I'm trying to set up a trust relationship between IPA and our Active Directory 
environment so that our AD users can log in to our Linux machines. The two-way 
trust relationship appears to be set up correctly, with no errors reported, and 
everything looking normal in the GUI and the CLI. For example:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@csns.middlebury.edu

Valid starting     Expires            Service principal
03/02/15 10:13:40  03/03/15 10:13:10  
03/02/15 10:15:13  03/03/15 10:13:10  
03/02/15 10:15:35  03/03/15 10:13:10  krbtgt/middlebury....@csns.middlebury.edu
03/02/15 10:15:46  03/02/15 20:15:46  host/ad1.middlebury....@middlebury.edu
03/02/15 10:56:55  03/03/15 10:13:10  

In this case, middlebury.edu is our AD domain, and csns.middlebury.edu is our 
new IPA domain, set up as a subdomain.

I have created IPA and AD groups for AD users, and set them up according to the 

ipa group-add --desc='AD users external map' ad_users_external --external

ipa group-add --desc='AD users' ad_users

ipa group-add-member ad_users_external --external "<AD DOMAIN>\IPA group"

ipa group-add-member ad_users --groups ad_users_external

So now the AD group "IPA group" is a member of the IPA group ad_users_external, 
which is in turn a member of ad_users.

I would expect that any AD users I put into the group "IPA group" should show 
up as valid users in IPA, but they don't. And when I try to add an AD user 
directly into the ad_users_external group, it is added without error (and the 
correct SID shows up), but the user still can't log in.

If the user tries to SSH in, the logs show:
Mar  2 11:13:42 ipa1 sshd[31720]: Invalid user testuser from *.*.*.*
Mar  2 11:13:42 ipa1 sshd[31721]: input_userauth_request: invalid user testuser

And if root tries to su to the user, it also fails:

su: user testuser does not exist

I would expect the user to show up. What have I missed?

David Guertin
