On 04/01/2015 02:28 PM, Guertin, David S. wrote:
The 5.x ipa-client should work fine. What isn't working?
I cannot SSH in as an AD user. (Sorry, I should have mentioned that in my 
original post.) The client installs without errors, and I can get a Kerberos 
ticket for the admin user. But when I try to SSH in as an AD domain user, the 
login fails:

$ ssh -l 'MIDD\juser' yakko.ipa
Red Hat Enterprise Linux Server release 5.11 (Tikanga)
Kernel 2.6.18-402.el5 on an x86_64

Password:
Password:
Password:
MIDD\ju...@yakko.ipa's password:
Received disconnect from 140.233.1.100: 2: Too many authentication failures for 
MIDD\\juser

And on the client, with debug_level = 10 for sssd, /var/log/sssd/sssd_nss.log 
shows:

(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_ncache_set_str] (6): Adding 
[NCE/USER/ipa.middlebury.edu/MIDD\juser] to negative cache
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No 
results for getpwnam call
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_dp_req_destructor] (8): Could not 
clear entry from request queue
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer 
re-set for client [0x1aeec870][17]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer 
re-set for client [0x1aeec870][17]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer 
re-set for client [0x1aeec870][17]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for 
[MIDD\juser] from [<ALL>]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_ncache_check_str] (8): Checking 
negative cache for [NCE/USER/ipa.middlebury.edu/MIDD\juser]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User 
[MIDD\juser] does not exist in [ipa.middlebury.edu]! (negative cache)
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No 
matching domain found for [MIDD\juser], fail!

There's a trust relationship set up between the IPA domain and the AD domain, 
but it's like the RHEL 5 client doesn't know about it. Did I miss something?

David Guertin

Ah, so you are using it with trust. Then you should change the configuration to not use Kerberos but rather LDAP instead.
More details are here.
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
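For readers of this thread, an added sketch of what the "LDAP instead of Kerberos" setup looks like for a legacy client (this is not from the original message or from the linked PDF): the RHEL 5 SSSD resolves users and authenticates through the IPA server's compat tree, which is where IPA exposes trusted-AD users to clients that cannot handle the trust themselves. The server hostname and the `dc=ipa,dc=middlebury,dc=edu` suffix are assumptions derived from the domain name in the log; adjust them to your deployment.

```ini
; /etc/sssd/sssd.conf on the legacy (RHEL 5) client -- added example, assumed values
[sssd]
config_file_version = 2
services = nss, pam
domains = ipa.middlebury.edu

[domain/ipa.middlebury.edu]
; Identity and authentication both go over LDAP to the IPA server instead of
; Kerberos, since this SSSD version knows nothing about the IPA-AD trust.
id_provider = ldap
auth_provider = ldap
; Hostname is a placeholder; use your IPA server's FQDN.
ldap_uri = ldaps://ipa-server.ipa.middlebury.edu
; Always verify the server certificate: auth_provider = ldap sends the user's
; password in a simple bind, so the transport must be TLS and the CA pinned.
ldap_tls_cacert = /etc/ipa/ca.crt
; The compat tree (slapi-nis) presents IPA and trusted-AD users in rfc2307 form.
; Suffix is assumed from the domain name; check it with ldapsearch on the server.
ldap_search_base = cn=compat,dc=ipa,dc=middlebury,dc=edu
ldap_user_search_base = cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
ldap_group_search_base = cn=groups,cn=compat,dc=ipa,dc=middlebury,dc=edu
ldap_schema = rfc2307
cache_credentials = false
```

After the change, a `getent passwd` for the AD user on the client should return an entry from the compat tree instead of the "No matching domain found" negative-cache hit seen in sssd_nss.log above.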

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
