Good! Note that we plan to enhance SSSD to leverage the new Kerberos authlocal
API to avoid having to update krb5.conf on each system. This is the upstream
ticket:

https://fedorahosted.org/sssd/ticket/1835

Martin

On 02/05/2014 03:27 PM, Mark Gardner wrote:
> Thanks, That was what I missed.
> 
> 
> On Wed, Feb 5, 2014 at 2:39 AM, Alexander Bokovoy <aboko...@redhat.com>wrote:
> 
>> On Tue, 04 Feb 2014, Mark Gardner wrote:
>>
>>> I'm trying to configure our CentOS IPA Client for Single Sign On from our
>>> trusted AD domain.
>>> SSO works fine when I ssh to the IPA server, but not to the CentOS Client.
>>> It prompts for password which it accepts, so it's getting the
>>> authentication from the AD domain.
>>>
>>> Fedora 20 IPA Server
>>> CentOS 6.5 IPA Client
>>> Win 2012 AD Domain Server
>>>
>>> Setup as IPA as a subdomain of AD.
>>> AD Domain: test.local
>>> IPA Domain: hosted.test.local
>>>
>>> Anybody run into this?  Suggestions?
>>>
>> Each client needs to be configured to accept AD users' SSO.
>>
>> Check that /etc/krb5.conf contains auth_to_local rules mapping principals
>> from
>> AD to their names as returned by SSSD.
>>
>> SSH daemon is picky about principal/name mapping.
>> --
>> / Alexander Bokovoy
>>
> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to