Hi Sumit,

thank you for the comprehensive answer.

> On Tue, Nov 10, 2020 at 03:56:48PM -0000, kotelnikova9314--- via 
> FreeIPA-users wrote:
> 
> The client will get user and group information from the FreeIPA server
> but for authentication (Kerberos) they will talk with AD DCs directly.

OK, I see, thank you for the explanation.

> For a start no specific configuration is needed, ipa-client-install
> should set all needed options.

Found my mistake. My clients had been configured without the trust, so their krb5.conf
had these settings in the [realm] section:
    kdc = ipaserver.ipadomain.com:88
    master_kdc = ipaserver.ipadomain.com:88
    admin_server = ipaserver.ipadomain.com:749
    kpasswd_server = ipaserver.ipadomain.com:464
    default_domain = ipadomain.com
 
After re-installing the clients with ipa-client-install once the trust was
established, these lines were removed and authentication for AD users
succeeded.

Without reinstalling, defining the AD trust domain in the [realm] section
also helped:
  AD.DOMAIN = {
    kdc = ad-controlled.ad.domain:88
  }

> Please add 'debug_level = 9' to the [pam] and [domain/...] section in
> sssd.conf, restart SSSD, try to authenticate again and send the logs.

No need, I had already found that the problem was in the SSSD cache; I had to wait a
bit or remove the cache for the updated HBAC rules to be applied.

> bye,
> Sumit
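The two krb5.conf states described in this reply (the IPA realm pinned to the IPA server's KDC, and the trusted AD realm either absent or given its own kdc line) can be checked mechanically. The script below is an added example, not code from the thread or from FreeIPA: it parses the [realms] section of a krb5.conf, lists the KDCs configured per realm and reports the two situations from the message. The sample configs are constructed for the example and the hostnames (ipaserver.ipadomain.com, ad-controller.ad.domain) and realm names are placeholders.

```python
"""Parse krb5.conf [realms] entries and flag the trust-related situations from the thread:
the IPA realm with hard-coded KDC entries, and a trusted AD realm with no kdc at all."""
import re

# Constructed sample modelled on the "before" state in the thread: the IPA realm pins its
# KDCs to the IPA server and nothing is defined for the trusted AD realm. Hostnames and
# realm names are placeholders, not the poster's real ones.
KRB5_CONF_BEFORE = """\
[libdefaults]
  default_realm = IPADOMAIN.COM
  dns_lookup_kdc = false

[realms]
  IPADOMAIN.COM = {
    kdc = ipaserver.ipadomain.com:88
    master_kdc = ipaserver.ipadomain.com:88
    admin_server = ipaserver.ipadomain.com:749
    kpasswd_server = ipaserver.ipadomain.com:464
    default_domain = ipadomain.com
  }

[domain_realm]
  .ipadomain.com = IPADOMAIN.COM
  ipadomain.com = IPADOMAIN.COM
"""

# The same file after adding the AD realm block the thread describes as the non-reinstall fix
# (inserted at the end of [realms], just before [domain_realm]).
KRB5_CONF_AFTER = KRB5_CONF_BEFORE.replace(
    "[domain_realm]",
    "  AD.DOMAIN = {\n    kdc = ad-controller.ad.domain:88\n  }\n\n[domain_realm]",
)

SECTION_RE = re.compile(r"^\[(\w+)\]$")
OPEN_RE = re.compile(r"^([\w.\-]+)\s*=\s*\{$")
KV_RE = re.compile(r"^([\w.\-]+)\s*=\s*(.*)$")


def parse_krb5_conf(text):
    """Return {section: {key: [values] | {subkey: [values]}}}.

    Covers the subset that matters here: [section] headers, key = value lines
    (repeated keys accumulate into a list) and one level of REALM = { ... } blocks.
    '#' and ';' comments and blank lines are skipped."""
    conf = {}
    section = None
    block = None  # dict of the current { ... } group, or None at section level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError("key/value outside any [section]: %r" % raw)
        if line == "}":
            block = None
            continue
        m = OPEN_RE.match(line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        target = block if block is not None else section
        target.setdefault(m.group(1), []).append(m.group(2).strip())
    return conf


def realm_kdcs(conf, realm):
    """KDC entries configured for a realm; [] when the realm block is absent."""
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict):
        return []
    return list(entry.get("kdc", []))


def check_trust_config(conf, ipa_realm, ad_realm):
    """Findings about how an IPA client would locate KDCs for its own and the trusted realm."""
    findings = []
    dns_lookup = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[-1].lower()
    ipa_kdcs = realm_kdcs(conf, ipa_realm)
    if ipa_kdcs:
        findings.append("%s: KDCs pinned in krb5.conf to %s" % (ipa_realm, ", ".join(ipa_kdcs)))
    if not realm_kdcs(conf, ad_realm):
        if dns_lookup in ("false", "0", "no"):
            findings.append("%s: no kdc defined and dns_lookup_kdc is off" % ad_realm)
        else:
            findings.append("%s: no kdc defined; KDC location relies on DNS SRV lookup" % ad_realm)
    return findings


if __name__ == "__main__":
    for label, text in (("before", KRB5_CONF_BEFORE), ("after", KRB5_CONF_AFTER)):
        print(label, check_trust_config(parse_krb5_conf(text), "IPADOMAIN.COM", "AD.DOMAIN"))
```

On the "before" sample the check reports both the pinned IPA KDCs and the missing AD realm; on the "after" sample only the pinned IPA entries remain. The parser deliberately raises on lines it does not understand rather than skipping them, so a malformed realm block is noticed instead of silently producing an empty KDC list. The HBAC half of the message needs no script: `sss_cache -E` invalidates the whole SSSD cache, which is the quicker alternative to waiting for the cached rules to expire.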
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
