[Pkg-freeipa-devel] [Freeipa-users] IPA AD Trust - The attempted logon is invalid. This is either due to a bad username or authentication information.

Kevin Olbrich ko at sv01.de
Tue Dec 24 11:51:58 GMT 2019


Hi Alexander,

Thanks for your input. Indeed, Debian still compiles against Heimdal.
I've added both devel MLs for Debian, maybe someone can give some
input on what's needed to get "freeipa-server-trust-ad" working.

@Debian Team:
If there is something I can test, please let me know!
I know Sid is not for production but I would like to see FreeIPA in Bullseye.

Ref.: https://packages.debian.org/en/sid/freeipa-server-trust-ad

Fedora 31:
HAVE_LIBKADM5SRV_MIT
SAMBA_USES_MITKDC

Debian Sid:
SAMBA4_USES_HEIMDAL

I will try Fedora 31 / CentOS 8 then.

Kind regards
Kevin


Am Di., 24. Dez. 2019 um 08:57 Uhr schrieb Alexander Bokovoy
<abokovoy at redhat.com>:
>
> On ti, 24 joulu 2019, Kevin Olbrich via FreeIPA-users wrote:
> >Hi!
> >
> >This is my first FreeIPA setup that needs to be trusted against AD.
> >I spent some hours to debug my issue but I need some help:
> >
> >root at auth1 ~ # ipa trust-add --two-way=true --type=ad intra.example.com
> >--admin administrator --password
> >Active Directory domain administrator's password:
> >ipa: ERROR: CIFS server communication error: code "3221225581", message
> >"The attempted logon is invalid. This is either due to a bad username or
> >authentication information." (both may be "None")
> >
> >I've also tried "administrator at intra.example.com" as well as another
> >administrative account with domain admin privileges.
> >The password is 100% fine and works for ldapadmin (windows tool) as well as
> >windows logons.
> >
> >DNS is also fine: I set up forwarding of "intra.example.com" from IPA to
> >the AD domain and reverse "auth.example.com" from AD to IPA.
> >
> >WORKS:
> >ldapsearch -H ldap://192.168.80.1:389 -x -W -D "
> >administrator at intra.example.com" -b "dc=intra,dc=example,dc=com" -d8
> >
> >Environment: Debian Sid, FreeIPA 4.7.2
> >
> >Did I miss something? What am I doing wrong here?
>
> Do not use Debian/Ubuntu for IPA master with trust controller role.
> Samba in Debian/Ubuntu is built against Heimdal Kerberos implementation
> while 'ipasam' component of FreeIPA (a plugin to Samba) can only be
> compiled against MIT Kerberos. The two implementations cannot be mixed
> in the same address space when 'smbd' or 'winbindd' processes are
> operating, thus it is not possible to use IPA master with trust
> controller role on Debian/Ubuntu distributions right now.
>
> This might change when Samba upstream fully switches to MIT Kerberos
> and Debian/Ubuntu stop building against Heimdal, but this is not
> going to happen any time soon for technical reasons, as there are a few
> important fixes that need to be developed in both MIT Kerberos and
> Samba first. This work is ongoing and even though it all affects the
> configuration of Samba that FreeIPA is not using, distributions
> generally do not ship two different versions of Samba (each built
> against its own Kerberos implementation), so the end result is that
> the Debian/Ubuntu version of Samba is not suitable for FreeIPA integration.
>
> An older bug https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1552249
> was used to track it in Ubuntu but the actual work is happening in Samba
> and MIT Kerberos upstream, not downstream. Thus, you wouldn't get any
> movement on the Ubuntu or Debian side here.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
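The two practical checks behind this thread, as an added example that is not part of the original mails: decoding the decimal code the `ipa` CLI printed into its hex NTSTATUS form (3221225581 is 0xC000006D, STATUS_LOGON_FAILURE, which is why the message is a generic "bad username or authentication information" rather than anything Kerberos-specific), and inspecting the Samba build flags to see whether Samba was compiled against MIT Kerberos or Heimdal before attempting `ipa trust-add`. The script assumes the build-option tokens `SAMBA_USES_MITKDC` and `SAMBA4_USES_HEIMDAL` as listed in the thread; the two sample build outputs are constructed inline so the script runs offline, and `smbd -b` is only consulted when it is present.

```shell
#!/bin/sh
# Preflight checks for the FreeIPA trust-controller role.
# Added example, not FreeIPA or Samba project code.

# Convert a decimal error code as printed by the ipa CLI into hex NTSTATUS.
# Example: 3221225581 -> 0xC000006D (STATUS_LOGON_FAILURE).
ntstatus_hex() {
    printf '0x%08X\n' "$1"
}

# Given Samba build-option output (as from `smbd -b`), report which
# Kerberos implementation Samba links against. The ipasam plugin is
# MIT-only, so only "mit" is usable for the trust controller role.
# Token names assumed from the thread's Fedora/Debian listings.
samba_krb5_flavour() {
    if printf '%s\n' "$1" | grep -q 'SAMBA4_USES_HEIMDAL'; then
        echo heimdal
    elif printf '%s\n' "$1" | grep -q 'SAMBA_USES_MITKDC'; then
        echo mit
    else
        echo unknown
    fi
}

# Exit status 0 when the trust controller role is feasible on this build.
trust_controller_feasible() {
    [ "$(samba_krb5_flavour "$1")" = mit ]
}

# Constructed sample build outputs mirroring the thread's Fedora 31 and
# Debian Sid listings (not captured from a real system).
FEDORA_BUILD='   HAVE_LIBKADM5SRV_MIT
   SAMBA_USES_MITKDC'
DEBIAN_BUILD='   SAMBA4_USES_HEIMDAL'

# Run the check against the local smbd if available, else the Debian sample.
preflight() {
    if command -v smbd >/dev/null 2>&1; then
        build="$(smbd -b 2>/dev/null)"
    else
        build="$DEBIAN_BUILD"
    fi
    if trust_controller_feasible "$build"; then
        echo "Samba uses MIT Kerberos: trust controller role possible"
    else
        echo "Samba uses $(samba_krb5_flavour "$build") Kerberos: ipasam cannot be loaded, trust-add will fail"
    fi
}

echo "ipa error code 3221225581 = $(ntstatus_hex 3221225581)"
preflight
```

Run it on the IPA master before `ipa trust-add`; a "heimdal" result means the failure is a build-compatibility issue and no amount of credential or DNS debugging will change the outcome.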
