Thanks for the tip. I made the nsswitch.conf just like yours. I also looked at the files on a CentOS 7 client and made changes on the Ubuntu. But it is still no good. Any more suggestions?
The test user IDs are on the system, and I can su to them. However, I can't ssh in. I also noticed that when I try `passwd dummy1`, I get:

```
passwd: Authentication token manipulation error
passwd: password unchanged
```

I can't run `sudo -l` either. Is it something with passwd? (which is the right login on the CentOS 7 VM)

```
root@test02:~# id -a dummy1
uid=352200001(dummy1) gid=352200001(dummy1) groups=352200001(dummy1)
root@test02:~# su - dummy1
dummy1@ny4test02:~$ sudo -l dummy1
[sudo] password for dummy1:
Sorry, try again.
[sudo] password for dummy1:
```

############

1) I made nsswitch just like yours

2) My ipa.default

```
[global]
basedn = dc=xxxxx,dc=local
realm = XXXXX.LOCAL
domain = xxxxx.local
server = ipa1.xxxxx.local
host = test02.xxxxx.local
xmlrpc_uri = https://ipa1.xxxxx.local/ipa/xml
enable_ra = True
```

3) My krb5.conf

```
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = XXXXX.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = truee
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  XXXXX.LOCAL = {
    kdc = ipa1.xxxxx.local:88
    master_kdc = ipa1.xxxxx.local:88
    admin_server = ipa1.xxxxx.local:749
    kpasswd_server = ipa1.xxxxx.local:464
    default_domain = xxxxx.local
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .xxxxx.local = XXXXX.LOCAL
  xxxxx.local = XXXXX.LOCAL
  test02.xxxxx.local = XXXXX.LOCAL
```

4) My ldap.conf

```
TLS_CACERT /etc/ipa/ca.crt
# modified by IPA
URI ldaps://ipa1.xxxxx.local
BASE dc=xxxxx,dc=local
```

5) My sssd.conf

```
[sssd]
services = nss, sudo, pam, ssh
domains = xxxxx.local

[domain/xxxxx.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xxxxx.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = test02.xxxxx.local
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipa1.xxxxx.local
dyndns_iface = ens3
ldap_tls_cacert = /etc/ipa/ca.crt

[nss]
homedir_substring = /home
```
