On Fri, Nov 27, 2015 at 06:16:51PM +0100, Morgan Marodin wrote:
> Yes:
> ------
> # ls -l /var/lib/sss/pubconf/krb5.include.d/
> total 8
> -rw-r--r-- 1 root root 208 Nov 27 17:37 domain_realm_ipa_mydomain_com
> -rw-r--r-- 1 root root 118 Nov 27 17:37 localauth_plugin
> 
> So what could I try to do?

'getent passwd' should return the same entry for the user name you use
at the login prompt and the Kerberos principal (it's the name shown by
klist in the 'Default principal:' line), e.g.:

# getent passwd tu1@ad.devel
tu1@ad.devel:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh
# getent passwd tu1@AD.DEVEL
tu1@ad.devel:*:1367201104:1367201104:t u:/home/ad.devel/tu1:/bin/sh

From the logs I guess you used the name 'morgan.maro...@mydomain.com' at
the login prompt.

I assume you use ssh for the Kerberos/GSSAPI login. Please check on the
client with klist if you got a service ticket for your linux client
principal which should look like host/linux.client.name@IPA.DOMAIN. On
Windows there is klist for the cmd shell as well.

Additionally, if there is a service ticket for the linux host, sshd debug
logs from the linux host would be useful. For this please set LogLevel to
DEBUG3 in /etc/ssh/sshd_config (please note that the log might contain
confidential keys or passwords).

bye,
Sumit

> Thanks, Morgan
> 
> 2015-11-27 17:47 GMT+01:00 Sumit Bose <sb...@redhat.com>:
> 
> > On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin wrote:
> > > Hi Sumit.
> > >
> > > I don't know why, but now kerberos ticket authentication is working on
> > > 6.7 clients.
> > > On 7.2 clients now password authentication with Active Directory
> > > credentials is working ... but not with kerberos ticket.
> >
> > This is most likely due to some issues while mapping the Kerberos
> > principal to the local user name.
> >
> > Do you have a 'includedir /var/lib/sss/pubconf/krb5.include.d/' line at
> > the beginning of your krb5.conf file? Does
> > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exist?
> >
> > bye,
> > Sumit
> >

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
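
The three client-side checks discussed in this thread (includedir line at the start of krb5.conf, presence of the localauth_plugin snippet, identical 'getent passwd' entries for the login name and the Kerberos principal), scripted as an added example that is not part of the original messages or of SSSD/FreeIPA. The function names and the LOOKUP override are hypothetical, and "at the beginning" is interpreted here as the first line that is neither blank nor a comment.

```shell
#!/bin/sh
# Added example: principal-to-user mapping checks for an SSSD client.
# Assumed defaults: /etc/krb5.conf and the include directory named in the thread.
SSS_INCLUDE_DIR=/var/lib/sss/pubconf/krb5.include.d

# True if the first effective line of krb5.conf is the SSSD includedir line.
has_sss_includedir() {
    conf=${1:-/etc/krb5.conf}
    dir=${2:-$SSS_INCLUDE_DIR}
    # Skip blank lines and '#' / ';' comments, normalise inner whitespace.
    first=$(awk '!/^[ \t]*([#;]|$)/ { print $1, $2; exit }' "$conf" 2>/dev/null)
    [ "${first%/}" = "includedir ${dir%/}" ]
}

# True if the localauth_plugin snippet exists, is non-empty and readable.
has_localauth_snippet() {
    f="${1:-$SSS_INCLUDE_DIR}/localauth_plugin"
    [ -s "$f" ] && [ -r "$f" ]
}

# True if both names resolve, and resolve to the same passwd entry.
# LOOKUP (hypothetical) lets a stub replace getent for offline testing.
same_passwd_entry() {
    a=$(${LOOKUP:-getent} passwd "$1") || return 1
    b=$(${LOOKUP:-getent} passwd "$2") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Run all checks; print what failed and return non-zero on any failure.
check_client() {
    rc=0
    has_sss_includedir || {
        echo "krb5.conf: 'includedir $SSS_INCLUDE_DIR/' is not the first directive"; rc=1; }
    has_localauth_snippet || {
        echo "missing or empty: $SSS_INCLUDE_DIR/localauth_plugin"; rc=1; }
    same_passwd_entry "$1" "$2" || {
        echo "getent passwd differs or fails for '$1' and '$2'"; rc=1; }
    return $rc
}

# Usage: script LOGIN_NAME KERBEROS_PRINCIPAL
if [ $# -eq 2 ]; then check_client "$1" "$2"; fi
```

Pass the name typed at the login prompt and the 'Default principal:' value from klist as the two arguments.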
