The include is there:

# head /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = UNIX.TEST.OSUWMC
 dns_lookup_realm = true

# ls -l /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
-rw-r--r--. 1 root root 118 Mar 30 08:46 /var/lib/sss/pubconf/krb5.include.d/localauth_plugin

# grep module /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
#

Different write-ups had slightly different examples for this line. Would this be the issue?

# auth_to_local = RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
auth_to_local = RULE:[1:$1 $0](^ * TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/

On 3/30/15, 11:08 AM, "Jan Pazdziora" <jpazdzi...@redhat.com> wrote:

>On Mon, Mar 30, 2015 at 11:04:58AM -0400, Gould, Joshua wrote:
>>
>> We're trying SSO from the test domain controller via ssh (putty) to the
>> test IPA server.
>>
>> Unix.test.osuwmc is the IPA realm.
>> Test.osuwmc is the AD realm.
>>
>> IPA server is RHEL 7.1
>> Windows AD DC is Windows Server 2008 R2
>>
>> They have a two way trust and we're mapping SID's. Since most of our SID's
>> are in the 300,000, we chose to add 1M to each SID to make mapping them
>> easy.
>
>Can you check that
>
>	/etc/krb5.conf
>
>contains line
>
>	includedir /var/lib/sss/pubconf/krb5.include.d/
>
>and that
>
>	/var/lib/sss/pubconf/krb5.include.d/localauth_plugin
>
>exists and configures
>
>	module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
>
>?
>
>--
>Jan Pazdziora
>Principal Software Engineer, Identity Management Engineering, Red Hat
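
Added example (not part of either message, and not FreeIPA or MIT krb5 code): a simplified Python model of how an auth_to_local RULE is evaluated, run over the two lines as they appear in the message above. The principal jdoe@TEST.OSUWMC is constructed, and only the RULE:[n:selection](regexp)s/pattern/replacement/ form is modelled.

```python
import re

# Simplified model of MIT krb5 auth_to_local RULE handling (assumption: only the
# RULE:[n:selection](regexp)s/pattern/replacement/ form; Python's re stands in
# for the POSIX regex engine libkrb5 uses).
RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<sel>[^\]]*)\]"
    r"(?:\((?P<match>.*?)\))?"
    r"(?:s/(?P<pat>[^/]*)/(?P<rep>[^/]*)/(?P<g>g?))?$"
)

# The two lines from the message, copied as they appear on this page.
RULE_AT = "RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/"
RULE_SPACES = "RULE:[1:$1 $0](^ * TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/"


def apply_rule(rule, principal):
    """Return the mapped local name, or None when the rule does not apply."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported rule syntax: %r" % rule)
    name, _, realm = principal.rpartition("@")
    parts = [realm] + name.split("/")          # $0 = realm, $1.. = components
    if len(parts) - 1 != int(m["n"]):
        return None                            # wrong number of components

    def expand(ref):
        idx = int(ref.group(1))
        if idx >= len(parts):
            raise ValueError("rule references missing component $%d" % idx)
        return parts[idx]

    selection = re.sub(r"\$(\d)", expand, m["sel"])
    # The regexp has to cover the whole selection string, else the rule is skipped.
    if m["match"] is not None and re.fullmatch(m["match"], selection) is None:
        return None
    if m["pat"] is not None:
        count = 0 if m["g"] else 1             # trailing "g" = replace all
        selection = re.sub(m["pat"], lambda _: m["rep"], selection, count=count)
    return selection


if __name__ == "__main__":
    for label, rule in (("with @", RULE_AT), ("with spaces", RULE_SPACES)):
        # jdoe is a constructed user name, not one from the thread.
        print(label, "->", apply_rule(rule, "jdoe@TEST.OSUWMC"))
```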