Quick question. Just running through a PoC and ran into a question.
I have a simple AD DC (win2k8r2 box) with a trust set up to our IPA server.
The trust and all is set up properly, and I can see users on the client/IPA
server, and on the IPA server I can SSH into it with the AD user.
I am finding that users are unable to log into the "client nodes" and are
getting a "4: System Error" failure in the SSH log. When I dig into
sssd in debug mode I can see it's failing to find a KDC for the "realm". Makes
sense so far. So I enable dns_lookup_kdc = true, and now it is able to find
the realm and login is successful.
My question is, is "dns_lookup_kdc = true" required in any setup with an
AD/IPA trust + SSH into an IPA client with AD users?
I am wondering, as there may be a use case where the AD server is in another
network and IPA clients won't have direct access to AD. I was wondering if
there is any model in which the client only ever talks to the IPA server and
all the AD/Kerberos communication is handled via the IPA server, and if so, how
is this done?
I have read a bit, and this looks as though what I am doing here is a
"legacy" setup. Just wondering if this is different in sssd 1.9 or if kdc =
True is always required.
I am not doing anything extra on the client other than the ipa-client.
No manual adjustment of sssd.conf or krb5.conf. If I am missing something
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
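The failure described in the post ("failing to find KDC for the realm" until dns_lookup_kdc is turned on) comes down to how libkrb5 locates a KDC: either a static `kdc =` entry under `[realms]`, or, when `[libdefaults] dns_lookup_kdc` is true, a DNS SRV lookup of `_kerberos._tcp.<realm>` / `_kerberos._udp.<realm>`. ipa-client-install writes a `[realms]` entry for the IPA realm only, so the trusted AD realm can only be found through DNS. The following is an added example, not code from the original post or from FreeIPA/SSSD: a small krb5.conf checker that parses two constructed client configurations (the realm names and host names are hypothetical) and reports which lookup path, if any, the client has for each realm.

```python
"""Added example (not part of the original mailing-list post or of FreeIPA/SSSD).

Parses the subset of krb5.conf relevant to KDC discovery and reports, per realm,
whether a client can locate a KDC: via static `kdc =` entries, via DNS SRV
records (dns_lookup_kdc = true), or not at all. Both configs below are
constructed for this example; IPA.EXAMPLE.TEST / AD.EXAMPLE.TEST and the host
names are hypothetical.
"""
import re
from dataclasses import dataclass, field

# Constructed config: what ipa-client-install typically writes on a client
# (static entry for the IPA realm only, DNS KDC lookup switched off).
CLIENT_CONF_DEFAULT = """
[libdefaults]
  default_realm = IPA.EXAMPLE.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  forwardable = true
[realms]
  IPA.EXAMPLE.TEST = {
    kdc = ipa.ipa.example.test:88
    master_kdc = ipa.ipa.example.test:88
    admin_server = ipa.ipa.example.test:749
  }
[domain_realm]
  .ipa.example.test = IPA.EXAMPLE.TEST
"""

# Constructed config: the same file after the change the post describes.
CLIENT_CONF_FIXED = CLIENT_CONF_DEFAULT.replace(
    "dns_lookup_kdc = false", "dns_lookup_kdc = true"
)


@dataclass
class Krb5Config:
    libdefaults: dict = field(default_factory=dict)
    realms: dict = field(default_factory=dict)  # REALM -> list of kdc host:port


def parse_krb5_conf(text: str) -> Krb5Config:
    """Minimal parser: [libdefaults] key = value lines and
    [realms] REALM = { kdc = host ... } blocks. Other sections are skipped."""
    cfg = Krb5Config()
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, realm = m.group(1), None
            continue
        if section == "libdefaults":
            key, _, value = line.partition("=")
            cfg.libdefaults[key.strip()] = value.strip()
        elif section == "realms":
            if realm is None:
                m = re.match(r"^(\S+)\s*=\s*\{$", line)
                if m:
                    realm = m.group(1)
                    cfg.realms.setdefault(realm, [])
            elif line == "}":
                realm = None
            else:
                key, _, value = line.partition("=")
                if key.strip() == "kdc":
                    cfg.realms[realm].append(value.strip())
    return cfg


def kdc_lookup_plan(cfg: Krb5Config, realm: str):
    """How libkrb5 would locate a KDC for `realm` with this config:
    ('static', [hosts]), ('dns', [srv names]) or ('none', None)."""
    hosts = cfg.realms.get(realm, [])
    if hosts:
        return ("static", hosts)
    # MIT krb5 defaults dns_lookup_kdc to true when the key is absent;
    # ipa-client-install writes it explicitly.
    flag = cfg.libdefaults.get("dns_lookup_kdc", "true").lower()
    if flag in ("true", "yes", "1"):
        r = realm.lower()
        return ("dns", [f"_kerberos._udp.{r}", f"_kerberos._tcp.{r}"])
    return ("none", None)


def report(text: str, realms) -> dict:
    """Map each realm to its lookup plan for the given krb5.conf text."""
    cfg = parse_krb5_conf(text)
    return {realm: kdc_lookup_plan(cfg, realm) for realm in realms}


if __name__ == "__main__":
    realms = ["IPA.EXAMPLE.TEST", "AD.EXAMPLE.TEST"]
    for name, text in (("default", CLIENT_CONF_DEFAULT), ("fixed", CLIENT_CONF_FIXED)):
        print(f"== {name} krb5.conf ==")
        for realm, plan in report(text, realms).items():
            print(f"  {realm}: {plan[0]} {plan[1] or ''}")
```

With the default config the AD realm resolves to `none`, which is the state in which sssd cannot find a KDC for the trusted realm; with dns_lookup_kdc on, the client falls back to the `_kerberos` SRV records of the AD domain, which is why the client needs DNS (and network) reachability to AD in this setup.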