On Thu, Sep 14, 2017 at 11:08:54AM -0400, Rob Crittenden via FreeIPA-users 
wrote:
> Louis Abel via FreeIPA-users wrote:
> > I should probably mention that IPA users have started working. But not my 
> > AD users.
> > 
> > [root@rhn2 tmp]# ssh -l louis.ab...@ipa.example.com devu16 -q
> > Password:
> > Last login: Thu Sep 14 07:57:55 2017 from rhn2.example.com
> > Could not chdir to home directory /home/louis.abel2: No such file or 
> > directory
> > Oracle Corporation      SunOS 5.11      11.3    June 2017
> > -bash-4.4$ logout
> > [root@rhn2 tmp]# ssh -l louis.a...@ad.example.com devu16 -q
> > Password:
> > Password:
> > 
> > AD users seem to be suffering from the same errors:
> > 
> > libsldap: Status: 53 Mesg: openConnection: simple bind failed - DSA is 
> > unwilling to perform
> > libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid 
> > credentials
> >
> 
> Not sure why some users would work and some wouldn't but I'd suspect the
> bind password in your ldapclient config.

Another thing that bit me in the past was that since on the IPA server,
the password binds against AD users are intercepted and turned into a
PAM conversation against the system-auth service, HBAC must allow the
system-auth service on the IDM server itself.

(Check /var/log/secure on the IDM server for messages from pam-sss.so.)
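The log check suggested in the last message, as an added example that is not part of the original thread: a shell function that counts HBAC account denials logged by pam_sss for a given PAM service (default `system-auth`). The sample log lines, host name and user names are constructed, and the line format is assumed to be the usual pam_sss syslog format.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure on the IDM server (not real log data).
sample_secure_log() {
cat <<'EOF'
Sep 14 11:02:10 idm1 ns-slapd: pam_sss(system-auth:auth): authentication success; logname= uid=389 euid=389 tty= ruser= rhost= user=aduser@ad.example.com
Sep 14 11:02:10 idm1 ns-slapd: pam_sss(system-auth:account): Access denied for user aduser@ad.example.com: 6 (Permission denied)
Sep 14 11:05:41 idm1 sshd[2211]: pam_sss(sshd:account): Access denied for user other@ad.example.com: 6 (Permission denied)
Sep 14 11:07:03 idm1 ns-slapd: pam_sss(system-auth:account): Access denied for user aduser@ad.example.com: 6 (Permission denied)
EOF
}

# pam_sss_denials LOGFILE [SERVICE]
# Prints "<count> <user>" for every user whose account phase was denied
# for the given PAM service. A successful auth followed by an account
# denial is the pattern an HBAC rule gap produces.
pam_sss_denials() {
    awk -v svc="${2:-system-auth}" '
        BEGIN { tag = "pam_sss(" svc ":account): Access denied for user " }
        {
            i = index($0, tag)            # literal match, no regex escaping
            if (i == 0) next
            rest = substr($0, i + length(tag))
            j = index(rest, ": ")         # user name ends before ": <code>"
            if (j == 0) next
            count[substr(rest, 1, j - 1)]++
        }
        END { for (u in count) print count[u], u }
    ' "$1" | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a real server pass /var/log/secure.
demo_log=$(mktemp)
sample_secure_log > "$demo_log"
pam_sss_denials "$demo_log"
rm -f "$demo_log"
```

A user listed here for `system-auth` can then be checked against the HBAC rules with `ipa hbactest --user=<user> --host=<idm-server> --service=system-auth`.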