One thing to check which was our problem when we first implemented this is that every user
must have a gidNumber assigned and that gidNumber has to be assigned to a group existing
in AD (might work if the group is just in IPA, never tested that). Also, all of the
groups that a user is a member of need to have a gidNumber assigned in AD. That fixed the
vast majority of our issues when first implementing.
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
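An added example (not code from the thread or from FreeIPA): a small Python checker for the three conditions Bob lists, namely that the user object has a gidNumber, that an AD group carries that gidNumber, and that every group in the user's memberOf also carries one. The user and group records are constructed samples with hypothetical DNs and gidNumbers, standing in for what you would collect with ldapsearch against the AD domain controller.

```python
# Constructed sample records standing in for ldapsearch output from the AD
# domain controller (hypothetical DNs and gidNumbers, not from the thread).
SAMPLE_GROUPS = {
    "CN=linux-users,OU=Groups,DC=domain,DC=ad": {"gidNumber": 10000},
    "CN=developers,OU=Groups,DC=domain,DC=ad": {"gidNumber": 10001},
    "CN=vpn,OU=Groups,DC=domain,DC=ad": {},  # no gidNumber: breaks the lookup
}
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "gidNumber": 10000,
     "memberOf": ["CN=developers,OU=Groups,DC=domain,DC=ad",
                  "CN=linux-users,OU=Groups,DC=domain,DC=ad"]},
    {"sAMAccountName": "brian", "gidNumber": 10000,
     "memberOf": ["CN=vpn,OU=Groups,DC=domain,DC=ad"]},
    {"sAMAccountName": "carol",  # no gidNumber at all
     "memberOf": ["CN=linux-users,OU=Groups,DC=domain,DC=ad"]},
    {"sAMAccountName": "dave", "gidNumber": 20000, "memberOf": []},
]


def check_posix_attrs(user, groups_by_dn):
    """Return the list of findings for one AD user (empty means it passes)."""
    name = user.get("sAMAccountName", "<unknown>")
    findings = []
    gid = user.get("gidNumber")
    if gid is None:
        findings.append(f"{name}: no gidNumber on the user object")
    else:
        # The primary group must exist in AD with exactly this gidNumber.
        known_gids = {g["gidNumber"] for g in groups_by_dn.values()
                      if "gidNumber" in g}
        if gid not in known_gids:
            findings.append(f"{name}: gidNumber {gid} matches no AD group")
    # Every group the user belongs to needs a gidNumber as well.
    for dn in user.get("memberOf", []):
        group = groups_by_dn.get(dn)
        if group is None:
            findings.append(f"{name}: member of unknown group {dn}")
        elif "gidNumber" not in group:
            findings.append(f"{name}: group {dn} has no gidNumber")
    return findings


def audit(users=SAMPLE_USERS, groups=SAMPLE_GROUPS):
    """Map each sAMAccountName to its findings."""
    return {u["sAMAccountName"]: check_posix_attrs(u, groups) for u in users}


if __name__ == "__main__":
    for name, problems in audit().items():
        print(name, "OK" if not problems else "; ".join(problems))
```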
On Oct 28, 2019, at 4:52 AM, Alexander Bokovoy via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
On Mon, 28 Oct 2019, Danijel Bojic via FreeIPA-users wrote:
> Hi dear freeipa-users :D
>
> I am currently testing FreeIPA in a Windows Active Directory
> environment.
>
> The goal is to use this as a productive secondary domain with a one-way
> trust from AD to FreeIPA. (We have lots of developers that work with
> Linux clients (Fedora and CentOS) as well as want to profit from their
> already existing user account in the AD environment. This will also
> make it easier for the IT to track which clients/VMs etc. are domain
> joined and which are not and would allow us to restrict them slightly
> on our systems.)
>
> I did the installation following the manual on the FreeIPA page.
>
> After that I had to troubleshoot why AD users are not getting correct
> UID/GID assigned from AD -->
> https://www.reddit.com/r/linuxadmin/comments/dcb1xh/freeipa_and_windows_a...
>
> I fixed that by doing the said thing by deleting established trust,
> re-adding trust with correct parameters, deleting sssd cache.
>
> Now I'm facing something else that has been giving me a headache for a few days.
>
> I am unable to login to AD users from IPA joined Client.
>
> ipa-client-install etc. done, and should be fine.
>
> But I'm unable to su to the user, or ssh, or get info with id or getent passwd user.
>
> I can kinit into said user though from the client, that's why I'm guessing
> that ipa-client-install worked.
kinit with AD user has nothing to do with FreeIPA. You talk to AD DCs
here, avoiding FreeIPA infra.
> And from ipa server off, I'm also able to log in to the user like
> intended (ssh, su, getent, id all work fine).
>
> I added debug_level 9 to sssd but I'm unable to identify the problem.
The log below is only for SSSD on IPA client. The log shows that the
client asked IPA master to resolve AD users and that one failed. But you
haven't provided SSSD logs for the same timeframe from IPA master.
See here:
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html#common-ipa-p...
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [user(a)domain.ad] to IPA server
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 21
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [sdap_op_add] (0x2000): New operation 21 timeout 6
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [sdap_process_result] (0x2000): Trace: sh[0x55a487f69200], connected[1], ops[0x55a487f7d750], ldap[0x55a487f688d0]
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [sdap_op_destructor] (0x2000): Operation 21 finished
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55a487f97630
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org