Hi, I am using a trust between AD and IPA.

AD domain: ad.corp.example.com
IPA domain: ipa.corp.example.com

I am able to log in using SSH to the IPA server using the AD user. When I try to log in using SSH to the Linux client, which is a member of the IPA domain, it does not work.

Please find my /etc/krb5.conf on the client machine below:

[libdefaults]
  #default_realm = IPA.CORP.EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  # default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  IPA.CORP.EXAMPLE.COM = {
    kdc = ipa01.ipa.corp.example.com:88
    master_kdc = ipa01.ipa.corp.example.com:88
    admin_server = ipa01.ipa.corp.example.com:749
    #default_domain = ipa.corp.example.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    auth_to_local = RULE:[1:$1@$0](^.*@AD.CORP.EXAMPLE.COM$)s/@ AD.CORP.EXAMPLE.COM/@ad.corp.example.com/
    auth_to_local = DEFAULT
  }
  AD.CORP.EXAMPLE.COM = {
    kdc = ad01.ad.corp.example.com:88
    master_kdc = ad01.ad.corp.example.com:88
  }

[domain_realm]
  .ipa.corp.example.com = IPA.CORP.EXAMPLE.COM
  ipa.corp.example.com = IPA.CORP.EXAMPLE.COM
  .ad.corp.example.com = AD.CORP.EXAMPLE.COM
  ad.corp.example.com = AD.CORP.EXAMPLE.COM

Please find my SSSD config below:

[sssd]
config_file_version = 2
services = nss, sudo, pam, ssh
domains = ipa.corp.exampl.com

[nss]
homedir_substring = /home

[domain/ipa.corp.example.com]
debug_level = 9
krb5_store_password_if_offline = True
id_provider = ipa
auth_provider = ipa
access_provider = ipa
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.corp.example.com
ipa_hostname = host01.ipa.corp.example.com
ipa_server = _srv_, ipa01.ipa.corp.example.com
chpass_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
dns_discovery_domain = ipa.corp.example.com

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

Please find the krb5_child.log attached.

Please help me to understand what I am missing here or what may be the issue.

Thanks

--
Warm Regards
Supratik
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
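An added consistency check, not part of the original post: each name listed in `domains` under `[sssd]` is expected to have a matching `[domain/NAME]` section, so this script compares the two, using the sssd.conf from the message above (trimmed) as embedded sample input. The function name `check_sssd_domains` is hypothetical, and names are compared exactly as written.

```python
import configparser

# sssd.conf as posted in the message above, trimmed to the relevant keys.
POSTED_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, sudo, pam, ssh
domains = ipa.corp.exampl.com

[nss]
homedir_substring = /home

[domain/ipa.corp.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
krb5_store_password_if_offline = True
krb5_store_password_if_offline = True
ipa_domain = ipa.corp.example.com
ipa_server = _srv_, ipa01.ipa.corp.example.com
"""


def check_sssd_domains(conf_text):
    """Return (enabled_without_section, sections_not_enabled)."""
    # strict=False tolerates duplicated keys, which the posted file contains;
    # interpolation=None keeps any '%' in values literal.
    cp = configparser.ConfigParser(
        strict=False, interpolation=None, delimiters=("=",)
    )
    cp.read_string(conf_text)
    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    prefix = "domain/"
    defined = [s[len(prefix):] for s in cp.sections() if s.startswith(prefix)]
    missing = [d for d in enabled if d not in defined]
    unused = [d for d in defined if d not in enabled]
    return missing, unused


if __name__ == "__main__":
    missing, unused = check_sssd_domains(POSTED_SSSD_CONF)
    for name in missing:
        print(f"enabled in [sssd] but no [domain/{name}] section")
    for name in unused:
        print(f"[domain/{name}] defined but not listed in 'domains'")
```

To check a real client, pass the contents of /etc/sssd/sssd.conf (readable only by root) to the function instead of the embedded sample.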