[Freeipa-users] Trying To Debug AD Trust Quirks
Jason B. Nance
2017-03-28 16:59:27 UTC
Hello,

I'm using AD trusts with FreeIPA 4.4.0 and am having a heck of a time with strange behavior. Some examples include:

- Trust user's home directory sporadically getting set to '/' instead of /home/domain/user
- Trust user losing HBAC privileges (granted via group membership)
- Trust user losing sudo privileges (granted via group membership)
- OS logging that trust user's account has expired when it hasn't

I'm currently unable to predict/reproduce occurrences of these issues. I can say that they aren't tied to a specific user or host. For example, a user will log in to a host without any issues and then later that same user's home directory (as reported by getent) will suddenly be set to / instead of /home/...

My first step, of course, is to gather logs. Should I be focusing on the SSSD on the client or on the IPA servers? I'm not entirely clear how/where lots of this data get assigned/queried.

My other question is if there is a way to pin down a client to [temporarily] use a specific IPA server and specific AD server (even if it means a firewall rule that only allows the host to communicate with one IPA and one AD host).

Thanks,

j
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Jakub Hrozek
2017-03-29 07:41:52 UTC
Post by Jason B. Nance
Hello,
- Trust user's home directory sporadically getting set to '/' instead of /home/domain/user
- Trust user losing HBAC privileges (granted via group membership)
- Trust user losing sudo privileges (granted via group membership)
- OS logging that trust user's account has expired when it hasn't
I'm currently unable to predict/reproduce occurrences of these issues. I can say that they aren't tied to a specific user or host. For example, a user will log in to a host without any issues and then later that same user's home directory (as reported by getent) will suddenly be set to / instead of /home/...
My first step, of course, is to gather logs. Should I be focusing on the SSSD on the client or on the IPA servers? I'm not entirely clear how/where lots of this data get assigned/queried.
My other question is if there is a way to pin down a client to [temporarily] use a specific IPA server and specific AD server (even if it means a firewall rule that only allows the host to communicate with one IPA and one AD host).
Normally time-correlated logs from both the server's domain and nss sections
of sssd.conf and the client's domain section are a good start.
Jakub Hrozek
2017-03-29 07:45:12 UTC
Post by Jason B. Nance
My other question is if there is a way to pin down a client to
[temporarily] use a specific IPA server
Using the ipa_server directive in sssd.conf.
Post by Jason B. Nance
and specific AD server (even if
it means a firewall rule that only allows the host to communicate with
one IPA and one AD host).
The clients don't talk to ADs to resolve user information, only the
servers do. The clients only talk to AD DCs for authentication (to make
this a bit more complex, the authentication also involves parsing a
Kerberos PAC blob by the authentication helper in SSSD, which also
includes the group memberships).

And unfortunately, until RHEL-7.4 and SSSD 1.15 are out, pinning the
SSSD on the IDM servers to a specific AD DC is only possible by
modifying the DNS SRV records or creating an AD site for the IDM server.
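The two pieces of advice in this thread (pin the client to one IPA server with ipa_server, and raise logging in the server's domain and nss sections plus the client's domain section) as an added sssd.conf example; this is not configuration from the thread or the FreeIPA project, and the host and domain names are constructed placeholders:

```ini
# ---- CLIENT: /etc/sssd/sssd.conf (must be root-owned, mode 0600, or sssd will not start)
# Temporarily pin this client to a single IPA server for debugging.
# Caveat: while pinned the client has no failover; remove the line afterwards.
[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.test
ipa_hostname = client1.ipa.example.test
ipa_server = ipa1.ipa.example.test
# Client-side: only the domain section needs verbose logging (HBAC/sudo/PAC handling lands here).
debug_level = 6

[sssd]
services = nss, pam, sudo
domains = ipa.example.test

# ---- IPA SERVER (ipa1): /etc/sssd/sssd.conf
# Trust users' attributes (home directory, group membership, expiry) are resolved on the
# server and then served to clients, so log the domain AND nss sections here.
[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa.example.test
ipa_hostname = ipa1.ipa.example.test
ipa_server = ipa1.ipa.example.test
debug_level = 6

[nss]
debug_level = 6
```

Restart sssd on both hosts after editing, then compare /var/log/sssd/sssd_ipa.example.test.log on each side and sssd_nss.log on the server around the timestamp of a bad getent result; a firewall rule is not needed for the client side, since ipa_server already fixes which server it talks to.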