On 03/30/2015 11:17 AM, Gould, Joshua wrote:
The include is there:
# head /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = UNIX.TEST.OSUWMC
  dns_lookup_realm = true

# ls -l /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
-rw-r--r--. 1 root root 118 Mar 30 08:46 /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
# grep module  /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
   module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
#




Different write-ups had slightly different examples for this line. Would
this be the issue?

#  auth_to_local = RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
   auth_to_local = RULE:[1:$1 $0](^ *
TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/

If you use the plugin then this RULE should not be needed.
Have you tried commenting it out and restarting SSSD?




On 3/30/15, 11:08 AM, "Jan Pazdziora" <jpazdzi...@redhat.com> wrote:

On Mon, Mar 30, 2015 at 11:04:58AM -0400, Gould, Joshua wrote:
We're trying SSO from the test domain controller via ssh (putty) to the
test IPA server.

Unix.test.osuwmc is the IPA realm.
Test.osuwmc is the AD realm.

IPA server is RHEL 7.1
Windows AD DC is Windows Server 2008 R2

They have a two-way trust and we're mapping SIDs. Since most of our SIDs
are in the 300,000, we chose to add 1M to each SID to make mapping them
easy.

Can you check that

        /etc/krb5.conf

contains line

        includedir /var/lib/sss/pubconf/krb5.include.d/

and that

        /var/lib/sss/pubconf/krb5.include.d/localauth_plugin

exists and configures

        module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so

?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
