#1595 Password authentication with users coming via AD trust
Closed: Fixed. Opened 7 years ago by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=869071 (Red Hat Enterprise Linux 6)

Description of problem:

I'm trying to setup an AD Trust and to allow AD users to log into IPA Clients.

For the most part, I followed this:

https://fedoraproject.org/wiki/QA:Testcase_freeipav3_ad_trust

[root@rhel6-1 ~]# vi /etc/krb5.conf
...
[realms]
 TESTRELM.COM = {
...
  auth_to_local = RULE:[1:$1@$0](^.*@ADTESTDOM.COM$)s/@ADTESTDOM.COM/@adtestdom.com/
  auth_to_local = DEFAULT
}

[root@rhel6-1 ~]# vi /etc/sssd/sssd.conf
...
[domain/ipa.lan]
...
subdomains_provider = ipa
...
[sssd]
services = nss, pam, ssh, pac

[root@rhel6-1 ~]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]

[root@rhel6-1 samba]# ipa group-add --desc='adtestdom.com Domain users external map' adtestdom_domain_users_external --external
---------------------------------------------
Added group "adtestdom_domain_users_external"
---------------------------------------------
  Group name: adtestdom_domain_users_external
  Description: adtestdom.com Domain users external map

[root@rhel6-1 samba]# ipa group-add --desc='adtestdom.com Domain users' adtestdom_domain_users
------------------------------------
Added group "adtestdom_domain_users"
------------------------------------
  Group name: adtestdom_domain_users
  Description: adtestdom.com Domain users
  GID: 1277200028

Here I ran into a problem where wbinfo returned:
[root@rhel6-1 ~]# wbinfo --online-status
BUILTIN : online
TESTRELM : online
ADTESTDOM : offline
AD2TESTDOM : offline

[root@rhel6-1 ~]# wbinfo -n "ADTESTDOM\Domain Users"
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADTESTDOM\Domain Users

After some troubleshooting and rebooting AD server, I found that the time was
off on the AD server and saw this error in messages:

Oct 22 17:43:05 rhel6-1 winbindd[12089]:   kerberos_kinit_password
TESTRELM@ADTESTDOM.COM failed: Ticket is ineligible for postdating

Fixed time on AD server.  I think that fixed it.  wbinfo --online-status still
showed offline, but the rest seemed to work:

[root@rhel6-1 samba]# wbinfo -n "ADTESTDOM\Domain Users"
S-1-5-21-1246088475-3077293710-2580964704-513 SID_DOM_GROUP (2)

[root@rhel6-1 samba]# ipa group-add-member adtestdom_domain_users_external --external S-1-5-21-1246088475-3077293710-2580964704-513
[member user]:
[member group]:
  Group name: adtestdom_domain_users_external
  Description: adtestdom.com Domain users external map
  External member: S-1-5-21-1246088475-3077293710-2580964704-513
-------------------------
Number of members added 1
-------------------------

[root@rhel6-1 samba]# ipa group-add-member adtestdom_domain_users --groups adtestdom_domain_users_external
  Group name: adtestdom_domain_users
  Description: adtestdom.com Domain users
  GID: 1277200028
  Member groups: adtestdom_domain_users_external
-------------------------
Number of members added 1
-------------------------

Tailing the logs during ssh in shows this:

(Mon Oct 22 19:08:53 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000):
dbus conn: 74D180
(Mon Oct 22 19:08:53 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000):
Dispatching.
(Mon Oct 22 19:08:53 2012) [sssd[be[testrelm.com]]] [sbus_message_handler]
(0x4000): Received SBUS method [ping]

==> /var/log/secure <==
Oct 22 19:08:56 rhel6-1 sshd[14064]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1
user=testuser1@adtestdom.com

==> /var/log/sssd/sssd_testrelm.com.log <==
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000):
dbus conn: 769C30
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000):
Dispatching.
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_message_handler]
(0x4000): Received SBUS method [getAccountInfo]
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_get_account_info]
(0x0100): Got request for [3][1][name=testuser1]
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]]
[ipa_get_subdomain_account_info_send] (0x0040): Invalid sub-domain request
type.
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [acctinfo_callback]
(0x0100): Request processed. Returned 3,22,User lookup failed
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000):
dbus conn: 769C30
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000):
Dispatching.
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_message_handler]
(0x4000): Received SBUS method [pamHandler]
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler] (0x0100):
Got request with the following data
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100):
command: PAM_AUTHENTICATE
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100):
domain: adtestdom.com
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100):
user: testuser1
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100):
service: sshd
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100):
tty: ssh
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100):
ruser:
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100):
rhost: 192.168.122.1
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100):
authtok type: 1
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100):
authtok size: 9
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100):
newauthtok type: 0
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100):
newauthtok size: 0
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100):
priv: 1
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100):
cli_pid: 14064
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [ipa_auth] (0x0040): This
operation is not allowed for subdomains!
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback]
(0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback]
(0x0100): Sending result [4][adtestdom.com]
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback]
(0x0100): Sent result [4][adtestdom.com]

==> /var/log/secure <==
Oct 22 19:08:56 rhel6-1 sshd[14064]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1
user=testuser1@adtestdom.com
Oct 22 19:08:56 rhel6-1 sshd[14064]: pam_sss(sshd:auth): received for user
testuser1@adtestdom.com: 4 (System error)
Oct 22 19:08:58 rhel6-1 sshd[14064]: Failed password for
testuser1@adtestdom.com from 192.168.122.1 port 54362 ssh2

==> /var/log/messages <==
Oct 22 19:09:02 rhel6-1 smbd[13657]: [2012/10/22 19:09:02.293018,  0]
../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Oct 22 19:09:02 rhel6-1 smbd[13657]:   dcesrv_interface_register: interface
'lsarpc' already registered on endpoint
Oct 22 19:09:02 rhel6-1 smbd[13657]: [2012/10/22 19:09:02.317630,  0]
../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Oct 22 19:09:02 rhel6-1 smbd[13657]:   dcesrv_interface_register: interface
'samr' already registered on endpoint
Oct 22 19:09:02 rhel6-1 smbd[13657]: [2012/10/22 19:09:02.318604,  0]
../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Oct 22 19:09:02 rhel6-1 smbd[13657]:   dcesrv_interface_register: interface
'netlogon' already registered on endpoint

==> /var/log/sssd/sssd_testrelm.com.log <==
(Mon Oct 22 19:09:03 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000):
dbus conn: 74D180
(Mon Oct 22 19:09:03 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000):
Dispatching.
(Mon Oct 22 19:09:03 2012) [sssd[be[testrelm.com]]] [sbus_message_handler]
(0x4000): Received SBUS method [ping]

Version-Release number of selected component (if applicable):


How reproducible:
unknown


Steps to Reproduce:
1.  Setup IPA server
2.  Setup AD server
3.  ipa-adtrust-install
4.  ipa trust-add --type=ad adtestdom.com --admin Administrator --password
5.  See above for where this failed.

Actual results:


Expected results:


Additional info:

Sumit has patches on the list.
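To see what the auth_to_local rules in the krb5.conf excerpt at the top of this report actually do to a cross-realm principal, here is a small offline evaluator of MIT Kerberos RULE/DEFAULT mappings. It is an added example, not code from the report or from SSSD; the rule strings are the ones from the excerpt, and TESTRELM.COM is assumed to be the client's default realm.

```python
import re

# Rules copied from the krb5.conf excerpt in the report (constructed test setup).
RULES = [
    "RULE:[1:$1@$0](^.*@ADTESTDOM.COM$)s/@ADTESTDOM.COM/@adtestdom.com/",
    "DEFAULT",
]
DEFAULT_REALM = "TESTRELM.COM"  # assumption: the IPA client's default realm

# RULE:[n:format](regexp)s/pattern/replacement/g  -- regexp and s/// are optional
_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"      # [n:format]
    r"(?:\(([^)]*)\))?"              # optional (regexp) selector
    r"(?:s/([^/]*)/([^/]*)/(g?))?$"  # optional sed-style substitution
)

def apply_rule(rule, components, realm):
    """Return the local name one rule yields, or None if the rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals in the default realm.
        if len(components) == 1 and realm == DEFAULT_REALM:
            return components[0]
        return None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unparsable rule: %s" % rule)
    n, fmt, regexp, pattern, repl, flag = m.groups()
    if int(n) != len(components):   # rule only fires for exactly n components
        return None
    # $0 is the realm, $1..$n the principal components (highest index first,
    # so that $1 does not clobber $10 and above).
    text = fmt.replace("$0", realm)
    for i in range(len(components), 0, -1):
        text = text.replace("$%d" % i, components[i - 1])
    if regexp and not re.search(regexp, text):
        return None                  # selector regexp did not match: skip rule
    if pattern is not None:
        text = re.sub(pattern, repl, text, count=0 if flag else 1)
    return text

def auth_to_local(principal, rules=RULES):
    """Map a Kerberos principal to a local name using the first applicable rule."""
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    for rule in rules:
        result = apply_rule(rule, components, realm)
        if result is not None:
            return result
    return None                      # no rule applied: mapping fails
```

With these rules the trusted-domain principal testuser1@ADTESTDOM.COM maps to testuser1@adtestdom.com, a local IPA principal maps to its bare first component, and a multi-component or foreign-realm principal maps to nothing.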

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => sbose
patch: 0 => 1
testsupdated: => 0

Fields changed

summary: IPA client with AD Trust fails to authenticate AD user with sssd Internal Error => Password authentication with users coming via AD trust

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.3

master:

ac7a7ee Make sub-domains case-insensitive
bfc3b76 sss_parse_name_for_domains: always return the canonical domain name
7c4845b krb5_auth: update with correct UPN if needed
964628a Use find_or_guess_upn() where needed
29c0fdd Add new call find_or_guess_upn()
d3dca30 krb5_child: send back the client principal
cac29dc krb5_mod_ccname: replace wrong memory context
dca03a9 krb5_child: send PAC to PAC responder
916674f krb5_auth: send different_realm flag to krb5_child
83f2463 krb5_auth: check if principal belongs to a different realm
7219ef8 Add replacement for krb5_find_authdata()
28269b2 check_ccache_files: search sub-domains as well
73550e4 sysdb: add sysdb_base_dn()
d29e913 krb5_auth_send: check for sub-domains
d9137b1 pac responder: add user principal and name alias to cached user object
f578084 pac responder: use only lower case user name
0089408 sysdb: look for ranges in the parent tree
05ea6f6 pac responder: fix copy-and-paste error
4cf3bc3 subdomain-id: Generate homedir only for users not groups

sssd-1-9:

004968e Make sub-domains case-insensitive
fe41254 sss_parse_name_for_domains: always return the canonical domain name
541ba2d krb5_auth: update with correct UPN if needed
5fcdbf6 Use find_or_guess_upn() where needed
53e2d78 Add new call find_or_guess_upn()
f67ee4a krb5_child: send back the client principal
6caff4c krb5_mod_ccname: replace wrong memory context
b3435ea krb5_child: send PAC to PAC responder
2b61532 krb5_auth: send different_realm flag to krb5_child
ba772c9 krb5_auth: check if principal belongs to a different realm
95a386c Add replacement for krb5_find_authdata()
8af633c check_ccache_files: search sub-domains as well
aab727b sysdb: add sysdb_base_dn()
203663b krb5_auth_send: check for sub-domains
538db73 pac responder: add user principal and name alias to cached user object
8847542 pac responder: use only lower case user name
1a21292 sysdb: look for ranges in the parent tree
00e7269 pac responder: fix copy-and-paste error
4ecd8c5 subdomain-id: Generate homedir only for users not groups

resolution: => fixed
status: new => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.9.3

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2637

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
