OK, seems like I've found the cause.

default_domain_suffix = zone.local

If I comment this out, I can login using password or publickey with ipa user and using password with AD user, but I need to specify the domain component. Found this thread: https://www.redhat.com/archives/freeipa-users/2015-February/msg00371.html
And this bug: https://fedorahosted.org/sssd/ticket/2569

Since it's fixed, it should appear in sssd 1.13 release?

l...@avc.su писал 2015-07-03 18:29:
I've encountered an issue with ssh login to freeipa clients in trusted
getent/id commands working as expected, but password/publickey auth
for user from ipa or AD domain does not work (gssapi works, by the
Seems like sss_ssh_authorizedkeys not working properly in this case.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to