On Mon, 28 Oct 2019, Danijel Bojic via FreeIPA-users wrote:
> Hi dear freeipa-users :D
> I am currently testing FreeIPA in a Windows Active Directory
> environment.
> The goal is to use this as a productive secondary domain with a one-way
> trust from AD to FreeIPA. (We have lots of developers that work with
> Linux clients (Fedora and CentOS) as well as want to profit from their
> already existing user account in the AD environment. This will also
> make it easier for the IT to track which clients/VMs etc. are domain
> joined and which are not and would allow us to restrict them slightly
> on our systems.)
> I did the installation following the manual on the FreeIPA page.
> After that I had to troubleshoot why AD users are not getting correct
> UID/GID assigned from AD -->
> https://www.reddit.com/r/linuxadmin/comments/dcb1xh/freeipa_and_windows_a...
> I fixed that by doing the said thing by deleting established trust,
> re-adding trust with correct parameters, deleting sssd cache.
> Now I'm facing something else that has given me a headache for a few days.
> I am unable to log in to AD users from an IPA-joined client.
> ipa-client-install etc. done, and should be fine.
> But I'm unable to su to the user, or ssh, or get info with id or getent passwd user.
> I can kinit into said user though from the client, that's why I'm guessing
> that ipa-client-install worked.
kinit with an AD user has nothing to do with FreeIPA. You talk to AD DCs here, avoiding FreeIPA infra.
> And from ipa server off, I'm also able to log in to the user like
> intended (ssh, su, getent, id all work fine).
> I added debug_level 9 to sssd but I'm unable to identify the problem.
The log below is only for SSSD on the IPA client. The log shows that the client asked the IPA master to resolve AD users and that one failed. But you haven't provided SSSD logs for the same timeframe from the IPA master.

See here:
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html#common-ipa-p...
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [user(a)domain.ad] to IPA server
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 21
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [sdap_op_add] (0x2000): New operation 21 timeout 6
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [sdap_process_result] (0x2000): Trace: sh[0x55a487f69200], connected[1], ops[0x55a487f7d750], ldap[0x55a487f688d0]
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [sdap_op_destructor] (0x2000): Operation 21 finished
> (Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55a487f97630
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
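The correlation Alexander asks for above (the client's s2n request to the IPA master, its LDAP extended-operation result, and the matching timeframe on the master), as an added example that is not part of the thread or of SSSD: a small Python parser for SSSD debug_level 9 lines that ties each trust-user lookup to its result and reports the window to pull from the IPA master's own SSSD log. The sample log is constructed from the lines quoted above with a placeholder user name; the 5-second window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the debug_level 9 lines quoted above;
# the user name is a placeholder, not a real account.
SAMPLE_LOG = """\
(Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [user@domain.ad] to IPA server
(Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 21
(Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [sdap_op_add] (0x2000): New operation 21 timeout 6
(Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Fri Oct 25 15:08:44 2019) [sssd[be[domain.test]]] [sdap_op_destructor] (0x2000): Operation 21 finished
"""

# One SSSD debug line: (timestamp) [sssd[component[domain]]] [function] (level): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[\w+\[(?P<domain>[^\]]+)\]\]\] "
                     r"\[(?P<func>[^\]]+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
REQ_RE = re.compile(r"for trust user \[(?P<user>[^\]]+)\] to IPA server")
SENT_RE = re.compile(r"msgid = (?P<msgid>\d+)")
DONE_RE = re.compile(r"ldap_extended_operation result: (?P<result>[^,]+),")
FIN_RE = re.compile(r"Operation (?P<msgid>\d+) finished")

def find_failed_s2n_lookups(log_text, window=timedelta(seconds=5)):
    """Tie each trust-user lookup the client sends to the IPA master (the s2n
    extended operation) to its LDAP result; return the ones that did not succeed,
    with the time window to pull from the IPA master's own SSSD log."""
    pending, in_flight, last_result, failures = None, {}, None, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "ipa_s2n_get_acct_info_send" and (r := REQ_RE.search(msg)):
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            pending = {"user": r.group("user"), "domain": m.group("domain"), "ts": ts}
        elif func == "ipa_s2n_exop_send" and pending and (s := SENT_RE.search(msg)):
            in_flight[int(s.group("msgid"))] = pending   # msgid is logged one line later
            pending = None
        elif func == "ipa_s2n_exop_done" and (d := DONE_RE.search(msg)):
            last_result = d.group("result").strip()      # this line carries no msgid...
        elif func == "sdap_op_destructor" and last_result and (f := FIN_RE.search(msg)):
            req = in_flight.pop(int(f.group("msgid")), None)  # ...so tie it to the
            if req and last_result != "Success(0)":            # "Operation N finished" that follows
                req.update(msgid=int(f.group("msgid")), result=last_result,
                           server_log_window=(req["ts"] - window, req["ts"] + window))
                failures.append(req)
            last_result = None
    return failures
```

Run it over the client's sssd_<domain>.log; each entry names the user, the LDAP result and the timestamps to look for in the master's log.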