Hi All,
We have IPA running in a one-way trust with our AD and it’s working well. However, there are a number of users who belong to an affiliated institution who are nonetheless present in our AD, but with a different UPN suffix from the trust domains. The particulars are:
IPA realm: IPA.LOCALDOMAIN
AD realms: STAFF.LOCALDOMAIN, STUDENT.LOCALDOMAIN

Regular users typically have a UPN of 'firstname.lastname@staff.localdomain'.
The affiliated users have a UPN of 'firstname.lastname@affiliate'.
The trust relationship looks like this on the IPA server:
# ipa trustdomain-find
  Realm name: STAFF.LOCALDOMAIN
  Domain name: staff.localdomain
  Domain NetBIOS name: STAFF
  Domain Security Identifier: S-1-5-21-2593845812-3993450118-3195856661
  Domain enabled: True

  Domain name: student.localdomain
  Domain NetBIOS name: STUDENT
  Domain Security Identifier: S-1-5-21-3906414162-3274047707-1428844997
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
We have a test IPA server with HBAC allow_all and we can ssh to it reliably as a regular user, but when we try to ssh as 'firstname.lastname@affiliate' we see the following exceptions in /var/log/sssd/krb5_child.log:

(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [IPA.LOCALDOMAIN]
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328378][Client 'firstname.lastname@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [map_krb5_error] (0x0020): 1365: [-1765328378][Client 'firstname.lastname@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [main] (0x0400): krb5_child completed successfully
(The test environment is RHEL7.3, running ipa-server-4.4.0-14.el7_3.7.x86_64 and associated packages).
Is this version of IPA able to support trust users with a different UPN suffix, and if so, what special configuration is required to achieve this?
Regards,
Robert.
On Thu, 06 Jul 2017, Robert Sturrock via FreeIPA-users wrote:
> [...]
Can you show 'ipa trust-show staff.localdomain'? It should have a list of additional name suffixes we derive from the AD forest trust. After releasing 4.4.x we found out that there are some deployments where people modify userPrincipalName directly in AD LDAP and thus these name suffixes aren't visible through the trust topology discovery requests.

In 4.5.x I added a way to expand that information manually with 'ipa trust-mod'. You can do that yourself with an LDAP modify of the trust object for the ipantadditionalsuffixes attribute.
Hi Alexander,
On 6 Jul 2017, at 4:55 pm, Alexander Bokovoy abokovoy@redhat.com wrote:
> Can you show 'ipa trust-show staff.localdomain'? It should have a list of additional name suffixes we derive from the AD forest trust. After releasing 4.4.x we found out that there are some deployments where people modify userPrincipalName directly in AD LDAP and thus these name suffixes aren't visible through the trust topology discovery requests.
Yes, I suspect we are in that category, as the affiliate domain is not visible through the trust:
# ipa trust-show staff.localdomain
  Realm name: staff.localdomain
  Domain NetBIOS name: STAFF
  Domain Security Identifier: S-1-5-21-2593845812-3993450118-3195856661
  Trust direction: Trusting forest
  Trust type: Active Directory domain

> In 4.5.x I added a way to expand that information manually with 'ipa trust-mod'. You can do that yourself with an LDAP modify of the trust object for the ipantadditionalsuffixes attribute.

I see. So we can modify that attribute directly in 4.4.x as a way forward with our current installation?
Regards,
Robert.
On Thu, 06 Jul 2017, Robert Sturrock wrote:
> [...]
> I see. So we can modify that attribute directly in 4.4.x as a way forward with our current installation?
Yes. Let me know how it goes. You'd probably want to restart krb5kdc after the change.
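The LDAP modify Alexander describes, written out as an added example (this is not code from the thread or from FreeIPA itself). It builds the LDIF that adds a UPN suffix to the trust object's ipaNTAdditionalSuffixes attribute, checks first that the value is not already present, and restarts krb5kdc afterwards as suggested. The trust object DN layout cn=<ad-domain>,cn=ad,cn=trusts,<base DN>, the base DN dc=ipa,dc=localdomain, the trust name staff.localdomain and the suffix affiliate are all assumptions taken from this thread's naming; adjust them to the real deployment before running with "apply".

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: add a UPN suffix
# to a FreeIPA AD trust object on 4.4.x by modifying ipaNTAdditionalSuffixes.
#
# Assumptions (labelled): the trust object DN is
#   cn=<ad-domain>,cn=ad,cn=trusts,<ipa-base-dn>
# the base DN is dc=ipa,dc=localdomain, the trust is staff.localdomain and
# the suffix to add is "affiliate". Bind is done as Directory Manager.

# Emit a modify LDIF that adds one UPN suffix to the given trust object.
# Arguments: trust domain, IPA base DN, UPN suffix.
suffix_ldif() {
    trust_domain="$1"
    base_dn="$2"
    upn_suffix="$3"
    printf 'dn: cn=%s,cn=ad,cn=trusts,%s\n' "$trust_domain" "$base_dn"
    printf 'changetype: modify\n'
    printf 'add: ipaNTAdditionalSuffixes\n'
    printf 'ipaNTAdditionalSuffixes: %s\n' "$upn_suffix"
}

# Succeed if an LDIF dump of the trust object (on stdin) already lists the
# suffix; adding an existing value would make ldapmodify fail.
has_suffix() {
    grep -qi "^ipaNTAdditionalSuffixes: $1\$"
}

# Apply the change on the IPA server only when called as: sh script.sh apply
# (Directory Manager password is prompted for by ldapsearch and ldapmodify.)
if [ "$1" = "apply" ]; then
    set -e
    BASE_DN="dc=ipa,dc=localdomain"   # assumed base DN
    TRUST="staff.localdomain"         # assumed trust name
    SUFFIX="affiliate"                # assumed UPN suffix
    DN="cn=$TRUST,cn=ad,cn=trusts,$BASE_DN"
    if ldapsearch -LLL -x -D "cn=Directory Manager" -W -b "$DN" ipaNTAdditionalSuffixes \
        | has_suffix "$SUFFIX"; then
        echo "$SUFFIX already present on $DN"
    else
        suffix_ldif "$TRUST" "$BASE_DN" "$SUFFIX" \
            | ldapmodify -x -D "cn=Directory Manager" -W
        # The KDC reads the trust object's suffix list; restart so it is picked up.
        systemctl restart krb5kdc
    fi
fi
```

After the restart, the earlier "Client 'firstname.lastname@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database" entries in /var/log/sssd/krb5_child.log are the signal to watch: they should stop appearing for the affiliate users once the KDC knows the suffix.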
On 2017-07-06 08:25, Robert Sturrock via FreeIPA-users wrote:
> [...] We have a test IPA server with HBAC allow_all and we can ssh to it reliably as a regular user, but when we try to ssh as 'firstname.lastname@affiliate' we see the following exceptions in /var/log/sssd/krb5_child.log: [...]
I had a very similar problem in my environment. I had to add the UPN suffix manually and there is a bug in SSSD related to this: https://bugzilla.redhat.com/show_bug.cgi?id=1441077
This bug might affect you. Sumit Bose would know for sure if it does.
Regards, Ronald Wimmer
On Thu, Jul 06, 2017 at 09:55:46AM +0200, Ronald Wimmer wrote:
> On 2017-07-06 08:25, Robert Sturrock via FreeIPA-users wrote:
> > [...] We have a test IPA server with HBAC allow_all and we can ssh to it reliably as a regular user, but when we try to ssh as 'firstname.lastname@affiliate' we see the following exceptions in /var/log/sssd/krb5_child.log: [...]
> I had a very similar problem in my environment. I had to add the UPN suffix manually and there is a bug in SSSD related to this: https://bugzilla.redhat.com/show_bug.cgi?id=1441077
This might cause issues later but currently, according to Alexander's analysis, the UPN suffixes are missing on the server because they are not announced by AD.
bye, Sumit
> This bug might affect you. Sumit Bose would know for sure if it does.
> Regards, Ronald Wimmer