Sorry I mis-read your question!
We’re trying SSO from the test domain controller via ssh (putty) to the
test IPA server.
Unix.test.osuwmc is the IPA realm.
Test.osuwmc is the AD realm.
IPA server is RHEL 7.1
Windows AD DC is Windows Server 2008 R2
They have a two-way trust and we’re mapping SIDs. Since most of our SIDs
are in the 300,000, we chose to add 1M to each SID to make mapping them
Right now I have the allow-all rule configured to allow everyone in on
every service to every host, just to rule that out.
# ipa trust-show
Realm name: TEST.OSUWMC
Realm name: test.osuwmc
Domain NetBIOS name: TEST
Domain Security Identifier: S-1-5-21-226267946-722566613-1883572810
Trust direction: Two-way trust
Trust type: Active Directory domain
# ipa idrange-find --all
2 ranges matched
Range name: TEST.OSUWMC_id_range
First Posix ID of the range: 1000000
Number of IDs in the range: 900000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-226267946-722566613-1883572810
Range type: Active Directory domain range
objectclass: ipatrustedaddomainrange, ipaIDrange
Range name: UNIX.TEST.OSUWMC_id_range
First Posix ID of the range: 233600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
objectclass: top, ipaIDrange, ipaDomainIDRange
Number of entries returned 2
# # id firstname.lastname@example.org
On 3/30/15, 10:55 AM, "Jan Pazdziora" <jpazdzi...@redhat.com> wrote:
>On Mon, Mar 30, 2015 at 10:50:11AM -0400, Gould, Joshua wrote:
>> It's actually my IPA server which is also a client, so both are 7.1. My
>> memory is fuzzy as far as the client on the server. Isn't it setup
>> as part of the server install?
>So you are logging in from the server to the server? But you have
> Connection from 10.80.5.239 port 52982 on 10.127.26.73 port 22
> debug1: Client protocol version 2.0; client software version
>in the log -- different IP addresses, and the client looks like Putty,
>which would mean you try to log in from a Windows machine ...
>So that test.osuwmc realm -- is that your IPA server's realm, or AD
>Principal Software Engineer, Identity Management Engineering, Red Hat
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
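
The ID range arithmetic behind the `ipa idrange-find` output in the message above, as an added example that is not part of the original post or of FreeIPA's code. It assumes the algorithmic mapping POSIX ID = first POSIX ID + (RID - first RID) for the "Active Directory domain range"; the names `IdRange`, `split_sid`, `sid_to_posix_id` and `overlapping` are hypothetical, and the sample RIDs are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int      # "First Posix ID of the range"
    size: int         # "Number of IDs in the range"
    base_rid: int     # "First RID of the corresponding RID range"
    domain_sid: Optional[str]  # None for the local IPA range

# Values copied from the idrange-find output in the post.
AD_SID = "S-1-5-21-226267946-722566613-1883572810"
RANGES = [
    IdRange("TEST.OSUWMC_id_range", 1000000, 900000, 0, AD_SID),
    IdRange("UNIX.TEST.OSUWMC_id_range", 233600000, 200000, 1000, None),
]

def split_sid(sid):
    """Return (domain SID, RID) for an object SID."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"not an object SID: {sid!r}")
    return domain, int(rid)

def sid_to_posix_id(sid, ranges=RANGES):
    """Map an AD object SID to a POSIX ID, or None if no range covers it."""
    domain, rid = split_sid(sid)
    for r in ranges:
        if r.domain_sid != domain:
            continue
        offset = rid - r.base_rid  # assumed mapping: base_id + (RID - base_rid)
        if 0 <= offset < r.size:
            return r.base_id + offset
    return None

def overlapping(ranges=RANGES):
    """Return pairs of range names whose POSIX ID intervals intersect."""
    out = []
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a.base_id < b.base_id + b.size and b.base_id < a.base_id + a.size:
                out.append((a.name, b.name))
    return out

if __name__ == "__main__":
    for rid in (300123, 899999, 900000):  # constructed sample RIDs
        print(rid, sid_to_posix_id(f"{AD_SID}-{rid}"))
    print("overlaps:", overlapping())
```

A `None` result means the RID falls outside every range defined for that domain, which is worth ruling out when `id` returns nothing for a trusted AD user.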