I have created a FreeIPA solution using Red Hat’s IDM product.
FreeIPA version: 4.5.0
OS version: RHEL 7.4
I have successfully installed the server portion and can authenticate to it
using local IDM users, such as the ‘admin’ user. I have created a one-way trust
between the IPA realm and an AD realm successfully, as `ipa trust-show`
demonstrates, returning the SID of the domain. I have also created the local
POSIX and external groups and mapped them. `ipa group-show <extgroupname>`
returns the external member SID just fine.
However, I cannot authenticate in the server over SSH using one of those AD
users. I’ve checked the HBAC rules and they are fine. One thing I noticed when
monitoring the secure log when testing is that the IDM users make a call to
pam_sss, as expected, but the AD users do not. I have tried multiple ways of
passing the user and all are rejected -- user@netbios, user@domainfqdn,
netbios\user, and domainfqdn\user.
The user in question is in a single group in AD, and it has been tested with
the group being both Domain Local and Universal with the same results. There is
only one member of the group, the user that I am attempting login with.
Have I missed something?
FreeIPA-users mailing list -- email@example.com
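The symptom described in the post (IDM users hit `pam_sss`, AD users never do) is what `/var/log/secure` looks like when sshd cannot resolve the user name at all: sshd does a getpwnam() lookup through NSS (on an IPA client, via sssd) before it starts PAM, and if that lookup fails it logs `Invalid user ...` and the auth modules only ever see an unknown user. A trusted-domain user who reaches `pam_sss` but is refused by HBAC looks different again (`pam_sss(sshd:account): Access denied for user ...`). The following script, added here as an illustration and not part of the original post or of FreeIPA, sorts sshd sessions in a secure log into those three buckets so the next check is obvious: `NOT_RESOLVED` means look at sssd/trust resolution (`id user@domain`, the sssd domain log), `DENIED_BY_ACCOUNT_POLICY` means look at HBAC, `AUTH_FAILED` means the password or Kerberos step failed. The log lines embedded below are constructed for the example; the host name, user names and domain `example.test` are invented.

```python
#!/usr/bin/env python3
"""Classify sshd login attempts in a RHEL-style /var/log/secure by how far
they got: name lookup, pam_sss authentication, pam_sss account (HBAC) check.

Added example for diagnosing "AD users never reach pam_sss"; not FreeIPA code.
"""
import re
import sys

# Constructed sample log (hosts, users and addresses are invented).
SAMPLE_SECURE_LOG = """\
Mar  3 10:01:02 ipa01 sshd[2001]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=admin
Mar  3 10:01:02 ipa01 sshd[2001]: Accepted password for admin from 10.0.0.5 port 50122 ssh2
Mar  3 10:02:10 ipa01 sshd[2010]: Invalid user jdoe@example.test from 10.0.0.5 port 50130
Mar  3 10:02:12 ipa01 sshd[2010]: input_userauth_request: invalid user jdoe@example.test [preauth]
Mar  3 10:02:15 ipa01 sshd[2010]: pam_unix(sshd:auth): check pass; user unknown
Mar  3 10:02:15 ipa01 sshd[2010]: Failed password for invalid user jdoe@example.test from 10.0.0.5 port 50130 ssh2
Mar  3 10:03:20 ipa01 sshd[2020]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=bob
Mar  3 10:03:20 ipa01 sshd[2020]: pam_sss(sshd:auth): received for user bob: 6 (Permission denied)
Mar  3 10:03:20 ipa01 sshd[2020]: Failed password for bob from 10.0.0.5 port 50140 ssh2
Mar  3 10:04:30 ipa01 sshd[2030]: pam_sss(sshd:account): Access denied for user alice@example.test: 6 (Permission denied)
Mar  3 10:04:30 ipa01 sshd[2030]: Failed password for alice@example.test from 10.0.0.5 port 50150 ssh2
"""

# syslog prefix: "Mar  3 10:01:02 host sshd[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from ")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from ")
PAM_SSS_RE = re.compile(r"^pam_sss\(sshd:(?P<stage>auth|account)\): (?P<msg>.*)$")
# "user=admin" or "for user bob:"; \b keeps "ruser=" from matching
PAM_USER_RE = re.compile(r"\buser[= ](?P<user>[^\s:]+)")


def parse_secure_log(text):
    """Group sshd lines by process id and record what each session reached."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        s = sessions.setdefault(pid, {"user": None, "invalid_user": False,
                                      "pam_sss_auth": None,
                                      "pam_sss_account_denied": False,
                                      "accepted": False})
        im = INVALID_RE.match(msg)
        if im:  # sshd's NSS lookup failed; PAM never sees a real user
            s["user"], s["invalid_user"] = im.group("user"), True
            continue
        am = ACCEPTED_RE.match(msg)
        if am:
            s["user"], s["accepted"] = am.group("user"), True
            continue
        pm = PAM_SSS_RE.match(msg)
        if pm:
            um = PAM_USER_RE.search(pm.group("msg"))
            if um:
                s["user"] = um.group("user")
            body = pm.group("msg")
            if pm.group("stage") == "auth":
                if "authentication success" in body:
                    s["pam_sss_auth"] = "success"
                elif "authentication failure" in body:
                    s["pam_sss_auth"] = "failure"
            elif "Access denied" in body:  # account phase = HBAC / access control
                s["pam_sss_account_denied"] = True
    return sessions


def diagnose(session):
    """Map one sshd session to the layer that stopped it."""
    if session["invalid_user"]:
        return "NOT_RESOLVED"            # check sssd / trust name resolution
    if session["pam_sss_account_denied"]:
        return "DENIED_BY_ACCOUNT_POLICY"  # check HBAC rules
    if session["pam_sss_auth"] == "failure":
        return "AUTH_FAILED"             # credential / Kerberos problem
    if session["accepted"]:
        return "OK"
    return "UNKNOWN"


def summarize(text):
    """Return {user: verdict} for every sshd session found in the log text."""
    return {s["user"]: diagnose(s)
            for s in parse_secure_log(text).values() if s["user"]}


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SECURE_LOG
    for user, verdict in summarize(data).items():
        print(f"{user:30} {verdict}")
```

Run it as `python3 classify_secure.py /var/log/secure` on the IPA server; with no argument it uses the embedded sample. A `NOT_RESOLVED` verdict for the AD users is the case the post describes, and it points at name resolution through sssd (the trust, the ID range, or the `sssd` domain section) rather than at the HBAC rules, which are only consulted once `pam_sss` runs its account phase.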