FreeIPA AD trust

dsexton18 · September 16, 2023, 11:29am

I Setup FREEIPA based on the RHEL 8 IDM AD-Trust all the settings and went as planned. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-trust-between-idm-and-ad_installing-identity-management#supported-versions-of-windows-server_installing-trust-between-idm-and-ad When I ran

ipa trust-add --type=ad win.foo.lan --admin administrator --password --range-type=ipa-ad-trust --two-way=true

Active Directory domain administrator’s password:

ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue

I can see the trust in the IDM web console and able to run kinit administrator@WIN.FOO.LAN and that works.

But getting a service ticket fails

kvno -S host idm1.lnx.foo.lan
kvno: Ticket not yet valid while getting credentials for host/idm1.lnx.corp.lan@LNX.FOO.LAN

dsexton18 · September 16, 2023, 1:33pm

I removed the trust and tried again this time using the Web console and it worked. What I am not sure about is how to setup AD groups in IDM so AD users can login to Freeipa resources. Any help is appreciated.

dsexton18 · September 16, 2023, 4:11pm

I figured out the mapping.
ipa group-add --desc=‘ad_domain admins external map’ ad_test_external --external
ipa group-add --desc=‘ad_domain test’ ad_test
ipa group-add-member ad_admins_external --external ‘win\test’

How ever users in the test group are unable to login.

dsexton18 · September 16, 2023, 4:21pm

Here is what the logs show

Sep 16 11:19:09 idm1.lnx.lan login[20719]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser@win.lan
Sep 16 11:19:09 idm1.lnx.lan login[20719]: pam_sss(login:auth): received for user testuser@win.lan: 6 (Permission denied)
Sep 16 11:19:10 idm1.lnx.lan login[20719]: FAILED LOGIN SESSION FROM tty1 FOR testuser@win.corp.lan, Authentication failure
Sep 16 11:19:14 idm1.lnx.lan systemd[1]: getty@tty1.service: Succeeded.
Sep 16 11:19:14 idm1.lnx.lan systemd[1]: getty@tty1.service: Service has no hold-off time (RestartSec=0), scheduling restart.
Sep 16 11:19:14 idm1.lnx.lan systemd[1]: getty@tty1.service: Scheduled restart job, restart counter is at 10.
Sep 16 11:19:14 idm1.lnx.lan systemd[1]: Stopped Getty on tty1.

nazunalika · September 16, 2023, 5:28pm

You need to make sure your AD domain can properly see the IPA domain through srv records and firewall ports that IPA usually has open. Even if the IPA console says the trust is there, it does not mean it is working. Resolve this first before troubleshooting further.

Once you’ve resolved the above and you still cannot login with users, you will need to put sssd into debug mode to dig into your issue further. Troubleshooting Basics - sssd.io

dsexton18 · September 18, 2023, 11:14pm

Appears on my Windows server _kerberos._udp.dc._msdcs.win.corp.lan. is not working as expected. I disabled the firewall on my Windows server and Freeipa servers.
Non-existent domain

hortimech · September 19, 2023, 7:06am

Not surprised, the dns record probably doesn’t exist, the PAC is too big for udp. See here: https://bugzilla.redhat.com/show_bug.cgi?id=1914618

system · November 18, 2023, 7:06am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Freeipa and active directory integration Rocky Linux General	2	1418	August 25, 2023
Rocky 8.9 Idm Server Problem Rocky Linux General	4	374	March 26, 2024
Use of IPA to control su access Rocky Linux General	3	417	August 25, 2023
How to get xrdp to work with ipa users Rocky Linux General	3	519	August 25, 2023
Install and configure FREEIPA client via ansible role Rocky Linux General	6	113	April 3, 2024

FreeIPA AD trust

Related Topics