Hey guys, quick question. Just running through a PoC and ran into a question.

I have a simple AD DC (win2k8r2 box) with a trust set up to our IPA server. Trust and all is set up properly and I can see users on the client/ipa server, and on the ipa server I can ssh into it with the AD user. I am finding that users are unable to log into the "client nodes" and are getting a "4: System Error" failure in the ssh log. When I dig into sssd in debug mode I can see it's failing to find a KDC for the "realm". Makes sense so far. So I enable dns_lookup_kdc = true and now it is able to find the realm and login is successful.

My question is, is this "dns_lookup_kdc = true" required in any setup with AD/IPA trust + ssh into an IPA client with AD users? I am wondering as there may be a use case where the AD server is in another network and IPA clients won't have direct access to AD. I was wondering if there is any model in which the client only ever talks to the IPA server and all the AD/Kerberos communication is handled via the IPA server, and if so, how is this done? I have read a bit and it looks as though what I am doing here is a "legacy" setup. Just wondering if this is different in sssd 1.9 or if kdc = True is always required.

I am not doing anything extra on the client other than the ipa-client install. No manual adjustment of sssd.conf or krb5.conf. If I am missing something please advise.

Thanks guys
Aly

SW info:

Server
ipa-admintools-4.1.0-18.el7.centos.4.x86_64
ipa-python-4.1.0-18.el7.centos.4.x86_64
ipa-client-4.1.0-18.el7.centos.4.x86_64
ipa-server-trust-ad-4.1.0-18.el7.centos.4.x86_64
ipa-server-4.1.0-18.el7.centos.4.x86_64

el7 Client
sssd-client-1.12.2-58.el7_1.17.x86_64
sssd-common-1.12.2-58.el7_1.17.x86_64
sssd-ad-1.12.2-58.el7_1.17.x86_64
sssd-proxy-1.12.2-58.el7_1.17.x86_64
sssd-krb5-1.12.2-58.el7_1.17.x86_64
ipa-python-4.1.0-18.el7.centos.4.x86_64
sssd-krb5-common-1.12.2-58.el7_1.17.x86_64
sssd-common-pac-1.12.2-58.el7_1.17.x86_64
sssd-ipa-1.12.2-58.el7_1.17.x86_64
sssd-ldap-1.12.2-58.el7_1.17.x86_64
sssd-1.12.2-58.el7_1.17.x86_64
ipa-client-4.1.0-18.el7.centos.4.x86_64

el6 client
sssd-common-1.12.4-47.el6.x86_64
sssd-proxy-1.12.4-47.el6.x86_64
sssd-krb5-common-1.12.4-47.el6.x86_64
sssd-ad-1.12.4-47.el6.x86_64
sssd-1.12.4-47.el6.x86_64
ipa-python-3.0.0-47.el6.centos.x86_64
sssd-client-1.12.4-47.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
sssd-krb5-1.12.4-47.el6.x86_64
ipa-client-3.0.0-47.el6.centos.x86_64
sssd-common-pac-1.12.4-47.el6.x86_64
sssd-ldap-1.12.4-47.el6.x86_64
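
The symptom in the message above (no KDC found for the AD realm until dns_lookup_kdc = true is set) can be checked against a client's krb5.conf with the sketch below. It is an added example, not part of the original post and not FreeIPA or SSSD code; it models the order in which an MIT Kerberos client locates a KDC (static kdc entries for the realm first, then DNS SRV records if allowed). The realm names, host names and the dns_default parameter are assumptions.

```python
import re

# Constructed sample: a client krb5.conf that lists a KDC only for the IPA
# realm. Realm and host names are hypothetical.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = IPA.EXAMPLE.TEST
  dns_lookup_kdc = false

[realms]
  IPA.EXAMPLE.TEST = {
    kdc = ipa1.ipa.example.test:88
    admin_server = ipa1.ipa.example.test:749
  }
"""

TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}  # krb5.conf boolean spellings

def parse_krb5_conf(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}); include directives are ignored."""
    libdefaults, realm_kdcs = {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1), None
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "realms" and value == "{":
                realm = key
                realm_kdcs.setdefault(realm, [])
            elif section == "realms" and realm and key == "kdc":
                realm_kdcs[realm].append(value)
            elif section == "libdefaults":
                libdefaults[key] = value
    return libdefaults, realm_kdcs

def kdc_lookup_plan(text, realm, dns_default=True):
    """How a client would find a KDC for `realm`; dns_default is an assumed build default."""
    libdefaults, realm_kdcs = parse_krb5_conf(text)
    if realm_kdcs.get(realm):
        return ("static", realm_kdcs[realm])
    flag = libdefaults.get("dns_lookup_kdc")
    use_dns = dns_default if flag is None else flag.lower() in TRUE_VALUES
    if use_dns:
        return ("dns", [f"_kerberos._udp.{realm}", f"_kerberos._tcp.{realm}"])
    return ("none", [])
```

A result of ("none", []) for the trusted AD realm corresponds to the "failing to find KDC" state; ("dns", ...) lists the SRV names the client must be able to resolve and then reach.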