On Mon, 02 Mar 2015, Guertin, David S. wrote:
I'm trying to set up a trust relationship between IPA and our Active
Directory environment so that our AD users can log in to our Linux
machines. The two-way trust relationship appears to be set up
correctly, with no errors reported, and everything looking normal in
the GUI and the CLI. For example:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@csns.middlebury.edu
Valid starting Expires Service principal
03/02/15 10:13:40 03/03/15 10:13:10
03/02/15 10:15:13 03/03/15 10:13:10
03/02/15 10:15:35 03/03/15 10:13:10 krbtgt/middlebury....@csns.middlebury.edu
03/02/15 10:15:46 03/02/15 20:15:46 host/ad1.middlebury....@middlebury.edu
03/02/15 10:56:55 03/03/15 10:13:10
In this case, middlebury.edu is our AD domain, and csns.middlebury.edu
is our new IPA domain, set up as a subdomain.
I have created IPA and AD groups for AD users, and set them up
according to the documentation:
ipa group-add --desc='AD users external map' ad_users_external --external
ipa group-add --desc='AD users' ad_users
ipa group-add-member ad_users_external --external "<AD DOMAIN>\IPA group"
ipa group-add-member ad_users --groups ad_users_external
So now the AD group "IPA group" is a member of the IPA group
ad_users_external, which is in turn a member of ad_users.
I would expect that any AD users I put into the group "IPA group"
should show up as valid users in IPA, but they don't. And when I try to
add an AD user directly into the ad_users_external group, it is added
without error (and the correct SID shows up), but the user still can't
Let's separate the issues.
1. Adding an AD user to "IPA group" in AD.
Did you re-login as that user on the Windows side and then try to log on
to the IPA server?
2. What do SSSD logs say about the login attempt? You need to set
debug_level = 10 in [domain/..], [nss] and [pam] sections of
/etc/sssd/sssd.conf and restart sssd.
And if root tries to su to the user, it also fails:
su: user testuser does not exist
I would expect the user to show up. What have I missed?
If 'su' says that the user does not exist, it means SSSD does not see the
user as existing. There may be multiple reasons for that; the sssd logs
should tell exactly what has happened. You can try 'id testuser' to
reduce the use case for the sssd logs.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
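As an added example (not code from the thread or from the FreeIPA project), the script below applies Alexander's debugging suggestion to a copy of sssd.conf: it sets debug_level = 10 in every [domain/...], [nss] and [pam] section, leaving the other sections alone, and then lists the lookups to run on the IPA host. The sample sssd.conf, the IPA server hostname and the /var/log/sssd/sssd_<domain>.log file name are constructed assumptions. One practitioner's check worth adding to the 'id testuser' suggestion: users from a trusted AD domain are resolved by fully qualified name, so 'id testuser@middlebury.edu' is the form that has to work on the IPA side.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: turn on the SSSD debugging Alexander
# asks for (debug_level = 10 in every [domain/...], [nss] and [pam] section) on a
# copy of sssd.conf, then the lookups to run once sssd has been restarted.
set -eu

# set_debug_level FILE LEVEL
#   Print FILE with "debug_level = LEVEL" in each [domain/...], [nss] and [pam]
#   section. An existing debug_level in those sections is replaced; a missing
#   one is added right under the section header. Other sections are untouched.
set_debug_level() {
  awk -v lvl="$2" '
    function wanted(s) { return s ~ /^\[domain\// || s == "[nss]" || s == "[pam]" }
    /^\[/ { insect = wanted($0); print; if (insect) print "debug_level = " lvl; next }
    insect && /^[ \t]*debug_level[ \t]*=/ { next }
    { print }
  ' "$1"
}

# resolve_ad_user USER AD_DOMAIN
#   The checks to run on the IPA host. Users from a trusted AD domain are
#   looked up by fully qualified name, so "testuser@middlebury.edu" is what
#   must resolve; a bare "testuser" is expected to fail on the IPA side.
resolve_ad_user() {
  id "$1@$2" && getent passwd "$1@$2"
}

# show_lookup_errors AD_USER IPA_DOMAIN
#   Pull the lines about the user and any errors out of the domain log once
#   debug_level = 10 is active (log name assumed to follow sssd_<domain>.log).
show_lookup_errors() {
  grep -Ei "$1|error|fail" "/var/log/sssd/sssd_$2.log" | tail -n 40
}

# Constructed sample sssd.conf (the IPA server name is made up for the example).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_CONF.debug"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
services = nss, pam, ssh, sudo
domains = csns.middlebury.edu

[domain/csns.middlebury.edu]
id_provider = ipa
ipa_server = ipa1.csns.middlebury.edu
debug_level = 3

[nss]
homedir_substring = /home

[pam]
EOF

set_debug_level "$SAMPLE_CONF" 10 > "$SAMPLE_CONF.debug"
cat "$SAMPLE_CONF.debug"
# Then, as root on the IPA host:
#   cp "$SAMPLE_CONF.debug" /etc/sssd/sssd.conf   (keep mode 0600, owner root)
#   sss_cache -E && systemctl restart sssd        (drop cached negative lookups)
#   resolve_ad_user testuser middlebury.edu
#   show_lookup_errors testuser csns.middlebury.edu
```

Restarting sssd after an edit is required for the new debug_level to take effect, and sss_cache -E clears any cached "user does not exist" answer so the next 'id' actually reaches the server. Level 10 logs are verbose and record every lookup, so lower debug_level again once the problem is found.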