>Ah so you are using it with trust. Then you should change the configuration to >not use kerberos but rather LDAP instead. >More details are here. >http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf
Thanks. When I ran ipa-adtrust-install on the servers, I hadn't used the --enable-compat flag, so I re-ran "ipa-adtrust-install --enable-compat" on all three IPA servers. I then cleared the sssd cache on the RHEL 5 client and restarted sssd, but users still couldn't log in. Originally I had run "ipa-advise config-redhat-sssd-before-1-9" on the server, so I tried re-running that with "ipa-advise config-redhat-nss-ldap" instead, and ran the resulting script on the client. Still no success -- I'm still getting the same error. The current sssd.conf file on the client is: [sssd] services = nss, pam config_file_version = 2 domains = default re_expression = (?P<name>.+) [domain/default] cache_credentials = True id_provider = ldap auth_provider = ldap ldap_uri = ldap://genet.ipa.middlebury.edu ldap_search_base = cn=compat,dc=ipa,dc=middlebury,dc=edu ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt David Guertin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
