I am using sssd and from ipa clients the authentication is not working (works fine if I ssh on the ipa-server). I thought it could be due to the external groups being empty and not mapping the AD users.
Anyway this is the krb5.conf on the ipa client:

#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.TWEEK
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  IPA.TWEEK = {
    kdc = centos.ipa.tweek:88
    master_kdc = centos.ipa.tweek:88
    admin_server = centos.ipa.tweek:749
    default_domain = ipa.tweek
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    auth_to_local = RULE:[1:$1@$0](^.*@AD.TWEEK$)s/@AD.TWEEK/@ad.tweek/
    auth_to_local = DEFAULT
  }
  AD.TWEEK = {
    kdc = centos.ipa.tweek:88
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .ipa.tweek = IPA.TWEEK
  ipa.tweek = IPA.TWEEK
  .ad.tweek = AD.TWEEK
  ad.tweek = AD.TWEEK

and this is the error I see in krb5_child.log:

(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [main] (0x0400): Will perform online auth
(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [AD.TWEEK]
(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [get_and_save_tgt] (0x0020): 996: [-1765328378][Client 'freeipa@AD.TWEEK' not found in Kerberos database]
(Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235]]]] [map_krb5_error] (0x0020): 1065: [-1765328378][Client 'freeipa@AD.TWEEK' not found in Kerberos database]

also:

# kinit freeipa@AD.TWEEK
kinit: Cannot find KDC for realm "AD.TWEEK" while getting initial credentials

Any idea what's the problem?
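As an added illustration (editor's example, not part of the thread or of any FreeIPA/SSSD code), the following Python models how libkrb5 evaluates the two auth_to_local lines from the IPA.TWEEK realm block above: a RULE is only considered when the principal has exactly n components, the formatted string must match the selector regexp, and then a sed-style substitution is applied; DEFAULT maps only single-component principals of the default realm. This is what turns alice@AD.TWEEK into the alice@ad.tweek form SSSD uses for trusted-domain users. Two caveats: real libkrb5 uses POSIX regular expressions and sed replacement syntax, which Python's re only approximates, and auth_to_local is applied after a ticket has already been obtained, so it plays no part in the kinit failure shown in the log. The principals fed in at the bottom are constructed test inputs; the rule with [2:$1] in the test is a made-up rule to show the component-count check.

```python
import re

# The two auth_to_local lines from the IPA.TWEEK realm block in the posted
# krb5.conf, in the order libkrb5 evaluates them (first rule that applies wins).
AUTH_TO_LOCAL_RULES = [
    "RULE:[1:$1@$0](^.*@AD.TWEEK$)s/@AD.TWEEK/@ad.tweek/",
    "DEFAULT",
]
DEFAULT_REALM = "IPA.TWEEK"  # default_realm from the posted [libdefaults]

# Grammar of one rule:  RULE:[n:string](regexp)s/pattern/replacement/[g]
_RULE_SYNTAX = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"                      # [n:string]
    r"\((?P<selector>.*?)\)"                                      # (regexp)
    r"s(?P<d>.)(?P<pat>.*?)(?P=d)(?P<repl>.*?)(?P=d)(?P<g>g?)$"   # s/pat/repl/[g]
)


def split_principal(principal):
    """'svc/host@REALM' -> (['svc', 'host'], 'REALM')."""
    name, at, realm = principal.rpartition("@")
    if not at or not name or not realm:
        raise ValueError(f"not a realm-qualified principal: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule, principal, default_realm=DEFAULT_REALM):
    """Return the local name produced by one rule, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals in the default realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = _RULE_SYNTAX.match(rule)
    if m is None:
        raise ValueError(f"unparseable auth_to_local rule: {rule!r}")
    if len(comps) != int(m["n"]):
        return None  # component count must equal n
    # Build the [n:string] value: $0 is the realm, $1..$n the components.
    s = m["fmt"].replace("$0", realm)
    for i in range(len(comps), 0, -1):  # highest index first so $1 never clobbers $10
        s = s.replace(f"${i}", comps[i - 1])
    if re.search(m["selector"], s) is None:
        return None  # selector regexp did not match; try the next rule
    count = 0 if m["g"] else 1  # sed semantics: first occurrence unless /g
    return re.sub(m["pat"], m["repl"], s, count=count)


def auth_to_local(principal, rules=AUTH_TO_LOCAL_RULES, default_realm=DEFAULT_REALM):
    """First rule that yields a local name wins; None means no mapping exists."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    # Constructed sample principals, not taken from the poster's environment.
    for p in ["alice@AD.TWEEK", "freeipa@IPA.TWEEK",
              "host/centos.ipa.tweek@IPA.TWEEK", "bob@OTHER.TWEEK"]:
        print(f"{p:36} -> {auth_to_local(p)}")
```

Running it shows alice@AD.TWEEK mapped to alice@ad.tweek by the RULE, freeipa@IPA.TWEEK mapped to freeipa by DEFAULT, and no mapping at all for a two-component service principal or for a realm neither rule covers.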
It seems kerberos cannot find users in the AD subdomain. This is my sssd.conf:

[domain/ipa.tweek]
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.tweek
id_provider = ipa
auth_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = someaddress_here
chpass_provider = ipa
ipa_server = _srv_, centos.ipa.tweek
dns_discovery_domain = ipa.tweek
cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=tweek
subdomains_provider = ipa

[sssd]
services = nss, pam, pac, ssh
config_file_version = 2
debug_level = 6
domains = ipa.tweek

On Fri, Jul 10, 2015 at 12:29 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Fri, 10 Jul 2015, Angelo Pantano wrote:
>
>> I have a freeipa server trusting an active directory domain. If I ssh to
>> the ipa server everything works, but if I try to ssh on an ipa client the
>> authentication fails.
>>
>> I noticed on the server that the wbinfo -n 'AD\Domain Users' is failing:
>>
>> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>>
>> Also in the logs I see:
>>
>> log.winbindd-dc-connect: get_sorted_dc_list: attempting lookup for name
>> ad.local (sitename NULL)
>>
>> Everything else works though, I can getent users and groups just fine.
>>
>> Can you please help me?
>>
> We don't use wbinfo and don't recommend it with FreeIPA AD trusts -- at
> least with Fedora 18+ and RHEL7+. When your FreeIPA server is deployed
> on those platforms, SSSD is used to resolve users, not winbindd.
> Winbindd is only used to manage forest topology.
>
> --
> / Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project