I've installed an IdM server and replica, both on Red Hat 9, with ansible-playbook. On IdM I've configured a trust to AD. I've checked getting information from the CLI on the server/replica and it works fine for AD users:
# id myaccount
uid=UID(myaccount) gid=GID(...
# getent passwd myaccount
myaccount:*:UID:GID:myaccount:/home/myaccount:/bin/bash
But it does not work on the client side. Currently I'm testing CentOS 7, because I have a lot of VMs with CentOS 7. They are waiting for migration to Red Hat 9.
# id myaccount
id: myaccount: no such user
# getent passwd myaccount
# returns nothing, or error code
Sometimes it works after cleaning:
systemctl stop sssd.service; rm -f /var/lib/sss/db/*; systemctl start sssd.service
But not for all accounts from AD. I can check accounts from IdM on the client side:
# id admin
uid=2400000(admin) gid=2400000(admins) groups=2400000(admins)
In addition, kinit [email protected] works only from the server/replica but not from the client:
kinit: Cannot find KDC for realm "ad.domain.tld" while getting initial credentials
My hosts.ini:
[ipaserver]
idm-server.domain.tld
[ipaservers]
idm-server.domain.tld
idm-replica.domain.tld
[ipareplicas]
idm-replica.domain.tld ipareplica_servers=idm-server.domain.tld
[ipaclients]
node6 ansible_host=idm-client
# https://github.com/freeipa/ansible-freeipa/blob/master/roles/ipaclient/README.md
[ipaclients:vars]
ipaclient_domain=domain.tld
ipaclient_mkhomedir=true
ipaclient_force_join=true
ipaclient_no_ntp=no
ipaclient_ntp_servers=ntp.domain.tld
# https://github.com/freeipa/ansible-freeipa/blob/master/roles/ipaserver/README.md
[ipaserver:vars]
ipaserver_domain=domain.tld
ipaserver_realm=DOMAIN.TLD
ipaserver_setup_dns=no
ipaserver_external_ca=yes
ipaserver_install_packages=yes
# ipaserver_setup_firewalld=yes
# ipaserver_firewalld_zone=public
ipaserver_setup_adtrust=yes
ipaserver_dirsrv_cert_files=["/root/certs/idm.domain.tld.pem","/root/certs/idm.domain.tld.key"]
ipaserver_http_cert_files=["/root/certs/idm.domain.tld.pem","/root/certs/idm.domain.tld.key"]
ipaserver_no_pkinit=true
# https://github.com/freeipa/ansible-freeipa/issues/479: needs to be executed in the CLI with -e ipaclient_no_ntp=no, which ensures it doesn't get overwritten.
ipaclient_no_ntp=no
# https://github.com/freeipa/ansible-freeipa/blob/master/roles/ipareplica/README.md
[ipareplicas:vars]
ipareplica_domain=domain.tld
ipaadmin_principal=admin
ipareplica_dirsrv_cert_files=["/root/certs/idm.domain.tld.pem","/root/certs/idm.domain.tld.key"]
ipareplica_http_cert_files=["/root/certs/idm.domain.tld.pem","/root/certs/idm.domain.tld.key"]
ipareplica_no_pkinit=true
ipareplica_setup_dns=no
ipareplica_setup_adtrust=yes
ipaclient_mkhomedir=true
Unfortunately I cannot run update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY on CentOS 7. What else can I check to see why I cannot retrieve user information from AD?
Edit:
DNS records:
ipa dns-update-system-records --dry-run
IPA DNS records:
_kerberos-master._tcp.domain.tld. 3600 IN SRV 0 100 88 idm-server.domain.tld.
_kerberos-master._tcp.domain.tld. 3600 IN SRV 0 100 88 idm-replica.domain.tld.
_kerberos-master._udp.domain.tld. 3600 IN SRV 0 100 88 idm-server.domain.tld.
_kerberos-master._udp.domain.tld. 3600 IN SRV 0 100 88 idm-replica.domain.tld.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.tld. 3600 IN SRV 0 100 88 idm-server.domain.tld.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.tld. 3600 IN SRV 0 100 88 idm-replica.domain.tld.
_kerberos._tcp.dc._msdcs.domain.tld. 3600 IN SRV 0 100 88 idm-server.domain.tld.
_kerberos._tcp.dc._msdcs.domain.tld. 3600 IN SRV 0 100 88 idm-replica.domain.tld.
_kerberos._tcp.domain.tld. 3600 IN SRV 0 100 88 idm-server.domain.tld.
_kerberos._tcp.domain.tld. 3600 IN SRV 0 100 88 idm-replica.domain.tld.
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.domain.tld. 3600 IN SRV 0 100 88 idm-server.domain.tld.
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.domain.tld. 3600 IN SRV 0 100 88 idm-replica.domain.tld.
_kerberos._udp.dc._msdcs.domain.tld. 3600 IN SRV 0 100 88 idm-server.domain.tld.
_kerberos._udp.dc._msdcs.domain.tld. 3600 IN SRV 0 100 88 idm-replica.domain.tld.
_kerberos._udp.domain.tld. 3600 IN SRV 0 100 88 idm-server.domain.tld.
_kerberos._udp.domain.tld. 3600 IN SRV 0 100 88 idm-replica.domain.tld.
_kerberos.domain.tld. 3600 IN TXT "DOMAIN.TLD"
_kerberos.domain.tld. 3600 IN URI 0 100 "krb5srv:m:tcp:idm-server.domain.tld."
_kerberos.domain.tld. 3600 IN URI 0 100 "krb5srv:m:tcp:idm-replica.domain.tld."
_kerberos.domain.tld. 3600 IN URI 0 100 "krb5srv:m:udp:idm-server.domain.tld."
_kerberos.domain.tld. 3600 IN URI 0 100 "krb5srv:m:udp:idm-replica.domain.tld."
_kpasswd._tcp.domain.tld. 3600 IN SRV 0 100 464 idm-server.domain.tld.
_kpasswd._tcp.domain.tld. 3600 IN SRV 0 100 464 idm-replica.domain.tld.
_kpasswd._udp.domain.tld. 3600 IN SRV 0 100 464 idm-server.domain.tld.
_kpasswd._udp.domain.tld. 3600 IN SRV 0 100 464 idm-replica.domain.tld.
_kpasswd.domain.tld. 3600 IN URI 0 100 "krb5srv:m:tcp:idm-server.domain.tld."
_kpasswd.domain.tld. 3600 IN URI 0 100 "krb5srv:m:tcp:idm-replica.domain.tld."
_kpasswd.domain.tld. 3600 IN URI 0 100 "krb5srv:m:udp:idm-server.domain.tld."
_kpasswd.domain.tld. 3600 IN URI 0 100 "krb5srv:m:udp:idm-replica.domain.tld."
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.tld. 3600 IN SRV 0 100 389 idm-server.domain.tld.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.tld. 3600 IN SRV 0 100 389 idm-replica.domain.tld.
_ldap._tcp.dc._msdcs.domain.tld. 3600 IN SRV 0 100 389 idm-server.domain.tld.
_ldap._tcp.dc._msdcs.domain.tld. 3600 IN SRV 0 100 389 idm-replica.domain.tld.
_ldap._tcp.domain.tld. 3600 IN SRV 0 100 389 idm-server.domain.tld.
_ldap._tcp.domain.tld. 3600 IN SRV 0 100 389 idm-replica.domain.tld
# ipa config-show
Maximum username length: 32
Maximum hostname length: 64
Home directory base: /u
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain: domain.tld
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: True
Certificate Subject base: O=DOMAIN.TLD
Password Expiration Notification (days): 4
Password plugin features: AllowNThash, KDC:Disable Last Success
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC, nfs:NONE
Enable adding subids to new users: True
IPA masters: idm-server.domain.tld, idm-replica.domain.tld
Domain resolution order: ad.domain.tld:domain.tld
# ipa idrange-find
----------------
3 ranges matched
----------------
Range name: DOMAIN.TLD_id_range
First Posix ID of the range: 2400000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Range name: DOMAIN.TLD_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-3530079355
Range type: Active Directory domain range
Range name: AD.DOMAIN.TLD_id_range
First Posix ID of the range: 1876600000
Number of IDs in the range: 200000
Domain SID of the trusted domain: S-1-5-21-3292370258-206829766-3718235287
Range type: Active Directory trust range with POSIX attributes
2024-07-10
I've checked an IdM account:
sssctl user-checks fake
user: fake
action: acct
service: system-auth
SSSD nss user lookup result:
- user name: fake
- user id: 2400013
- group id: 2400013
- gecos: Name Last
- home directory: /u/fake
- shell: /bin/sh
SSSD InfoPipe user lookup result:
- name: fake
- uidNumber: 2400013
- gidNumber: 2400013
- gecos: Name Last
- homeDirectory: /u/fake
- loginShell: /bin/sh
testing pam_acct_mgmt
pam_acct_mgmt: Success
PAM Environment:
- no env -
but it does not work for an AD account:
# sssctl user-checks AD_account
user: AD_account
action: acct
service: system-auth
sss_getpwnam_r failed with [0].
User name lookup with [AD_account] failed.
Unable to get user object
InfoPipe User lookup with [AD_account] failed.
testing pam_acct_mgmt
pam_acct_mgmt: User not known to the underlying authentication module
PAM Environment:
- no env
Domains:
# sssctl domain-list
domain.tld
ad_domain.tld
# sssctl domain-status ad_domain.tld
Online status: Online
Active servers:
IPA: ipa_replica.domain.tld
Discovered IPA servers:
- ipa_server.domain.tld
- ipa_replica.domain.tld
- ipa_server.domain.tld
- ipa_replica.domain.tld
Cannot find KDC for realm "ad.domain.tld"
and? What is the IP address of the KDC? Can you ping it? Is the client using the KDC for DNS? If not, what DNS SRV records exist for the domain? ipa dns-update-system-records --dry-run.
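The KDC-discovery check the reply above asks about, as an added example that is not part of the thread: it models how libkrb5 on an IPA client finds a KDC (an explicit kdc line in krb5.conf, otherwise _kerberos SRV lookups for the realm) and evaluates captured dig answers. The krb5.conf excerpt and the SRV answers are constructed sample data, not taken from the poster's systems.

```shell
#!/bin/sh
# Added diagnostic helper, not from the original post. An explicit "kdc ="
# line in the [realms] section of krb5.conf wins; otherwise, with
# dns_lookup_kdc enabled, libkrb5 queries _kerberos._udp/_tcp SRV records
# for the realm. IPA clients normally carry no entry for the AD realm, so
# "Cannot find KDC for realm" on the client points at the client's resolver.

# Print the "kdc =" targets configured for a realm in a krb5.conf text.
configured_kdcs() {  # $1 = krb5.conf contents, $2 = realm
    printf '%s\n' "$1" | awk -v realm="$2" '
        $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && $1 == "}"                  { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "="   { print $3 }'
}

# SRV names libkrb5 queries for a realm when no kdc is configured.
kdc_srv_names() {  # $1 = realm
    r=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '_kerberos._udp.%s\n_kerberos._tcp.%s\n' "$r" "$r"
}

# Evaluate a "dig +short SRV" answer: "ok N" when N KDC targets on port 88
# exist, else "missing" (the condition behind "Cannot find KDC for realm").
check_srv_answer() {  # $1 = dig +short SRV output, one record per line
    n=$(printf '%s\n' "$1" | awk 'NF == 4 && $3 == 88 { c++ } END { print c + 0 }')
    [ "$n" -gt 0 ] && echo "ok $n" || echo "missing"
}

# Constructed krb5.conf excerpt in the shape ipa-client-install writes (assumption).
KRB5_CONF='[libdefaults]
  default_realm = DOMAIN.TLD
  dns_lookup_kdc = true
[realms]
  DOMAIN.TLD = {
    kdc = idm-server.domain.tld:88
    kdc = idm-replica.domain.tld:88
  }'

# Constructed SRV answers: the IPA domain resolves, the AD realm returns nothing.
IPA_SRV='0 100 88 idm-server.domain.tld.
0 100 88 idm-replica.domain.tld.'
AD_SRV=''

# Live use on the client, against the resolver it actually uses:
#   for n in $(kdc_srv_names AD.DOMAIN.TLD); do
#       echo "$n: $(check_srv_answer "$(dig +short SRV "$n")")"; done
```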