On Tue, 16 Feb 2016, Nathan Peters wrote:
I have created a trust between my FreeIPA domain and an Active
Directory domain. I can get a Kerberos ticket properly from the other
domain at the command line on the IPA server. I have also created sudo
and HBAC rules to allow my AD users to log on to the IPA domain
controller using the recommended nested external group setup.
However, I cannot actually log in to the machines.
I should note that our AD domain is office.mydomain.net, but we use
alternative UPN suffixes so the usernames are u...@mydomain.net.
I read the patch notes and apparently support for client referrals that
will allow alternate UPN suffixes in trusted domains was added in
Is there anything special I need to do to configure it beyond the
creation of the original trust? Do I need to set special options in
krb5.conf or sssd.conf to get it to work?
Not sure what you are trying to achieve. In the output of your 'kinit'
call you are not talking to IPA KDC. Instead, you are talking directly
to your AD DCs. You can verify it by setting KRB5_TRACE=/dev/stderr in
the environment where you would run 'kinit user@AD'. How is IPA KDC
Feb 16 14:10:23 dc1-ipa-dev-nvan sshd: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.134.154
Feb 16 14:10:23 dc1-ipa-dev-nvan sshd: pam_sss(sshd:auth): received for
user nathan.pet...@mydomain.net: 4 (System error)
Feb 16 14:10:23 dc1-ipa-dev-nvan sshd: Failed password for
nathan.pet...@mydomain.net from 10.8.134.154 port 9577 ssh2
Feb 16 14:10:25 dc1-ipa-dev-nvan sshd: error: Received disconnect from
10.8.134.154: 13: Unable to authenticate [preauth]
Feb 16 14:10:25 dc1-ipa-dev-nvan sshd: Disconnected from 10.8.134.154
Use https://fedorahosted.org/sssd/wiki/Troubleshooting to produce sssd
logs that can be analyzed. The logs above are mostly useless, they don't
/ Alexander Bokovoy
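Added example, not code from the thread or from the FreeIPA/SSSD projects: a small Python triage script for the kind of sshd/pam_sss lines quoted above. pam_sss logs two lines per failed attempt: an "authentication failure" line that carries rhost, and a "received for user" line that carries the PAM return code. The script pairs them and sorts each failure into "backend" (code 4, System error, as in the log above: SSSD could not complete the request, so the next stop is the sssd domain log with a raised debug_level, as Alexander suggests) or "credential" (code 7, Authentication failure: SSSD answered and rejected the password). The sample log is constructed from the thread's lines with placeholder user names; the PAM code names are the Linux-PAM constants.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the sshd/pam_sss lines quoted in the thread.
# Host name and address are taken from the thread; the user names are
# placeholders, not the poster's real account.
SAMPLE_LOG = """\
Feb 16 14:10:23 dc1-ipa-dev-nvan sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.134.154
Feb 16 14:10:23 dc1-ipa-dev-nvan sshd: pam_sss(sshd:auth): received for user trusted.user@mydomain.net: 4 (System error)
Feb 16 14:10:23 dc1-ipa-dev-nvan sshd: Failed password for trusted.user@mydomain.net from 10.8.134.154 port 9577 ssh2
Feb 16 14:10:25 dc1-ipa-dev-nvan sshd: error: Received disconnect from 10.8.134.154: 13: Unable to authenticate [preauth]
Feb 16 14:11:02 dc1-ipa-dev-nvan sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.134.154
Feb 16 14:11:02 dc1-ipa-dev-nvan sshd: pam_sss(sshd:auth): received for user localadmin: 7 (Authentication failure)
Feb 16 14:11:02 dc1-ipa-dev-nvan sshd: Failed password for localadmin from 10.8.134.154 port 9602 ssh2
"""

# Linux-PAM return codes as they appear in pam_sss "received for user" lines.
PAM_CODES = {
    4: "PAM_SYSTEM_ERR",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    11: "PAM_MAXTRIES",
}

# Codes where SSSD (or what it talks to: IPA KDC, AD DC, DNS) did not
# complete the request. These point at configuration or trust problems and
# need sssd_<domain>.log with a raised debug_level, not more sshd lines.
BACKEND_CODES = {4, 9, 10}

FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd: "
    r"pam_sss\((?P<service>[^:]+):auth\): authentication failure;.*?rhost=(?P<rhost>\S*)"
)
RESULT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd: "
    r"pam_sss\((?P<service>[^:]+):auth\): received for user (?P<user>\S+): "
    r"(?P<code>\d+) \((?P<msg>[^)]*)\)"
)


def classify(code):
    """Map a pam_sss return code to a triage bucket."""
    if code in BACKEND_CODES:
        return "backend"      # SSSD could not answer: fix config/trust first
    return "credential"       # SSSD answered and rejected the attempt


def parse_pam_sss_events(text):
    """Pair each 'authentication failure' line (carries rhost) with the
    'received for user' line (carries user and code) that pam_sss logs
    right after it for the same service on the same host."""
    pending = {}   # (host, service) -> failure match awaiting its result line
    events = []
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            pending[(m["host"], m["service"])] = m
            continue
        m = RESULT_RE.match(line)
        if m:
            fail = pending.pop((m["host"], m["service"]), None)
            code = int(m["code"])
            events.append({
                "ts": m["ts"],
                "host": m["host"],
                "user": m["user"],
                "rhost": fail["rhost"] if fail else "",
                "code": code,
                "pam": PAM_CODES.get(code, "UNKNOWN"),
                "msg": m["msg"],
                "bucket": classify(code),
            })
    return events


def summarize(events):
    """Count failures per (user, rhost), split by triage bucket."""
    summary = defaultdict(lambda: {"backend": 0, "credential": 0})
    for ev in events:
        summary[(ev["user"], ev["rhost"])][ev["bucket"]] += 1
    return dict(summary)


if __name__ == "__main__":
    evs = parse_pam_sss_events(SAMPLE_LOG)
    for ev in evs:
        print(f'{ev["ts"]} {ev["user"]} from {ev["rhost"]}: '
              f'{ev["pam"]} ({ev["msg"]}) -> {ev["bucket"]}')
    for (user, rhost), counts in summarize(evs).items():
        print(user, rhost, counts)
```

Feed it `journalctl -u sshd` or /var/log/secure output instead of SAMPLE_LOG. A run of "backend" results for one user is not a brute-force signal; it means the login path (here, the AD user with an alternative UPN suffix) is not being resolved or authenticated by SSSD at all, which is exactly the case where the sshd log says nothing further and the sssd logs are the only useful evidence.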