On Tue, 16 Feb 2016, Nathan Peters wrote:
I have created a trust between my FreeIPA domain and an active
directory domain.  I can get a kerberos ticket properly from the other
domain at the command line on the IPA server.  I have also created sudo
and HBAC rules to allow my AD users to logon to the IPA domain
controller using the recommended nested external group setup.
However, I can not actually login to the machines.

I should note that our AD domain is office.mydomain.net, but we use
alternative UPN suffixes so the usernames are u...@mydomain.net.

I read the patch notes and apparently support for client referrals that
will allow alternate UPN suffixes in trusted domains was added in
FreeIPA 4.2.1.

Is there anything special I need to do to configure it beyond the
creation of the original trust?  Do I need to set special options in
krb5.conf or sssd.conf to get it to work?
Not sure what are you trying to achieve. In the output of your 'kinit'
call you are not talking to IPA KDC. Instead, you are talking directly
to your AD DCs.  You can verify it by setting KRB5_TRACE=/dev/stderr in
the environment where you would run 'kinit user@AD'. How is IPA KDC

Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= 
Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: pam_sss(sshd:auth): received for 
user nathan.pet...@mydomain.net: 4 (System error)
Feb 16 14:10:23 dc1-ipa-dev-nvan sshd[2019]: Failed password for 
nathan.pet...@mydomain.net from port 9577 ssh2
Feb 16 14:10:25 dc1-ipa-dev-nvan sshd[2019]: error: Received disconnect from 13: Unable to authenticate [preauth]
Feb 16 14:10:25 dc1-ipa-dev-nvan sshd[2019]: Disconnected from 
Use https://fedorahosted.org/sssd/wiki/Troubleshooting to produce sssd
logs that can be analyzed. The logs above are mostly useless, they don't
tell anything.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to