On Wed, 01 Apr 2015, Guertin, David S. wrote:
The 5.x ipa-client should work fine. What isn't working?

I cannot SSH in as an AD user. (Sorry, I should have mentioned that in
my original post.) The client installs without errors, and I can get a
Kerberos ticket for the admin user. But when I try to SSH in as an AD
domain user, the login fails:

$ ssh -l 'MIDD\juser' yakko.ipa
Red Hat Enterprise Linux Server release 5.11 (Tikanga)
Kernel 2.6.18-402.el5 on an x86_64

Password:
Password:
Password:
MIDD\ju...@yakko.ipa's password:
Received disconnect from 140.233.1.100: 2: Too many authentication failures for MIDD\\juser

And on the client, with debug_level = 10 for sssd, /var/log/sssd/sssd_nss.log shows:

(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_ncache_set_str] (6): Adding [NCE/USER/ipa.middlebury.edu/MIDD\juser] to negative cache
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No results for getpwnam call
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_dp_req_destructor] (8): Could not clear entry from request queue
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [MIDD\juser] from [<ALL>]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/ipa.middlebury.edu/MIDD\juser]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [MIDD\juser] does not exist in [ipa.middlebury.edu]! (negative cache)
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No matching domain found for [MIDD\juser], fail!

There's a trust relationship set up between the IPA domain and the AD
domain, but it's like the RHEL 5 client doesn't know about it. Did I
miss something?

Show your sssd.conf.

Practically, in order to provide access to RHEL5 systems for AD users,
you need to configure sssd on RHEL5 against the compat tree on IPA LDAP.
More to that, we had a few bugs that prevented successful authentication
from completing from older clients against the compat tree. These bugs are
fixed as part of the RHEL 7.1 update 1 cumulative release.

A typical RHEL5 configuration script can be obtained by running
'ipa-advise config-redhat-sssd-before-1-9' on IPA master.
--
/ Alexander Bokovoy
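
What a compat-tree configuration for a pre-1.9 SSSD client looks like, as an added example that is not part of this thread or of the FreeIPA project. It renders an sssd.conf whose identity provider is plain LDAP against cn=compat on the IPA server and whose authentication provider is Kerberos, installs it with the ownership and mode SSSD requires, and checks that a trusted-domain user is actually served by the compat tree before PAM is debugged. The server name, base DN, realm and the user name aduser@ad.example.com are constructed for the example; the exact option set is modeled on the general shape of what 'ipa-advise config-redhat-sssd-before-1-9' prints and should be treated as an assumption, with the script the IPA master generates for your version taking precedence.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Hostnames, DNs,
# realm and user below are constructed placeholders.

# render_legacy_sssd_conf SERVER BASEDN REALM
# Prints an sssd.conf for a client whose SSSD predates the ipa provider's
# trust support (RHEL5, RHEL6 < 1.9): identities come from the compat tree
# as plain RFC2307 entries, authentication goes straight to Kerberos.
render_legacy_sssd_conf() {
    server=$1; basedn=$2; realm=$3
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[nss]
filter_users = root
filter_groups = root

[domain/default]
# Identity: the compat tree, not the IPA provider (no trust support here).
id_provider = ldap
ldap_uri = ldap://$server
ldap_search_base = cn=compat,$basedn
ldap_user_search_base = cn=users,cn=compat,$basedn
ldap_group_search_base = cn=groups,cn=compat,$basedn
ldap_schema = rfc2307
# Verify the IPA server certificate with the IPA CA (installed by ipa-client-install).
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_id_use_start_tls = true
# Authentication: Kerberos; the AD KDC is reached through the trust.
auth_provider = krb5
chpass_provider = krb5
krb5_server = $server
krb5_realm = $realm
# Assumption: build the principal from the login name rather than from an
# attribute of the compat entry, so a fully qualified AD login keeps its realm.
ldap_user_principal = nosuchattr
krb5_canonicalize = false
cache_credentials = true
EOF
}

# install_legacy_sssd_conf SERVER BASEDN REALM
# SSSD refuses a config that is not root-owned and 0600, so fix the mode on a
# temp file before it replaces /etc/sssd/sssd.conf; the restart also drops the
# in-memory negative cache that the thread's sssd_nss.log shows.
install_legacy_sssd_conf() {
    tmp=$(mktemp /etc/sssd/sssd.conf.XXXXXX) || return 1
    render_legacy_sssd_conf "$@" > "$tmp"
    chown root:root "$tmp" && chmod 0600 "$tmp"
    mv "$tmp" /etc/sssd/sssd.conf
    service sssd restart
}

# verify_compat_user SERVER BASEDN USER
# First ask the compat tree directly (STARTTLS, anonymous), then ask NSS. If the
# first query is empty the problem is on the IPA side, not in this client.
verify_compat_user() {
    server=$1; basedn=$2; user=$3
    ldapsearch -x -ZZ -H "ldap://$server" -b "cn=users,cn=compat,$basedn" \
        "(uid=$user)" uid uidNumber gidNumber homeDirectory
    getent passwd "$user"
}

# Usage (placeholders): sh this.sh apply ipa.example.com dc=ipa,dc=example,dc=com IPA.EXAMPLE.COM
#                       sh this.sh check ipa.example.com dc=ipa,dc=example,dc=com aduser@ad.example.com
case "${1:-}" in
    apply) install_legacy_sssd_conf "$2" "$3" "$4" ;;
    check) verify_compat_user "$2" "$3" "$4" ;;
esac
```

The login name to test with is whatever uid the compat tree returns for the AD user (the ldapsearch in the check shows it); with the compat tree the name form seen by NSS is the one served by IPA, not necessarily the DOMAIN\user form tried in the thread, so confirm it with the check before retrying ssh.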
