>The 5.x ipa-client should work fine. What isn't working?

I cannot SSH in as an AD user. (Sorry, I should have mentioned that in my 
original post.) The client installs without errors, and I can get a Kerberos 
ticket for the admin user. But when I try to SSH in as an AD domain user, the 
login fails:

$ ssh -l 'MIDD\juser' yakko.ipa
Red Hat Enterprise Linux Server release 5.11 (Tikanga)
Kernel 2.6.18-402.el5 on an x86_64

Password: 
Password: 
Password: 
MIDD\ju...@yakko.ipa's password: 
Received disconnect from 140.233.1.100: 2: Too many authentication failures for 
MIDD\\juser

And on the client, with debug_level = 10 for sssd, /var/log/sssd/sssd_nss.log 
shows:

(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_ncache_set_str] (6): Adding 
[NCE/USER/ipa.middlebury.edu/MIDD\juser] to negative cache
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No 
results for getpwnam call
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_dp_req_destructor] (8): Could not 
clear entry from request queue
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer 
re-set for client [0x1aeec870][17]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer 
re-set for client [0x1aeec870][17]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer 
re-set for client [0x1aeec870][17]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info 
for [MIDD\juser] from [<ALL>]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_ncache_check_str] (8): Checking 
negative cache for [NCE/USER/ipa.middlebury.edu/MIDD\juser]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User 
[MIDD\juser] does not exist in [ipa.middlebury.edu]! (negative cache)
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No 
matching domain found for [MIDD\juser], fail!

There's a trust relationship set up between the IPA domain and the AD domain, 
but it's like the RHEL 5 client doesn't know about it. Did I miss something?

David Guertin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to