Bug 1299924

Summary: Active Directory trust corrupted centos 7 ipa 4.2.0
Product: [Fedora] Fedora
Reporter: Testino <dima.krasnikov>
Component: freeipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: unspecified
Version: 22
CC: abokovoy, dima.krasnikov, ipa-maint, jhrozek, mkosek, pviktori, pvoborni, rcritten, ssorce
Target Milestone: ---
Flags: dima.krasnikov: needinfo-
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-18 11:28:20 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Attachments:
- debug level 100 (seven SSSD log attachments, ids 1116280, 1116281, 1116282, 1116287, 1116288, 1116290, 1116292; flags: none)

Description Testino 2016-01-19 14:53:07 UTC
Description of problem:
Can't log in to Linux with FreeIPA using an Active Directory account;
always receive error 4 (System error).
-----------------
Jan 19 07:38:11 ipa1 sshd[21179]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.253 user=Administrator
Jan 19 07:38:11 ipa1 sshd[21179]: pam_sss(sshd:auth): received for user Administrator: 4 (System error)
Jan 19 07:38:11 ipa1 sshd[21179]: Failed password for Administrator from 10.10.10.253 port 58075 ssh2
Jan 19 07:38:12 ipa1 sshd[21179]: Connection closed by 10.10.10.253 [preauth]
-----------------
Version-Release number of selected component (if applicable):
ipa-admintools-4.2.0-15.el7.centos.3.x86_64
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-client-4.2.0-15.el7.centos.3.x86_64
ipa-server-trust-ad-4.2.0-15.el7.centos.3.x86_64
libipa_hbac-1.13.0-40.el7_2.1.x86_64
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
ipa-python-4.2.0-15.el7.centos.3.x86_64
ipa-server-4.2.0-15.el7.centos.3.x86_64
ipa-server-dns-4.2.0-15.el7.centos.3.x86_64

How reproducible:


Steps to Reproduce:
0. Install Windows 2012r2 with AD
1. Install fresh OS like CentOS Linux release 7.2.1511 (Core)
2. Add IPA repo https://copr.fedoraproject.org/coprs/mkosek/freeipa/
3. Use setup steps from http://www.freeipa.org/page/Active_Directory_trust_setup

Actual results:
[root@ipa1 ~]# ipa trustdomain-find "ad.domain"
  Domain name: ad.domain
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-332875919-1006289667-2800693926
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

[root@ipa1 ~]# getent passwd Administrator
administrator:*:464400500:464400500:Administrator:/home/ad.domain/administrator:

ssh ipa.server -l Administrator
Cut from the secure log:

Jan 19 07:38:11 ipa1 sshd[21179]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.253 user=Administrator
Jan 19 07:38:11 ipa1 sshd[21179]: pam_sss(sshd:auth): received for user Administrator: 4 (System error)
Jan 19 07:38:11 ipa1 sshd[21179]: Failed password for Administrator from 10.10.10.253 port 58075 ssh2
Jan 19 07:38:12 ipa1 sshd[21179]: Connection closed by 10.10.10.253 [preauth]

Expected results:


Additional info:
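
The secure-log lines above carry the diagnostic that matters here: pam_sss reports the PAM return code, and 4 (System error) means the SSSD backend failed rather than the password being wrong. The following is an added example, not part of the report, that correlates the two pam_sss lines of each sshd session by PID and separates system errors from ordinary credential failures; the sample log is constructed from the report's lines, with a second session (user bob from 10.10.10.7, PID 21200) made up for contrast.

```python
import re

# Linux-PAM return codes as pam_sss logs them in "received for user X: N (text)".
PAM_CODES = {
    4: "system error: SSSD backend failed (check SSSD logs, Kerberos, time sync)",
    6: "permission denied",
    7: "authentication failure (wrong credentials)",
    9: "authentication information unavailable",
    10: "user unknown",
}

# Constructed sample modelled on the report's lines; the second session
# (user bob, 10.10.10.7, PID 21200) is made up to show a plain bad password.
SAMPLE_LOG = """\
Jan 19 07:38:11 ipa1 sshd[21179]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.253 user=Administrator
Jan 19 07:38:11 ipa1 sshd[21179]: pam_sss(sshd:auth): received for user Administrator: 4 (System error)
Jan 19 07:38:11 ipa1 sshd[21179]: Failed password for Administrator from 10.10.10.253 port 58075 ssh2
Jan 19 07:40:02 ipa1 sshd[21200]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.7 user=bob
Jan 19 07:40:02 ipa1 sshd[21200]: pam_sss(sshd:auth): received for user bob: 7 (Authentication failure)
"""

FAIL_RE = re.compile(r"sshd\[(\d+)\]: pam_sss\(sshd:auth\): authentication failure;.*rhost=(\S*) user=(\S+)")
CODE_RE = re.compile(r"sshd\[(\d+)\]: pam_sss\(sshd:auth\): received for user (\S+): (\d+) \((.*)\)")


def correlate(log_text):
    """Join the two pam_sss lines of each attempt by sshd PID; one dict per attempt."""
    by_pid = {}
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            pid, rhost, user = m.groups()
            by_pid.setdefault(pid, {"pid": int(pid), "rhost": rhost, "user": user})
            continue
        m = CODE_RE.search(line)
        if m:
            pid, user, code, text = m.groups()
            ev = by_pid.setdefault(pid, {"pid": int(pid), "rhost": None, "user": user})
            ev["code"] = int(code)
            ev["pam_text"] = text
            ev["meaning"] = PAM_CODES.get(int(code), "other PAM code")
    # Only attempts for which pam_sss reported a result code are returned.
    return [ev for ev in by_pid.values() if "code" in ev]


def system_errors(events):
    """Code 4 means SSSD itself failed, not a wrong password: escalate these to the admins."""
    return [ev for ev in events if ev["code"] == 4]
```

Run over a real /var/log/secure, a burst of code-4 results for AD users is the signal to look at the SSSD domain log and at Kerberos clock skew before treating the failures as bad passwords.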

Comment 1 Jakub Hrozek 2016-01-19 15:15:50 UTC
This looks more like an SSSD issue, can you attach sssd logs? See https://fedorahosted.org/sssd/wiki/Troubleshooting

btw CentOS bugs shouldn't be filed against the Fedora product I guess :-)

Comment 2 Testino 2016-01-19 17:21:07 UTC
Created attachment 1116280 [details]
debug level 100

1) service sssd stopped
2) old log cleaned
3) service started
4) Try ssh
5) service stopped.

Comment 3 Testino 2016-01-19 17:21:30 UTC
Created attachment 1116281 [details]
debug level 100

1) service sssd stopped
2) old log cleaned
3) service started
4) Try ssh
5) service stopped.

Comment 4 Testino 2016-01-19 17:21:55 UTC
Created attachment 1116282 [details]
debug level 100

1) service sssd stopped
2) old log cleaned
3) service started
4) Try ssh
5) service stopped.

Comment 5 Alexander Bokovoy 2016-01-19 17:26:19 UTC
You have a typo in your login:

(Tue Jan 19 12:14:35 2016) [sssd[be[local.office]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=Administrator:U]

Your AD forest root domain is network.buhta but you specified Administrator.

Comment 6 Testino 2016-01-19 17:50:15 UTC
Created attachment 1116287 [details]
debug level 100

Comment 7 Testino 2016-01-19 17:50:32 UTC
Created attachment 1116288 [details]
debug level 100

Comment 8 Testino 2016-01-19 17:50:51 UTC
Created attachment 1116290 [details]
debug level 100

Comment 9 Testino 2016-01-19 17:51:08 UTC
Created attachment 1116292 [details]
debug level 100

Comment 10 Testino 2016-01-19 17:51:48 UTC
(In reply to Alexander Bokovoy from comment #5)
> You have typo in your login:
> 
> (Tue Jan 19 12:14:35 2016) [sssd[be[local.office]]] [be_get_account_info]
> (0x0200): Got request for [0x1001][1][name=Administrator:U]
> 
> your AD forest root domain is network.buhta but you specified
> Administrator.

Oh, I will upload new logs.

Comment 11 Tomas Babej 2016-01-26 13:15:56 UTC
I see "Ticket not yet valid" in the SSSD logs. Maybe the issue is that the time between IPA server and the Active Directory is not synchronized?

Comment 12 Petr Vobornik 2016-05-18 11:28:20 UTC
Closing due to lack of information and activity.