On Mon, Jul 24, 2017 at 9:25 AM, Jakub Hrozek jhrozek@redhat.com wrote:
On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote:
On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" < freeipa-users@lists.fedorahosted.org> wrote:
On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via FreeIPA-users wrote:
I have been trying to reliably get an AD trust setup for a few weeks and no matter what I try, when I go to add AD users to an external group in FreeIPA, I get:
"trusted domain object not found"
Googling around tends to always yield the same suggestions:
- Check time sync
- Check DNS
- Check firewall
I have done all of this ad nauseam in several different environments with several different versions of FreeIPA and Windows servers. I have gotten a setup to work maybe 2% of the time out of hundreds of attempts.
I am currently using FreeIPA 4.5.2 on Fedora 25 (out of the COPR repo). I am trying to establish trust with a mixed Windows 2012 & 2008 forest. I have tried both one and two way trusts. Everything seems to work fine up until I try to add AD users to FreeIPA.
I have verified all of the requisite DNS records exist and return the proper information on both sides, there are no firewalls between any of the hosts, and the AD servers and FreeIPA servers are synchronized by the same NTP servers.
What could I possibly be missing?
Can you resolve the object you're trying to add with sssd?
e.g. id foo@windows.domain
No. I can log in via Kerberos, kinit user@ad.domain. But neither id user@ad.domain nor getent passwd user@ad.domain are successful.
Then please follow https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
Jakub,
Thank you for the support thus far. I have followed some suggestions in the sssd troubleshooting link you provided. I am seeing these errors whenever I try to perform an operation that would look up an AD user, e.g. id user@ad.domain. I am performing the user lookups on the primary IPA server itself.
*sssd.conf:*
[domain/ipa.domain]
debug_level = 10
cache_credentials = True
enumerate = False
krb5_store_password_if_offline = True
ipa_domain = ipa.domain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa01.ipa.domain
chpass_provider = ipa
ipa_server = _srv_
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = sudo, nss, ifp, pam, ssh, pac
debug_level = 10
domains = ipa.domain
[nss]
debug_level = 10
[pam]
debug_level = 10
[sudo]
debug_level = 10
[autofs]
debug_level = 10
[ssh]
debug_level = 10
[pac]
debug_level = 10
[ifp]
debug_level = 10
[secrets]
debug_level = 10
*sssd.log (debug 10 on everything):*
Jul 24 13:19:40 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:40 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:40 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:40 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:40 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 2
Jul 24 13:19:46 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:46 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:19:46 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:46 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:46 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:46 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:46 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 2
Jul 24 13:19:52 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:52 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:19:52 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:52 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:52 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:52 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 2
Jul 24 13:19:58 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:58 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:19:58 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:19:58 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].
Jul 24 13:19:58 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:58 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:58 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 1
Jul 24 13:19:58 ipa01.ipa.domain sssd_be[6537]: GSSAPI client step 2
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[be[ipa.domain]]] [fo_resolve_service_send] (0x0020): No available servers for service 'IPA'
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[be[ipa.domain]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[be[ipa.domain]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [11]: Resource temporarily unavailable.
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #39: Data Provider Error: 1, 11, Offline
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #40: Data Provider Error: 1, 11, Offline
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #39: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #40: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #39: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #40: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #42: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #43: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #43: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #43: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #44: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #45: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #45: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #45: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #46: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #47: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #47: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #47: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #48: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #49: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #49: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #49: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
Jul 24 13:20:04 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:04 2017) [sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #50: Data Provider Error: 3, 5, Failed to get reply from Data Provider
Jul 24 13:20:06 ipa01.ipa.domain sssd[6535]: (Mon Jul 24 13:20:06 2017) [sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [389].