cancel
Showing results for 
Search instead for 
Did you mean: 
Tamas
Mission Specialist
Mission Specialist
  • 12.8K Views

AD user not known for client via one way trust (via IdM)

Jump to solution

Hello.

I set up an AD & IdM test environment. The AD called winad.lab.infra; I have a one way trust between ipa.it.lab.infra & winad.lab.infra.. I have a test001 user on AD.

I have a client machine called client7.it.lab.infra & a user in IdM called ipauser001.

I can kinit on the client7 for test001@winad.lab.infra BUT I cannot do ssh to client7.it.lab.infra with the test001@winad.lab.infra..

This is what I get from secure log:

May 21 16:20:33 client7 sshd[3560]: Invalid user test001@lab.infra from 192.168.122.1 port 33862
May 21 16:20:33 client7 sshd[3560]: input_userauth_request: invalid user test001@lab.infra [preauth]
May 21 16:20:33 client7 sshd[3560]: Postponed keyboard-interactive for invalid user test001@lab.infra from 192.168.122.1 port 33862 ssh2 [preauth]
May 21 16:20:45 client7 sshd[3562]: pam_unix(sshd:auth): check pass; user unknown
May 21 16:20:45 client7 sshd[3562]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gateway

This is how my krb5.conf looks like on krb5.conf

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = LAB.INFRA
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}


[realms]
IT.LAB.INFRA = {
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

kdc = ipa.it.lab.infra
admin_server = ipa.it.lab.infra
}
LAB.INFRA = {
kdc = winad.lab.infra
admin_server = winad.lab.infra
default_domain = lab.infra
}


[domain_realm]
client7.it.lab.infra = IPA.IT.LAB.INFRA

it.lab.infra = IT.LAB.INFRA
.it.lab.infra = IT.LAB.INFRA
lab.infra = LAB.INFRA
.lab.infra = LAB.INFRA

I also enabled Kerberos authentication via authconfig-tui, kdc & admin server is pointing to the IdM server, the REALM is IT.LAB.INFRA.. The reason I set this because IPA shows that the trust exist between the two entity.

Could you please pin-point me what did I do brutally wrong & why my AD user is an unknown user for the IdM client machine?

Thanks in advance.

Tamas

0 Kudos
1 Solution

Accepted Solutions
Tamas
Mission Specialist
Mission Specialist
  • 12.7K Views

The issue was that in AD there were no uid, gid possix accounts assigned manually. I can't even add to the external users without having UID/GID in AD user properties.. Weird. Is this something expected?

I try also make it work in Windows Server 2019 where the IDM extension is deprecated & in advanced view I had to edit attribute for the test user..

This is me building stuff from scratch (and learn the hard way)...

View solution in original post

0 Kudos
3 Replies
PeterTselios
Starfighter Starfighter
Starfighter
  • 12.7K Views

Why are you manually change the configuration files? 

Don't you use ipa-client? If so, ipa-client configures everything for you. 

In any case, the reason could be anything. From timeouts to misconfigured SSSD. What I would recommend is to check the following: 

  1. Check if the id <username>@ad works
  2. Check the getent password <username>@ad

If those two are not working: 

  1. Clear SSSD cache and check again
  2. If again is not working , enable debug logs in SSSD and check for the authentication attempt
  3. Uninstall ipa-client and install it again. 

 

0 Kudos
Tamas
Mission Specialist
Mission Specialist
  • 12.7K Views

hello,

thanks for your answer. I tried what you said & still doens't work. Nothing in SSSD logs even after turning debug mode on but I saw in secure logs:

error: PAM: User not known to the underlying authentication module for illegal user test001@LAB.INFRA from gateway

Do I need to tune manually the pam config files?

My LDAP does work with the IPA users but not the Kerberos cross-realm / AD part..

[root@client7 ~]# getent passwd ipauser001
ipauser001:*:866000004:866000004:Ipa User:/home/ipauser001:/bin/sh
[root@client7 ~]# id ipauser001
uid=866000004(ipauser001) gid=866000004(ipauser001) groups=866000004(ipauser001)

Thanks for your reply.

0 Kudos
Tamas
Mission Specialist
Mission Specialist
  • 12.7K Views

The issue was that in AD there were no uid, gid possix accounts assigned manually. I can't even add to the external users without having UID/GID in AD user properties.. Weird. Is this something expected?

I try also make it work in Windows Server 2019 where the IDM extension is deprecated & in advanced view I had to edit attribute for the test user..

This is me building stuff from scratch (and learn the hard way)...

0 Kudos
Join the discussion
You must log in to join this conversation.