Hi!
This is my first FreeIPA setup that needs to be trusted against AD. I spent some hours debugging my issue but I need some help:
root@auth1 ~ # ipa trust-add --two-way=true --type=ad intra.example.com --admin administrator --password
Active Directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code "3221225581", message "The attempted logon is invalid. This is either due to a bad username or authentication information." (both may be "None")
I've also tried "administrator@intra.example.com" as well as another administrative account with domain admin privileges. The password is 100% fine and works for ldapadmin (windows tool) as well as windows logons.
DNS is also fine: I set up forwarding of "intra.example.com" from IPA to the AD domain and reverse "auth.example.com" from AD to IPA.
WORKS: ldapsearch -H ldap://192.168.80.1:389 -x -W -D "administrator@intra.example.com" -b "dc=intra,dc=example,dc=com" -d8
Environment: Debian Sid, FreeIPA 4.7.2
Did I miss something? What am I doing wrong here?
Kind regards Kevin
Sorry, version is: 4.8.3
I also receive this error regardless of the DNS domain I enter...
Kind regards Kevin
On Tue, 24 Dec 2019 at 00:41, Kevin Olbrich ko@sv01.de wrote:
On Tue, 24 Dec 2019, Kevin Olbrich via FreeIPA-users wrote:
Do not use Debian/Ubuntu for an IPA master with the trust controller role. Samba in Debian/Ubuntu is built against the Heimdal Kerberos implementation, while the 'ipasam' component of FreeIPA (a plugin to Samba) can only be compiled against MIT Kerberos. The two implementations cannot be mixed in the same address space when 'smbd' or 'winbindd' processes are operating, thus it is not possible to use an IPA master with the trust controller role on Debian/Ubuntu distributions right now.
This might change when Samba upstream fully switches to MIT Kerberos and Debian/Ubuntu stop building against Heimdal, but this is not going to happen any time soon for technical reasons, as there are a few important fixes that need to be developed in both MIT Kerberos and Samba first. This work is ongoing, and even though it all affects the configuration of Samba that FreeIPA is not using, distributions generally do not ship two different versions of Samba (each built against its own Kerberos implementation), so the end result is that the Debian/Ubuntu version of Samba is not suitable for FreeIPA integration.
An older bug https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1552249 was used to track it in Ubuntu, but the actual work is happening in Samba and MIT Kerberos upstream, not downstream. Thus, you wouldn't get any movement on the Ubuntu or Debian side here.
Hi Alexander,
Thanks for your input. Indeed, Debian still compiles against Heimdal. I've added both devel MLs for Debian, maybe someone can give some input on what's needed to get "freeipa-server-trust-ad" working.
@Debian Team: If there is something I can test, please let me know! I know Sid is not for production but I would like to see FreeIPA in Bullseye.
Ref.: https://packages.debian.org/en/sid/freeipa-server-trust-ad
Fedora 31: HAVE_LIBKADM5SRV_MIT SAMBA_USES_MITKDC
Debian Sid: SAMBA4_USES_HEIMDAL
I will try Fedora 31 / CentOS 8 then.
Kind regards Kevin
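A pre-flight check for the constraint Alexander describes (FreeIPA's ipasam plugin only works inside a Samba built against MIT Kerberos) and for the build flags Kevin reports, written here as an added example; it is not code from the thread, from FreeIPA or from Samba. It assumes those flag names come from `smbd -b` output (which prints Samba's build-time defines) and runs on constructed excerpts of that output. It also renders the decimal NT status that `ipa trust-add` printed in its usual hex form: 3221225581 is 0xC000006D, STATUS_LOGON_FAILURE, a generic logon failure that on its own cannot tell a wrong password from a Samba build that cannot work with the IPA KDC at all, which is why checking the build before `ipa-adtrust-install` is worthwhile.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Samba.
# Pre-flight check before enabling the trust controller role
# (ipa-adtrust-install): ipasam needs a Samba built against MIT Kerberos,
# so a Heimdal-based Samba (Debian/Ubuntu) cannot serve the trust.
# Assumption: the defines Kevin quoted appear in `smbd -b` output.

# Classify Samba's Kerberos backend from `smbd -b` text read on stdin.
# Prints one of: mit, heimdal, unknown. Always returns 0.
classify_samba_kerberos() {
    build_opts=$(cat)
    if printf '%s\n' "$build_opts" | grep -q 'SAMBA4_USES_HEIMDAL'; then
        echo heimdal
    elif printf '%s\n' "$build_opts" | grep -Eq 'SAMBA_USES_MITKDC|HAVE_LIBKADM5SRV_MIT'; then
        echo mit
    else
        echo unknown
    fi
}

# Returns 0 only when the build is MIT-based (trust controller role possible).
trust_controller_supported() {
    [ "$(classify_samba_kerberos)" = mit ]
}

# Render the decimal NT status that FreeIPA prints as hex.
# 3221225581 -> 0xC000006D (STATUS_LOGON_FAILURE).
ntstatus_hex() {
    printf '0x%08X\n' "$1"
}

# Constructed excerpts standing in for real `smbd -b` output; the real
# output is much longer, only the define lines matter for this check.
SAMPLE_FEDORA_SMBD_B='Build environment:
   Built by:    constructed-sample
 HAVE_* type definitions:
   HAVE_LIBKADM5SRV_MIT
   SAMBA_USES_MITKDC'

SAMPLE_DEBIAN_SMBD_B='Build environment:
   Built by:    constructed-sample
 HAVE_* type definitions:
   HAVE_KRB5
   SAMBA4_USES_HEIMDAL'

# Demonstration on the samples. On a real IPA server run:
#   smbd -b | classify_samba_kerberos
for sample in "$SAMPLE_FEDORA_SMBD_B" "$SAMPLE_DEBIAN_SMBD_B"; do
    if printf '%s\n' "$sample" | trust_controller_supported; then
        echo "MIT Kerberos build: trust controller role is possible"
    else
        backend=$(printf '%s\n' "$sample" | classify_samba_kerberos)
        echo "Not an MIT Kerberos build ($backend): ipa-adtrust-install will not work"
    fi
done
echo "ipa trust-add error code 3221225581 is $(ntstatus_hex 3221225581) (STATUS_LOGON_FAILURE)"
```

Run it on the IPA master itself (as root, since `smbd -b` is in /usr/sbin on most distributions) before attempting `ipa trust-add`; the thread's outcome is exactly what the `heimdal` branch predicts.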
On Tue, 24 Dec 2019 at 08:57, Alexander Bokovoy abokovoy@redhat.com wrote:
--
Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
On Tue, 24 Dec 2019, Kevin Olbrich via FreeIPA-users wrote:
Hi Alexander,
Thanks for your input. Indeed, Debian still compiles against Heimdal. I've added both devel MLs for Debian, maybe someone can give some input on what's needed to get "freeipa-server-trust-ad" working.
@Debian Team: If there is something I can test, please let me know! I know Sid is not for production but I would like to see FreeIPA in Bullseye.
Ref.: https://packages.debian.org/en/sid/freeipa-server-trust-ad
Debian makes Samba AD DC available, and that takes priority over FreeIPA. Once we get MIT Kerberos to support all required features for Samba AD DC, I'm sure Debian will consider unifying their build too.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org