On Sun, May 15, 2016 at 11:11:27AM +1000, Lachlan Musicman wrote:
> Hola,
> 
> We successfully installed ipa-server, and then successfully joined an AD in
> a one way trust.
> All in IPA are Centos 7.2 latest updates.
> 
> I can successfully get info from AD by using: $id username on the server.
> 
> I can successfully *join* the new ipa server with a client using
> ipa-client-install. (both on stdout and /var/log/ipaclient-install look
> good).
> 
> I have followed these instructions to add an external mapped group, an
> internal group and a HBAC.
> 
> http://www.freeipa.org/page/Active_Directory_trust_setup
> 
> 
> But, for some reason I can't then log in to that client using AD
> credentials.
> 
> In fact, on the client in question, all indicators are that the username
> being used is "unknown". I see little to nothing in /var/log/sssd/*, a few
> lines, late, in /var/log/dirsrv/slapd..../. Most of the live logging of
> auth seems to be in /var/log/secure.

SSSD doesn't log anything except critical failures by default. Please
follow https://fedorahosted.org/sssd/wiki/Troubleshooting to see what's
going on on the client.

> 
> My feeling is that the client successfully joins, but then isn't using sssd
> as its authentication system.
> 
> Where should I start looking? The logs aren't showing me anything of note.
> What should I test? How can I test?
> 
> I have had this working previously on a test domain, but it's hard to know
> what I've done differently due to time and how long it took to get it
> working last time.
> 
> Cheers
> L.
> 
> 
> 
> 
> ------
> The most dangerous phrase in the language is, "We've always done it this
> way."
> 
> - Grace Hopper

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
