Good! Note that we plan to enhance SSSD to leverage the new Kerberos authlocal API to avoid having to update krb5.conf on each system. This is the upstream ticket:
https://fedorahosted.org/sssd/ticket/1835

Martin

On 02/05/2014 03:27 PM, Mark Gardner wrote:
> Thanks, that was what I missed.
>
> On Wed, Feb 5, 2014 at 2:39 AM, Alexander Bokovoy <[email protected]> wrote:
>
>> On Tue, 04 Feb 2014, Mark Gardner wrote:
>>
>>> I'm trying to configure our CentOS IPA Client for Single Sign On from our
>>> trusted AD domain.
>>> SSO works fine when I ssh to the IPA server, but not to the CentOS Client.
>>> It prompts for password which it accepts, so it's getting the
>>> authentication from the AD domain.
>>>
>>> Fedora 20 IPA Server
>>> CentOS 6.5 IPA Client
>>> Win 2012 AD Domain Server
>>>
>>> Setup as IPA as a subdomain of AD.
>>> AD Domain: test.local
>>> IPA Domain: hosted.test.local
>>>
>>> Anybody run into this? Suggestions?
>>>
>> Each client needs to be configured to accept AD users' SSO.
>>
>> Check that /etc/krb5.conf contains auth_to_local rules mapping principals
>> from AD to their names as returned by SSSD.
>>
>> SSH daemon is picky about principal/name mapping.
>> --
>> / Alexander Bokovoy
>>
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
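
The auth_to_local check described in the thread, as an added example that is not part of the original messages: a krb5.conf fragment for the IPA client using the thread's domain names. The realm names (the domains in upper case) and the sample user jdoe are assumptions. With only the DEFAULT rule present, an AD principal has no local name mapping, which matches the symptom of sshd falling back to a password prompt.

```ini
# /etc/krb5.conf on the IPA client (fragment; other settings unchanged)
# Assumed realm names: HOSTED.TEST.LOCAL (IPA) and TEST.LOCAL (AD),
# i.e. the thread's domain names in upper case.
[realms]
 HOSTED.TEST.LOCAL = {
  # Single-component principals from the AD realm, e.g. jdoe@TEST.LOCAL
  # (constructed name), are rewritten to jdoe@test.local, the fully
  # qualified lower-case form SSSD returns for trusted-domain users.
  auth_to_local = RULE:[1:$1@$0](^.*@TEST.LOCAL$)s/@TEST.LOCAL/@test.local/
  # Principals in the IPA realm keep the default mapping
  # (jdoe@HOSTED.TEST.LOCAL -> jdoe).
  auth_to_local = DEFAULT
 }
```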
