On Wed, Oct 15, 2014 at 04:31:55PM +0200, crony wrote:
> Alex,
> thank you. Now it works, but not completely:
>
> 1.
>
> [leszek@ipa1 ~]$ ssh ipatst03.linux.acme.example.com -l us...@acme.example.com
> Password:
> Last login: Wed Oct 15 16:11:27 2014
>
> -sh-4.1$ id
> uid=127283727(us...@acme.example.com) gid=127283727(us...@acme.example.com) grupy=127283727(us...@acme.example.com),127292838(linuxgr...@acme.example.com)
>
> I can't see all my groups. User1 is a member of 15 different groups at the AD side, not one as above: linuxgr...@acme.example.com

What type/scope do the AD groups have? If they are 'Domain Local' groups
they will not be available in the IPA domain.

HTH

bye,
Sumit

> Could it be related? I can see all these membership groups at the IPA Server (id us...@acme.example.com)
>
> 2. After login ssh ipatst03.linux.acme.example.com -l us...@acme.example.com
>
> -sh-4.1$ klist
> klist: Included profile file could not be read while initializing krb5
>
> Even kinit does not work:
>
> -sh-4.1$ kinit us...@acme.example.com
> kinit: Included profile file could not be read while initializing Kerberos 5 library
>
> What about that? I didn't see this error before. Related?
>
> I have another, but related question, if you don't mind: What if I would like to connect a RHEL5 IPA client to my IPA Server AD Trust Setup? Do you think it is real and could it work?
>
> Thank you in advance
>
>
> 2014-10-15 15:50 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:
>
> > On Wed, 15 Oct 2014, crony wrote:
> >
> >> Hi,
> >> I've been following the AD integration guide for IPAv3:
> >> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
> >>
> >> My setup is:
> >> • 5 domain controllers with Windows 2008 R2 AD DC -> example.com as Forest Root Domain and acme.example.com as transitive child domain
> >> • RHEL7 as IPA server with domain: linux.acme.example.com
> >> • RHEL6.5 as IPA client server ipatst03.linux.acme.example.com
> >>
> >> Everything works correctly around the IPA Server, but the problem is within the IPA Client.
> >>
> >> I cannot log in by SSH or by su -:
> >>
> >> [leszek@ipatst03 ~]$ su - us...@acme.example.com
> >> Password:
> >> su: incorrect password
> >>
> >> I found this error in /var/log/sssd/krb5_child.log :
> >>
> >> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/ipatst03.linux.acme.example....@linux.acme.example.com].
> >> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [get_and_save_tgt] (0x0020): 988: [-1765328341][Illegal cross-realm ticket]
> >> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [map_krb5_error] (0x0020): 1043: [-1765328341][Illegal cross-realm ticket]
> >> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data] (0x0200): Received error code 1432158209
> >> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [pack_response_packet] (0x2000): response packet size: [20]
> >> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data] (0x4000): Response sent.
> >> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [main] (0x0400): krb5_child completed successfully
> >>
> > Yes, this is a known issue for transitive trusts. MIT Kerberos requires, for non-hierarchical trusts, that the [capaths] section contain a proper map of the relationships between the realms. We've got an API to manage this map from the IPA KDC driver and we also write it down on the IPA masters with the help of SSSD for the KDC to use, but on IPA clients it is not generated, as we hoped that receiving referrals from the KDC would be enough.
> >
> > You can see that this is the issue by copying /var/lib/sss/pubconf/krb5conf.d/domain_realm_linux_acme_example_com to your client and placing it as /var/lib/sss/pubconf/krb5conf.d/domain_realm_linux_acme_example_com_capaths
> >
> > On the next authentication attempt things will work.
> >
> > --
> > / Alexander Bokovoy
>
>
> --
> Regards, Leszek Miś
> www: http://cronylab.pl
> www: http://emerge.pl
> Nothing is secure, paranoia is your friend.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
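As an added example (not code from the thread or from FreeIPA), here is a small Python parser for the krb5.conf [capaths] format that Alexander's reply refers to, resolving the chain of realms a cross-realm ticket transits between a client realm and a server realm. The [capaths] sample is constructed in MIT Kerberos' documented layout, and the realm names are assumed to be the upper-cased domain names from this thread.

```python
import re
# Constructed sample (not the thread's own file): an IPA realm that trusts
# the AD forest root directly, with the child domain reachable only via
# that root. Realm names are assumed from the thread's domain names.
CAPATHS_CONF = """
[capaths]
  LINUX.ACME.EXAMPLE.COM = {
    EXAMPLE.COM = .
    ACME.EXAMPLE.COM = EXAMPLE.COM
  }
  ACME.EXAMPLE.COM = {
    LINUX.ACME.EXAMPLE.COM = EXAMPLE.COM
  }
"""

def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate realms]}}."""
    paths, client, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith('['):  # another section starts or ends ours
            in_section = line == '[capaths]'
            continue
        if not in_section:
            continue
        m = re.match(r'^([\w.-]+)\s*=\s*\{$', line)
        if m:  # "CLIENT_REALM = {" opens that client's map
            client = m.group(1)
            paths.setdefault(client, {})
            continue
        if line == '}' or client is None:  # close map / stray line
            client = None
            continue
        server, hop = (s.strip() for s in line.split('=', 1))
        hops = paths[client].setdefault(server, [])
        if hop != '.':  # '.' means a direct trust, no intermediate realm
            hops.append(hop)
    return paths

def realm_path(paths, client, server):
    """Realms a cross-realm ticket transits from client to server, or None
    when no path is configured, which is the state in which the thread's
    krb5_child log reports 'Illegal cross-realm ticket'."""
    if server not in paths.get(client, {}):
        return None
    return [client] + paths[client][server] + [server]
```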