Thanks Alexander that was it.

On Wed, Feb 14, 2018 at 6:06 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On ke, 14 helmi 2018, Alexandre Pitre via FreeIPA-users wrote:
>
>> Earlier this week, users reported they could no longer ssh to freeipa
>> joined servers using their AD login. After some inverstigation, it was
>> discovered if krb5_validate was set to false in the sssd.conf, AD ssh
>> login
>> would start working again.
>>
>> One of our IPA server is showing these errors in /var/log/messages:
>>
>> Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.823685558
>> +0000]
>> - ERR - is_allowed_to_access_attr - [file ipa_pwd_extop.c, line 786]:
>> slapi_access_allowed does not allow READ to ipaProtectedOperation;read_key
>> s!
>> Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.826357278
>> +0000]
>> - ERR - ipapwd_getkeytab - [file ipa_pwd_extop.c, line 1646]: Not allowed
>> to retrieve keytab on [IPA$@DOMAIN.COM] as user [fqdn=
>> ipaserver.ipa.domain.com,cn=computers,cn=accounts,dc=ipa,dc=
>> domain,dc=com]!
>> Feb 13 20:53:28 ipaserver sssd: Failed to parse result: Insufficient
>> access
>> rights
>> Feb 13 20:53:28 ipaserver sssd: Failed to get keytab
>>
>> I could paste the the debug logs from sssd but I'm pretty sure that error
>> in /var/log/messages is the root cause preventing AD ssh login. I did some
>> research and couldn't find anything revelant.
>>
>> Any ideas how to fix this ?
>>
> It looks like ipaserver.ipa.domain.com is not a trust agent. Remember
> that only trust agents and trust controllers can retrieve trusted domain
> object credentials to communicate to AD DCs.
>
> --
> / Alexander Bokovoy
>



-- 
Alexandre Pitre
alexandre.pi...@gmail.com
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to