On Tue, Nov 10, 2020 at 03:56:48PM -0000, kotelnikova9314--- via FreeIPA-users 
wrote:
> Hello all, 
> sorry if this question has already been discussed several times; nevertheless, I 
> am stuck with setting up a trust between FreeIPA and AD.
> To be more precise, the one-way trust is set up and I can log in to the FreeIPA 
> server with AD credentials.
> I also have a bunch of servers with ipa-client configured and I am able to 
> log in to them with FreeIPA accounts, but not AD ones.
> 
> 1) Did I understand correctly that clients should "somehow" authenticate to 
> AD via FreeIPA? Or do they need to contact AD directly?

The client will get user and group information from the FreeIPA server
but for authentication (Kerberos) they will talk with AD DCs directly.

> 
>  2) If the clients should be configured to talk to AD, which configurations 
> are needed?

For a start, no specific configuration is needed; ipa-client-install
should set all needed options.

>  
> 3) The way I am trying to log in is as follows:
> > ssh -v -l ad_user@ad_domain hostname
> 
> 4) In the logs I have such errors during authentication:
> sshd[11294]: pam_sss(sshd:auth): authentication failure; logname= uid=0 
> euid=0 tty=ssh ruser= rhost=10.45.33.1 user=ad_user@ad_domain
> sshd[11294]: pam_sss(sshd:auth): received for user ad_user@ad_domain: 6 
> (Permission denied)
> sshd[11290]: error: PAM: Authentication failure for ad_user@ad_domain from 
> 10.45.33.1
> sshd[11290]: Connection closed by authenticating user user_ad@ad_domain 
> 10.45.33.1 port 40108 [preauth]

Please add 'debug_level = 9' to the [pam] and [domain/...] sections in
sssd.conf, restart SSSD, try to authenticate again and send the logs.

bye,
Sumit

> 
> Thanks in advance!
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
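
One way to apply the debug_level change requested in the reply above, as an added example that is not part of the original thread: a shell function that prints a copy of an sssd.conf-style file with debug_level set in [pam] and every [domain/...] section. The function name, the sample configuration and the domain name ipa.example.test are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Prints a copy of an sssd.conf-style file
# with debug_level set in [pam] and in every [domain/...] section.
set_sssd_debug() {
    conf=$1
    level=${2:-9}
    awk -v lvl="$level" '
        /^[ \t]*\[/ {
            sec = $0
            gsub(/^[ \t]+|[ \t]+$/, "", sec)
            # Only the sections named in the reply are touched.
            target = (sec == "[pam]" || index(sec, "[domain/") == 1)
            print
            if (target) print "debug_level = " lvl
            next
        }
        # Drop a previous debug_level in a target section so reruns are idempotent.
        target && /^[ \t]*debug_level[ \t]*=/ { next }
        { print }
    ' "$conf"
}

# Constructed sample configuration; the domain name is a placeholder.
sample_conf() {
    cat <<'EOF'
[sssd]
services = nss, pam
domains = ipa.example.test

[pam]
debug_level = 2

[domain/ipa.example.test]
id_provider = ipa
EOF
}

# Demo: write the sample to a temp file and show the edited copy.
demo_file=$(mktemp)
sample_conf > "$demo_file"
set_sssd_debug "$demo_file" 9
rm -f "$demo_file"
```

After reviewing the output and installing it as /etc/sssd/sssd.conf (owned by root, mode 0600), restart SSSD with `systemctl restart sssd` and repeat the login; the resulting logs are written under /var/log/sssd/.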