[Pkg-freeipa-devel] [Freeipa-users] Re: IPA AD Trust - The attempted logon is invalid. This is either due to a bad username or authentication information.

Alexander Bokovoy abokovoy at redhat.com
Wed Dec 25 09:46:00 GMT 2019


On Tue, 24 Dec 2019, Kevin Olbrich via FreeIPA-users wrote:
>Hi Alexander,
>
>Thanks for your input. Indeed, Debian still compiles against Heimdal.
>I've added both devel MLs for Debian, maybe someone can give some
>input on what's needed to get "freeipa-server-trust-ad" working.
>
>@Debian Team:
>If there is something I can test, please let me know!
>I know Sid is not for production but I would like to see FreeIPA in Bullseye.
>
>Ref.: https://packages.debian.org/en/sid/freeipa-server-trust-ad

Debian makes Samba AD DC available, that's a priority over FreeIPA. Once
we get MIT Kerberos to support all required features for Samba AD DC,
I'm sure Debian will consider unifying their build too.

>
>Fedora 31:
>HAVE_LIBKADM5SRV_MIT
>SAMBA_USES_MITKDC
>
>Debian Sid:
>SAMBA4_USES_HEIMDAL
>
>I will try Fedora 31 / CentOS 8 then.
>
>Kind regards
>Kevin
>
>
>On Tue, 24 Dec 2019 at 08:57, Alexander Bokovoy
><abokovoy at redhat.com> wrote:
>>
>> On Tue, 24 Dec 2019, Kevin Olbrich via FreeIPA-users wrote:
>> >Hi!
>> >
>> >This is my first FreeIPA setup that needs to be trusted against AD.
>> >I spent some hours debugging my issue but I need some help:
>> >
>> >root at auth1 ~ # ipa trust-add --two-way=true --type=ad intra.example.com
>> >--admin administrator --password
>> >Active Directory domain administrator's password:
>> >ipa: ERROR: CIFS server communication error: code "3221225581", message
>> >"The attempted logon is invalid. This is either due to a bad username or
>> >authentication information." (both may be "None")
>> >
>> >I've also tried "administrator at intra.example.com" as well as another
>> >administrative account with domain admin privileges.
>> >The password is 100% fine and works for ldapadmin (windows tool) as well as
>> >windows logons.
>> >
>> >DNS is also fine: I set up forwarding of "intra.example.com" from IPA to
>> >the AD domain and reverse "auth.example.com" from AD to IPA.
>> >
>> >WORKS:
>> >ldapsearch -H ldap://192.168.80.1:389 -x -W -D "administrator at intra.example.com" -b "dc=intra,dc=example,dc=com" -d8
>> >
>> >Environment: Debian Sid, FreeIPA 4.7.2
>> >
>> >Did I miss something? What am I doing wrong here?
>>
>> Do not use Debian/Ubuntu for IPA master with trust controller role.
>> Samba in Debian/Ubuntu is built against Heimdal Kerberos implementation
>> while 'ipasam' component of FreeIPA (a plugin to Samba) can only be
>> compiled against MIT Kerberos. The two implementations cannot be mixed
>> in the same address space when 'smbd' or 'winbindd' processes are
>> operating, thus it is not possible to use IPA master with trust
>> controller role on Debian/Ubuntu distributions right now.
>>
>> This might change when Samba upstream fully switches to MIT Kerberos
>> and Debian/Ubuntu stop building against Heimdal, but this is not
>> going to happen any time soon for technical reasons, as there are a few
>> important fixes that need to be developed in both MIT Kerberos and
>> Samba first. This work is ongoing, and even though it all affects the
>> configuration of Samba that FreeIPA is not using, distributions
>> generally do not ship two different versions of Samba (each built
>> against its own Kerberos implementation), so the end result is that the
>> Debian/Ubuntu version of Samba is not suitable for FreeIPA integration.
>>
>> An older bug https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1552249
>> was used to track it in Ubuntu, but the actual work is happening in Samba
>> and MIT Kerberos upstream, not downstream. Thus, you wouldn't get any
>> movement on the Ubuntu or Debian side here.
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
>>
>_______________________________________________
>FreeIPA-users mailing list -- freeipa-users at lists.fedorahosted.org
>To unsubscribe send an email to freeipa-users-leave at lists.fedorahosted.org
>Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
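As an added example, not code from the thread, from FreeIPA or from Samba: a POSIX shell pre-flight check that reads the build-option defines `smbd -b` prints (the ones Kevin quoted per distribution) and reports whether the MIT-only ipasam plugin could be loaded into that smbd. The two sample outputs are constructed from the quoted defines, not captured from real hosts.

```shell
#!/bin/sh
# Added pre-flight check (not from the thread): decide whether the installed
# Samba was built against MIT Kerberos (required by FreeIPA's ipasam) or
# against Heimdal, using the defines that `smbd -b` prints one per line.
# The sample outputs below are constructed, not real captures.

# Classify `smbd -b` output passed as $1: prints "mit", "heimdal" or "unknown".
krb_backend_from_build_opts() {
    if printf '%s\n' "$1" | grep -qE '^[[:space:]]*SAMBA4_USES_HEIMDAL([[:space:]]|$)'; then
        echo heimdal
    elif printf '%s\n' "$1" | grep -qE '^[[:space:]]*(SAMBA_USES_MITKDC|HAVE_LIBKADM5SRV_MIT)([[:space:]]|$)'; then
        echo mit
    else
        echo unknown
    fi
}

# Exit status 0 when ipasam (MIT-only) can share smbd's address space, 1 otherwise.
ipasam_compatible() {
    [ "$(krb_backend_from_build_opts "$1")" = mit ]
}

# Constructed samples modelled on the defines Kevin reported for each distribution.
FEDORA31_SAMPLE='Build environment:
   HAVE_LIBKADM5SRV_MIT
   SAMBA_USES_MITKDC'
DEBIAN_SID_SAMPLE='Build environment:
   SAMBA4_USES_HEIMDAL'

# Check the local smbd when present; otherwise fall back to the Debian sample
# so the failing case is still demonstrated offline.
check_local_smbd() {
    if command -v smbd >/dev/null 2>&1; then
        opts=$(smbd -b 2>/dev/null)
        src="local smbd -b"
    else
        opts=$DEBIAN_SID_SAMPLE
        src="constructed Debian Sid sample"
    fi
    backend=$(krb_backend_from_build_opts "$opts")
    if ipasam_compatible "$opts"; then
        echo "$src: Kerberos backend '$backend'; trust controller role is possible"
    else
        echo "$src: Kerberos backend '$backend'; trust controller role is NOT possible"
        return 1
    fi
}

check_local_smbd || :   # report only; keep the functions usable when sourced
```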
