Thank you, it works like a charm, especially the ipa-advise.
One last question: is there a way to login on the centos5 without entering the whole realm name, but just the netbios. Currently I can log on centos6 with "<adnetbios>\<user>", but on centos5 I need to provide ssh ipaCentos5 -l <user>@<domain.fully.qualified> I don't have tested yet with putty, from windows, maybe it doesn't matter. Regards, Nicolas Zin ----- Mail original ----- De: "Alexander Bokovoy" <aboko...@redhat.com> À: "Nicolas Zin" <nicolas....@savoirfairelinux.com> Cc: email@example.com Envoyé: Mardi 25 Novembre 2014 16:40:57 Objet: Re: [Freeipa-users] Centos5 - freeipa - AD trust On Tue, 25 Nov 2014, Nicolas Zin wrote: >Hi, > >I successfully create a trust relationship between a freeipa 3.3 realm (on >Centos 7) and a windows 2008 AD. >Now I add some machine clients to my IPA realm, and try to connect to them >with my AD credential: >- connecting to the 2 freeipa server: no problem >- connecting to a Centos6 machine: no problem >- connecting to a Centos5 machine: fail > >to say it differently: >- when connecting to the Centos5 with a Freeipa Realm user it works >- when connecting to the Centos5 with a AD Realm user, it fails > >I just want a confirmation: it fails because centos5 is packaged with >sssd < 1.9 and do not support cross realm? (and indeed, it cannot >works) or is it possible to make it working? and my error is somewhere >else? Right, RHEL5/CentOS5 cannot see AD users directly like other SSSD systems. If you enabled compat tree integration when running 'ipa-adtrust-install', you may try to configure CentOS5 machine to use compat tree. This has some limitations but it exposes both IPA and AD users and allows to authenticate AD users against LDAP in compat tree. See http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf for details. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project