Hello,
You may need to increase the debug level to 9 and look in the
sssd_<ipadomain>.log for failures after the failed login attempt - I
would look in between log messages 'Got request for bobt...' and
'Backend returned' messages.
https://fedorahosted.org/sssd/wiki/Troubleshooting
You can also send the debug logs here for review.
Make sure logins and lookups are working on the IPA server first before
troubleshooting the IPA client.
Kind regards,
Justin Stephenson
On 08/09/2016 07:32 PM, Guy Knights wrote:
I've set up a freeipa server on a centos 7 machine and have
successfully configured a 2-way trust between it and our active
directory domain controller. I've also installed ipa-client on an
ubuntu 14.04 machine and have run ipa-client-install, which has
apparently successfully joined the FreeIPA domain.
So far, I can successfully do the following:
1. Log into the FreeIPA machine with an AD user account.
2. Log into the Ubuntu machine with a FreeIPA account.
3. Run 'getent passwd <freeipa username>' on the Ubuntu machine and
have it return the associated FreeIPA user account details (eg.
"jackt:*:1131000005:1131000005:Jack Test:/home/ipa.bbg.net/jackt:/bin/bash")
4. Run 'getent passwd <ad username>' on the Ubuntu machine and have it
return the associated AD user account details (eg.
"[email protected]:*:1946801107:1946801107::/home/ad.bbg.net/bobt:/bin/bash")
What I can't do is log into the Ubuntu machine with the AD user. I'm
using the following SSH command from the command line on my mac:
ssh -o [email protected] vm1.bbg.com
It asks me for the password, I enter it and it says permissions
denied, please try again. I set the debug level in SSSD on the ubuntu
client to 5 and this is what shows up in the log during the login attempt:
(Tue Aug 9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
(Tue Aug 9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug 9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): domain: ad.bbg.net
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: [email protected]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): service: sshd
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): tty: ssh
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): ruser:
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): rhost: 192.168.100.157
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): priv: 1
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): cli_pid: 16230
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [[email protected]] found.
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_resolve_server_process] (0x0200): Found address for server dc.ipa.bbg.net: [192.168.100.14] TTL 3600
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][ad.bbg.net]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [child_sig_handler] (0x0100): child [16313] finished successfully.
Can anyone explain why it's saying account info lookup failed when it
can get the account info fine via getent?
Thanks,
Guy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
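
Added example, not part of either message or of SSSD: a small Python filter for the window suggested in the reply, from 'Got request for ... name=<user>' to the next 'Backend returned', listing the non-zero results inside it. The sample lines are constructed in the format of the log quoted above, and reading the second field of 'Backend returned' as a Linux-PAM status code is an assumption.

```python
import re

# Linux-PAM status codes (subset of security/_pam_types.h).
PAM = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
       7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<dom>[^\]]+)\]\]\] "
                   r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
RETURNED = re.compile(r"Returned (\d+),(\d+),(.*)")
BACKEND = re.compile(r"Backend returned: \((\d+), (\d+), ")

# Constructed sample, modelled on the domain log quoted in the thread.
P = "(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] "
SAMPLE = [
    P + "[be_get_account_info] (0x0100): Got request for [3][1][name=bobt]",
    P + "[acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed",
    P + "[be_pam_handler] (0x0100): Got request with the following data",
    P + "[pam_print_data] (0x0100): command: PAM_AUTHENTICATE",
    P + "[be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]",
]

def windows(lines, user):
    """Yield entries from 'Got request for ...name=<user>]' through the
    next 'Backend returned' line, one list per login attempt."""
    current = None
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue  # wrapped or foreign line: skip rather than guess
        e = m.groupdict()
        if current is None and "Got request for" in e["msg"] and f"name={user}]" in e["msg"]:
            current = []
        if current is not None:
            current.append(e)
            if e["msg"].startswith("Backend returned"):
                yield current
                current = None

def failures(window):
    """Return (timestamp, function, description) for each non-zero result."""
    out = []
    for e in window:
        r = RETURNED.search(e["msg"])
        if r and (int(r[1]) or int(r[2])):
            out.append((e["ts"], e["func"], r[3]))
        b = BACKEND.search(e["msg"])
        if b and int(b[2]):  # assumption: second field is the PAM status
            out.append((e["ts"], e["func"], PAM.get(int(b[2]), f"status {b[2]}")))
    return out
```

On a real client, pass the lines of the sssd_<ipadomain>.log file instead of SAMPLE; entries must be one per line, so unwrap mail-wrapped logs first.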