Freeipa: AD Trust two-way trust, Ubuntu clients don't login with AD credentials, but login on server CentOS 8

jamespereira87


Post by jamespereira87 » 2019/11/12 18:10:26

Hi everyone.

I am using FreeIPA on a CentOS 8 server. All configuration of trust between domains is working. I can log in to the server with users from both domains (FreeIPA / AD).

I ask forum members to help identify what is preventing AD users from logging into an Ubuntu client. I would like to know if this forum is the most suitable or if I need to look in another forum for this solution.

I can provide the logs if needed to identify the problem.

tony_down_under

Re: Freeipa: AD Trust two-way trust, Ubuntu clients don't login with AD credentials, but login on server CentOS 8

Post by tony_down_under » 2019/11/13 04:33:02

OK so firstly, where are the user accounts? freeIPA or AD?
Second, what configuration have you applied to the ubuntu client to integrate with the accounts server (AD?)?

I use CentOS 7 and Microsoft AD. To make the integration as simple as possible, during the automated build process of the workstation it installs the PBIS Open package from BeyondTrust. It is working great for us here. All it does is configure the config files for you. https://github.com/BeyondTrust/pbis-open

jamespereira87

Re: Freeipa: AD Trust two-way trust, Ubuntu clients don't login with AD credentials, but login on server CentOS 8

Post by jamespereira87 » 2019/11/13 20:51:59

Hi tony_down_under.

Answering your questions:
1. The user accounts are on FreeIPA. The FreeIPA realm and the AD domain have a trust relationship.
So, I created an external group (ad_admins_external) with AD accounts as external members.
On CentOS 8 as a FreeIPA server, the AD users can login successfully.

2. The configuration on the Ubuntu client is the default.
I used the tips at this link to set up my client: https://computingforgeeks.com/how-to-co ... tu-centos/

I will try the PBIS Open package to make AD users log in on Ubuntu.
Thanks for now, bye :)

tony_down_under

Re: Freeipa: AD Trust two-way trust, Ubuntu clients don't login with AD credentials, but login on server CentOS 8

Post by tony_down_under » 2019/11/14 04:55:37

Thanks for the link. I took a look. Looks like you would have installed the "freeipa-client" on the client machine, and it is this machine that you are unable to log into with the network user account in the IPA server. It looks like the IPA client is configuring those config files I mentioned for you. So the application I mentioned will conflict with the IPA client. You won't be able to use both together. However, it won't hurt to try a fresh Ubuntu system with the software I mentioned against your IPA. If that fails, then there may be a config issue with the IPA server.

To join the domain I use

Code:

/opt/pbis/bin/domainjoin-cli join DOMAIN.COM admin-user@DOMAIN.COM <PASSWORD>
Note the capitals for the domain.
A DNS lookup is performed on DOMAIN.COM to get the AD servers... May I ask if your DNS for the domain is resolving to AD or the IPA or both?

jamespereira87

Re: Freeipa: AD Trust two-way trust, Ubuntu clients don't login with AD credentials, but login on server CentOS 8

Post by jamespereira87 » 2019/12/02 19:39:32

Hi tony_down_under.

I tested the API you indicated, but it didn't work correctly. I believe it works only for adding Linux clients in AD.
Answering your question: the FreeIPA server is the primary DNS server, and the forwarders are directed to the ADs.

In my tests, I can use the "kinit" command with AD users by logging in with the AD user password. It is the only functional test so far. I am having difficulty retrieving the login failure log to help fix this issue.

If you can help me with this, I thank you.
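As an added example (not part of this thread, and not FreeIPA's or SSSD's own tooling), the script below does the two things the last post is stuck on: it shows what the IPA client's sssd.conf domain section actually configures, and it turns the pam_sss result lines that an IPA-enrolled Ubuntu client writes to /var/log/auth.log into a next check (user not resolvable vs. HBAC denial vs. bad credentials). It assumes the client was enrolled with ipa-client-install, so PAM goes through pam_sss; the domain names, user names and log lines are constructed placeholders, and the PAM codes 6, 7 and 10 are the standard PAM_PERM_DENIED, PAM_AUTH_ERR and PAM_USER_UNKNOWN values.

```shell
#!/bin/sh
# Added triage helper for an IPA-enrolled Ubuntu client in an AD trust.
# Not from the thread, FreeIPA or SSSD. Assumptions: the client was enrolled
# with ipa-client-install (so /etc/sssd/sssd.conf has a [domain/<ipa-domain>]
# section and PAM goes through pam_sss), and failed logins land in
# /var/log/auth.log. Names such as jsmith@ad.example.com are placeholders.

# Map the numeric PAM result that pam_sss logs to the next check on an IPA
# client. 6, 7 and 10 are the standard PAM_PERM_DENIED, PAM_AUTH_ERR and
# PAM_USER_UNKNOWN values.
pam_hint() {
  case "$1" in
    6)  echo "PAM_PERM_DENIED: HBAC rejects this host/service; run 'ipa hbactest --user=<ad-user> --host=<client-fqdn> --service=sshd' on the server" ;;
    7)  echo "PAM_AUTH_ERR: password/Kerberos failed; compare with 'kinit <ad-user>@<AD.REALM>' on the client and check clock skew to the AD DCs" ;;
    10) echo "PAM_USER_UNKNOWN: SSSD cannot resolve the user; check 'id <ad-user>@<ad.domain>' and that the external group is nested in a POSIX IPA group" ;;
    *)  echo "PAM code $1: set debug_level = 6 in the [domain/...] section, restart sssd and read /var/log/sssd/sssd_<ipa-domain>.log" ;;
  esac
}

# Read auth.log lines on stdin and print one summary per pam_sss result line:
#   user=<name> phase=<auth|account|...> code=<n> hint=<text>
# Lines without a numeric PAM result (e.g. the generic "authentication
# failure;" line) are skipped. Always returns 0.
triage_auth_log() {
  while IFS= read -r line; do
    fields=$(printf '%s\n' "$line" |
      sed -n 's/.*pam_sss(\([^:]*\):\([a-z]*\)): .* user \([^ :]*\): \([0-9]*\) (.*/\2 \3 \4/p')
    case "$fields" in "") continue ;; esac
    set -- $fields    # $1=phase $2=user $3=code
    printf 'user=%s phase=%s code=%s hint=%s\n' "$2" "$1" "$3" "$(pam_hint "$3")"
  done
  return 0
}

# Print the provider settings of the first [domain/...] section of an
# sssd.conf read on stdin, one key=value per line, domain first. An IPA
# client should show id/auth/access_provider = ipa; a missing debug_level
# means the domain log will not say why a user was rejected.
sssd_domain_settings() {
  awk '
    /^\[domain\// { insec = 1; print "domain=" substr($0, 9, length($0) - 9); next }
    /^\[/         { insec = 0 }
    insec && /^[ \t]*(id_provider|auth_provider|access_provider|debug_level)[ \t]*=/ {
      gsub(/[ \t]/, ""); print
    }'
}

# Constructed sample input (not real logs or config from the thread).
sample_auth_log() {
  cat <<'EOF'
Nov 14 10:21:05 client sshd[2101]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=jsmith@ad.example.com
Nov 14 10:21:05 client sshd[2101]: pam_sss(sshd:auth): received for user jsmith@ad.example.com: 7 (Authentication failure)
Nov 14 10:22:40 client sshd[2150]: pam_sss(sshd:account): Access denied for user jdoe@ad.example.com: 6 (Permission denied)
Nov 14 10:23:12 client sshd[2190]: pam_sss(sshd:auth): received for user ghost@ad.example.com: 10 (User not known to the underlying authentication module)
EOF
}

sample_sssd_conf() {
  cat <<'EOF'
[sssd]
domains = ipa.example.com
services = nss, pam, ssh, sudo

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.com
ipa_hostname = client.ipa.example.com
EOF
}

# Demo on the constructed data. On the real client, after sourcing this file
# as root: sssd_domain_settings < /etc/sssd/sssd.conf
#          triage_auth_log < /var/log/auth.log
sample_sssd_conf | sssd_domain_settings
sample_auth_log | triage_auth_log
```

The useful split is the PAM phase: a code 10 in the auth phase means SSSD never resolved the AD user on the client (identity/trust problem, independent of the password), code 6 in the account phase means the user resolved and authenticated but an HBAC rule denies the host or service, and code 7 means the credentials themselves were rejected, which is exactly the case where a working `kinit` on the client narrows the problem to the PAM/SSSD path rather than the trust.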
