Bug 1299924 - Active Directory trust corrupted centos 7 ipa 4.2.0
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 22
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-01-19 14:53 UTC by Testino
Modified: 2019-10-23 11:24 UTC

Doc Type: Bug Fix
Last Closed: 2016-05-18 11:28:20 UTC
Type: Bug
dima.krasnikov: needinfo-


Attachments
debug level 100 (8.71 KB, text/plain), 2016-01-19 17:21 UTC, Testino
debug level 100 (27.60 KB, text/plain), 2016-01-19 17:21 UTC, Testino
debug level 100 (177.14 KB, text/plain), 2016-01-19 17:21 UTC, Testino
debug level 100 (54.87 KB, text/plain), 2016-01-19 17:50 UTC, Testino
debug level 100 (29.76 KB, text/plain), 2016-01-19 17:50 UTC, Testino
debug level 100 (33.25 KB, text/plain), 2016-01-19 17:50 UTC, Testino
debug level 100 (368.53 KB, text/plain), 2016-01-19 17:51 UTC, Testino

Description Testino 2016-01-19 14:53:07 UTC
Description of problem:
Can't log in using an Active Directory account to Linux with FreeIPA;
always receive error 4 (system error)
-----------------
Jan 19 07:38:11 ipa1 sshd[21179]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.253 user=Administrator
Jan 19 07:38:11 ipa1 sshd[21179]: pam_sss(sshd:auth): received for user Administrator: 4 (System error)
Jan 19 07:38:11 ipa1 sshd[21179]: Failed password for Administrator from 10.10.10.253 port 58075 ssh2
Jan 19 07:38:12 ipa1 sshd[21179]: Connection closed by 10.10.10.253 [preauth]
-----------------
Version-Release number of selected component (if applicable):
ipa-admintools-4.2.0-15.el7.centos.3.x86_64
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-client-4.2.0-15.el7.centos.3.x86_64
ipa-server-trust-ad-4.2.0-15.el7.centos.3.x86_64
libipa_hbac-1.13.0-40.el7_2.1.x86_64
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
ipa-python-4.2.0-15.el7.centos.3.x86_64
ipa-server-4.2.0-15.el7.centos.3.x86_64
ipa-server-dns-4.2.0-15.el7.centos.3.x86_64

How reproducible:


Steps to Reproduce:
0. Install Windows 2012r2 with ad
1. Install fresh OS like CentOS Linux release 7.2.1511 (Core)
2. Add Ipa repo https://copr.fedoraproject.org/coprs/mkosek/freeipa/
3. Use setup steps from http://www.freeipa.org/page/Active_Directory_trust_setup

Actual results:
[root@ipa1 ~]# ipa trustdomain-find "ad.domain"
  Domain name: ad.domain
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-332875919-1006289667-2800693926
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

[root@ipa1 ~]# getent passwd Administrator
administrator:*:464400500:464400500:Administrator:/home/ad.domain/administrator:

ssh ipa.server -l Administrator
cut from secure log

Jan 19 07:38:11 ipa1 sshd[21179]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.253 user=Administrator
Jan 19 07:38:11 ipa1 sshd[21179]: pam_sss(sshd:auth): received for user Administrator: 4 (System error)
Jan 19 07:38:11 ipa1 sshd[21179]: Failed password for Administrator from 10.10.10.253 port 58075 ssh2
Jan 19 07:38:12 ipa1 sshd[21179]: Connection closed by 10.10.10.253 [preauth]

Expected results:


Additional info:

Comment 1 Jakub Hrozek 2016-01-19 15:15:50 UTC
This looks more like an SSSD issue, can you attach sssd logs? See https://fedorahosted.org/sssd/wiki/Troubleshooting

btw CentOS bugs shouldn't be filed against the Fedora product I guess :-)

Comment 2 Testino 2016-01-19 17:21:07 UTC
Created attachment 1116280
debug level 100

1) service sssd stopped
2) old log cleaned
3) service started
4) Try ssh
5) service stopped.

Comment 3 Testino 2016-01-19 17:21:30 UTC
Created attachment 1116281
debug level 100

1) service sssd stopped
2) old log cleaned
3) service started
4) Try ssh
5) service stopped.

Comment 4 Testino 2016-01-19 17:21:55 UTC
Created attachment 1116282
debug level 100

1) service sssd stopped
2) old log cleaned
3) service started
4) Try ssh
5) service stopped.

Comment 5 Alexander Bokovoy 2016-01-19 17:26:19 UTC
You have a typo in your login:

(Tue Jan 19 12:14:35 2016) [sssd[be[local.office]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=Administrator:U]

Your AD forest root domain is network.buhta but you specified Administrator.

Comment 6 Testino 2016-01-19 17:50:15 UTC
Created attachment 1116287
debug level 100

Comment 7 Testino 2016-01-19 17:50:32 UTC
Created attachment 1116288
debug level 100

Comment 8 Testino 2016-01-19 17:50:51 UTC
Created attachment 1116290
debug level 100

Comment 9 Testino 2016-01-19 17:51:08 UTC
Created attachment 1116292
debug level 100

Comment 10 Testino 2016-01-19 17:51:48 UTC
(In reply to Alexander Bokovoy from comment #5)
> You have typo in your login:
> 
> (Tue Jan 19 12:14:35 2016) [sssd[be[local.office]]] [be_get_account_info]
> (0x0200): Got request for [0x1001][1][name=Administrator:U]
> 
> your AD forest root domain is network.buhta but you specified
> Administrator.

Oh, I will upload new logs

Comment 11 Tomas Babej 2016-01-26 13:15:56 UTC
I see "Ticket not yet valid" in the SSSD logs. Maybe the issue is that the time between IPA server and the Active Directory is not synchronized?

Comment 12 Petr Vobornik 2016-05-18 11:28:20 UTC
closing due to lack of information and activity
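
Added example, not part of the original bug report or of SSSD/FreeIPA: a small log triage script for the two findings raised in comments 5 and 11, a lookup request whose user name carries no domain qualifier and a Kerberos clock error. The function name `triage` and the finding labels are assumptions; the first sample line is the one quoted in comment 5, the other two are constructed.

```python
import re

# Sample in the SSSD debug-log layout. Line 1 is quoted in comment 5;
# lines 2 and 3 are constructed for illustration.
SAMPLE_LOG = """\
(Tue Jan 19 12:14:35 2016) [sssd[be[local.office]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=Administrator:U]
(Tue Jan 19 12:14:36 2016) [sssd[be[local.office]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=administrator@ad.domain:U]
(Tue Jan 19 12:14:37 2016) [[sssd[krb5_child[21200]]]] [get_and_save_tgt] (0x0020): Ticket not yet valid
"""

# Captures the name inside "[name=<user>:<type>]" on be_get_account_info lines.
REQUEST = re.compile(r"\[be_get_account_info\].*\[name=([^\]:]+)(?::\w+)?\]")

# Kerberos error strings that point at time drift between the client/IPA
# server and the AD domain controller.
CLOCK_ERRORS = ("Ticket not yet valid", "Clock skew too great")


def triage(log_text):
    """Return (line_number, kind, detail) for each log line worth a look."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST.search(line)
        if match:
            name = match.group(1)
            # IPA-native users legitimately appear without a domain part, so
            # this is only a hint when the account lives in the trusted AD.
            if "@" not in name and "\\" not in name:
                findings.append((number, "unqualified-name", name))
        for marker in CLOCK_ERRORS:
            if marker in line:
                findings.append((number, "clock-skew", marker))
    return findings


if __name__ == "__main__":
    for number, kind, detail in triage(SAMPLE_LOG):
        print(f"line {number}: {kind}: {detail}")
```

An `unqualified-name` hit for an AD account suggests retrying the login as `user@ad.domain`; a `clock-skew` hit suggests comparing the time on the IPA server and the AD domain controller.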

