IPA - AD Trust Troubleshooting

Updated 6 Jun 2022

This article is not meant as a replacement for official Red Hat Documentation, it is intended to provide troubleshooting suggestions for Active Directory Trust issues on RHEL7 Identity Management Server implementations

General recommendations

Update to the latest available IPA server and SSSD packages
```
  $ yum update ipa-server sssd
```
Perform testing on IPA Servers before moving on to testing IPA clients, this will reduce the number of variables to simplify troubleshooting
Double-check the AD Trust Requirements
For all replicas expected to perform identity lookups against AD domain controllers, make sure that they are either trust controllers or trust agents. Trust controller is the replica where ipa-adtrust-install was run. Trust agent is a replica which was marked as an agent by running ipa-adtrust-install --add-agents on a trust controller.
If creating the AD trust using the Shared Secret method, the AD Trust Type must be Forest Trust in Windows UI.

Failures when attempting to add the trust with 'ipa trust-add'

Upstream Content from www.freeipa.org is not included.Debugging trust documentation contains the debugging steps for ipa trust-add problems which also applies to RHEL7
Capturing debug logs : How to capture debug logs to troubleshoot IPA AD trust issues.

Issues after the trust is created

IPA clients perform their identity lookups of AD users and groups through IPA masters. Thus, always start with a Trust agent or a Trust controller first. Make sure these IPA masters are able to resolve AD users or allow to login as AD users.

Unable to resolve or login as AD users
- Enable SSSD debugging by adding debug_level = 7 to the [domain/IDMDOMAIN]and [nss] sections of sssd.conf
- Check /var/log/sssd/sssd_idmdomain.log and /var/log/sssd/krb5_child.log for errors, the following log message will show the starting point of a user request triggering the sssd IPA backend
```
  [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][1][name=trustuser1@jstephen.local]
```
- Validate the range type for each ID range is set as expected, if range type is set to Active Directory trust range with POSIX attributes then lookups will fail to resolve objects with no uidNumber or gidNumber attributes assigned in Active Directory or no ID override exists in the 'Default Trust View' ID view in IdM.
```
  $ ipa idrange-find | grep 'Range'
```
If IPA Client lookups fail with log messages similar to the below then it is recommended to investigate logs on the IPA server at the same timeframe. These ipa_s2n_* functions perform client-specific operations to retrieve information from the IPA server.
```
  [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: Operations error(1), Failed to handle the request
  [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
```
If logins fail with the following messages evident in SSSD's krb5_child.log then the option krb5_validate can be used to temporary disable TGT validation - WARNING: setting this option to false exposes security risks, check the Solution IDM - AD Trust user logins fail due to failed TGT validation to determine how to address this problem keeping validation enabled.
```
  [validate_tgt] (0x0020): TGT failed verification using key for [host/idmserver.idm.local@IDM.LOCAL]
  [get_and_save_tgt] (0x0020): 1304: [-1765328377][Server host/idmserver.idm.local@IDM.LOCAL not found in Kerberos database]
  [map_krb5_error] (0x0020): 1365: [-1765328377][Server host/idmserver.idm.local@IDM.LOCAL not found in Kerberos database]
```
Slowness with AD trust user/group resolution or login
- RHEL 7.3 introduced several performance improvements in IPA server and SSSD code, updating to SSSD 1.14 and IPA Server 4.4 version is the first recommended troubleshooting step to address performance concerns
- Other tuning alternatives include mounting the SSSD cache into tmpfs and/or adding the ignore_group_members option into 'sssd.conf'. More details about these options are available here - Content from jhrozek.wordpress.com is not included.Performance tuning SSSD for large IPA-AD trust deployments
SSH Kerberos Single-Sign-On is not working
- Confirm that the following line entry exists at the top of /etc/krb5.conf to enable the SSSD localauth plugin
```
  includedir /var/lib/sss/pubconf/krb5.include.d/
```
- Be aware of additional requirements involved when IPA clients use AD DNS names - ⁠IdM clients in an Active Directory DNS Domain

Sudo/HBAC rules are not working as expected

Sudo and HBAC rules should be associated with the IDM POSIX group which resolves to the AD user/group objects through the external group memberships

Double check that the group creation and nesting was done correctly

AD user/group objects are listed as members(External member) of the IDM external group

  $ ipa group-find --external
  ----------------
  1 group matched
  ----------------
    Group name: ad_users_external
    Description: AD users external map
    External member: S-1-5-21-2918668694-4162105039-186639090-47047, S-1-5-21-2918668694-4162105039-186639090-47031

IDM external group is a member(Member of groups) of the IDM POSIX group

  $ ipa group-find ad_users_external --all
  ---------------
  1 group matched
  ---------------
    dn: cn=ad_users_external,cn=groups,cn=accounts,dc=example,dc=com
    Group name: ad_users_external
    Description: AD users external map
    External member: S-1-5-21-2918668694-4162105039-186639090-47047, S-1-5-21-2918668694-4162105039-186639090-47031
    Member of groups: ad_users
    Indirect Member of Sudo rule: adtrustsudo
    Indirect Member of HBAC rule: allow-AD-users
    ipauniqueid: bd069914-6997-11e6-ac2c-001a4a0c3412
    objectclass: ipaobject, top, nestedgroup, ipausergroup, groupofnames, ipaexternalgroup

HBAC rule chain can be validated on the command-line with ipa hbac-test

  $ ipa hbactest --user 'trustuser1@jstephen.local' --host $(hostname) --service sshd
  --------------------
  Access granted: True
  --------------------
    Matched rules: allow-AD-users
    Not matched rules: testrule1

Known Issues to be aware of

Content from fedorahosted.org is not included.UPN support - AD Users that have a non-standard userPrincipalName value may be having the issue stated in this Knowledge Solution. As of RHEL 7.3 IdM now supports logging in with alternative UPNs
Content from fedorahosted.org is not included.One-way Shared Secret Trust Add - workaround is to perform ipa trust-add with AD admin credentials or use two-way Shared Secret method
IPA client logins fail for AD users - If ipa-client-install is called with the --server argument then it requires additional changes to /etc/krb5.conf

Validating the trust

Validate Kerberos

Verify Kerberos configuration

Validate IPA server keytabs

One-way Trust use the trusted domain object credentials with a keytab automatically created inside /var/lib/sss/keytabs/

  $ klist -k /var/lib/sss/keytabs/jstephen.local.keytab
  Keytab name: FILE:/var/lib/sss/keytabs/jstephen.local.keytab
  KVNO Principal
  ---- --------------------------------------------------------------------------
     1 EXAMPLE$@JSTEPHEN.LOCAL
     1 EXAMPLE$@JSTEPHEN.LOCAL
     1 EXAMPLE$@JSTEPHEN.LOCAL

  $ kinit -kt /var/lib/sss/keytabs/jstephen.local.keytab 'EXAMPLE$@JSTEPHEN.LOCAL'

  $ kvno -S cifs justin-2k8r2.jstephen.local
  cifs/justin-2k8r2.jstephen.local@JSTEPHEN.LOCAL: kvno = 22

Two-way Trust uses the normal IdM master host principal in /etc/krb5.keytab

  kinit -k host/rhel7-ipa-server.example.com@EXAMPLE.COM

  kvno -S cifs justin-2k8r2.jstephen.local
  cifs/justin-2k8r2.jstephen.local@JSTEPHEN.LOCAL: kvno = 22

If the above commands fail, prefix the commands with KRB5_TRACE=/dev/stdout for Kerberos debugging information

Verify ID ranges were created automatically for AD domains and trusted AD domains

  $ ipa idrange-find
  ----------------
  3 ranges matched
  ----------------
    Range name: ADCORP.JSTEPHEN.LOCAL_id_range
    First Posix ID of the range: 481400000
    Number of IDs in the range: 200000
    First RID of the corresponding RID range: 0
    Domain SID of the trusted domain: S-1-5-21-2058409190-3331408712-3548322839
    Range type: Active Directory domain range

    Range name: EXAMPLE.COM_id_range
    First Posix ID of the range: 281400000
    Number of IDs in the range: 200000
    First RID of the corresponding RID range: 1000
    First RID of the secondary RID range: 100000000
    Range type: local domain range

    Range name: JSTEPHEN.LOCAL_id_range
    First Posix ID of the range: 489200000
    Number of IDs in the range: 200000
    First RID of the corresponding RID range: 0
    Domain SID of the trusted domain: S-1-5-21-2918668694-4162105039-186639090
    Range type: Active Directory domain range
  ----------------------------

Test NSS lookups

  $ getent passwd trustuser1@jstephen.local
  trustuser1@jstephen.local:*:489246991:489246991:trustuser1:/home/jstephen.local/trustuser1:

  $ id trustuser1@jstephen.local
  uid=489246991(trustuser1@jstephen.local) gid=489246991(trustuser1@jstephen.local) groups=489246991(trustuser1@jstephen.local),489200513(domain users@jstephen.local),489247047(adtrustgroup@jstephen.local),281400038(ad_users)

  $ getent group emptygroup@jstephen.local
  emptygroup@jstephen.local:*:489247108:

Test PAM login

  $ ssh trustuser1@jstephen.local@localhost
  trustuser1@jstephen.local@localhost's password:
  Last login: Thu Nov 10 11:19:33 2016 from localhost
  -sh-4.2$

SBR

Identity Management

Product(s)

Red Hat Identity Management

Category

Troubleshoot

Components

ipa
sssd

Tags

Article Type

General