On 11/12/2014 08:44 AM, Jonathan Bradford wrote:
This is my first post on the IPA mailing list. Hey guys :)
I've successfully walked through the IdM Red Hat document on "Integrating with Active Directory Through Cross-Realm Kerberos Trusts" using separate DNS domains. I've reached the part where you test the trust using SSH via PuTTY, and I have noticed a problem. If I add a user in Active Directory (group mapping is on), the user cannot immediately SSH to an IPA host. In fact, it never allows me to login until I first login to a Windows machine with the account and then repair the trust via AD. To repair the trust, I have to go to AD Domains and Trusts > Properties > Trusts> and Validate the incoming and outgoing connections. When I do this, it gives me an error message about the RPC server not running, but if I proceed, it eventually tells me that the connection has been repaired. Only after doing this can I successfully SSH with a new user. Do you have any idea why this might be happening? I have followed Red Hat's documentation exactly, so I am not sure why I am having issues. If you have any thoughts or ideas, I would greatly appreciate them. Thanks!

HI Jonathan,

I would leave to Alexander to drill down into the details when he is back online tomorrow however if the trust is not validated then it is not fully established the first time. Something when wrong and it would be nice to look at the logs on the IPA and AD side to be able to determine the cause.
Do you need to repair the trust for every single user or just once?

What it is your AD domain topology? Are you establishing trust with the primary domain controller?
What version of IPA and AD are you using?


Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to