I Setup FREEIPA based on the RHEL 8 IDM AD-Trust all the settings and went as planned. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-trust-between-idm-and-ad_installing-identity-management#supported-versions-of-windows-server_installing-trust-between-idm-and-ad When I ran
ipa trust-add --type=ad win.foo.lan --admin administrator --password --range-type=ipa-ad-trust --two-way=true
Active Directory domain administrator’s password:
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue
I can see the trust in the IDM web console and able to run kinit administrator@WIN.FOO.LAN and that works.
But getting a service ticket fails
kvno -S host idm1.lnx.foo.lan
kvno: Ticket not yet valid while getting credentials for host/idm1.lnx.corp.lan@LNX.FOO.LAN
I removed the trust and tried again this time using the Web console and it worked. What I am not sure about is how to setup AD groups in IDM so AD users can login to Freeipa resources. Any help is appreciated.
I figured out the mapping.
ipa group-add --desc=‘ad_domain admins external map’ ad_test_external --external
ipa group-add --desc=‘ad_domain test’ ad_test
ipa group-add-member ad_admins_external --external ‘win\test’
How ever users in the test group are unable to login.
Here is what the logs show
Sep 16 11:19:09 idm1.lnx.lan login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= email@example.com
Sep 16 11:19:09 idm1.lnx.lan login: pam_sss(login:auth): received for user firstname.lastname@example.org: 6 (Permission denied)
Sep 16 11:19:10 idm1.lnx.lan login: FAILED LOGIN SESSION FROM tty1 FOR email@example.com, Authentication failure
Sep 16 11:19:14 idm1.lnx.lan systemd: firstname.lastname@example.org: Succeeded.
Sep 16 11:19:14 idm1.lnx.lan systemd: email@example.com: Service has no hold-off time (RestartSec=0), scheduling restart.
Sep 16 11:19:14 idm1.lnx.lan systemd: firstname.lastname@example.org: Scheduled restart job, restart counter is at 10.
Sep 16 11:19:14 idm1.lnx.lan systemd: Stopped Getty on tty1.
You need to make sure your AD domain can properly see the IPA domain through srv records and firewall ports that IPA usually has open. Even if the IPA console says the trust is there, it does not mean it is working. Resolve this first before troubleshooting further.
Once you’ve resolved the above and you still cannot login with users, you will need to put sssd into debug mode to dig into your issue further. Troubleshooting Basics - sssd.io
Appears on my Windows server _kerberos._udp.dc._msdcs.win.corp.lan. is not working as expected. I disabled the firewall on my Windows server and Freeipa servers.
Not surprised, the dns record probably doesn’t exist, the PAC is too big for udp. See here: https://bugzilla.redhat.com/show_bug.cgi?id=1914618