which ID range type to use.
It looks like my problems with AD trust on the server side went away when I upgraded to FreeIPA 4.5 using CentOS 7.4 packages, but unfortunately this is only half of the way. I have a lot of SLES 11 and 12 servers, but it looks like the SSSD that comes with SLES is not as fully featured as RHEL or CentOS. Basic authentication is working, but policies are not working because group membership is not available on the SLES SSSD client (when checking with the id command). Even on SLES 12 SP1 I cannot get it to work.
In krb5_child.log I see the error:
[validate_tgt] (0x0040): sss_extract_and_send_pac failed, group membership for user with principal [******] might not be correct.
When I try to enable the PAC service, starting SSSD fails and I get:
[service_startup_handler] (0x0010): Could not exec /usr/lib/sssd/sssd_pac --debug-to-files, reason: No such file or directory
I installed all packages related to SSSD and all dependencies. Is the PAC service necessary for group resolution? Is there any other option?
On 10 Sep 2017, at 16:36, Igor Sever via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
It looks like my problems with AD trust on the server side went away when I upgraded to FreeIPA 4.5 using CentOS 7.4 packages, but unfortunately this is only half of the way. I have a lot of SLES 11 and 12 servers, but it looks like the SSSD that comes with SLES is not as fully featured as RHEL or CentOS. Basic authentication is working, but policies are not working because group membership is not available on the SLES SSSD client (when checking with the id command). Even on SLES 12 SP1 I cannot get it to work.
In krb5_child.log I see the error:
[validate_tgt] (0x0040): sss_extract_and_send_pac failed, group membership for user with principal [******] might not be correct.
When I try to enable the PAC service, starting SSSD fails and I get:
[service_startup_handler] (0x0010): Could not exec /usr/lib/sssd/sssd_pac --debug-to-files, reason: No such file or directory
I installed all packages related to SSSD and all dependencies. Is the PAC service necessary for group resolution? Is there any other option?
Umm, how old is the sssd there? What version?
sssd-krb5-common-1.11.5.1-14.1.x86_64
sssd-32bit-1.11.5.1-28.1.x86_64
sssd-ad-1.11.5.1-14.1.x86_64
sssd-ipa-1.11.5.1-14.1.x86_64
python-sssd-config-1.11.5.1-14.1.x86_64
sssd-1.11.5.1-14.1.x86_64
sssd-tools-1.11.5.1-14.1.x86_64
sssd-krb5-1.11.5.1-14.1.x86_64
sssd-ldap-1.11.5.1-14.1.x86_64
ipa-client:~ # rpm -qa | grep krb5
sssd-krb5-common-1.11.5.1-14.1.x86_64
krb5-plugin-preauth-pkinit-1.12.1-19.1.x86_64
libndr-krb5pac0-4.2.4-28.3.1.x86_64
krb5-1.12.1-36.4.x86_64
libndr-krb5pac0-32bit-4.2.4-28.3.1.x86_64
krb5-client-1.12.1-19.1.x86_64
sssd-krb5-1.11.5.1-14.1.x86_64
krb5-32bit-1.12.1-36.4.x86_64
On the SUSE site there is no info about integration with FreeIPA. They are mostly focused on LDAP authentication. No mention of sssd_pac existing in their sssd packages. I think I am out of luck with this.
Can I use FreeIPA as Kerberos and LDAP provider (not as IPA) and still use policies somehow?
On (11/09/17 07:42), Igor Sever via FreeIPA-users wrote:
Can I use FreeIPA as Kerberos and LDAP provider (not as IPA) and still use policies somehow?
Yes you can, but sssd-1.11.5.1 was quite broken and contained many bugs. 1.11.8 should be much better but from sssd upstream POV 1.13 is long term maintenance branch. Older branches are not supported by upstream anymore.
LS
Unfortunately, I cannot upgrade systems and packages as I would like because of legacy applications. Is there information somewhere on how I would approach configuring SSSD to use FreeIPA as a Kerberos and LDAP provider with policies working? I can only find where access is enforced with an LDAP filter in the SSSD configuration in that case. Thanks.
On Tue, 12 Sep 2017, Igor Sever via FreeIPA-users wrote:
Unfortunately, I cannot upgrade systems and packages as I would like because of legacy applications. Is there information somewhere on how I would approach configuring SSSD to use FreeIPA as a Kerberos and LDAP provider with policies working? I can only find where access is enforced with an LDAP filter in the SSSD configuration in that case. Thanks.
If the SUSE version of SSSD is built without the IPA provider, then HBAC rules wouldn't be available. Part of the functionality is implemented in the IPA provider and does not exist in a pure LDAP provider.
There is IPA provider, but no sssd_pac module. [service_startup_handler] (0x0010): Could not exec /usr/lib/sssd/sssd_pac --debug-to-files, reason: No such file or directory