>Ah, so you are using it with trust. Then you should change the configuration to
>not use Kerberos but rather LDAP instead.
>More details are here.
>http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf

Thanks. When I ran ipa-adtrust-install on the servers, I hadn't used the 
--enable-compat flag, so I re-ran "ipa-adtrust-install --enable-compat" on all 
three IPA servers. I then cleared the sssd cache on the RHEL 5 client and 
restarted sssd, but users still couldn't log in. Originally I had run 
"ipa-advise config-redhat-sssd-before-1-9" on the server, so I tried re-running 
that with "ipa-advise config-redhat-nss-ldap" instead, and ran the resulting 
script on the client. Still no success -- I'm still getting the same error.

The current sssd.conf file on the client is:

[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://genet.ipa.middlebury.edu
ldap_search_base = cn=compat,dc=ipa,dc=middlebury,dc=edu
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt

David Guertin
