On Thu, 14 Sep 2017, Jakub Hrozek via FreeIPA-users wrote:
On Thu, Sep 14, 2017 at 11:08:54AM -0400, Rob Crittenden via FreeIPA-users wrote:
Louis Abel via FreeIPA-users wrote:
> I should probably mention that IPA users have started working. But not my AD users.
>
> [root@rhn2 tmp]# ssh -l louis.ab...@ipa.example.com devu16 -q
> Password:
> Last login: Thu Sep 14 07:57:55 2017 from rhn2.example.com
> Could not chdir to home directory /home/louis.abel2: No such file or directory
> Oracle Corporation      SunOS 5.11      11.3    June 2017
> -bash-4.4$ logout
> [root@rhn2 tmp]# ssh -l louis.a...@ad.example.com devu16 -q
> Password:
> Password:
>
> AD users seem to be suffering from the same errors:
>
> libsldap: Status: 53 Mesg: openConnection: simple bind failed - DSA is unwilling to perform
> libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
>

Not sure why some users would work and some wouldn't but I'd suspect the
bind password in your ldapclient config.

Another thing that bit me in the past was that since on the IPA server,
the password binds against AD users are intercepted and turned into a
PAM conversation against the system-auth service, HBAC must allow the
system-auth service on the IDM server itself.

(Check /var/log/secure on the IDM server for messages from pam_sss.so.)
This one as well. It is documented in both slapi-nis and overall IPA
documentation.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-legacy.html

5.4.1:
----
If the host-based access control (HBAC) allow_all rule is disabled,
enable the system-auth service on the IdM server, which allows
authentication of the AD users.
----


--
/ Alexander Bokovoy
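The check Rob describes above (look in /var/log/secure on the IdM server for pam_sss messages) is easy to automate. The following is an added example, not code from the thread or from the FreeIPA project: it parses pam_sss lines and separates the two failure modes an AD user can hit on the compat tree, a rejected password in the auth stage versus an HBAC denial in the account stage of the system-auth service. The sample log lines are constructed for this example; the pam_sss message formats are an approximation of what SSSD logs, and the ns-slapd process name as the syslog ident is an assumption, so adjust the regular expressions to your own logs.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines from an IdM server (not taken
# from the original thread). Message formats approximate pam_sss output and
# the ns-slapd ident is an assumption; both may need tuning for real logs.
SAMPLE_SECURE_LOG = """\
Sep 14 11:02:13 ipa1 ns-slapd[2187]: pam_sss(system-auth:auth): authentication success; logname= uid=389 euid=389 tty= ruser= rhost= user=louis.abel@ad.example.com
Sep 14 11:02:13 ipa1 ns-slapd[2187]: pam_sss(system-auth:account): Access denied for user louis.abel@ad.example.com: 6 (Permission denied)
Sep 14 11:03:40 ipa1 ns-slapd[2187]: pam_sss(system-auth:auth): authentication failure; logname= uid=389 euid=389 tty= ruser= rhost= user=jdoe@ad.example.com
Sep 14 11:03:40 ipa1 ns-slapd[2187]: pam_sss(system-auth:auth): received for user jdoe@ad.example.com: 7 (Authentication failure)
Sep 14 11:05:02 ipa1 sshd[3012]: pam_sss(sshd:account): Access denied for user bob@ad.example.com: 6 (Permission denied)
Sep 14 11:06:11 ipa1 ns-slapd[2187]: pam_sss(system-auth:auth): authentication success; logname= uid=389 euid=389 tty= ruser= rhost= user=alice@ad.example.com
Sep 14 11:06:11 ipa1 ns-slapd[2187]: pam_sss(system-auth:account): Access denied for user alice@ad.example.com: 6 (Permission denied)
"""

# pam_sss tags every line with "(service:stage)"; the stage tells us whether
# the password check (auth) or the access-control check (account) complained.
PAM_SSS_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<stage>[^)]+)\): (?P<msg>.*)$")
DENIED_RE = re.compile(r"Access denied for user (?P<user>\S+):")
AUTHFAIL_RE = re.compile(r"authentication failure;.*\buser=(?P<user>\S+)")


def parse_pam_sss(log_text):
    """Return a list of (service, stage, user, outcome) tuples.

    outcome is 'hbac_denied' when the account stage rejected the user
    (an HBAC rule did not allow the service on this host) or
    'bad_password' when the auth stage failed. Other lines are skipped.
    """
    events = []
    for line in log_text.splitlines():
        m = PAM_SSS_RE.search(line)
        if not m:
            continue
        service, stage, msg = m.group("service"), m.group("stage"), m.group("msg")
        denied = DENIED_RE.match(msg)
        if stage == "account" and denied:
            events.append((service, stage, denied.group("user"), "hbac_denied"))
            continue
        failed = AUTHFAIL_RE.match(msg)
        if stage == "auth" and failed:
            events.append((service, stage, failed.group("user"), "bad_password"))
    return events


def system_auth_hbac_denials(log_text, ad_domain):
    """Users from ad_domain whose password was accepted but whose account
    stage was rejected on the system-auth service: the exact symptom the
    thread describes when HBAC does not allow system-auth on the IdM server.
    Returns a sorted list of user names.
    """
    suffix = "@" + ad_domain.lower()
    users = set()
    for service, _stage, user, outcome in parse_pam_sss(log_text):
        if service == "system-auth" and outcome == "hbac_denied" \
                and user.lower().endswith(suffix):
            users.add(user)
    return sorted(users)


def summarize(log_text):
    """Count outcomes per (service, outcome) so that credential problems
    (the client sees LDAP result 49) can be told apart from HBAC problems."""
    return Counter((svc, outcome) for svc, _, _, outcome in parse_pam_sss(log_text))


if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_SECURE_LOG).items()):
        print(f"{key[0]:12s} {key[1]:13s} {count}")
    denied = system_auth_hbac_denials(SAMPLE_SECURE_LOG, "ad.example.com")
    if denied:
        print("HBAC blocks system-auth on this IdM server for:", ", ".join(denied))
```

If the script reports system-auth denials for AD users while the same users pass the auth stage, the fix is the one quoted from the documentation above: allow the system-auth HBAC service on the IdM server host (for example with ipa hbacrule-add, ipa hbacrule-add-service --hbacsvcs=system-auth and ipa hbacrule-add-host for the IdM server), then confirm with ipa hbactest --service=system-auth for the affected user and host before retrying the Solaris client.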
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org