Sorry I mis-read your question!

We’re trying SSO from the test domain controller via ssh (putty) to the
test IPA server.

Unix.test.osuwmc is the IPA realm.
Test.osuwmc is the AD realm.

IPA server is RHEL 7.1
Windows AD DC is Windows Server 2008 R2

They have a two-way trust and we’re mapping SIDs. Since most of our SIDs
are in the 300,000, we chose to add 1M to each SID to make mapping them

Right now I have the allow-all rule configured to allow everyone in on
every service to every host, just to rule that out.

# ipa trust-show
Realm name: TEST.OSUWMC
  Realm name: test.osuwmc
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-226267946-722566613-1883572810
  Trust direction: Two-way trust
  Trust type: Active Directory domain
# ipa idrange-find --all
2 ranges matched
  dn: cn=TEST.OSUWMC_id_range,cn=ranges,cn=etc,dc=unix,dc=test,dc=osuwmc
  Range name: TEST.OSUWMC_id_range
  First Posix ID of the range: 1000000
  Number of IDs in the range: 900000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-226267946-722566613-1883572810
  Range type: Active Directory domain range
  iparangetyperaw: ipa-ad-trust
  objectclass: ipatrustedaddomainrange, ipaIDrange

  Range name: UNIX.TEST.OSUWMC_id_range
  First Posix ID of the range: 233600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
  iparangetyperaw: ipa-local
  objectclass: top, ipaIDrange, ipaDomainIDRange
Number of entries returned 2
# # id adm-faru03@test.osuwmc
uid=1398410(adm-faru03@test.osuwmc) gid=1398410(adm-faru03@test.osuwmc)
groups=1398410(adm-faru03@test.osuwmc), 233600008(citrix_users)

On 3/30/15, 10:55 AM, "Jan Pazdziora" <> wrote:

>On Mon, Mar 30, 2015 at 10:50:11AM -0400, Gould, Joshua wrote:
>> It’s actually my IPA server which is also a client, so both are 7.1. My
>> memory is fuzzy as far as the client on the server. Isn’t it setup
>> as part of the server install?
>So you are logging in from the server to the server? But you have
>       Connection from port 52982 on port 22
>       debug1: Client protocol version 2.0; client software version
>in the log -- different IP addresses, and the client looks like Putty,
>which would mean you try to log in from a Windows machine ...
>So that test.osuwmc realm -- is that your IPA server's realm, or AD
>Jan Pazdziora
>Principal Software Engineer, Identity Management Engineering, Red Hat
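As an added worked check (not code from the thread or from FreeIPA), the arithmetic the AD idrange above implies: an ipa-ad-trust range maps a SID's RID to `First Posix ID + (RID - First RID)`, so with base 1000000, size 900000 and first RID 0, the uid 1398410 shown for adm-faru03 corresponds to RID 398410 (the SID below is constructed on that assumption), and a RID of 900000 or higher falls outside the range and would not resolve at all.

```python
import re

# Range values copied from the `ipa idrange-find --all` output in this message.
# Only the trusted-AD range is listed; the local UNIX range is not a SID range.
ID_RANGES = [
    {
        "name": "TEST.OSUWMC_id_range",
        "domain_sid": "S-1-5-21-226267946-722566613-1883572810",
        "base_id": 1000000,   # First Posix ID of the range
        "size": 900000,       # Number of IDs in the range
        "first_rid": 0,       # First RID of the corresponding RID range
    },
]

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Split an AD object SID into (domain SID, RID); the RID is the last sub-authority."""
    if not SID_RE.match(sid):
        raise ValueError("not a valid SID: %r" % sid)
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)


def sid_to_posix_id(sid, ranges=ID_RANGES):
    """POSIX ID the trust range assigns to `sid`, or None if no range covers its RID."""
    domain_sid, rid = split_sid(sid)
    for r in ranges:
        if r["domain_sid"] != domain_sid:
            continue
        offset = rid - r["first_rid"]
        if 0 <= offset < r["size"]:
            return r["base_id"] + offset
    return None


def posix_id_to_sid(posix_id, ranges=ID_RANGES):
    """Reverse lookup: which AD SID a POSIX uid/gid came from, or None if outside every range."""
    for r in ranges:
        offset = posix_id - r["base_id"]
        if 0 <= offset < r["size"]:
            return "%s-%d" % (r["domain_sid"], r["first_rid"] + offset)
    return None


if __name__ == "__main__":
    # Constructed SID: domain SID from trust-show plus the RID implied by uid 1398410.
    print(sid_to_posix_id("S-1-5-21-226267946-722566613-1883572810-398410"))  # 1398410
    print(posix_id_to_sid(1398410))
    print(sid_to_posix_id("S-1-5-21-226267946-722566613-1883572810-900000"))  # None
```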
