Alexander,
Enable debugging for IPA server framework by creating a file
/etc/ipa/server.conf with the following content:
--------
[global]
debug=True
--------
Restart httpd and try again. Then collect logs and show that access
attempt. The logs you attached so far only contain Apache modules'
debugging information, not IPA framework's one.
Thanks for your reply. I went ahead and disabled the debug logs via
httpd/conf.d/nss.conf to "warn", and now am only using server.conf
"debug=True" (which was already set). I've attached the logs
generated via a fresh request and `tail -f krb5kdc.log
httpd/{access,error}_log dirsrv/slapd-IPA-DOMAIN-COM/{access,error}`,
but you'll see that there is much less output.
Other than self-management, you wouldn't achieve anything in
FreeIPA 4.6
for that. Web UI / CLI administration with AD users is only available in
RHEL 8.0 beta.
Right. I did see a post suggesting limited AD user access in terms of
Web UI and cli, but the post below suggests that ipa cli access was/is
available as of FreeIPA 4.5.0:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Looks like fine -- the framework actually asked for the ldap/...
ticket
on behalf of AD user, so S4U2Proxy did work. Can you see anything in
LDAP server access logs at the same time?
Thanks for the suggestion. There is a "SASL(-14) authorization
failure" in the dirsrv/INSTANCE/access log, but no entries within the
dirsv/INSTANCE/error log; I've attached a copy of the relevant log
entries.
John DeSantis
Il giorno lun 8 apr 2019 alle ore 14:46 Alexander Bokovoy
<abokovoy(a)redhat.com> ha scritto:
>
> On ma, 08 huhti 2019, John Desantis via FreeIPA-users wrote:
> >Hello all,
> >
> >I'm wondering if anyone could help shed light on why IPA CLI commands
> >fail for a trusted AD user, and why Web UI logins for the same user
> >fail with the message "Your session has expired. Please re-login.",
> >despite creating a view for the user via `ipa idoverrideuser-add
> >'Default Trust View' ad_user(a)ad_domain.com`. The symptoms appear
> >almost identical to the post [0], except that the cli and Web UI were
> >never working previously.
Enable debugging for IPA server framework by creating a file
/etc/ipa/server.conf with the following content:
--------
[global]
debug=True
--------
Restart httpd and try again. Then collect logs and show that access
attempt. The logs you attached so far only contain Apache modules'
debugging information, not IPA framework's one.
>
> >I am able to login via SSH (on a host with an HBAC configured), and
> >able to `kinit` and obtain the appropriate tickets across the realms.
> >I've configured the system accordingly, per the URL:
> >https://www.freeipa.org/page/Active_Directory_trust_setup.
> >
> >I am running FreeIPA version 4.6.4 with a successful AD Trust (one
> >way) using the range type "ipa-ad-trust-posix", both nodes completely
> >re-provisioned (fresh installation purposes). SELinux is disabled,
> >and the configuration IPA-wise is untouched, with the exception of
> >enabling debugging and editing krb5.conf per the URL:
>
>https://www.freeipa.org/page/Active_Directory_trust_setup#Edit_.2Fetc.2Fkrb5.conf
> >
> >I've attached Apache logs referencing the Web UI and from the console.
> >From what I have found online, it should be possible to allow an AD
> >user to login to Web UI and ipa CLI commands should function, too.
> >All IPA services are running and have been restarted, just in case
> >something was "stuck". The interesting entries within the logs:
> >(Failed to unseal session data!, GSSapiImpersonate not On) seem to be
> >red herrings.
Other than self-management, you wouldn't achieve anything in
FreeIPA 4.6
for that. Web UI / CLI administration with AD users is only available in
RHEL 8.0 beta.
>
> ># /var/log/krb5kdc.log
> >
> >Apr 08 12:01:30
IPASERVER1.ipa.domain.com krb5kdc[10297](info): TGS_REQ (8 etypes
{18 17 20 19 16 23 25 26}) 131.247.188.132: ISSUE: authtime 1554738690, etypes {rep=18
tkt=18 ses=18}, HTTP/IPASERVER1.ipa.domain.com(a)IPA.DOMAIN.COM for
ldap/IPASERVER1.ipa.domain.com(a)IPA.DOMAIN.COM
> >Apr 08 12:01:30
IPASERVER1.ipa.domain.com krb5kdc[10297](info): ...
CONSTRAINED-DELEGATION s4u-client=desantis(a)AD.DOMAIN.COM
> >Apr 08 12:01:30
IPASERVER1.ipa.domain.com krb5kdc[10297](info): closing down fd
11
> >Apr 08 12:01:31
IPASERVER1.ipa.domain.com krb5kdc[10298](info): TGS_REQ (8 etypes
{18 17 20 19 16 23 25 26}) 131.247.188.132: ISSUE: authtime 1554738690, etypes {rep=18
tkt=18 ses=18}, HTTP/IPASERVER1.ipa.domain.com(a)IPA.DOMAIN.COM for
ldap/IPASERVER1.ipa.domain.com(a)IPA.DOMAIN.COM
> >Apr 08 12:01:31
IPASERVER1.ipa.domain.com krb5kdc[10298](info): ...
CONSTRAINED-DELEGATION s4u-client=desantis(a)AD.DOMAIN.COM
> >Apr 08 12:01:31
IPASERVER1.ipa.domain.com krb5kdc[10298](info): closing down fd
11
Looks like fine -- the framework actually asked for the ldap/...
ticket
on behalf of AD user, so S4U2Proxy did work. Can you see anything in
LDAP server access logs at the same time?
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland