On Mon, Jul 11, 2016 at 03:46:57AM +0000, pgb205 wrote: > I have successfully established trust and am able to obtain ticket granting > ticketkinit user@AD_DOMAIN.COMI can also do kinit admin@IPA_DOMAIN.COMssh > admin@IPA_DOMAIN.COM also works > however, ssh user@AD_DOMAIN.COM or user@ad_domain.com fails > I have checked that there are no hbac rules other then the default allow_all > rule > in sssd_ssh.log see > permission denied (6) error in sssd_ipa.domain.log file I see > pam_handler_callback 6 permission_denied > in sssd_nss.log Unable to get information from Data ProviderError: 3 Account > info lookup failedWill try to return what we have in cache > in /var/log/secure received for user user@AD_DOMAIN.COM: 6 (Permission > denied) > > I can provided full logs if necessary to diagnose the above problem.
Yes, full SSSD logs with debug_level=10 would be best. > ----------Additionally, I would like to be able to login as user not > user@AD_DOMAIN.COM > My understanding that only thing that I have to change to make this happen is > /etc/krb5.conffor line > [libdefaults] default_realm=AD_DOMAN.COM and then restarting ipa services. No, please do not change the default_realm. This is not related to the issues you are seeing. bye, Sumit > However, when I do this I get failure to restart Samba service > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project