Have you set up the external group and internal group as required in IPA? The server you are trying to log into - you have added this to the IPA server using ipa-client-install?
When you are logged into the server that you want to login to as root (or local user), does `id user@ad_domain.com` give you the results you expected? (sorry to ask simple questions, but just in case....) cheers L. ------ The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 11 July 2016 at 13:46, pgb205 <pgb...@yahoo.com> wrote: > I have successfully established trust and am able to obtain ticket > granting ticket > kinit user@AD_DOMAIN.COM > I can also do kinit admin@IPA_DOMAIN.COM > ssh admin@IPA_DOMAIN.COM also works > > however, ssh user@AD_DOMAIN.COM or user@ad_domain.com fails > > I have checked that there are no hbac rules other then the default > allow_all rule > > in sssd_ssh.log see > permission denied (6) error > > in sssd_ipa.domain.log file I see > pam_handler_callback 6 permission_denied > > in sssd_nss.log > Unable to get information from Data Provider > Error: 3 Account info lookup failed > Will try to return what we have in cache > > in /var/log/secure > received for user user@AD_DOMAIN.COM: 6 (Permission denied) > > I can provided full logs if necessary to diagnose the above problem. > > ---------- > Additionally, I would like to be able to login as *user *not > *user@AD_DOMAIN.COM > <user@AD_DOMAIN.COM>* > My understanding that only thing that I have to change to make this happen > is /etc/krb5.conf > for line > [libdefaults] > default_realm=AD_DOMAN.COM > and then restarting ipa services. > > However, when I do this I get failure to restart Samba service > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
