Sorry, I misread your question! We're trying SSO from the test domain controller via ssh (PuTTY) to the test IPA server.

Unix.test.osuwmc is the IPA realm. Test.osuwmc is the AD realm. The IPA server is RHEL 7.1; the Windows AD DC is Windows Server 2008 R2. They have a two-way trust and we're mapping SIDs. Since most of our SIDs are in the 300,000s, we chose to add 1M to each SID to make mapping them easy.

Right now I have the allow-all rule configured to allow everyone in on every service to every host, just to rule that out.

# ipa trust-show
Realm name: TEST.OSUWMC
  Realm name: test.osuwmc
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-226267946-722566613-1883572810
  Trust direction: Two-way trust
  Trust type: Active Directory domain

# ipa idrange-find --all
----------------
2 ranges matched
----------------
  dn: cn=TEST.OSUWMC_id_range,cn=ranges,cn=etc,dc=unix,dc=test,dc=osuwmc
  Range name: TEST.OSUWMC_id_range
  First Posix ID of the range: 1000000
  Number of IDs in the range: 900000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-226267946-722566613-1883572810
  Range type: Active Directory domain range
  iparangetyperaw: ipa-ad-trust
  objectclass: ipatrustedaddomainrange, ipaIDrange

  dn: cn=UNIX.TEST.OSUWMC_id_range,cn=ranges,cn=etc,dc=unix,dc=test,dc=osuwmc
  Range name: UNIX.TEST.OSUWMC_id_range
  First Posix ID of the range: 233600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
  iparangetyperaw: ipa-local
  objectclass: top, ipaIDrange, ipaDomainIDRange
----------------------------
Number of entries returned 2
----------------------------
#

# id [email protected]
uid=1398410([email protected]) gid=1398410([email protected]) groups=1398410([email protected]),233600008(citrix_users)
#

On 3/30/15, 10:55 AM, "Jan Pazdziora" <[email protected]> wrote:

>On Mon, Mar 30, 2015 at 10:50:11AM -0400, Gould, Joshua wrote:
>> It's actually my IPA server which is also a client, so both are 7.1. My
>> memory is fuzzy as far as the client on the server. Isn't it set up
>> already as part of the server install?
>
>So you are logging in from the server to the server? But you have
>
> Connection from 10.80.5.239 port 52982 on 10.127.26.73 port 22
> debug1: Client protocol version 2.0; client software version
>PuTTY_Release_0.64
>
>in the log -- different IP addresses, and the client looks like Putty,
>which would mean you try to log in from a Windows machine ...
>
>So that test.osuwmc realm -- is that your IPA server's realm, or AD
>realm?
>
>--
>Jan Pazdziora
>Principal Software Engineer, Identity Management Engineering, Red Hat

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
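The uid 1398410 in the `id` output above is what the TEST.OSUWMC_id_range (first POSIX ID 1000000, first RID 0, 900000 IDs) assigns to RID 398410. As an added example, not code from this thread or from FreeIPA/SSSD, the script below applies that ipa-ad-trust range mapping (POSIX ID = first POSIX ID + RID - first RID, valid only inside the range) with the values taken from the idrange-find output, and shows which SIDs would fail to resolve because their domain or RID is outside the range:

```python
import re

# Range values copied from the `ipa idrange-find --all` output quoted in the mail.
AD_RANGE = {
    "domain_sid": "S-1-5-21-226267946-722566613-1883572810",
    "base_id": 1000000,    # First Posix ID of the range
    "range_size": 900000,  # Number of IDs in the range
    "base_rid": 0,         # First RID of the corresponding RID range
}

# A domain user/group SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def split_sid(sid):
    """Split a domain SID into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain user/group SID: %s" % sid)
    return sid[: sid.rfind("-")], int(m.group(1))


def sid_to_posix_id(sid, idrange=AD_RANGE):
    """Return the POSIX ID an ipa-ad-trust range assigns to `sid`.

    Returns None when the SID belongs to another domain or its RID lies
    outside [base_rid, base_rid + range_size); such SIDs get no POSIX ID
    from this range, so `id` and SSH logins for them fail.
    """
    domain_sid, rid = split_sid(sid)
    if domain_sid != idrange["domain_sid"]:
        return None
    offset = rid - idrange["base_rid"]
    if not 0 <= offset < idrange["range_size"]:
        return None
    return idrange["base_id"] + offset


def posix_id_to_rid(posix_id, idrange=AD_RANGE):
    """Inverse mapping: the RID behind a POSIX ID from this range, or None."""
    offset = posix_id - idrange["base_id"]
    if not 0 <= offset < idrange["range_size"]:
        return None
    return idrange["base_rid"] + offset


if __name__ == "__main__":
    print(posix_id_to_rid(1398410))  # RID behind the uid shown by `id`
    print(sid_to_posix_id(AD_RANGE["domain_sid"] + "-900000"))  # outside the range
```

With a 900000-ID range starting at RID 0, any account whose RID is 900000 or higher is not mapped; that is the first thing to check when a particular AD user resolves with `id` but another does not.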
