On Thu, Jul 09, 2015 at 08:59:11PM -0700, Angelo Pantano wrote:
> I have the exact same problem, have a Windows AD that trusts IPA server and
> an IPA client that connects to the IPA server via sssd. If I try to ssh on
> the IPA client using an AD user it fails authentication. The same happens
> if I try to su - ADuser.
> Basically IPA server is not correctly proxying the requests to AD, I can
> pull the info with getent, so I know the trust is working,

Are you sure SSSD is not just returning records from cache? Do you have
full SSSD logs?

> but when I try
> to authenticate it's always failing.
> The relevant bits I found in the sssd logs suggest a problem contacting
> the AD subdomain via kerberos
> (Thu Jul 9 20:42:15 2015) [[sssd[krb5_child]]] [get_and_save_tgt]
> (0x0020): 996: [-1765328230][Cannot find KDC for realm "AD.LOCAL"]

The original poster had non-standard UPNs, so the users with those UPNs
were failing. Is that your case also or do all users fail like this?