On Mon, 02 Mar 2015, Guertin, David S. wrote:
> I'm trying to set up a trust relationship between IPA and our Active
> Directory environment so that our AD users can log in to our Linux
> machines. The two-way trust relationship appears to be set up
> correctly, with no errors reported, and everything looking normal in
> the GUI and the CLI. For example:
> 
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@csns.middlebury.edu
> 
> Valid starting     Expires            Service principal
> 03/02/15 10:13:40  03/03/15 10:13:10  
> 03/02/15 10:15:13  03/03/15 10:13:10  
> 03/02/15 10:15:35  03/03/15 10:13:10  krbtgt/middlebury....@csns.middlebury.edu
> 03/02/15 10:15:46  03/02/15 20:15:46  host/ad1.middlebury....@middlebury.edu
> 03/02/15 10:56:55  03/03/15 10:13:10  
> 
> In this case, middlebury.edu is our AD domain, and csns.middlebury.edu
> is our new IPA domain, set up as a subdomain.
> 
> I have created IPA and AD groups for AD users, and set them up
> according to the documentation:
> 
> ipa group-add --desc='AD users external map' ad_users_external --external
> 
> ipa group-add --desc='AD users' ad_users
> 
> ipa group-add-member ad_users_external --external "<AD DOMAIN>\IPA group"
> 
> ipa group-add-member ad_users --groups ad_users_external
> 
> So now the AD group "IPA group" is a member of the IPA group
> ad_users_external, which is in turn a member of ad_users.
> 
> I would expect that any AD users I put into the group "IPA group"
> should show up as valid users in IPA, but they don't. And when I try to
> add an AD user directly into the ad_users_external group, it is added
> without error (and the correct SID shows up), but the user still can't
> log in.
Let's separate the issues.

1. Adding the AD user to "IPA group" in AD.
  Did you re-login as that user on the Windows side and then try to log on
  to the IPA server?

2. What do the SSSD logs say about the login attempt? You need to set
  debug_level = 10 in the [domain/..], [nss] and [pam] sections of
  /etc/sssd/sssd.conf and restart sssd.
> And if root tries to su to the user, it also fails:
> 
> su: user testuser does not exist
> 
> I would expect the user to show up. What have I missed?
If 'su' says that the user does not exist, it means SSSD does not see the
user as existing. There may be multiple reasons for that; the sssd logs
should tell exactly what has happened. You can try 'id testuser' to
reduce the use case for the sssd logs.

/ Alexander Bokovoy
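The two troubleshooting steps Alexander gives (raise debug_level in the [domain/...], [nss] and [pam] sections of sssd.conf, then narrow the failure down to a plain lookup such as 'id') can be scripted. The following is an added example, not code from the thread or from the FreeIPA/SSSD projects. The sssd.conf text is constructed for illustration: the domain name csns.middlebury.edu comes from the thread, while the server hostname, the service list and the other option values are placeholders. Note that, with an IPA-AD trust, SSSD resolves trusted-domain users by their fully qualified name (for example testuser@middlebury.edu), so the lookup helper accepts whatever name form you want to try.

```python
import configparser
import io
import subprocess

# Constructed sample /etc/sssd/sssd.conf for an IPA server with an AD trust.
# Only the IPA domain name is taken from the thread; the hostname and the
# remaining values are illustrative placeholders.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
domains = csns.middlebury.edu

[domain/csns.middlebury.edu]
id_provider = ipa
ipa_server = ipa-server.csns.middlebury.edu
ipa_domain = csns.middlebury.edu
krb5_realm = CSNS.MIDDLEBURY.EDU
subdomains_provider = ipa
debug_level = 1

[nss]
homedir_substring = /home

[pam]
"""


def _parse(conf_text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style; keep key case and disable % interpolation."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(conf_text)
    return parser


def enable_sssd_debug(conf_text: str, level: int = 10) -> str:
    """Return conf_text with debug_level set to `level` in every
    [domain/...] section and in [nss] and [pam].  Missing [nss] or [pam]
    sections are created; any other section is left untouched."""
    parser = _parse(conf_text)
    targets = [s for s in parser.sections() if s.startswith("domain/")]
    targets += ["nss", "pam"]
    for section in targets:
        if not parser.has_section(section):
            parser.add_section(section)
        parser.set(section, "debug_level", str(level))
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


def debug_levels(conf_text: str) -> dict:
    """Map each section name to its debug_level string (None when unset),
    so the edit can be verified before sssd is restarted."""
    parser = _parse(conf_text)
    return {s: parser.get(s, "debug_level", fallback=None)
            for s in parser.sections()}


def resolve_user(name: str) -> dict:
    """Run the lookups that isolate the 'user does not exist' failure from
    the login path: `id NAME` and `getent passwd NAME` (the same NSS path
    su uses).  Returns {command: {"rc": ..., "out": ...}} for the logs."""
    results = {}
    for cmd in (["id", name], ["getent", "passwd", name]):
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True,
                                  timeout=30)
            results[cmd[0]] = {
                "rc": proc.returncode,
                "out": (proc.stdout or proc.stderr).strip(),
            }
        except FileNotFoundError:
            results[cmd[0]] = {"rc": None, "out": "command not available"}
    return results


if __name__ == "__main__":
    patched = enable_sssd_debug(SAMPLE_SSSD_CONF)
    print(patched)
    print(debug_levels(patched))
    # On a real IPA client you would write `patched` to /etc/sssd/sssd.conf
    # (mode 0600), restart sssd, then try both name forms:
    for candidate in ("testuser", "testuser@middlebury.edu"):
        print(candidate, resolve_user(candidate))
```

Compare the output of the bare and fully qualified lookups: if only the qualified form resolves, the configuration is working and the missing piece is name qualification, not the trust or group mapping; if neither resolves, the raised debug_level in the domain section is where the answer will be.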

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
