Description of problem:
Can't login to a RHEL ipa-client machine using an AD account after setting up a trust against a 2012 Active Directory domain controller.

Version-Release number of selected component (if applicable):
rpm -qa | grep ipa
ipa-server-3.0.0-26.el6_4.2.x86_64
libipa_hbac-1.9.2-82.7.el6_4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-26.el6_4.2.x86_64
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-server-trust-ad-3.0.0-26.el6_4.2.x86_64
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create a trust to an AD 2012 domain
2. Login to an ipa-client machine using an AD account

Actual results:
# ssh -l admpetgus ipa-server.example.com
admpetgus@ipa-server.example.com's password:
Permission denied, please try again.

And in /var/log/secure on the ipa-client machine:
Jul 2 11:14:59 ipa-server sshd[7785]: pam_sss(sshd:auth): system info: [KDC returned error string: HANDLE_AUTHDATA]
Jul 2 11:14:59 ipa-server sshd[7785]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.65 user=admpetgus
Jul 2 11:14:59 ipa-server sshd[7785]: pam_sss(sshd:auth): received for user admpetgus: 4 (System error)

kvno host/$(hostname)@NIX.EXAMPLE.COM
kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/ipa-server.nix.example.com.COM
#

Expected results:
ssh login should work.

Additional info:
Backport trac ticket https://fedorahosted.org/freeipa/ticket/3289 to ipa 3.0 so a trust against an AD 2012 works.

Br,
Peter Gustafsson
The ticket 3289 is not really relevant here alone. What is relevant is its predecessor which actually adds support for Windows Server 2012.
(In reply to Alexander Bokovoy from comment #2)
> The ticket 3289 is not really relevant here alone. What is relevant is its
> predecessor which actually adds support for Windows Server 2012.

Yes, I gave them a test-build with the patch from https://fedorahosted.org/freeipa/ticket/3231 on top of the latest RHEL6 build and got the feedback that now everything is working as expected. I really think it is worth adding this patch in 6.5.
(In reply to Sumit Bose from comment #3)
> (In reply to Alexander Bokovoy from comment #2)
> > The ticket 3289 is not really relevant here alone. What is relevant is its
> > predecessor which actually adds support for Windows Server 2012.
>
> yes, I gave them a test-build with the patch from
> https://fedorahosted.org/freeipa/ticket/3231 on top of the latest RHEL6
> build and got the feedback that now everything is working as expected. I
> really think it is worth adding this patch in 6.5.

(In reply to Alexander Bokovoy from comment #2)
> The ticket 3289 is not really relevant here alone. What is relevant is its
> predecessor which actually adds support for Windows Server 2012.

Yes, with the test-build from Sumit everything is working as expected. Since Windows Server 2012 is becoming common nowadays, I also really think it is worth adding this patch in 6.5.
The full scope of changes to support Windows Server 2012 in IdM is tracked in bug 910453 for RHEL 7. However, the patch from FreeIPA upstream ticket https://fedorahosted.org/freeipa/ticket/3231 represents minimal support with a hard-coded configuration that is enough to support default Windows Server 2012 installs. So I'd suggest including it in 6.5, given that the engineering work has already been performed as part of upstream activities and initial testing in a customer's environment gave a positive result.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3768
This Bugzilla is solved by ticket 3231 (see Comment 3), not 3289. Updating the Bugzilla title. I will move this to POST, as the upstream bug is fixed:

master: 32916d444b038e6d68348b62481a4e2871438568
Fixed one coverity issue, added 2 stabilization patches related to AD2012 backported code.
One more coverity fix -> ipa-3.0.0-33.el6.
[root@dhcp207-85 ~]# nmap -A ad12srv1.adtest.qe
....
Host script results:
|_nbstat: NetBIOS name: AD12SRV1, NetBIOS user: <unknown>, NetBIOS MAC: 52:54:00:a8:2d:d6 (QEMU Virtual NIC)
|_smbv2-enabled: Server supports SMBv2 protocol
| smb-os-discovery:
|   OS: Windows Server 2012 Standard 9200 (Windows Server 2012 Standard 6.2)
|   Name: ADTEST\AD12SRV1
|_  System time: 2013-09-23 19:50:32 UTC+5.5

[root@dhcp207-85 ~]# ipa trust-add --type=ad adtest.qe --admin Administrator --password
Active directory domain administrator's password:
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@dhcp207-85 ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range

  Range name: TESTRELM.COM_id_range
  First Posix ID of the range: 1811200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

[root@dhcp207-85 ~]# getent passwd user1
user1:*:1148401110:1148401110::/home/adtest.qe/user1:

[root@dhcp207-85 ~]# ssh -l user1 dhcp207-85.testrelm.com
user1@dhcp207-85.testrelm.com's password:
Could not chdir to home directory /home/adtest.qe/user1: No such file or directory
-sh-4.1$ logout
Connection to dhcp207-85.testrelm.com closed.
On IPA Client

[root@dhcp207-25 ~]# ipa-client-install --domain testrelm.com
Discovery was successful!
Hostname: dhcp207-25.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: dhcp207-85.testrelm.com
BaseDN: dc=testrelm,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin:
Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
trying https://dhcp207-85.testrelm.com/ipa/xml
Forwarding 'env' to server u'https://dhcp207-85.testrelm.com/ipa/xml'
Hostname (dhcp207-25.testrelm.com) not found in DNS
DNS server record set to: dhcp207-25.testrelm.com -> 10.65.207.25
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://dhcp207-85.testrelm.com/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

[root@dhcp207-25 ~]# getent passwd user1
user1:*:1148401110:1148401110::/home/adtest.qe/user1:

[root@dhcp207-25 ~]# ssh -l user1 dhcp207-85.testrelm.com
user1@dhcp207-85.testrelm.com's password:
Last login: Mon Sep 23 19:59:19 2013 from dhcp207-85.testrelm.com
Could not chdir to home directory /home/adtest.qe/user1: No such file or directory
-sh-4.1$ logout
Connection to dhcp207-85.testrelm.com closed.
Without Password

[root@dhcp207-25 ~]# vim /etc/krb5.conf
[root@dhcp207-25 ~]# grep auth_to_local /etc/krb5.conf
  auth_to_local = RULE:[1:$1@$0](^.*@ADTEST.QE$)s/@ADTEST.QE/@adtest.qe/
  auth_to_local = DEFAULT
[root@dhcp207-25 ~]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
[root@dhcp207-25 ~]# kinit user1
Password for user1:
[root@dhcp207-25 ~]# ssh -K -l user1 dhcp207-85.testrelm.com
Last login: Tue Sep 24 15:33:38 2013 from dhcp207-85.testrelm.com
Could not chdir to home directory /home/adtest.qe/user1: No such file or directory
-sh-4.1$ logout
Connection to dhcp207-85.testrelm.com closed.
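A model of how the two auth_to_local lines in the comment above are evaluated, added here as an illustration; it is not code from this bug, from FreeIPA or from MIT krb5. It implements the documented MIT krb5 semantics of RULE:[n:string](regexp)s/pattern/replacement/[g] and DEFAULT in Python and runs them over the rules from the comment. The default realm TESTRELM.COM is taken from the client install output, and the extra principals (an IPA admin, a host principal, a user in an unrelated realm) are constructed test inputs, not something the bug shows. The point it makes beyond the comment: user1@ADTEST.QE is rewritten to user1@adtest.qe (the fully qualified name that SSSD resolves), a principal in the IPA realm falls through to DEFAULT and keeps its bare name, and anything else yields no local name at all, so the conversion fails instead of mapping the login to an unrelated account.

```python
import re
from typing import List, Optional, Sequence, Tuple

# Constructed sample: the two auth_to_local lines from the verification
# comment, plus the IPA realm that krb5.conf on the client names as default_realm.
RULES = [
    "RULE:[1:$1@$0](^.*@ADTEST.QE$)s/@ADTEST.QE/@adtest.qe/",
    "DEFAULT",
]
DEFAULT_REALM = "TESTRELM.COM"  # assumption taken from the ipa-client-install output


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'host/ipa.testrelm.com@REALM' -> (['host', 'ipa.testrelm.com'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: " + principal)
    return name.split("/"), realm


def parse_rule(rule: str):
    """Split RULE:[n:string](regexp)s/pattern/replacement/g into (n, string, regexp, subst).

    The (regexp) and s/// parts are optional, as in MIT krb5; subst is
    (pattern, replacement, is_global) or None.
    """
    if not rule.startswith("RULE:["):
        raise ValueError("not a RULE: " + rule)
    close = rule.index("]")
    n_str, fmt = rule[len("RULE:["):close].split(":", 1)
    rest = rule[close + 1:]

    regexp = None
    if rest.startswith("("):
        depth = 0
        for i, ch in enumerate(rest):  # find the ')' that closes the regexp
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                regexp, rest = rest[1:i], rest[i + 1:]
                break
        else:
            raise ValueError("unbalanced regexp in " + rule)

    subst = None
    if rest.startswith("s/"):
        pattern, replacement, flags = (rest[2:].split("/") + [""])[:3]
        subst = (pattern, replacement, "g" in flags)
    return int(n_str), fmt, regexp, subst


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Local name produced by one RULE, or None when the rule does not apply."""
    comps, realm = split_principal(principal)
    n, fmt, regexp, subst = parse_rule(rule)
    if len(comps) != n:
        return None  # a RULE only applies to principals with exactly n components
    # $0 is the realm, $1..$n are the principal components.
    formatted = re.sub(
        r"\$(\d+)",
        lambda m: realm if m.group(1) == "0" else comps[int(m.group(1)) - 1],
        fmt,
    )
    # The regexp is a search, so keep the ^ and $ anchors as the comment does.
    if regexp is not None and re.search(regexp, formatted) is None:
        return None
    if subst is not None:
        pattern, replacement, is_global = subst
        formatted = re.sub(pattern, replacement, formatted, count=0 if is_global else 1)
    return formatted


def auth_to_local(principal: str, rules: Sequence[str], default_realm: str) -> Optional[str]:
    """Try the rules in order; the first applicable one wins; None means the conversion fails."""
    comps, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT applies only to single-component principals in the default realm.
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for p in ("user1@ADTEST.QE", "admin@TESTRELM.COM",
              "host/ipa.testrelm.com@TESTRELM.COM", "user1@OTHER.QE"):
        print(f"{p:40} -> {auth_to_local(p, RULES, DEFAULT_REALM)}")
```

Rule order matters: DEFAULT has to stay last, because a rule that applies ends the walk, and DEFAULT would otherwise swallow every single-component principal of the IPA realm before the AD rule is reached.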
Verified

[root@dhcp207-85 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 Beta (Santiago)
[root@dhcp207-85 ~]# rpm -q ipa-server
ipa-server-3.0.0-35.el6.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1651.html