Hi,

I have an IdM (v3.3) installed on a Red Hat 7.
I have an IdM realm connected to an AD via a trust relationship.
In the IdM realm there are Red Hat 6 and Red Hat 5 clients.


My client asks to be able to connect to the Linux machines with their AD accounts without 
entering their domain (just the username). On Red Hat 6 there is an option for sssd 
(default_domain_suffix=) that seems to be exactly what I need, but I have a problem. If I use 
this option, I can indeed log in with my AD username with the domain name, but I cannot log in 
with my Linux IdM username anymore, even if I use my fully qualified username@realm. 
It seems to fail in the middle of the PAM authentication (when I ssh to the 
machine with ssh <server> -l admin@<realm>, I get "Write failed: Broken pipe"). 
If needed I can send more logs.

I reproduced the problem in a simpler environment: just a Linux realm, with 
default_domain_suffix set to a nonexistent domain, and again I cannot ssh to my 
server with my fully qualified username@realm.

Here is my sssd.conf:
[domain/idm1]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = idm1
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = dc.idm1
chpass_provider = ipa
ipa_server = dc.idm1
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = idm1

default_domain_suffix=toto.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
Here is my krb5.conf:
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IDM1
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 default_ccache_name = KEYRING:persistent:%{uid}
 ignore_acceptor_hostname = true

[realms]
 IDM1 = {
  kdc = dc.idm1:88
  master_kdc = dc.idm1:88
  admin_server = dc.idm1:749
  default_domain = idm1
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
 .idm1 = IDM1
 idm1 = IDM1

[dbmodules]
  IDM1 = {
    db_library = ipadb.so
  }



Is there something to add to make it work?

Side note: also on Red Hat 5, which is configured following ipa-advise 
sssd-before-1.9, the default_domain_suffix option is not understood by sssd < 1.9. Is 
there a way to force RHEL5 to let my Windows users connect without 
entering their domain? I don't know if there is a way to tune the compatibility 
tree returned by the LDAP server, for example.

Or should I try to compile sssd 1.9 for RHEL5? (But I guess this is easier said 
than done.) Or is it not worth it? (incompatibility with Kerberos, or with the 
RHEL5 kernel...)

Regards,

Nicolas Zin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
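
Added worked example (not part of the message above and not SSSD's own code): a small Python model of the name-resolution rules that sssd.conf(5) documents for default_domain_suffix, run against a constructed directory with the primary IPA domain "idm1" and a hypothetical trusted AD domain "ad.example.com" (both the user names and the AD domain name are assumptions). It shows why, once default_domain_suffix is set, a bare "admin" is no longer looked up in idm1 (it is sent to the suffix domain, or to a nonexistent one such as toto.com) and why IPA users then have to log in as admin@idm1. The model only covers name splitting and domain selection; it does not reproduce the PAM failure reported above for fully qualified names, which under these rules would still resolve.

```python
import re

# Default re_expression for the ipa/ldap providers (sssd.conf(5)):
# a login is either "name" or "name@domain".
NAME_RE = re.compile(r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)")

# Constructed sample directory (assumption, not real data): the IPA primary
# domain from the post plus a hypothetical trusted AD domain behind the trust.
DOMAINS = {
    "idm1":           {"trusted": False, "users": {"admin", "nzin"}},
    "ad.example.com": {"trusted": True,  "users": {"jsmith"}},
}


def split_login(login, default_domain_suffix=None):
    """Split a login into (name, domain) the way the sssd responders do.

    A login without an '@' part gets default_domain_suffix as its domain when
    that option is set; otherwise the domain is None (unqualified name).
    Returns (None, None) for logins the regular expression rejects."""
    m = NAME_RE.match(login)
    if not m:
        return None, None
    domain = m.group("domain") or None
    if domain is None and default_domain_suffix:
        domain = default_domain_suffix
    return m.group("name"), domain


def resolve(login, domains=DOMAINS, default_domain_suffix=None,
            use_fully_qualified_names=None):
    """Return (status, domain) for a login under the given sssd settings.

    Rules modelled, taken from sssd.conf(5):
      * default_domain_suffix supplies the domain for names without one;
      * setting it changes the default of use_fully_qualified_names to True,
        and combining it with use_fully_qualified_names = False is not allowed;
      * users from trusted (sub)domains always need a fully qualified name,
        so a bare name is only searched in the non-trusted domains.
    """
    if use_fully_qualified_names is None:
        use_fully_qualified_names = bool(default_domain_suffix)
    if default_domain_suffix and not use_fully_qualified_names:
        raise ValueError(
            "default_domain_suffix requires use_fully_qualified_names = True")

    name, domain = split_login(login, default_domain_suffix)
    if name is None:
        return "invalid", None

    if domain is None:
        # Bare name, no suffix configured: acceptable only when the primary
        # domain does not insist on fully qualified names.
        if use_fully_qualified_names:
            return "fq-required", None
        for dom, info in domains.items():
            if not info["trusted"] and name in info["users"]:
                return "found", dom
        return "not-found", None

    info = domains.get(domain)
    if info is None:
        # The suffix (or the explicit domain) names a domain sssd does not
        # serve, e.g. default_domain_suffix=toto.com from the post.
        return "unknown-domain", domain
    return ("found", domain) if name in info["users"] else ("not-found", domain)


if __name__ == "__main__":
    for suffix in (None, "ad.example.com", "toto.com"):
        print("default_domain_suffix =", suffix)
        for login in ("admin", "admin@idm1", "jsmith", "jsmith@ad.example.com"):
            print("  %-24s -> %s" % (login, resolve(login, default_domain_suffix=suffix)))
```

The same check can be run against a client's real setting by passing its default_domain_suffix value; an "unknown-domain" result for bare names is the expected consequence of pointing the suffix at a domain sssd does not serve, and "not-found" for a bare IPA user with a valid AD suffix is the documented requirement that primary-domain users then log in fully qualified.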