
I've installed an IdM server and replica, both on Red Hat 9, with ansible-playbook. On IdM I've configured a trust to AD. I've checked getting information from the CLI on the server/replica and it works fine for AD users:

# id myaccount
uid=UID(myaccount) gid=GID(...

# getent passwd myaccount
myaccount:*:UID:GID:myaccount:/home/myaccount:/bin/bash

But it does not work on the client side. Currently I'm testing CentOS 7, because I have a lot of VMs with CentOS 7. They are waiting for migration to Red Hat 9.

# id myaccount
id: myaccount: no such user

# getent passwd myaccount
# returns nothing, or error code

Sometimes it works after cleaning:

systemctl stop sssd.service; rm -f /var/lib/sss/db/*; systemctl start sssd.service

But not for all accounts from AD. I can check an account from IdM on the client side:

# id admin
uid=2400000(admin) gid=2400000(admins) groups=2400000(admins)

In addition, kinit [email protected] works only from the server/replica but not from the client:

kinit: Cannot find KDC for realm "ad.domain.tld" while getting initial credentials

My hosts.ini:

[ipaserver]
idm-server.domain.tld

[ipaservers]
idm-server.domain.tld
idm-replica.domain.tld

[ipareplicas]
idm-replica.domain.tld ipareplica_servers=idm-server.domain.tld

[ipaclients]
node6 ansible_host=idm-client

# https://github.com/freeipa/ansible-freeipa/blob/master/roles/ipaclient/README.md
[ipaclients:vars]
ipaclient_domain=domain.tld
ipaclient_mkhomedir=true
ipaclient_force_join=true
ipaclient_no_ntp=no
ipaclient_ntp_servers=ntp.domain.tld

# https://github.com/freeipa/ansible-freeipa/blob/master/roles/ipaserver/README.md
[ipaserver:vars]
ipaserver_domain=domain.tld
ipaserver_realm=DOMAIN.TLD
ipaserver_setup_dns=no
ipaserver_external_ca=yes
ipaserver_install_packages=yes
# ipaserver_setup_firewalld=yes
# ipaserver_firewalld_zone=public
ipaserver_setup_adtrust=yes
ipaserver_dirsrv_cert_files=["/root/certs/idm.domain.tld.pem","/root/certs/idm.domain.tld.key"]
ipaserver_http_cert_files=["/root/certs/idm.domain.tld.pem","/root/certs/idm.domain.tld.key"]
ipaserver_no_pkinit=true
# https://github.com/freeipa/ansible-freeipa/issues/479 needs to be executed from the CLI with -e ipaclient_no_ntp=no, which ensures it doesn't get overwritten.
ipaclient_no_ntp=no

# https://github.com/freeipa/ansible-freeipa/blob/master/roles/ipareplica/README.md
[ipareplicas:vars]
ipareplica_domain=domain.tld
ipaadmin_principal=admin
ipareplica_dirsrv_cert_files=["/root/certs/idm.domain.tld.pem","/root/certs/idm.domain.tld.key"]
ipareplica_http_cert_files=["/root/certs/idm.domain.tld.pem","/root/certs/idm.domain.tld.key"]
ipareplica_no_pkinit=true
ipareplica_setup_dns=no
ipareplica_setup_adtrust=yes
ipaclient_mkhomedir=true

Unfortunately I cannot run update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY on CentOS 7. What else can I check to see why I cannot retrieve user information from AD?

Edit:

DNS records:

ipa dns-update-system-records --dry-run
  IPA DNS records:
    _kerberos-master._tcp.domain.tld. 3600 IN SRV 0 100 88 idm-server.domain.tld.
    _kerberos-master._tcp.domain.tld. 3600 IN SRV 0 100 88 idm-replica.domain.tld.
    _kerberos-master._udp.domain.tld. 3600 IN SRV 0 100 88 idm-server.domain.tld.
    _kerberos-master._udp.domain.tld. 3600 IN SRV 0 100 88 idm-replica.domain.tld.
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.tld. 3600 IN SRV 0 100 88 idm-server.domain.tld.
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.tld. 3600 IN SRV 0 100 88 idm-replica.domain.tld.
    _kerberos._tcp.dc._msdcs.domain.tld. 3600 IN SRV 0 100 88 idm-server.domain.tld.
    _kerberos._tcp.dc._msdcs.domain.tld. 3600 IN SRV 0 100 88 idm-replica.domain.tld.
    _kerberos._tcp.domain.tld. 3600 IN SRV 0 100 88 idm-server.domain.tld.
    _kerberos._tcp.domain.tld. 3600 IN SRV 0 100 88 idm-replica.domain.tld.
    _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.domain.tld. 3600 IN SRV 0 100 88 idm-server.domain.tld.
    _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.domain.tld. 3600 IN SRV 0 100 88 idm-replica.domain.tld.
    _kerberos._udp.dc._msdcs.domain.tld. 3600 IN SRV 0 100 88 idm-server.domain.tld.
    _kerberos._udp.dc._msdcs.domain.tld. 3600 IN SRV 0 100 88 idm-replica.domain.tld.
    _kerberos._udp.domain.tld. 3600 IN SRV 0 100 88 idm-server.domain.tld.
    _kerberos._udp.domain.tld. 3600 IN SRV 0 100 88 idm-replica.domain.tld.
    _kerberos.domain.tld. 3600 IN TXT "DOMAIN.TLD"
    _kerberos.domain.tld. 3600 IN URI 0 100 "krb5srv:m:tcp:idm-server.domain.tld."
    _kerberos.domain.tld. 3600 IN URI 0 100 "krb5srv:m:tcp:idm-replica.domain.tld."
    _kerberos.domain.tld. 3600 IN URI 0 100 "krb5srv:m:udp:idm-server.domain.tld."
    _kerberos.domain.tld. 3600 IN URI 0 100 "krb5srv:m:udp:idm-replica.domain.tld."
    _kpasswd._tcp.domain.tld. 3600 IN SRV 0 100 464 idm-server.domain.tld.
    _kpasswd._tcp.domain.tld. 3600 IN SRV 0 100 464 idm-replica.domain.tld.
    _kpasswd._udp.domain.tld. 3600 IN SRV 0 100 464 idm-server.domain.tld.
    _kpasswd._udp.domain.tld. 3600 IN SRV 0 100 464 idm-replica.domain.tld.
    _kpasswd.domain.tld. 3600 IN URI 0 100 "krb5srv:m:tcp:idm-server.domain.tld."
    _kpasswd.domain.tld. 3600 IN URI 0 100 "krb5srv:m:tcp:idm-replica.domain.tld."
    _kpasswd.domain.tld. 3600 IN URI 0 100 "krb5srv:m:udp:idm-server.domain.tld."
    _kpasswd.domain.tld. 3600 IN URI 0 100 "krb5srv:m:udp:idm-replica.domain.tld."
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.tld. 3600 IN SRV 0 100 389 idm-server.domain.tld.
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.tld. 3600 IN SRV 0 100 389 idm-replica.domain.tld.
    _ldap._tcp.dc._msdcs.domain.tld. 3600 IN SRV 0 100 389 idm-server.domain.tld.
    _ldap._tcp.dc._msdcs.domain.tld. 3600 IN SRV 0 100 389 idm-replica.domain.tld.
    _ldap._tcp.domain.tld. 3600 IN SRV 0 100 389 idm-server.domain.tld.
    _ldap._tcp.domain.tld. 3600 IN SRV 0 100 389 idm-replica.domain.tld.

# ipa config-show
  Maximum username length: 32
  Maximum hostname length: 64
  Home directory base: /u
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: domain.tld
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: True
  Certificate Subject base: O=DOMAIN.TLD
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  Enable adding subids to new users: True
  IPA masters: idm-server.domain.tld, idm-replica.domain.tld
  Domain resolution order: ad.domain.tld:domain.tld
# ipa idrange-find
----------------
3 ranges matched
----------------
  Range name: DOMAIN.TLD_id_range
  First Posix ID of the range: 2400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: DOMAIN.TLD_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147283648
  Domain SID of the trusted domain: S-1-5-21-738065-838566-3530079355
  Range type: Active Directory domain range

  Range name: AD.DOMAIN.TLD_id_range
  First Posix ID of the range: 1876600000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-3292370258-206829766-3718235287
  Range type: Active Directory trust range with POSIX attributes

2024-07-10

I've checked an IdM account:

sssctl user-checks fake
user: fake
action: acct
service: system-auth

SSSD nss user lookup result:
 - user name: fake
 - user id: 2400013
 - group id: 2400013
 - gecos: Name Last
 - home directory: /u/fake
 - shell: /bin/sh

SSSD InfoPipe user lookup result:
 - name: fake
 - uidNumber: 2400013
 - gidNumber: 2400013
 - gecos: Name Last
 - homeDirectory: /u/fake
 - loginShell: /bin/sh

testing pam_acct_mgmt

pam_acct_mgmt: Success

PAM Environment:
 - no env -

but it does not work for an AD account:

# sssctl user-checks AD_account
user: AD_account
action: acct
service: system-auth

sss_getpwnam_r failed with [0].
User name lookup with [AD_account] failed.
Unable to get user object
InfoPipe User lookup with [AD_account] failed.
testing pam_acct_mgmt

pam_acct_mgmt: User not known to the underlying authentication module

PAM Environment:
 - no env

Domains:

# sssctl domain-list
domain.tld
ad_domain.tld

# sssctl domain-status ad_domain.tld
Online status: Online

Active servers:
IPA: ipa_replica.domain.tld

Discovered IPA servers:
- ipa_server.domain.tld
- ipa_replica.domain.tld
- ipa_server.domain.tld
- ipa_replica.domain.tld
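The `ipa idrange-find` output above fixes how a trusted user's SID becomes a POSIX ID, which is worth understanding when `id` succeeds for some AD accounts and not others. The following is an added example, not code from the post or from FreeIPA. It parses that listing (copied from the question) and applies FreeIPA's mapping rules: in a local range and in a plain Active Directory domain range the POSIX ID is base_id + (RID - base_rid), consistent with admin sitting at uid 2400000 at the start of the local range; in an "Active Directory trust range with POSIX attributes" the ID is whatever uidNumber/gidNumber AD stores, so an AD object that lacks those attributes has no POSIX ID and will not resolve on any IPA host. The function and attribute names are this example's own.

```python
# Added example for this thread, not code from the post or from FreeIPA: map
# POSIX IDs, RIDs and SIDs onto the ID ranges that `ipa idrange-find` lists.
from dataclasses import dataclass
from typing import Optional

# Copied from the question's `ipa idrange-find` output (header lines dropped).
IDRANGE_FIND_OUTPUT = """\
  Range name: DOMAIN.TLD_id_range
  First Posix ID of the range: 2400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: DOMAIN.TLD_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147283648
  Domain SID of the trusted domain: S-1-5-21-738065-838566-3530079355
  Range type: Active Directory domain range

  Range name: AD.DOMAIN.TLD_id_range
  First Posix ID of the range: 1876600000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-3292370258-206829766-3718235287
  Range type: Active Directory trust range with POSIX attributes
"""

# "ipa idrange-find" label -> (attribute, converter)
FIELDS = {
    "Range name": ("name", str),
    "First Posix ID of the range": ("base_id", int),
    "Number of IDs in the range": ("size", int),
    "First RID of the corresponding RID range": ("base_rid", int),
    "First RID of the secondary RID range": ("secondary_base_rid", int),
    "Domain SID of the trusted domain": ("sid", str),
    "Range type": ("type", str),
}


@dataclass
class IdRange:
    name: str
    base_id: int
    size: int
    type: str
    base_rid: Optional[int] = None
    secondary_base_rid: Optional[int] = None
    sid: Optional[str] = None

    @property
    def last_id(self):
        return self.base_id + self.size - 1

    @property
    def algorithmic(self):
        # IDs derive from RIDs in local and plain AD-trust ranges, never in posix-attribute ranges
        return self.base_rid is not None and "POSIX attributes" not in self.type


def parse_idranges(text):
    """Turn the blank-line separated records of `ipa idrange-find` into IdRange objects."""
    ranges, current = [], {}
    for line in text.splitlines():
        label, sep, value = line.strip().partition(":")
        if sep and label in FIELDS:
            attr, conv = FIELDS[label]
            current[attr] = conv(value.strip())
        elif not line.strip() and current:          # a blank line closes a record
            ranges.append(IdRange(**current))
            current = {}
    if current:
        ranges.append(IdRange(**current))
    return ranges


def find_range(ranges, posix_id):
    """The range a UID/GID falls into, or None when no IPA range claims it."""
    return next((r for r in ranges if r.base_id <= posix_id <= r.last_id), None)


def rid_to_posix(rng, rid):
    """POSIX ID for a RID in an algorithmic range, via the primary or secondary RID base."""
    if not rng.algorithmic:
        raise ValueError(f"{rng.name} ({rng.type}): IDs come from AD uidNumber/gidNumber; "
                         "an AD object without those attributes gets no POSIX ID at all")
    for base_rid in (rng.base_rid, rng.secondary_base_rid):
        if base_rid is not None and 0 <= rid - base_rid < rng.size:
            return rng.base_id + (rid - base_rid)
    raise ValueError(f"RID {rid} is outside the RID ranges of {rng.name}")


def posix_id_for_sid(ranges, sid):
    """Resolve an object SID (domain SID plus RID) to (range, POSIX ID)."""
    domain_sid, _, rid = sid.rpartition("-")
    for rng in ranges:
        if rng.sid == domain_sid:
            return rng, rid_to_posix(rng, int(rid))
    raise LookupError(f"no ID range for domain SID {domain_sid}")
```

`find_range(ranges, 1876600005)` lands in AD.DOMAIN.TLD_id_range, but `rid_to_posix` refuses to compute anything for that range: with a posix-attribute range the number has to be present in AD, so a user that `id` cannot find is worth checking for a missing uidNumber/gidNumber before anything else.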
  • Cannot find KDC for realm "ad.domain.tld" and? What is the IP address of the KDC? Can you ping it? Is the client using the KDC for DNS? If not, what DNS SRV records exist for the domain?
    – Greg Askew
    Commented Jul 8 at 18:10
  • KDC is idm-server.domain.tld, and DNS records have been updated in accordance with ipa dns-update-system-records --dry-run.
    – piecia
    Commented Jul 8 at 20:04
  • The client is looking for a KDC in domain "ad.domain.tld". Run nslookup on the client, set type=all, and query ad.domain.tld. What SRV records exist?
    – Greg Askew
    Commented Jul 8 at 22:10
  • Probably it's a problem with CentOS 7, because I've installed the IdM client on RHEL 9 and it works. dig returns correct records. But there is a difference in /etc/krb5.conf between CentOS 7 and RHEL 9. After adjusting: kinit: KDC reply did not match expectations while getting initial credentials
    – piecia
    Commented Jul 10 at 13:15
  • I was wrong: "kinit also needs the realm, respectively the domain, in upper case". Now it's OK. This is strange because the header of the file /etc/krb5.conf is: #File modified by ipa-client-install
    – piecia
    Commented Jul 10 at 13:24
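The resolution in the last two comments (the realm must be spelled in upper case) and the earlier "Cannot find KDC" error are both things a krb5.conf can be checked for before running kinit. What follows is an added example, not code from the post, FreeIPA or SSSD. Kerberos realm names are case-sensitive: a client that asks for `ad.domain.tld` asks for a realm the AD KDC does not serve, and when the answer comes back for `AD.DOMAIN.TLD` the client rejects it with "KDC reply did not match expectations". The script parses a krb5.conf (constructed here to resemble an ipa-client-install file, with the AD realm entered in lower case; every name in it is a placeholder), flags realm names that are not upper case, flags realms that have neither `kdc =` lines nor `dns_lookup_kdc` (the combination behind "Cannot find KDC for realm"), and rewrites the realm names in upper case. It reads only the file itself, not the snippets SSSD provides through `includedir /var/lib/sss/pubconf/krb5.include.d/`.

```python
# Added example for this thread (not code from the post, FreeIPA or SSSD): lint a
# krb5.conf for the settings that make a trusted AD realm unreachable from a client.
import re
from collections import defaultdict

# Constructed sample resembling an ipa-client-install file, with the AD realm
# deliberately entered in lower case; every name in it is a placeholder.
SAMPLE_KRB5_CONF = """\
# File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = DOMAIN.TLD
  dns_lookup_kdc = true

[realms]
  DOMAIN.TLD = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  }
  ad.domain.tld = {
  }

[domain_realm]
  .domain.tld = DOMAIN.TLD
  .ad.domain.tld = ad.domain.tld
"""
SECTION_RE = re.compile(r"\[([^\]]+)\]")


def _put(store, key, value):
    # A repeated key (several `kdc =` lines, say) is kept as a list.
    if key in store:
        store[key] = (store[key] if isinstance(store[key], list) else [store[key]]) + [value]
    else:
        store[key] = value


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value or nested block dict}}; includes are skipped."""
    conf, stack = defaultdict(dict), []     # stack: dicts being filled (section, then blocks)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith(("include", "module ")):
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            stack = [conf[m.group(1)]]
            continue
        if not stack:
            raise ValueError("setting before any [section]: %r" % raw)
        if line == "}":
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError("cannot parse: %r" % raw)
        if value == "{":                    # start of a nested block such as REALM = { ... }
            block = {}
            _put(stack[-1], key, block)
            stack.append(block)
        else:
            _put(stack[-1], key, value)
    return dict(conf)


def lint(conf):
    """[(severity, message)] for settings that keep a client from reaching a realm."""
    problems, realms = [], conf.get("realms", {})
    # MIT krb5 defaults dns_lookup_kdc to true; only an explicit false disables SRV discovery.
    dns_kdc = str(conf.get("libdefaults", {}).get("dns_lookup_kdc", "true")).lower() in ("true", "yes", "1")
    for realm, body in realms.items():
        if realm != realm.upper():
            problems.append(("ERROR", f"[realms] '{realm}': realm names are case-sensitive, "
                             f"the AD KDC answers for '{realm.upper()}' only"))
        if not (isinstance(body, dict) and "kdc" in body) and not dns_kdc:
            problems.append(("ERROR", f"realm '{realm}' has no kdc= and dns_lookup_kdc is off: "
                             "kinit reports 'Cannot find KDC for realm'"))
    for domain, realm in conf.get("domain_realm", {}).items():
        if isinstance(realm, str) and realm != realm.upper():
            problems.append(("ERROR", f"[domain_realm] '{domain}' -> '{realm}', should be '{realm.upper()}'"))
    return problems


def uppercase_realms(text):
    """Rewrite default_realm, top-level [realms] names and [domain_realm] targets in upper case."""
    out, section, depth = [], None, 0
    upper = lambda k: k.group(1) + k.group(2).upper() + (k.group(3) if k.lastindex == 3 else "")
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        m = SECTION_RE.fullmatch(stripped)
        if m:
            section, depth = m.group(1), 0
        elif section == "libdefaults":
            raw = re.sub(r"^(\s*default_realm\s*=\s*)(\S+)\s*$", upper, raw)
        elif section == "realms":
            if depth == 0:                  # the realm name, not the keys inside its block
                raw = re.sub(r"^(\s*)(\S+)(\s*=\s*\{\s*)$", upper, raw)
            depth += stripped.endswith("{") - (stripped == "}")
        elif section == "domain_realm":
            raw = re.sub(r"^(\s*\S+\s*=\s*)(\S+)\s*$", upper, raw)
        out.append(raw)
    return "\n".join(out) + "\n"
```

On a client, `lint(parse_krb5_conf(open("/etc/krb5.conf").read()))` reports the lower-case entries, and `uppercase_realms()` returns the corrected text for review before it replaces the file; the same check run against the RHEL 9 client's file, which the comments say worked, should come back empty.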
