On Wed, 01 Apr 2015, Guertin, David S. wrote:
> The 5.x ipa-client should work fine. What isn't working?
I cannot SSH in as an AD user. (Sorry, I should have mentioned that in
my original post.) The client installs without errors, and I can get a
Kerberos ticket for the admin user. But when I try to SSH in as an AD
domain user, the login fails:
$ ssh -l 'MIDD\juser' yakko.ipa
Red Hat Enterprise Linux Server release 5.11 (Tikanga)
Kernel 2.6.18-402.el5 on an x86_64
Password:
Password:
Password:
MIDD\ju...@yakko.ipa's password:
Received disconnect from 140.233.1.100: 2: Too many authentication failures for MIDD\\juser
And on the client, with debug_level = 10 for sssd, /var/log/sssd/sssd_nss.log shows:
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_ncache_set_str] (6): Adding [NCE/USER/ipa.middlebury.edu/MIDD\juser] to negative cache
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No results for getpwnam call
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_dp_req_destructor] (8): Could not clear entry from request queue
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [MIDD\juser] from [<ALL>]
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/ipa.middlebury.edu/MIDD\juser]
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [MIDD\juser] does not exist in [ipa.middlebury.edu]! (negative cache)
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No matching domain found for [MIDD\juser], fail!
There's a trust relationship set up between the IPA domain and the AD
domain, but it's like the RHEL 5 client doesn't know about it. Did I
miss something?
Show your sssd.conf.
Practically, in order to provide access to RHEL5 systems for AD users,
you need to configure sssd on RHEL5 against the compat tree on IPA LDAP.
More to that, we had a few bugs that prevented successful authentication
from completing from older clients against the compat tree. These bugs are fixed
as part of RHEL7.1 update 1 cumulative release.
A typical RHEL5 configuration script can be obtained by running
'ipa-advise config-redhat-sssd-before-1-9' on IPA master.
--
/ Alexander Bokovoy
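An added triage helper, not part of this thread or of the FreeIPA project: it parses sssd_nss.log lines of the shape posted above, reports whether a lookup ended in the "No matching domain found" / negative-cache outcome that marks a client which does not know about the AD trust, and checks an sssd.conf domain section for the compat-tree layout Alexander describes (id_provider = ldap with search bases under cn=compat). The log excerpt and the sssd.conf fragment are constructed for the example; the fragment illustrates the compat-tree style of configuration and is not the literal output of ipa-advise, which remains the authoritative source for a given master.

```python
"""Triage helper for the symptom in this thread: a pre-1.9 sssd on a RHEL 5
IPA client fails to resolve AD trust users and the nss log ends in
"No matching domain found".  Added example, not the project's own code."""

import re
from configparser import ConfigParser

# Constructed log excerpt, modelled on the lines posted in the thread.
SAMPLE_NSS_LOG = """\
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_ncache_set_str] (6): Adding [NCE/USER/ipa.middlebury.edu/MIDD\\juser] to negative cache
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No results for getpwnam call
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [MIDD\\juser] from [<ALL>]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/ipa.middlebury.edu/MIDD\\juser]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [MIDD\\juser] does not exist in [ipa.middlebury.edu]! (negative cache)
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No matching domain found for [MIDD\\juser], fail!
"""

# Constructed sssd.conf in the compat-tree style (assumed shape, not ipa-advise output).
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ipa-master.ipa.example.test
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_search_base = cn=compat,dc=ipa,dc=example,dc=test
ldap_user_search_base = cn=users,cn=compat,dc=ipa,dc=example,dc=test
ldap_group_search_base = cn=groups,cn=compat,dc=ipa,dc=example,dc=test
"""

# "(timestamp) [sssd[nss]] [function] (level): message"
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[nss\]\] \[(?P<func>[^\]]+)\] \((?P<lvl>\d+)\): (?P<msg>.*)$"
)


def parse_nss_log(text):
    """Split sssd_nss.log text into dicts with ts/func/lvl/msg; skips non-matching lines."""
    return [m.groupdict() for m in (LOG_RE.match(l) for l in text.splitlines()) if m]


def triage_lookup(events):
    """Classify what happened to the user lookup recorded in the events."""
    result = {"user": None, "negative_cache": False,
              "no_matching_domain": False, "verdict": "resolved-or-unknown"}
    for ev in events:
        msg = ev["msg"]
        m = re.search(r"Requesting info for \[([^\]]+)\]", msg)
        if m:
            result["user"] = m.group(1)
        if "to negative cache" in msg or "(negative cache)" in msg:
            result["negative_cache"] = True
        if "No matching domain found" in msg:
            result["no_matching_domain"] = True
    if result["no_matching_domain"]:
        # sssd has no domain that owns the DOM\user name: the client does not know the trust.
        result["verdict"] = "trusted-domain-unknown"
    elif result["negative_cache"]:
        result["verdict"] = "negative-cache-hit"
    return result


def check_compat_config(conf_text):
    """Return {section: [issues]} for each [domain/...] section of an sssd.conf."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        issues = []
        if cp.get(section, "id_provider", fallback="") != "ldap":
            issues.append("id_provider is not ldap: pre-1.9 sssd must read the compat tree over LDAP")
        if "cn=compat," not in cp.get(section, "ldap_search_base", fallback="").lower():
            issues.append("ldap_search_base does not point at the compat tree (cn=compat,...)")
        if not cp.get(section, "ldap_tls_cacert", fallback=""):
            issues.append("ldap_tls_cacert missing: LDAP connections would not verify the IPA CA")
        findings[section] = issues
    return findings


if __name__ == "__main__":
    print(triage_lookup(parse_nss_log(SAMPLE_NSS_LOG)))
    print(check_compat_config(SAMPLE_SSSD_CONF))
```

Run against a real client, read /var/log/sssd/sssd_nss.log and /etc/sssd/sssd.conf instead of the constructed samples; a "trusted-domain-unknown" verdict together with a non-empty issue list is the combination this thread describes.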
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project