On Tue, 13 Nov 2018, Mustafa Karci via FreeIPA-users wrote:
>Dear Alexander,
>
>The main intention is to set up a freeipa-server with a trust domain to
>a Windows 2019 AD server. So for all Windows environments we would like to use
>the Windows 2019 AD server and for all our Linux-based servers we would like
>to use the FreeIPA server.
>
>From this point we have set up a basic Windows 2019 AD domain with the
>following realm: ad.srv.world. And the FreeIPA server has the following
>realm: ipa.srv.world.
>
>The Windows 2019 server also acts as the DNS server, while the
>freeipa-server has its own DNS rules and a forwarding rule enabled for the
>zone ad.srv.world (Windows 2019 DNS server).
>
>
>From the ipa-server I ran the following command:
>
>ipa-server-install --realm=AD.SRV.WORLD --domain=ad.srv.domain --ssh-trust-dns --setup-dns --forwarder=xxx.xxx.xxx.xxx
>
>All seems to be working OK on the ipa-server. But when trying to add the
>FreeIPA server to a Windows 2019 AD I'm getting the following error:
>
>ipa trust-add --type=ad ad.srv.world --admin Administrator --password
>Active Directory domain administrator's password:
>ipa: ERROR: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials
>
>Already tried to change permissions on the AD side, but group policy
>Domain Admin should be enough to set up a trusted domain between these
>two.
No, this is not (at least not yet) an AD-side issue. You need to look into
the Samba logs. Your excerpts from the logs below show that Samba is able
to authenticate the connection from the IPA framework properly and
understands that this is a constrained delegation use (the HTTP/...
service principal acts on behalf of the 'admin' user principal). However, it
is not able to validate that the 'admin' user has enough permissions to
perform what is needed:
>Successfully validated Kerberos PAC
> pac_data: struct PAC_DATA
> num_buffers : 0x00000005 (5)
> version : 0x00000000 (0)
> buffers: ARRAY(5)
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_LOGON_INFO (1)
> _ndr_size : 0x000001a8 (424)
> info : *
> info : union PAC_INFO(case 1)
> logon_info: struct PAC_LOGON_INFO_CTR
> info : *
> info: struct PAC_LOGON_INFO
> info3: struct netr_SamInfo3
> base: struct netr_SamBaseInfo
> logon_time : NTTIME(0)
> logoff_time : Thu Jan 1 01:00:00 AM 1970 CET
> kickoff_time : Thu Jan 1 01:00:00 AM 1970 CET
> last_password_change : Fri Nov 2 04:41:05 PM 2018 CET
> allow_password_change : NTTIME(0)
> force_password_change : Thu Jan 1 01:00:00 AM 1970 CET
> account_name: struct lsa_String
> length : 0x000a (10)
> size : 0x000a (10)
> string : *
> string : 'admin'
> full_name: struct lsa_String
> length : 0x001a (26)
> size : 0x001a (26)
> string : *
> string : 'Administrator'
> logon_script: struct lsa_String
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string : ''
> profile_path: struct lsa_String
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string : ''
> home_directory: struct lsa_String
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string : ''
> home_drive: struct lsa_String
> length : 0x0000 (0)
> size : 0x0000 (0)
> string : *
> string : ''
> logon_count : 0x0000 (0)
> bad_password_count : 0x0000 (0)
> rid : 0x000001f4 (500)
> primary_gid : 0x00000200 (512)
> groups: struct samr_RidWithAttributeArray
> count : 0x00000000 (0)
> rids : *
> rids: ARRAY(0)
> user_flags : 0x00000000 (0)
> 0: NETLOGON_GUEST
> 0: NETLOGON_NOENCRYPTION
> 0: NETLOGON_CACHED_ACCOUNT
> 0: NETLOGON_USED_LM_PASSWORD
> 0: NETLOGON_EXTRA_SIDS
> 0: NETLOGON_SUBAUTH_SESSION_KEY
> 0: NETLOGON_SERVER_TRUST_ACCOUNT
> 0: NETLOGON_NTLMV2_ENABLED
> 0: NETLOGON_RESOURCE_GROUPS
> 0: NETLOGON_PROFILE_PATH_RETURNED
> 0: NETLOGON_GRACE_LOGON
> key: struct netr_UserSessionKey
> key: ARRAY(16): <REDACTED SECRET VALUES>
> logon_server: struct lsa_StringLarge
> length : 0x0006 (6)
> size : 0x0008 (8)
> string : *
> string : 'DLP'
> logon_domain: struct lsa_StringLarge
>
>
>
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_LOGON_NAME (10)
> _ndr_size : 0x00000014 (20)
> info : *
> info : union PAC_INFO(case 10)
> logon_name: struct PAC_LOGON_NAME
> logon_time : Mon Nov 12 04:01:01 PM 2018 CET
> size : 0x000a (10)
> account_name : 'admin'
> _pad : 0x00000000 (0)
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_CONSTRAINED_DELEGATION (11)
> _ndr_size : 0x000000d8 (216)
> info : *
> info : union PAC_INFO(case 11)
> constrained_delegation: struct PAC_CONSTRAINED_DELEGATION_CTR
> info : *
> info: struct PAC_CONSTRAINED_DELEGATION
> proxy_target: struct lsa_String
> length : 0x0048 (72)
> size : 0x0048 (72)
> string : *
> string : 'HTTP/dlp.ipa.srv.world@IPA.SRV.WORLD'
> num_transited_services : 0x00000001 (1)
> transited_services : *
> transited_services: ARRAY(1)
> transited_services: struct lsa_String
> length : 0x0048 (72)
> size : 0x0048 (72)
> string : *
> string : 'cifs/dlp.ipa.srv.world@IPA.SRV.WORLD'
> _pad : 0x00000000 (0)
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_SRV_CHECKSUM (6)
> _ndr_size : 0x00000010 (16)
> info : *
> info : union PAC_INFO(case 6)
> srv_cksum: struct PAC_SIGNATURE_DATA
> type : 0x00000010 (16)
> signature : DATA_BLOB length=12
> [0000] 39 30 31 38 5E 6B 2C 47 9B 75 B8 50 9018^k,G .u.P
> _pad : 0x00000000 (0)
> buffers: struct PAC_BUFFER
> type : PAC_TYPE_KDC_CHECKSUM (7)
> _ndr_size : 0x00000010 (16)
> info : *
> info : union PAC_INFO(case 7)
> kdc_cksum: struct PAC_SIGNATURE_DATA
> type : 0x00000010 (16)
> signature : DATA_BLOB length=12
>
>
>I'm a bit stuck with this issue.
Can I see the logs after this point? smbd/winbindd should go on to resolve
the 'admin' user using the system and then build a local NT token for it. That
one should have RID 512 in it, like the MS-PAC record above.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
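As an added example (not code from this thread, from Samba or from FreeIPA), here is a small Python triage helper for exactly the check the reply asks about: it parses the text form of the MS-PAC dump that Samba writes to its log, like the one quoted above, and reports which service delegated the user (the PAC_TYPE_CONSTRAINED_DELEGATION buffer) and whether the RIDs in PAC_TYPE_LOGON_INFO would give the local NT token the Domain Admins RID 512. It assumes only the "key : value" layout of Samba's NDR dump as shown in the quoted log. The first sample is the thread's dump trimmed to the fields read here (with '@' restored where the list archive printed '(a)'); the second is a constructed negative case with a hypothetical account 'jdoe' and made-up RIDs.

```python
"""Parse the MS-PAC dump Samba logs after "Successfully validated Kerberos PAC"."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

DOMAIN_ADMINS_RID = 512  # well-known RID of the "Domain Admins" group

# Constructed sample: the thread's dump trimmed to the fields read here, '@' restored.
SAMPLE_DELEGATED_ADMIN = """\
   type : PAC_TYPE_LOGON_INFO (1)
     account_name: struct lsa_String
      string : 'admin'
     rid : 0x000001f4 (500)
     primary_gid : 0x00000200 (512)
     groups: struct samr_RidWithAttributeArray
      rids: ARRAY(0)
   type : PAC_TYPE_CONSTRAINED_DELEGATION (11)
     proxy_target: struct lsa_String
      string : 'HTTP/dlp.ipa.srv.world@IPA.SRV.WORLD'
     transited_services: struct lsa_String
      string : 'cifs/dlp.ipa.srv.world@IPA.SRV.WORLD'
"""

# Constructed negative case (hypothetical account and RIDs): a direct logon by an
# ordinary user who is only a member of Domain Users (513), no delegation buffer.
SAMPLE_PLAIN_USER = """\
   type : PAC_TYPE_LOGON_INFO (1)
     account_name: struct lsa_String
      string : 'jdoe'
     rid : 0x00000451 (1105)
     primary_gid : 0x00000201 (513)
     groups: struct samr_RidWithAttributeArray
       rids: struct samr_RidWithAttribute
        rid : 0x00000201 (513)
"""

LINE_RE = re.compile(r"^\s*([A-Za-z_]+)\s*:\s*(.*?)\s*$")  # "key : value"
DEC_RE = re.compile(r"0x[0-9A-Fa-f]+\s*\((\d+)\)")          # "0x1f4 (500)" -> 500


@dataclass
class PacSummary:
    account_name: Optional[str] = None
    user_rid: Optional[int] = None
    primary_gid: Optional[int] = None
    group_rids: List[int] = field(default_factory=list)
    proxy_target: Optional[str] = None  # service that used S4U2Proxy, if any
    transited_services: List[str] = field(default_factory=list)

    def effective_rids(self) -> set:
        # The local NT token is built from the primary group plus the group list.
        rids = set(self.group_rids)
        if self.primary_gid is not None:
            rids.add(self.primary_gid)
        return rids

    def is_domain_admin(self) -> bool:
        return DOMAIN_ADMINS_RID in self.effective_rids()

    def is_constrained_delegation(self) -> bool:
        return self.proxy_target is not None


def parse_pac_dump(text: str) -> PacSummary:
    s = PacSummary()
    # buffer_type: PAC_TYPE_* being read; pending: lsa_String field whose quoted
    # value follows on a later 'string :' line; in_groups: inside the group RID array
    buffer_type, pending, in_groups = None, None, False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "type" and value.startswith("PAC_TYPE_"):
            buffer_type, pending, in_groups = value.split()[0], None, False
        elif value.startswith("struct lsa_String"):
            pending = key
        elif key == "string" and pending and len(value) > 1 and value[0] == value[-1] == "'":
            quoted = value[1:-1]
            if pending == "account_name" and buffer_type == "PAC_TYPE_LOGON_INFO":
                s.account_name = quoted
            elif pending == "proxy_target":
                s.proxy_target = quoted
            elif pending == "transited_services":
                s.transited_services.append(quoted)
            pending = None
        elif buffer_type == "PAC_TYPE_LOGON_INFO" and key == "groups":
            in_groups = True
        elif buffer_type == "PAC_TYPE_LOGON_INFO" and key in ("rid", "primary_gid"):
            number = int(DEC_RE.search(value).group(1))
            if key == "primary_gid":
                s.primary_gid = number
            elif in_groups:
                s.group_rids.append(number)  # member RID inside the groups array
            else:
                s.user_rid = number          # the account's own RID
    return s


if __name__ == "__main__":
    for dump in (SAMPLE_DELEGATED_ADMIN, SAMPLE_PLAIN_USER):
        p = parse_pac_dump(dump)
        print(p.account_name, sorted(p.effective_rids()), p.is_domain_admin(), p.proxy_target)
```

Running the file prints one line per sample; `parse_pac_dump` can equally be fed the PAC section cut out of a real smbd or winbindd log at a high debug level. For the thread's dump it yields user RID 500 with primary group 512 and an empty group list, so the PAC itself does carry Domain Admins; if the local token built afterwards lacks 512, the problem lies in the resolution step the reply asks to see logs for, not in the PAC.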