[Pkg-samba-maint] [Freeipa-users] IPA AD Trust - The attempted logon is invalid. This is either due to a bad username or authentication information.
ko at sv01.de
Tue Dec 24 11:51:58 GMT 2019
Thanks for your input. Indeed, Debian still compiles against Heimdal.
I've added both devel MLs for Debian, maybe someone can give some
input what's needed to get "freeipa-server-trust-ad" working.
If there is something I can test, please let me know!
I know Sid is not for production but I would like to see FreeIPA in Bullseye.
I will try Fedora 31 / CentOS 8 then.
On Tue, 24 Dec 2019 at 08:57, Alexander Bokovoy
<abokovoy at redhat.com> wrote:
> On Tue, 24 Dec 2019, Kevin Olbrich via FreeIPA-users wrote:
> >This is my first FreeIPA setup that needs to be trusted against AD.
> >I spent some hours to debug my issue but I need some help:
> >root at auth1 ~ # ipa trust-add --two-way=true --type=ad intra.example.com --admin administrator --password
> >Active Directory domain administrator's password:
> >ipa: ERROR: CIFS server communication error: code "3221225581", message
> >"The attempted logon is invalid. This is either due to a bad username or
> >authentication information." (both may be "None")
> >I've also tried "administrator at intra.example.com" as well as another
> >administrative account with domain admin privileges.
> >The password is 100% fine and works for ldapadmin (windows tool) as well as
> >windows logons.
> >DNS is also fine: I set up forwarding of "intra.example.com" from IPA to
> >the AD domain and reverse "auth.example.com" from AD to IPA.
> >ldapsearch -H ldap://192.168.80.1:389 -x -W -D "administrator at intra.example.com" -b "dc=intra,dc=example,dc=com" -d8
> >Environment: Debian Sid, FreeIPA 4.7.2
> >Did I miss something? What am I doing wrong here?
> Do not use Debian/Ubuntu for IPA master with trust controller role.
> Samba in Debian/Ubuntu is built against Heimdal Kerberos implementation
> while 'ipasam' component of FreeIPA (a plugin to Samba) can only be
> compiled against MIT Kerberos. The two implementations cannot be mixed
> in the same address space when 'smbd' or 'winbindd' processes are
> operating, thus it is not possible to use IPA master with trust
> controller role on Debian/Ubuntu distributions right now.
> This might change when Samba upstream will fully switch to MIT Kerberos
> and Debian/Ubuntu would stop building against Heimdal, but this is not
> going to happen any time soon for technical reasons as there are few
> important fixes that need to be developed in both MIT Kerberos and
> Samba first. This work is ongoing and even though it all affects the
> configuration of Samba that FreeIPA is not using, distributions
> generally do not ship two different versions of Samba (each built
> against own Kerberos implementation), so the end result is that
> Debian/Ubuntu version of Samba is not suitable for FreeIPA integration.
> An older bug https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1552249
> was used to track it in Ubuntu but the actual work is happening in Samba
> and MIT Kerberos upstream, not downstream. Thus, you wouldn't get any
> move on Ubuntu or Debian side here.
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
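
Added example, not part of the original thread and not FreeIPA or Samba project code: a pre-flight check that classifies which Kerberos implementation a Samba daemon is linked against, based on its `ldd` output, so the Heimdal/MIT conflict described in the quoted reply can be spotted before running `ipa trust-add`. The library-name patterns and both sample `ldd` excerpts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The library-name patterns are assumptions:
# sonames commonly shipped by Heimdal and by MIT Kerberos packages.

# stdin: `ldd <binary>` output; stdout: heimdal | mit | mixed | none
krb5_flavour() {
    awk '
        /libroken|libhx509|libheimbase|libhcrypto|libheimntlm/ { heimdal = 1 }
        /libk5crypto|libkrb5support|libgssapi_krb5/            { mit = 1 }
        END {
            if (heimdal && mit) print "mixed"
            else if (heimdal)   print "heimdal"
            else if (mit)       print "mit"
            else                print "none"
        }'
}

# Succeeds only for a pure MIT build, the one case in which the reply above
# says ipasam can share a process with smbd/winbindd.
suitable_for_ipasam() {
    [ "$(krb5_flavour)" = "mit" ]
}

# Constructed ldd excerpts (paths and addresses are illustrative).
sample_heimdal() {
    cat <<'EOF'
    libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007f1a00000000)
    libroken.so.18 => /usr/lib/x86_64-linux-gnu/libroken.so.18 (0x00007f1a00200000)
    libhx509.so.5 => /usr/lib/x86_64-linux-gnu/libhx509.so.5 (0x00007f1a00400000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a00600000)
EOF
}
sample_mit() {
    cat <<'EOF'
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f2b00000000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f2b00200000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f2b00400000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f2b00600000)
EOF
}

# Report on the daemons named in the thread if they are installed locally.
for daemon in smbd winbindd; do
    path=$(command -v "$daemon" 2>/dev/null) || continue
    printf '%s: %s\n' "$path" "$(ldd "$path" 2>/dev/null | krb5_flavour)"
done
```

A result of "mixed" is also unsuitable: `ldd` lists transitive dependencies, so it shows both implementations being pulled into one process.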