On Sat, 13 Sep 2014, Traiano Welcome wrote:
On Sat, Sep 13, 2014 at 7:03 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Sat, 13 Sep 2014, Traiano Welcome wrote:

I've managed to get trusts working with CentOS 7 as an IdM server,
AD DC and CentOS 6.5 as a client, using the exact same series of steps as
the documentation. Attached is the process I used.

You got one step wrong:
8. Modify /etc/krb5.conf

 kdc = idm003.engeneon.local:88
 master_kdc = idm003.engeneon.local:88
 admin_server = idm003.engeneon.local:749
 default_domain = engeneon.local
 pkinit_anchors = FILE:/etc/ipa/ca.crt
 auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
 auth_to_local = DEFAULT

Here you have to substitute AD_DOMAIN and ad_domain by your actual
AD domain name. This change has to be done currently on every IPA
machine where you are expecting AD users to log in.

Doh! OK, fixed. Although, I didn't notice any login failures testing with a
bunch of users. Is it possible this behavior is already being adapted
around in either one of PAM, OpenSSH or KRB5?
This affects single sign-on logins, i.e. when you try to log on with a
Kerberos ticket.

/ Alexander Bokovoy
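To make the point of the correction concrete, here is a small model of how MIT krb5 evaluates the two auth_to_local lines quoted above. It is an added example, not code from this thread, from FreeIPA or from MIT krb5, and it simplifies the real parser (regex dialect, escaping and error handling differ). It assumes the IPA realm is ENGENEON.LOCAL (inferred from the hostnames in the thread) and uses a hypothetical AD domain, AD.EXAMPLE.COM, in place of AD_DOMAIN. It shows that with the placeholders substituted an AD user's principal is mapped to user@ad.example.com (which SSSD then resolves through the trust), while with the placeholders left as-is the RULE never matches and DEFAULT refuses the foreign realm, so a ticket-based login has no local name to map to.

```python
import re

# Constructed values: the IPA realm is assumed from the hostnames in the
# thread; AD.EXAMPLE.COM is a placeholder for the real trusted AD domain.
IPA_REALM = "ENGENEON.LOCAL"
AD_DOMAIN = "AD.EXAMPLE.COM"

# The two auth_to_local lines from the thread with AD_DOMAIN/ad_domain
# substituted, as Alexander says they must be.
AUTH_TO_LOCAL = [
    f"RULE:[1:$1@$0](^.*@{AD_DOMAIN}$)s/@{AD_DOMAIN}/@{AD_DOMAIN.lower()}/",
    "DEFAULT",
]

# The same lines left unedited (the mistake being corrected in the thread).
UNEDITED_AUTH_TO_LOCAL = [
    "RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/",
    "DEFAULT",
]

# RULE:[n:fmt](selector)s/pat/repl/[g]...   (selector and substitutions optional)
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
_SUBST_RE = re.compile(r"^s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def apply_rule(rule, components, realm):
    """Apply one RULE: line to a principal; return the local name, or None
    if the rule does not apply (wrong component count or selector miss)."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"malformed rule: {rule}")
    ncomp, fmt, selector, rest = m.groups()
    if int(ncomp) != len(components):
        return None
    # $0 expands to the realm, $1..$n to the principal's name components.
    s = fmt.replace("$0", realm)
    for i, comp in enumerate(components, start=1):
        s = s.replace(f"${i}", comp)
    # The selector must match the whole formatted string.
    if selector is not None and re.fullmatch(selector, s) is None:
        return None
    # Apply the sed-style substitutions left to right.
    while rest:
        sm = _SUBST_RE.match(rest)
        if not sm:
            raise ValueError(f"malformed substitution in rule: {rule}")
        pat, repl, flag = sm.groups()
        s = re.sub(pat, repl, s, count=0 if flag == "g" else 1)
        rest = rest[sm.end():]
    return s


def auth_to_local(principal, rules=AUTH_TO_LOCAL, default_realm=IPA_REALM):
    """Map a Kerberos principal to a local user name with auth_to_local
    semantics: the first matching RULE wins; DEFAULT accepts only a
    single-component principal in the default realm; otherwise None."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError(f"principal has no realm: {principal}")
    components = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        result = apply_rule(rule, components, realm)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    for p in ("admin@ENGENEON.LOCAL", "jdoe@AD.EXAMPLE.COM",
              "host/idm003.engeneon.local@ENGENEON.LOCAL"):
        print(f"{p:45} edited -> {auth_to_local(p)!r:25} "
              f"unedited -> {auth_to_local(p, UNEDITED_AUTH_TO_LOCAL)!r}")
```

The unedited lines do not fail loudly: an AD principal simply maps to nothing, which is why, as Alexander notes, the symptom only appears for ticket-based single sign-on and not for password logins that never consult auth_to_local.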
