#1595 Password authentication with users coming via AD trust
Closed: Fixed None Opened 6 years ago by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=869071 (Red Hat Enterprise Linux 6)

Description of problem:

I'm trying to setup an AD Trust and to allow AD users to log into IPA Clients.

For the most part, I followed this:

https://fedoraproject.org/wiki/QA:Testcase_freeipav3_ad_trust

[root@rhel6-1 ~]# vi /etc/krb5.conf
...
[realms]
 TESTRELM.COM = {
...
  auth_to_local = RULE:[1:$1@$0](^.*@ADTESTDOM.COM$)s/@ADTESTDOM.COM/@adtestdom.com/
  auth_to_local = DEFAULT
}

[root@rhel6-1 ~]# vi /etc/sssd/sssd.conf
...
[domain/ipa.lan]
...
subdomains_provider = ipa
...
[sssd]
services = nss, pam, ssh, pac

[root@rhel6-1 ~]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]

[root@rhel6-1 samba]# ipa group-add --desc='adtestdom.com Domain users external map' adtestdom_domain_users_external --external
---------------------------------------------
Added group "adtestdom_domain_users_external"
---------------------------------------------
  Group name: adtestdom_domain_users_external
  Description: adtestdom.com Domain users external map

[root@rhel6-1 samba]# ipa group-add --desc='adtestdom.com Domain users' adtestdom_domain_users
------------------------------------
Added group "adtestdom_domain_users"
------------------------------------
  Group name: adtestdom_domain_users
  Description: adtestdom.com Domain users
  GID: 1277200028

Here I ran into a problem where wbinfo returned:
[root@rhel6-1 ~]# wbinfo --online-status
BUILTIN : online
TESTRELM : online
ADTESTDOM : offline
AD2TESTDOM : offline

[root@rhel6-1 ~]# wbinfo -n "ADTESTDOM\Domain Users"
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADTESTDOM\Domain Users

After some troubleshooting and rebooting the AD server, I found that the time was off on the AD server and saw this error in messages:

Oct 22 17:43:05 rhel6-1 winbindd[12089]:   kerberos_kinit_password TESTRELM@ADTESTDOM.COM failed: Ticket is ineligible for postdating

Fixed time on AD server. I think that fixed it. wbinfo --online-status still showed offline but the rest seemed to work:

[root@rhel6-1 samba]# wbinfo -n "ADTESTDOM\Domain Users"
S-1-5-21-1246088475-3077293710-2580964704-513 SID_DOM_GROUP (2)

[root@rhel6-1 samba]# ipa group-add-member adtestdom_domain_users_external --external S-1-5-21-1246088475-3077293710-2580964704-513
[member user]:
[member group]:
  Group name: adtestdom_domain_users_external
  Description: adtestdom.com Domain users external map
  External member: S-1-5-21-1246088475-3077293710-2580964704-513
-------------------------
Number of members added 1
-------------------------

[root@rhel6-1 samba]# ipa group-add-member adtestdom_domain_users --groups adtestdom_domain_users_external
  Group name: adtestdom_domain_users
  Description: adtestdom.com Domain users
  GID: 1277200028
  Member groups: adtestdom_domain_users_external
-------------------------
Number of members added 1
-------------------------

Tailing the logs during an ssh login shows this:

(Mon Oct 22 19:08:53 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 74D180
(Mon Oct 22 19:08:53 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Oct 22 19:08:53 2012) [sssd[be[testrelm.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]

==> /var/log/secure <==
Oct 22 19:08:56 rhel6-1 sshd[14064]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=testuser1@adtestdom.com

==> /var/log/sssd/sssd_testrelm.com.log <==
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 769C30
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=testuser1]
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [ipa_get_subdomain_account_info_send] (0x0040): Invalid sub-domain request type.
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,User lookup failed
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 769C30
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): domain: adtestdom.com
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): user: testuser1
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): service: sshd
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): tty: ssh
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): ruser:
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): rhost: 192.168.122.1
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): authtok type: 1
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): authtok size: 9
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): priv: 1
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): cli_pid: 14064
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [ipa_auth] (0x0040): This operation is not allowed for subdomains!
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Sending result [4][adtestdom.com]
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Sent result [4][adtestdom.com]

==> /var/log/secure <==
Oct 22 19:08:56 rhel6-1 sshd[14064]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=testuser1@adtestdom.com
Oct 22 19:08:56 rhel6-1 sshd[14064]: pam_sss(sshd:auth): received for user testuser1@adtestdom.com: 4 (System error)
Oct 22 19:08:58 rhel6-1 sshd[14064]: Failed password for testuser1@adtestdom.com from 192.168.122.1 port 54362 ssh2

==> /var/log/messages <==
Oct 22 19:09:02 rhel6-1 smbd[13657]: [2012/10/22 19:09:02.293018,  0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Oct 22 19:09:02 rhel6-1 smbd[13657]:   dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Oct 22 19:09:02 rhel6-1 smbd[13657]: [2012/10/22 19:09:02.317630,  0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Oct 22 19:09:02 rhel6-1 smbd[13657]:   dcesrv_interface_register: interface 'samr' already registered on endpoint
Oct 22 19:09:02 rhel6-1 smbd[13657]: [2012/10/22 19:09:02.318604,  0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Oct 22 19:09:02 rhel6-1 smbd[13657]:   dcesrv_interface_register: interface 'netlogon' already registered on endpoint

==> /var/log/sssd/sssd_testrelm.com.log <==
(Mon Oct 22 19:09:03 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 74D180
(Mon Oct 22 19:09:03 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Oct 22 19:09:03 2012) [sssd[be[testrelm.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]

Version-Release number of selected component (if applicable):


How reproducible:
unknown


Steps to Reproduce:
1.  Setup IPA server
2.  Setup AD server
3.  ipa-adtrust-install
4.  ipa trust-add --type=ad adtestdom.com --admin Administrator --password
5.  See above for where this failed.

Actual results:


Expected results:


Additional info:

Sumit has patches on the list.

owner: somebody => sbose
patch: 0 => 1
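The auth_to_local rule in the krb5.conf excerpt of the report is easy to get wrong, and a rule whose selector is too loose maps principals from a foreign realm onto local account names. The Python below is an added example, not code from the report, SSSD, FreeIPA or MIT krb5: it implements the RULE:[n:string](regexp)s/pattern/replacement/ and DEFAULT evaluation described in krb5.conf(5) for exactly the two rules quoted in the report, and shows what they do to a trusted-domain user (testuser1@ADTESTDOM.COM becomes testuser1@adtestdom.com), a local-realm user (falls through to DEFAULT), a user from the second trusted domain AD2TESTDOM.COM and a two-component service principal (both map to nothing). The only simplification, stated as an assumption, is that the s/// part contains no escaped slashes, which holds for the rule in the report.

```python
"""Evaluate MIT krb5 [realms] auth_to_local rules against Kerberos principals.

Added example; not code from the bug report, SSSD, FreeIPA or MIT krb5.  Rule
syntax follows krb5.conf(5): RULE:[n:string](regexp)s/pattern/replacement/[g]
and DEFAULT.  Assumption: no escaped '/' inside the s/// part.
"""
import re

# The two rules from the report's krb5.conf, in evaluation order.
RULES = [
    "RULE:[1:$1@$0](^.*@ADTESTDOM.COM$)s/@ADTESTDOM.COM/@adtestdom.com/",
    "DEFAULT",
]
LOCAL_REALM = "TESTRELM.COM"   # realm of the IPA domain in the report

_RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"   # [n:string]
    r"(?:\((?P<sel>.*?)\))?"                   # optional (regexp) selector
    r"(?P<subs>(?:s/[^/]*/[^/]*/g?)*)$"        # zero or more s/a/b/[g]
)
_SUB_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)")


def split_principal(principal):
    """'a/b@REALM' -> (['a', 'b'], 'REALM'); a principal without realm is an error."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, principal, local_realm=LOCAL_REALM):
    """Local name produced by one rule, or None if the rule does not apply."""
    components, realm = split_principal(principal)

    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the local realm.
        if len(components) == 1 and realm == local_realm:
            return components[0]
        return None

    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unparseable auth_to_local rule: %r" % rule)
    if len(components) != int(m.group("n")):
        return None                     # component count must match exactly

    # Build the candidate string: $0 is the realm, $1..$n the components.
    def expand(match):
        idx = int(match.group(1))
        if idx > len(components):
            raise ValueError("rule references $%d but principal has %d components"
                             % (idx, len(components)))
        return realm if idx == 0 else components[idx - 1]
    candidate = re.sub(r"\$(\d+)", expand, m.group("fmt"))

    # The selector regexp, when present, must match or the rule is skipped.
    sel = m.group("sel")
    if sel is not None and not re.search(sel, candidate):
        return None

    # Apply the s/pattern/replacement/[g] substitutions in order.
    for pat, repl, g in _SUB_RE.findall(m.group("subs")):
        candidate = re.sub(pat, repl, candidate, count=0 if g else 1)
    return candidate


def auth_to_local(principal, rules=RULES, local_realm=LOCAL_REALM):
    """First matching rule wins; None means no rule mapped the principal."""
    for rule in rules:
        mapped = apply_rule(rule, principal, local_realm)
        if mapped is not None:
            return mapped
    return None


if __name__ == "__main__":
    for p in ("testuser1@ADTESTDOM.COM", "admin@TESTRELM.COM",
              "testuser1@AD2TESTDOM.COM", "host/rhel6-1.testrelm.com@TESTRELM.COM"):
        print("%-45s -> %r" % (p, auth_to_local(p)))
```

The selector is what keeps the rule from applying to AD2TESTDOM.COM principals: without `(^.*@ADTESTDOM.COM$)` the substitution would simply not match and the unmodified `user@REALM` string would be returned as a local name for any single-component principal from any realm.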

Fields changed

summary: IPA client with AD Trust fails to authenticate AD user with sssd Internal Error => Password authentication with users coming via AD trust

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.3

master:

ac7a7ee Make sub-domains case-insensitive
bfc3b76 sss_parse_name_for_domains: always return the canonical domain name
7c4845b krb5_auth: update with correct UPN if needed
964628a Use find_or_guess_upn() where needed
29c0fdd Add new call find_or_guess_upn()
d3dca30 krb5_child: send back the client principal
cac29dc krb5_mod_ccname: replace wrong memory context
dca03a9 krb5_child: send PAC to PAC responder
916674f krb5_auth: send different_realm flag to krb5_child
83f2463 krb5_auth: check if principal belongs to a different realm
7219ef8 Add replacement for krb5_find_authdata()
28269b2 check_ccache_files: search sub-domains as well
73550e4 sysdb: add sysdb_base_dn()
d29e913 krb5_auth_send: check for sub-domains
d9137b1 pac responder: add user principal and name alias to cached user object
f578084 pac responder: use only lower case user name
0089408 sysdb: look for ranges in the parent tree
05ea6f6 pac responder: fix copy-and-paste error
4cf3bc3 subdomain-id: Generate homedir only for users not groups

sssd-1-9:

004968e Make sub-domains case-insensitive
fe41254 sss_parse_name_for_domains: always return the canonical domain name
541ba2d krb5_auth: update with correct UPN if needed
5fcdbf6 Use find_or_guess_upn() where needed
53e2d78 Add new call find_or_guess_upn()
f67ee4a krb5_child: send back the client principal
6caff4c krb5_mod_ccname: replace wrong memory context
b3435ea krb5_child: send PAC to PAC responder
2b61532 krb5_auth: send different_realm flag to krb5_child
ba772c9 krb5_auth: check if principal belongs to a different realm
95a386c Add replacement for krb5_find_authdata()
8af633c check_ccache_files: search sub-domains as well
aab727b sysdb: add sysdb_base_dn()
203663b krb5_auth_send: check for sub-domains
538db73 pac responder: add user principal and name alias to cached user object
8847542 pac responder: use only lower case user name
1a21292 sysdb: look for ranges in the parent tree
00e7269 pac responder: fix copy-and-paste error
4ecd8c5 subdomain-id: Generate homedir only for users not groups

resolution: => fixed
status: new => closed
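The SSSD back end logs the calling sshd PID as cli_pid with every PAM request, which is what ties the "This operation is not allowed for subdomains!" line in sssd_testrelm.com.log to the pam_sss "4 (System error)" line in /var/log/secure for the same login attempt. The Python below is an added example, not code from the report or the SSSD project: it joins the two logs on that PID and labels the outcome as a rejected credential (PAM_AUTH_ERR, 7) or a back-end error (PAM_SYSTEM_ERR, 4), so that the pre-fix failure in this report is not counted as a bad password by whoever reads the auth logs. The sample lines are the report's own, trimmed to what the join needs; the regexes assume the log formats exactly as they appear there.

```python
"""Join SSSD back-end PAM requests to sshd sessions on cli_pid.

Added example, not part of the bug report, SSSD or FreeIPA.  Sample lines are
taken from the report and trimmed.  The regexes match the sssd_<domain>.log
format "(timestamp) [sssd[be[domain]]] [function] (level): message" and the
syslog lines in /var/log/secure as shown in the report.
"""
import re
from collections import defaultdict

SSSD_LOG = """\
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): domain: adtestdom.com
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): user: testuser1
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): ruser:
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): rhost: 192.168.122.1
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): cli_pid: 14064
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [ipa_auth] (0x0040): This operation is not allowed for subdomains!
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Sent result [4][adtestdom.com]
"""

SECURE_LOG = """\
Oct 22 19:08:56 rhel6-1 sshd[14064]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=testuser1@adtestdom.com
Oct 22 19:08:56 rhel6-1 sshd[14064]: pam_sss(sshd:auth): received for user testuser1@adtestdom.com: 4 (System error)
Oct 22 19:08:58 rhel6-1 sshd[14064]: Failed password for testuser1@adtestdom.com from 192.168.122.1 port 54362 ssh2
"""

SSSD_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<be>[^\]]+)\]\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
SECURE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM_SSS_RE = re.compile(r"pam_sss\(\S+:auth\): received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")
SENT_RE = re.compile(r"Sent result \[(?P<code>\d+)\]\[(?P<dom>[^\]]*)\]")

# Linux-PAM return codes as pam_sss reports them in "received for user".
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
             7: "PAM_AUTH_ERR", 10: "PAM_USER_UNKNOWN"}


def parse_sssd_pam_requests(text):
    """Group each be_pam_handler ... 'Sent result' run into one request dict."""
    requests, cur = [], None
    for line in text.splitlines():
        m = SSSD_RE.match(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "be_pam_handler" and msg.startswith("Got request"):
            cur = {"fields": {}, "backend_messages": []}
        elif cur is None:
            continue
        elif func == "pam_print_data":
            key, _, value = msg.partition(":")
            cur["fields"][key.strip()] = value.strip()
        elif func == "be_pam_handler_callback":
            r = SENT_RE.search(msg)
            if r:                                   # request complete
                cur["backend_status"] = int(r.group("code"))
                requests.append(cur)
                cur = None
        else:
            # Whatever the back end logs between request and result (here the
            # ipa_auth refusal) is the actual reason for the outcome.
            cur["backend_messages"].append("[%s] %s" % (func, msg))
    return requests


def parse_sshd_sessions(text):
    """Index sshd syslog lines by PID, keeping the pam_sss code and final outcome."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = SECURE_RE.match(line)
        if not m:
            continue
        sess, msg = sessions[int(m.group("pid"))], m.group("msg")
        r = PAM_SSS_RE.search(msg)
        if r:
            sess["pam_code"] = int(r.group("code"))
            sess["pam_text"] = r.group("text")
        elif msg.startswith("Failed password for"):
            sess["outcome"] = "Failed password"
        elif msg.startswith("Accepted "):
            sess["outcome"] = "Accepted"
    return sessions


def correlate(sssd_text, secure_text):
    """Join on SSSD's cli_pid == sshd PID and label the kind of failure."""
    sessions = parse_sshd_sessions(secure_text)
    rows = []
    for req in parse_sssd_pam_requests(sssd_text):
        pid = int(req["fields"].get("cli_pid", -1))
        sess = sessions.get(pid, {})
        code = sess.get("pam_code", req.get("backend_status"))
        rows.append({
            "pid": pid,
            "user": req["fields"].get("user"),
            "domain": req["fields"].get("domain"),
            "rhost": req["fields"].get("rhost"),
            "pam_code": code,
            "pam_name": PAM_CODES.get(code, "unknown"),
            "reason": (req["backend_messages"] or [None])[0],
            # PAM_AUTH_ERR is a rejected credential; PAM_SYSTEM_ERR (this report)
            # is a back-end failure and must not be counted as a bad password.
            "credential_rejected": code == 7,
            "backend_error": code == 4,
            "sshd_outcome": sess.get("outcome"),
        })
    return rows


if __name__ == "__main__":
    for row in correlate(SSSD_LOG, SECURE_LOG):
        print(row)
```

Only the back-end log says why the request failed; /var/log/secure alone shows a "Failed password" line for this attempt that looks identical to a wrong password, which is why the join on cli_pid is worth keeping in any alerting that counts sshd failures.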

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.9.3

2 years ago
