OK, I increased the debug level as you recommended and it's given me a lot of useful info. Before I go any further trying to troubleshoot that mass of info on this mailing list though, I would like to double check something I came across. In the debug output I noticed this line:

"No ccache file for user [[email protected]] found."

I then searched this error and found this thread in which the OP seems to have basically the same setup as me:

https://lists.fedorahosted.org/pipermail/sssd-users/2013-January/000379.html

I started playing with kinit on the Ubuntu machine that I'm trying to log into, and got this error:

"kinit: Cannot find KDC for realm "AD.BBG.NET" while getting initial credentials"

After reading through some of the replies on the above thread, I saw a post that basically says that while the initial user info lookup is via FreeIPA, to actually authenticate a user the IPA client machine must connect directly to the AD controller. If this is true, it basically means the setup I was planning to use (FreeIPA in the cloud replicating/proxying local AD user accounts) is not going to work as I'd hoped. Could you confirm if this behaviour is in fact correct?

Thanks,
Guy

On 9 August 2016 at 18:47, Justin Stephenson <[email protected]> wrote:

> Hello,
>
> You may need to increase the debug level to 9 and look in the
> sssd_<ipadomain>.log for failures after the failed login attempt - I would
> look in between the log messages 'Got request for bobt...' and 'Backend
> returned'.
>
> https://fedorahosted.org/sssd/wiki/Troubleshooting
>
> You can also send the debug logs here for review.
>
> Make sure logins and lookups are working on the IPA server first before
> troubleshooting the IPA client.
>
> Kind regards,
>
> Justin Stephenson
>
> On 08/09/2016 07:32 PM, Guy Knights wrote:
>
> > I've set up a FreeIPA server on a CentOS 7 machine and have successfully
> > configured a 2-way trust between it and our Active Directory domain
> > controller. I've also installed ipa-client on an Ubuntu 14.04 machine and
> > have run ipa-client-install, which has apparently successfully joined the
> > FreeIPA domain.
> >
> > So far, I can successfully do the following:
> >
> > 1. Log into the FreeIPA machine with an AD user account.
> > 2. Log into the Ubuntu machine with a FreeIPA account.
> > 3. Run 'getent passwd <freeipa username>' on the Ubuntu machine and have
> >    it return the associated FreeIPA user account details (e.g.
> >    "jackt:*:1131000005:1131000005:Jack Test:/home/ipa.bbg.net/jackt:/bin/bash")
> > 4. Run 'getent passwd <ad username>' on the Ubuntu machine and have it
> >    return the associated AD user account details (e.g.
> >    "[email protected]:*:1946801107:1946801107::/home/ad.bbg.net/bobt:/bin/bash")
> >
> > What I can't do is log into the Ubuntu machine with the AD user. I'm using
> > the following SSH command from the command line on my Mac:
> >
> > ssh -o [email protected] vm1.bbg.com
> >
> > It asks me for the password, I enter it and it says permissions denied,
> > please try again. I set the debug level in SSSD on the Ubuntu client to 5
> > and this is what shows up in the log during the login attempt:
> >
> > (Tue Aug 9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
> > (Tue Aug 9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
> > (Tue Aug 9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request with the following data
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): domain: ad.bbg.net
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: [email protected]
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): service: sshd
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): tty: ssh
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): ruser:
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): rhost: 192.168.100.157
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): authtok type: 1
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): newauthtok type: 0
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): priv: 1
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): cli_pid: 16230
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [[email protected]] found.
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_resolve_server_process] (0x0200): Found address for server dc.ipa.bbg.net: [192.168.100.14] TTL 3600
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][ad.bbg.net]
> > (Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [child_sig_handler] (0x0100): child [16313] finished successfully.
> >
> > Can anyone explain why it's saying account info lookup failed when it can
> > get the account info fine via getent?
> >
> > Thanks,
> > Guy

--
*Guy Knights*
Senior Systems Engineer
BlueBat Games Inc.
Ph: 778-379-5120
Email: [email protected]
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
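The kinit error quoted in the message above has a precise meaning: libkrb5 asked for a KDC of realm AD.BBG.NET and got nothing from either of the two sources it consults, a `[realms]` stanza for that realm in krb5.conf or the `_kerberos._tcp.<realm>` DNS SRV record (used when `dns_lookup_kdc` is enabled, which ipa-client-install turns on). Password authentication of an AD trust user on an IPA client is a Kerberos exchange with the AD realm's KDC, so the client does have to resolve and reach an AD domain controller; the IPA server supplies the user's identity and the cross-realm trust, not a proxy for that exchange. The script below is an added example, not code from FreeIPA, SSSD or the poster, that runs the same two lookups from the client so the failing one is visible before touching SSSD logs. The AD host names and the sample krb5.conf in it are assumptions; `dc.ipa.bbg.net` is the IPA server named in the quoted log.

```shell
#!/bin/sh
# Added example for this thread; not code from FreeIPA, SSSD or the poster.
# "kinit: Cannot find KDC for realm X" means libkrb5 got no KDC for X from
# either source it consults: a [realms] stanza for X in krb5.conf, or the
# DNS SRV record _kerberos._tcp.<x> (consulted when dns_lookup_kdc is on,
# which ipa-client-install enables). This script checks both from a client.
# The AD host names and the sample config below are assumptions.

# kdc_from_krb5conf REALM FILE
# Print each "kdc = host[:port]" value in REALM's [realms] stanza, one per
# line (master_kdc/admin_server lines are deliberately ignored).
kdc_from_krb5conf() {
    awk -v realm="$1" '
        { gsub(/[ \t]*=[ \t]*/, " = ") }   # normalise "k=v" to "k = v"
        /^[ \t]*\[/ { section = $1; inrealm = 0; next }
        section == "[realms]" && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && $1 == "}" { inrealm = 0; next }
        inrealm && $1 == "kdc" && $2 == "=" { print $3 }
    ' "$2"
}

# kdc_from_dns REALM
# Print host:port for every _kerberos._tcp.<realm> SRV record, the same
# lookup libkrb5 performs. Empty output when the resolver cannot answer.
kdc_from_dns() {
    command -v dig >/dev/null 2>&1 || return 0
    dig +short +time=2 +tries=1 SRV "_kerberos._tcp.$1" 2>/dev/null |
        awk '{ sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# check_realm REALM FILE
# Exit 0 and list the KDCs if either source yields one; exit 1 otherwise,
# which is the condition behind "Cannot find KDC for realm".
check_realm() {
    kdcs=$(kdc_from_krb5conf "$1" "$2")
    src="$2"
    if [ -z "$kdcs" ]; then
        kdcs=$(kdc_from_dns "$1")
        src="DNS SRV _kerberos._tcp.$1"
    fi
    if [ -z "$kdcs" ]; then
        echo "no KDC for realm $1 in $2 or DNS: kinit will fail" >&2
        return 1
    fi
    printf 'KDCs for %s (from %s):\n%s\n' "$1" "$src" "$kdcs"
}

# Constructed sample client config (assumption): the IPA realm has a stanza,
# the trusted AD realm does not, which is what ipa-client-install writes.
sample=$(mktemp)
cat >"$sample" <<'EOF'
[libdefaults]
  default_realm = IPA.BBG.NET
  dns_lookup_kdc = true

[realms]
  IPA.BBG.NET = {
    kdc = dc.ipa.bbg.net:88
    master_kdc = dc.ipa.bbg.net:88
    admin_server = dc.ipa.bbg.net:749
  }
EOF
check_realm IPA.BBG.NET "$sample"          # satisfied from the file
check_realm AD.BBG.NET  "$sample" || true  # only DNS can supply this one
rm -f "$sample"
```

On the Ubuntu client, `check_realm AD.BBG.NET /etc/krb5.conf` reproduces what kinit does before it gives up. If it reports no KDC, either point the client's resolver at DNS that serves the AD SRV records (for example the IPA DNS with a forward zone for the AD domain) or add an explicit `[realms]` stanza for AD.BBG.NET with `kdc =` lines. Neither fixes the underlying requirement: the named host must then be reachable from the client on the Kerberos port, which this script does not test.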
