I have the exact same problem: I have a Windows AD that trusts the IPA server and an IPA client that connects to the IPA server via sssd. If I try to ssh on the IPA client using an AD user it fails authentication. The same happens if I try to su - ADuser.
Basically the IPA server is not correctly proxying the requests to AD. I can pull the info with getent, so I know the trust is working, but when I try to authenticate it's always failing. The relevant bits I found in the sssd logs suggest a problem contacting the AD subdomain via Kerberos:

(Thu Jul 9 20:42:15 2015) [[sssd[krb5_child[12110]]]] [get_and_save_tgt] (0x0020): 996: [-1765328230][Cannot find KDC for realm "AD.LOCAL"]

Is there manual customization that I am missing that I need to put in krb5 or sssd.conf?

Angelo

> On 05/06/2015 12:14 AM, Nathan Peters wrote:
>>> From this link :
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html#comp-trust-krb
>>
>> The diagram in that section shows the client communicating with
>> FreeIPA and FreeIPA contacting AD.
>>
>> So why are you saying the client authenticates with the AD DC directly?
>
> You are looking at the older documentation. It is for RHEL6. Please use
> RHEL7.1 docs to get the latest info about 4.1 functionality.
>
Well, according to the 7 docs here https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/active-directory-trust.html it still shows in section 5.1.3.1 of that page that sssd sends the request on behalf of the client and the client never directly connects to the AD DC. Both the 6 and 7 docs show the exact same diagram.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
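A small diagnostic for the error in Angelo's log line, added here as an example and not code from the thread or from the FreeIPA project: it parses a krb5.conf and reports whether libkrb5 has a static kdc entry for the realm or must fall back to the DNS SRV record, the two lookups whose failure produces "Cannot find KDC for realm". The krb5.conf text is a constructed sample; AD.LOCAL is the realm from the log line, and the fact that dns_lookup_kdc defaults to true in MIT Kerberos is assumed from its documentation rather than from the thread.

```python
"""Diagnose libkrb5's 'Cannot find KDC for realm' from the sssd log above.
Added example, not from the thread.  libkrb5 finds a KDC from a static
'kdc =' entry under [realms] or, when dns_lookup_kdc is on (MIT default),
from the _kerberos._tcp.<realm> DNS SRV record.  The krb5.conf text is
constructed; AD.LOCAL is the realm named in the log line."""

SAMPLE_KRB5_CONF = """\
[libdefaults]
# constructed: DNS discovery off and no AD.LOCAL stanza reproduces the error
 dns_lookup_kdc = false

[realms]
 IPA.EXAMPLE = {
  kdc = ipa.ipa.example:88
 }
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}.  A nested block such
    as 'AD.LOCAL = { kdc = ... }' becomes the section 'realms/AD.LOCAL'."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':          # MIT profile comment lines
            continue
        if line.startswith('[') and line.endswith(']'):
            stack = [line[1:-1]]                 # new top-level section
        elif '=' in line and line.endswith('{'):
            stack.append(line.split('=', 1)[0].strip())  # nested block
        elif line == '}' and stack:
            stack.pop()
        elif '=' in line and stack:
            key, val = (s.strip() for s in line.split('=', 1))
            sections.setdefault('/'.join(stack), {}).setdefault(key, []).append(val)
    return sections


def kdc_source(conf, realm):
    """Return how libkrb5 would locate a KDC for `realm`: ('static', [kdcs]),
    ('dns', srv_record_to_resolve) or ('none', reason)."""
    kdcs = conf.get('realms/' + realm, {}).get('kdc', [])
    if kdcs:
        return ('static', kdcs)
    # dns_lookup_kdc defaults to true in MIT Kerberos; the last value wins.
    flag = conf.get('libdefaults', {}).get('dns_lookup_kdc', ['true'])[-1].lower()
    if flag in ('true', 'yes', '1'):
        return ('dns', '_kerberos._tcp.' + realm.lower())  # verify with dig SRV
    return ('none', 'no kdc entry for %s and dns_lookup_kdc is off' % realm)
```

On a real host, feed it the contents of /etc/krb5.conf and, when the result is ('dns', name), confirm the SRV record actually resolves from that client with `dig SRV <name>`.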