OK, seems like I've found the cause. /etc/sssd/sssd.conf default_domain_suffix = zone.local
If I comment this out, I can login using password or publickey with ipa user and using password with AD user, but I need to specify the domain component. Found this thread: https://www.redhat.com/archives/freeipa-users/2015-February/msg00371.html
And this bug: https://fedorahosted.org/sssd/ticket/2569 Since it's fixed, it should appear in sssd 1.13 release? l...@avc.su писал 2015-07-03 18:29:
Hello. I've encountered an issue with ssh login to freeipa clients in trusted environment. getent/id commands working as expected, but password/publickey auth for user from ipa or AD domain does not work (gssapi works, by the way) Seems like sss_ssh_authorizedkeys not working properly in this case.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project