schkratek asked:
What is wrong with my FreeIPA configuration

I have a FreeIPA server connected to a Windows AD server. Here is some environment data:

freeipaad.schkrat.local (Active Directory, DNS; MS Windows Server 2012 R2 Datacenter Evaluation x64)
ipaserver.schkrat.ipa (FreeIPA server, CentOS release 6.6 (Final) x64)

IPA version components:

sssd-ipa-1.11.6-30.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-server-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.11.6-30.el6.x86_64
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-server-trust-ad-3.0.0-42.el6.centos.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-python-3.0.0-42.el6.centos.x86_64
libipa_hbac-1.11.6-30.el6.x86_64

HBAC test works:
ipa hbactest --user=wintest --host=ipbclient.schkrat.ipa --service=sshd
--------------------
Access granted: True
--------------------
Matched rules: access_all


We have a valid TRUST with AD:
[root@ipaserver sssd]# ipa trust-find
---------------
1 trust matched
---------------
Realm name: schkrat.local
Domain NetBIOS name: SCHKRAT
Domain Security Identifier: S-1-5-21-957296299-3555775235-3719493031
Trust type: Active Directory domain
----------------------------
Number of entries returned 1

The problem is when an HBAC rule is set so that under "WHO" we select a Windows user. Then SSH access stops working:

Before HBAC:
Feb 17 08:21:07 ipbclient sshd[30058]: Accepted password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34719 ssh2
Feb 17 08:21:07 ipbclient sshd[30058]: pam_unix(sshd:session): session opened for user wintest@SCHKRAT.LOCAL by (uid=0

After HBAC:
Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233 user=wintest@SCHKRAT.LOCAL
Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:account): Access denied for user wintest@SCHKRAT.LOCAL: 6 (Permission denied)
Feb 17 08:21:55 ipbclient sshd[30089]: Failed password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34733 ssh2
Feb 17 08:21:55 ipbclient sshd[30091]: fatal: Access denied for user wintest@SCHKRAT.LOCAL by PAM account configuration


So what am I missing?
gheist:

So you have oddjob-mkhomedir properly running?
schkratek (asker):
I have it running.. What is "properly running"? On the server and on the client.. So what should I check?
Check /var/log/secure; it should tell you if something goes amiss in the user login.
Basically mkhomedir should be in pam.d/system-auth somewhere around where it detects whether the username and/or password is correct, like the next line after the sssd module or so. Almost all PAM modules take a debug parameter to spit out long details in the same secure log. Try them one by one from the beginning (no damage, since it does not work anyway, though keep a root session open and the original system-auth at hand "just in case").
As I said above in my first post, /var/log/secure:

Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233 user=wintest@SCHKRAT.LOCAL
Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:account): Access denied for user wintest@SCHKRAT.LOCAL: 6 (Permission denied)
Feb 17 08:21:55 ipbclient sshd[30089]: Failed password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34733 ssh2
Feb 17 08:21:55 ipbclient sshd[30091]: fatal: Access denied for user wintest@SCHKRAT.LOCAL by PAM account configuration

and this is my system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
This is the latest secure log with the HBAC rule enabled for a particular group:

Mar 20 14:19:04 node1 sshd[10180]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233  user=wintest@SCHKRAT.LOCAL
Mar 20 14:19:04 node1 sshd[10180]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233 user=wintest@SCHKRAT.LOCAL
Mar 20 14:19:04 node1 sshd[10180]: pam_sss(sshd:auth): received for user wintest@SCHKRAT.LOCAL: 4 (System error)
Mar 20 14:19:06 node1 sshd[10180]: Failed password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 42614 ssh2


and this is the id of my wintest user:
[root@ipbclient ~]#  id wintest
uid=969800021(wintest) gid=969800021(wintest) groups=969800021(wintest)
[root@ipbclient ~]#  id wintest@schkrat.ipa
uid=969800021(wintest) gid=969800021(wintest) groups=969800021(wintest)
[root@ipbclient ~]#  id wintest@SCHKRAT.LOCAL
uid=1968601105(wintest@schkrat.local) gid=1968601105(wintest@schkrat.local) groups=1968601105(wintest@schkrat.local),969800013(ad_admins)
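The two /var/log/secure excerpts above fail at different PAM stages, and the sshd "Failed password" line looks the same in both. As an added example (not code from the thread or from FreeIPA), the following Python groups sshd lines by session and reports whether the refusal came from the account stage, where SSSD evaluates HBAC, or from an auth-stage backend error; the sample log is constructed from the lines pasted in the thread, and the PAM code names are the standard values for 4 and 6.

```python
import re
from typing import Dict, Tuple

# Constructed sample built from the /var/log/secure lines pasted in this thread
# (same hosts, pids, user and addresses); grouping them into one sample is ours.
SAMPLE_SECURE_LOG = """\
Feb 17 08:21:07 ipbclient sshd[30058]: Accepted password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34719 ssh2
Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233 user=wintest@SCHKRAT.LOCAL
Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:account): Access denied for user wintest@SCHKRAT.LOCAL: 6 (Permission denied)
Feb 17 08:21:55 ipbclient sshd[30089]: Failed password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34733 ssh2
Mar 20 14:19:04 node1 sshd[10180]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233 user=wintest@SCHKRAT.LOCAL
Mar 20 14:19:04 node1 sshd[10180]: pam_sss(sshd:auth): received for user wintest@SCHKRAT.LOCAL: 4 (System error)
"""

LINE_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from ")
ACCOUNT_DENIED_RE = re.compile(r"^pam_sss\(sshd:account\): Access denied for user (?P<user>\S+): (?P<code>\d+)")
AUTH_RESULT_RE = re.compile(r"^pam_sss\(sshd:auth\): received for user (?P<user>\S+): (?P<code>\d+)")
PAM_CODE_NAMES = {4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED"}  # the codes seen in the thread


def classify_sessions(log_text: str) -> Dict[Tuple[str, str], dict]:
    """Group sshd lines by (host, pid) and record why each session ended.

    'account-denied': pam_sss accepted the password but the account stage, where
    SSSD applies the IPA HBAC rules, refused the user (the Feb 17 lines).
    'auth-error': the auth stage itself failed with a backend error, so no HBAC
    decision was reached at all (the Mar 20 lines).
    """
    sessions: Dict[Tuple[str, str], dict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line
        sess = sessions.setdefault((m["host"], m["pid"]),
                                   {"user": None, "verdict": "unknown", "pam_code": None})
        msg = m["msg"]
        if hit := ACCEPTED_RE.match(msg):
            sess.update(user=hit["user"], verdict="accepted")
        elif hit := ACCOUNT_DENIED_RE.match(msg):
            code = int(hit["code"])
            sess.update(user=hit["user"], verdict="account-denied",
                        pam_code=PAM_CODE_NAMES.get(code, str(code)))
        elif (hit := AUTH_RESULT_RE.match(msg)) and sess["verdict"] == "unknown":
            code = int(hit["code"])
            sess.update(user=hit["user"], verdict="auth-error",
                        pam_code=PAM_CODE_NAMES.get(code, str(code)))
        # "Failed password for ..." is deliberately ignored: sshd logs it both for a
        # wrong password and for a correct password followed by an account-stage
        # denial, so on its own it cannot tell an HBAC denial from a bad password.
    return sessions


def hbac_denials(log_text: str):
    """(host, pid, user) of every session refused at the account stage."""
    return sorted((h, p, s["user"]) for (h, p), s in classify_sessions(log_text).items()
                  if s["verdict"] == "account-denied")
```

Run it over a real /var/log/secure and the "account-denied" sessions are the ones worth comparing against `ipa hbactest`; "auth-error" sessions point at the SSSD backend (DNS, Kerberos, offline provider) rather than at the HBAC rule.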
pam_sss wrongly denies authentication (the account section works, as seen by the id command).
Read "man pam_sss" and see if it lets you add the "debug" parameter to the authentication section...
It will give you a screenful of information (don't post it; parts are sensitive, like the password text the user supplied, encoded etc.).
Ask the Windows admin for the security log originating from your machine around the time you test... They may help you a lot.
Thank you.. will try that and let you know the result.. might be a late response because tomorrow I am out of the office.. Will post as soon as I get some info.
Don't worry... Just take care to disable the debug output afterwards, as it puts sensitive data in the logs.
Sorry it takes so long.. Will post some new results today..
Hello again..

Nothing specific from raising the loglevel.. But I also added a higher loglevel to the pam section:

(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [wintest@schkrat.local]
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is wintest@schkrat.local
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [wintest@schkrat.local] added to PAM initgroup cache
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: schkrat.local
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): user: wintest@schkrat.local
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: 10.13.40.233
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Mar 26 16:14:14 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 2633

.. ruser: not set?

In the domain section I have:
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [switch_creds] (0x0200): Switch user to [1968601105][1968601105].
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [switch_creds] (0x0200): Switch user to [0][0].
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [krb5_auth_send] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1968601105_zBp5HR] and is not active and TGT is  valid.
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'not working'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [get_port_status] (0x0100): Reseting the status of port 0 for server '(no name)'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [resolve_srv_send] (0x0200): The status of SRV lookup is not resolved
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [be_resolve_server_process] (0x1000): Trying with the next one!
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [get_server_status] (0x1000): Status of server 'ipaserver.schkrat.ipa' is 'name resolved'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [get_port_status] (0x1000): Port status of port 0 for server 'ipaserver.schkrat.ipa' is 'not working'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [get_port_status] (0x0100): Reseting the status of port 0 for server 'ipaserver.schkrat.ipa'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [get_server_status] (0x1000): Status of server 'ipaserver.schkrat.ipa' is 'name resolved'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [be_resolve_server_process] (0x0200): Found address for server ipaserver.schkrat.ipa: [10.13.40.234] TTL 3600
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://ipaserver.schkrat.ipa'
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [krb5_auth_resolve_done] (0x4000): Preparing for offline operation.
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [krb5_auth_resolve_done] (0x4000): Valid TGT available or ccache file is already in use.
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>) [Provider is Offline (Authentication service cannot retrieve authentication info)]
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [be_pam_handler_callback] (0x0100): Sending result [9][schkrat.local]
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [be_pam_handler_callback] (0x0100): Sent result [9][schkrat.local]
(Thu Mar 26 16:53:42 2015) [sssd[be[schkrat.ipa]]] [sbus_dispatch] (0x4000): dbus conn: 0xfa3bc0
(Thu Mar 26 16:53:42 2015) [sssd[be[schkrat.ipa]]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Mar 26 16:53:42 2015) [sssd[be[schkrat.ipa]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Thu Mar 26 16:53:42 2015) [sssd[be[schkrat.ipa]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu Mar 26 16:53:42 2015) [sssd[be[schkrat.ipa]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
You should use the AD controller as the DNS server in resolv.conf.
Currently your IPA cannot connect to AD.
From the client:
[root@node1 sssd]# nslookup freeipaad.schkrat.local
Server:            10.13.40.240
Address:      10.13.40.240#53

Name:      freeipaad.schkrat.local
Address: 10.13.40.240


From ipaserver:

[root@ipaserver ~]# nslookup freeipaad.schkrat.local
Server:            10.13.40.240
Address:      10.13.40.240#53

Name:      freeipaad.schkrat.local
Address: 10.13.40.240

?
Resolving works; 10.13.40.240 is the AD server.
Something is strange. It generates a Kerberos ticket, then does not authenticate to LDAP.

Each host mentioned (Kerberos and LDAP) should be resolvable using the shortest and longest names, and in reverse.
e.g.
/etc/hosts
10.0.10.2 PDC.domain.home PDC
10.0.10.3 LINUX.domain.home LINUX

$ hostname
LINUX.pdc.local

etc etc.

(Kerberos is picky about it.)
It seems that DNS and all of that is doing just fine.. I can resolve long/short names from the server and the client..
This means that somehow it detected the presence of a Kerberos ticket and right after could not use it.
Do you have disk space in /tmp?

(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [krb5_auth_resolve_done] (0x4000): Valid TGT available or ccache file is already in use.
(Thu Mar 26 16:53:33 2015) [sssd[be[schkrat.ipa]]] [be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>) [Provider is Offline (Authentication service cannot retrieve authentication info)]
Yes, enough space is there.. the ticket is created with no problem after I try to connect:


-rw-------. 1 wintest@schkrat.local wintest@schkrat.local  171 Apr  1 10:19 krb5cc_1968601105_bp8dfz
Looks fine for me...
Permissions on /tmp?
ls -ld /tmp
drwxrwxrwt. 133 root root 2960 Apr  1 10:04 /tmp
aka
# chmod 01777 /tmp
# chown root.root /tmp

If that turns up fine I'm out of ideas; use the "request attention" link at the top of the question to get more experts in...
The permissions are ok, but it does not work.. Will go back to the drawing board..

Thank you for your help..
It is not about the drawing board.
You can try authconfig in place of IPA in the meantime.
How do you mean that?
All set up correctly according to IPA but not working.
It means that you can easily use a more generic approach, with winbind joining the domain (available since 2000 or so), by using the authconfig utility (available since RHEL4).
Ok.. Thank you..


Will do that..
Ok..

I have joined the client "node1.schkrat.ipa" to the Windows domain:

Samba conf:
[global]
        security = ads
        realm = schkrat.local
        password server = freeipaad.schkrat.local
        workgroup = schkrat
#       winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2
        domain master = no
        local master = no
        preferred master = no
        os level = 0


[root@node1 ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- SCHKRAT
Joined 'NODE1' to dns domain 'schkrat.local'


[root@node1 ~]# wbinfo -t
checking the trust secret for domain SCHKRAT via RPC calls succeeded
[root@node1 ~]# wbinfo -u
administrator
guest
krbtgt
wintest
schkraipa$
synctest
habac
grega
gg
Now configure PAM:
# authconfig --help
Usage: authconfig [options] {--update|--updateall|--test|--probe|--restorebackup <name>|--savebackup <name>|--restorelastbackup}

# authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --test

Replace --test with --updateall to do the damage (keep a root console open until you can reach the machine again).
It may require a restart of the winbind and oddjob-mkhomedir/messagebus services before logging in.

EXTRA: This adds a feature that allows smbclient -k //server/share when set in smb.conf:
winbind refresh tickets = yes
Ok..

Now I can connect.. But I guess through winbind and not IPA?

[root@node1 ~]# authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --updateall
Starting oddjobd:                                          [  OK  ]
Starting Winbind services:                           [  OK  ]

10.13.40.239 is the ipaclient host (node1):
[schkrat@schkrat ~]$ ssh wintest@SCHKRAT.LOCAL@10.13.40.239
wintest@SCHKRAT.LOCAL@10.13.40.239's password:
Last login: Wed Mar 18 15:02:33 2015 from 10.13.40.233
-sh-4.1$
Yessir. Winbind, sir. If you had a Red Hat support entitlement you could ask them for a hotfix with your name on it... CentOS is just a copy machine.

You can log in, IPA does not work. Is it a satisfactory solution to your initial problem?
Sorry but no..

Must go through IPA..
Try downgrades of IPA, Samba and Kerberos until successful. It would be easier if you could afford support, as it looks like a software bug, not a fault of yours:
Red Hat Enterprise Linux for Desktops or Workstations
Support Levels | Product Information
Desktop
Self-support Subscription (1 year) $49 USD
Just an idea - what if you can initialize IPA with the authconfig command line?
I tried:
authconfig --update \
  --enablesssd --enablesssdauth \
  --enableldap --enablerfc2307bis \
  --ldapserver=ldap://ipaserver.schkrat.ipa \
  --ldapbasedn=dc=schkrat,dc=ipa \
  --enablekrb5 \
  --krb5kdc=ipaserver.schkrat.ipa \
  --krb5adminserver=ipaserver.schkrat.ipa \
  --krb5realm=schkrat.ipa

but no luck..

I think the main problem lies in the user..

..because it works if I don't have an HBAC rule, but when I define user access in HBAC the system does not know how to react..

There is also a different user id for the user wintest that exists in the AD, through which I connected as wintest@SCHKRAT.LOCAL, but when the user was transferred to IPA (automatic update), the user is just wintest..

If I su as the user on the IPA server I get:
[root@ipaserver ~]# su - wintest@SCHKRAT.LOCAL
-sh-4.1$ id
uid=1968601105(wintest@schkrat.local) gid=1968601105(wintest@schkrat.local) groups=1968601105(wintest@schkrat.local) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ exit
logout
[root@ipaserver ~]# su - wintest
[wintest@ipaserver ~]$ id
uid=969800021(wintest) gid=969800021(wintest) groups=969800021(wintest) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

..so now I am confused..
Remember?
# authconfig --enablewinbind --enablewinbindauth

su uses the first; sudo and login use the second.
Hello.. Again..

So here it goes..

Installed a new client, used winbind and samba to join the domain, installed the freeipa client, changed some conf files to also use winbind, and now the thing works somehow.. I can't use just winbind, because HBAC rules are not applied. Winbind must be in combination with pam_sss, even if I get errors in the secure log. I am not happy that I must use two additional services (samba, winbind) instead of just the freeipa configuration. But it works!

So this is it..
You can require a group or IP in pam.d/system-auth.
The Internet is full of guides.

Another way is to use hosts.allow/deny etc.
Will look into it.
There is a recent krb5 update that may or may not help.
Will try with new version.
ASKER CERTIFIED SOLUTION: gheist
Am trying with a new OS version..
Good luck..
Ok.. Tried on CentOS Linux release 7.1.1503 (Core) and used FreeIPA 4.1.0.. and it works with minor configuration..

So thank you for all your help..
Many thanks.. Sometimes one needs "one" to talk to.