On Sun, May 15, 2016 at 11:11:27AM +1000, Lachlan Musicman wrote:
> Hola,
>
> We successfully installed ipa-server, and then successfully joined an AD in
> a one way trust.
> All in IPA are Centos 7.2 latest updates.
>
> I can successfully get info from AD by using: $id username on the server.
>
> I can successfully *join* the new ipa server with a client using
> ipa-client-install. (both on stdout and /var/log/ipaclient-install look
> good).
>
> I have followed these instructions to add an external mapped group, an
> internal group and a HBAC.
>
> http://www.freeipa.org/page/Active_Directory_trust_setup
>
> But, for some reason I can't then login to that client using AD
> credentials.
>
> In fact, on the client in question, all indicators are that the username
> being used is "unknown". I see little to nothing in /var/log/sssd/*, a few
> lines, late, in /var/log/dirsrv/slapd..../. Most of the live logging of
> auth seems to be in /var/log/secure.

SSSD doesn't log anything except critical failures by default. Please follow
https://fedorahosted.org/sssd/wiki/Troubleshooting to see what's going on
on the client.

> My feeling is that the client successfully joins, but then isn't using sssd
> as its authentication system.
>
> Where should I start looking? The logs aren't showing me anything of note.
> What should I test? How can I test?
>
> I have had this working previously on a test domain, but it's hard to know
> what I've done differently due to time and how long it took to get it
> working last time.
>
> Cheers
> L.
>
> ------
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
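
Added example, not part of the original thread and not SSSD or FreeIPA tooling: a sketch of the two checks the exchange above points at, raising SSSD's log verbosity and confirming that NSS lookups actually go through SSSD. The function names, the sample files and the level 6 are assumptions made for illustration; `debug_level` is the sssd.conf option and `sss` the nsswitch.conf source name.

```shell
#!/bin/sh
# Added example; the file paths passed in are copies, not the live configs.

# Print config $1 with debug_level = $2 in every [section]; existing
# debug_level lines are dropped first, so re-running gives the same result.
sssd_with_debug() {
    awk -v lvl="$2" '
        /^[ \t]*debug_level[ \t]*=/ { next }
        { print }
        /^[ \t]*\[.*\][ \t]*$/ { print "debug_level = " lvl }
    ' "$1"
}

# Succeed if database $2 (passwd, group, ...) in nsswitch file $1 lists "sss".
nss_uses_sss() {
    awk -v db="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample files (hypothetical domain name, not from the thread).
demo_dir=$(mktemp -d)
cat > "$demo_dir/sssd.conf" <<'EOF'
[sssd]
services = nss, pam
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
debug_level = 2

[nss]

[pam]
EOF
printf 'passwd: files sss\ngroup: files\n' > "$demo_dir/nsswitch.conf"

sssd_with_debug "$demo_dir/sssd.conf" 6
for db in passwd group; do
    if nss_uses_sss "$demo_dir/nsswitch.conf" "$db"; then
        echo "$db: sss is consulted"
    else
        echo "$db: sss is not listed"
    fi
done
```

On a real client the rewritten file would replace /etc/sssd/sssd.conf and sssd would need a restart before the extra detail shows up under /var/log/sssd/.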
