On 11/12/2014 08:44 AM, Jonathan Bradford wrote:
This is my first post on the IPA mailing list. Hey guys :)
I've successfully walked through the IdM Red Hat document on
"Integrating with Active Directory Through Cross-Realm Kerberos
Trusts" using separate DNS domains. I've reached the part where you
test the trust using SSH via PuTTY, and I have noticed a problem.
If I add a user in Active Directory (group mapping is on), the user
cannot immediately SSH to an IPA host. In fact, it never allows me to
login until I first login to a Windows machine with the account and
then repair the trust via AD.
To repair the trust, I have to go to AD Domains and Trusts >
Properties > Trusts> and Validate the incoming and outgoing
connections. When I do this, it gives me an error message about the
RPC server not running, but if I proceed, it eventually tells me that
the connection has been repaired. Only after doing this can I
successfully SSH with a new user.
Do you have any idea why this might be happening? I have followed Red
Hat's documentation exactly, so I am not sure why I am having issues.
If you have any thoughts or ideas, I would greatly appreciate them.
I would leave to Alexander to drill down into the details when he is
back online tomorrow however if the trust is not validated then it is
not fully established the first time. Something when wrong and it would
be nice to look at the logs on the IPA and AD side to be able to
determine the cause.
Do you need to repair the trust for every single user or just once?
What it is your AD domain topology? Are you establishing trust with the
primary domain controller?
What version of IPA and AD are you using?
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project