We successfully installed ipa-server, and then successfully joined an AD in
a one-way trust.
All in IPA are CentOS 7.2 with the latest updates.

I can successfully get info from AD by using: $id username on the server.

I can successfully *join* the new ipa server with a client using
ipa-client-install. (both on stdout and /var/log/ipaclient-install look

I have followed these instructions to add an external mapped group, an
internal group and a HBAC.


But, for some reason I can't then log in to that client using AD

In fact, on the client in question, all indicators are that the username
being used is "unknown". I see little to nothing in /var/log/sssd/*, a few
lines, late, in /var/log/dirsrv/slapd..../. Most of the live logging of
auth seems to be in /var/log/secure.

My feeling is that the client successfully joins, but then isn't using sssd
as its authentication system.

Where should I start looking? The logs aren't showing me anything of note.
What should I test? How can I test?

I have had this working previously on a test domain, but it's hard to know
what I've done differently due to time and how long it took to get it
working last time.


The most dangerous phrase in the language is, "We've always done it this

- Grace Hopper