> On 8 Aug 2017, at 16:58, Eddleman, David via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> Hello,
>  
> I have created a FreeIPA solution using Red Hat’s IDM product.
> FreeIPA version: 4.5.0
> OS version: RHEL 7.4
>  
> I have successfully installed the server portion and can authenticate to it 
> using local IDM users, such as the ‘admin’ user. I have created a one-way 
> trust between the IPA realm and an AD realm successfully, as `ipa trust-show` 
> demonstrates, returning the SID of the domain. I have also created the local 
> POSIX and external groups and mapped them. `ipa group-show <extgroupname>` 
> returns the external member SID just fine.
>  
> However, I cannot authenticate in the server over SSH using one of those AD 
> users. I’ve checked the HBAC rules and they are fine. One thing I noticed 
> when monitoring the securelog when testing is that the IDM users make a call 
> to pam_sss, as expected, but the AD users do not.

This probably means the user can’t be resolved at all, so the authentication 
process doesn’t even make it to the PAM phase. Does ‘getent passwd 
user@domainfqdn’ work?

Are you testing on the IDM server itself or on one of the clients? I would 
suggest to make the IDM server work first.

Either way, you’ll want to enable the SSSD debug logs and take a look there.

> I have tried multiple ways of passing the user and all are rejected -- 
> user@netbios, user@domainfqdn, netbios\user, and domainfqdn\user.

Either netbios\user or user@domainfqdn work, the others do not.

>  
> The user in question is in a single group in AD, and it has been tested with 
> the group being both Domain Local and Universal with the same results. There 
> is only one member of the group, the user that I am attempting login with.

Don’t use domain-local groups. Domain-local groups can only be assigned to a 
cross-forest group membership by accident, IPA needs to be fixed to disallow 
that.

Domain-local groups are just that, local to the domain they are defined in and 
during login, the membership to a domain local group from a non-local domain is 
stripped from the PAC and would remove the group membership of the user in that 
group during login.

>  
> Have I missed something?
>  
> David Eddleman
>  
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org 
> <mailto:freeipa-users@lists.fedorahosted.org>
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org 
> <mailto:freeipa-users-le...@lists.fedorahosted.org>

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to