We've set up a two-way trust with AD and it seems to have worked, but it doesn't look like it is working correctly.
The Kerberos commands (kinit and kvno) work fine, but things like 'id aduser@addomain.example.com' and 'getent passwd aduser@addomain.example.com' don't work.
# ipa trust-add --type ad addomain.example.com --admin adadmin --password --two-way=true
Active Directory domain administrator's password:
-----------------------------------------------------
Added Active Directory trust for realm "addomain.example.com"
-----------------------------------------------------
  Realm name: addomain.example.com
  Domain NetBIOS name: ADDOMAIN
  Domain Security Identifier: S-1-5-21-2229161606-873856335-779138662
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

# kinit aduser@addomain.example.com
Password for aduser@addomain.example.com:

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_o3D2R5S
Default principal: aduser@ADDOMAIN.EXAMPLE.COM

Valid starting       Expires              Service principal
07/20/2017 12:16:41  07/20/2017 22:16:41  krbtgt/ADDOMAIN.EXAMPLE.COM@ADDOMAIN.EXAMPLE.COM
        renew until 07/21/2017 12:16:38

# id aduser@addomain.example.com
id: ‘aduser@addomain.example.com’: no such user
Is this the best way to test the trust?
We are running FreeIPA 4.4 and Windows Server 2012 R2.
When setting up the trust we needed to modify /etc/hosts as described in https://bugzilla.redhat.com/show_bug.cgi?id=878168
Thanks, Steve
On Thu, Jul 20, 2017 at 12:20:31PM -0400, Steve Weeks via FreeIPA-users wrote:
Since the trust is two-way, can you kinit using the system keytab and try searching the AD DC? e.g.
kinit -k
ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b ""
that should return the rootDSE and give you the ldap/your.ad.dc ticket in the process if the trust works OK.
Looks like I got the rootDSE, 109 lines of information and got the following at the end. I don't know much about ldap so I'm guessing this was successful. And, yes I did get a ldap/ad.cd ticket. What should I look at next?
Thanks, Steve
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 6
forestFunctionality: 6
domainControllerFunctionality: 6

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
On Thu, Jul 20, 2017 at 3:21 PM, Jakub Hrozek jhrozek@redhat.com wrote:
On Fri, Jul 21, 2017 at 05:53:57AM -0400, Steve Weeks via FreeIPA-users wrote:
Looks like I got the rootDSE, 109 lines of information and got the following at the end. I don't know much about ldap so I'm guessing this was successful.
Yes, so the trust indeed works.
And, yes I did get a ldap/ad.cd ticket. What should I look at next?
SSSD on the server itself. Please check out https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html, hopefully the server-side sssd logs would help.
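The checks Jakub asked for, in the order the thread applies them, as an added example script that is not from the thread or from FreeIPA itself: it separates a Kerberos failure from a trust failure (GSSAPI LDAP read of the AD DC's rootDSE) and from an identity-lookup failure in SSSD, which is where Steve's problem turned out to be. AD_DC (a domain controller FQDN) and AD_USER (a user in the trusted domain) are assumed environment variables; the two parsing helpers work on captured ldapsearch and klist output and need no network.

```shell
#!/bin/sh
# Added example, not a command from the thread. Runs the diagnostic steps in
# order so that a failure is pinned to local Kerberos, to the trust itself
# (GSSAPI LDAP against the AD DC), or to identity lookup through SSSD.
# Assumed inputs: AD_DC (an AD domain controller's FQDN) and AD_USER
# (a user in the trusted domain, e.g. aduser@addomain.example.com).

# Read ldapsearch LDIF output on stdin; succeed only if the rootDSE search
# ended with LDAP result code 0 and returned at least one entry.
rootdse_ok() {
    awk '/^result: 0 /      { ok = 1 }
         /^# numEntries: /  { n = $3 }
         END                { exit !(ok && n >= 1) }'
}

# Read klist output on stdin; succeed if a service ticket for the DC's LDAP
# service is present, which shows the host keytab crossed the trust.
has_ldap_ticket() {
    grep -qF " ldap/$1@"
}

main() {
    : "${AD_DC:?set AD_DC to the AD domain controller FQDN}"
    : "${AD_USER:?set AD_USER to a trusted-domain user}"

    # Stage 1: a TGT for the IPA host principal from its own keytab.
    if ! kinit -k; then
        echo "FAIL: kinit -k with /etc/krb5.keytab; local Kerberos is broken"; return 1
    fi
    # Stage 2: authenticated rootDSE read over GSSAPI (no password involved).
    if ldapsearch -Y GSSAPI -H "ldap://$AD_DC" -s base -b "" 2>/dev/null | rootdse_ok; then
        echo "OK:   rootDSE read from $AD_DC over GSSAPI, the trust works"
    else
        echo "FAIL: GSSAPI rootDSE read from $AD_DC; check the trust, DNS and /etc/hosts"; return 1
    fi
    if klist | has_ldap_ticket "$AD_DC"; then
        echo "OK:   ldap/$AD_DC service ticket obtained"
    fi
    # Stage 3: identity lookup goes through SSSD, not Kerberos.
    if id "$AD_USER" >/dev/null 2>&1; then
        echo "OK:   SSSD resolves $AD_USER"
    else
        echo "FAIL: trust works but SSSD cannot resolve $AD_USER;"
        echo "      raise debug_level in /etc/sssd/sssd.conf and read the server-side logs"
        return 2
    fi
}

# Only run the live checks when the caller supplied a DC.
if [ -n "${AD_DC:-}" ]; then main; fi
```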
Fixed.
It doesn't make sense to me, but there was an old broken trust to a different AD that was clearly, from the logs, getting checked *after* the new domain. The logs showed that there was a result from the new domain, but not enough detail to see what was going on. I removed the old domain only because it was polluting the logs, bumped the log level to get more detail, and now everything works fine.
The link to the SSSD troubleshooting page was very valuable. Thanks!
On Fri, Jul 21, 2017 at 10:12 AM, Jakub Hrozek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: