I've set up a FreeIPA server on a CentOS 7 machine and have successfully configured a 2-way trust between it and our Active Directory domain controller. I've also installed ipa-client on an Ubuntu 14.04 machine and have run ipa-client-install, which has apparently successfully joined the FreeIPA domain.
So far, I can successfully do the following:

1. Log into the FreeIPA machine with an AD user account.
2. Log into the Ubuntu machine with a FreeIPA account.
3. Run 'getent passwd <freeipa username>' on the Ubuntu machine and have it return the associated FreeIPA user account details (eg. "jackt:*:1131000005:1131000005:Jack Test:/home/ipa.bbg.net/jackt:/bin/bash")
4. Run 'getent passwd <ad username>' on the Ubuntu machine and have it return the associated AD user account details (eg. "[email protected]: *:1946801107:1946801107::/home/ad.bbg.net/bobt:/bin/bash")

What I can't do is log into the Ubuntu machine with the AD user. I'm using the following SSH command from the command line on my Mac:

ssh -o [email protected] vm1.bbg.com

It asks me for the password, I enter it and it says permissions denied, please try again.

I set the debug level in SSSD on the Ubuntu client to 5 and this is what shows up in the log during the login attempt:

(Tue Aug 9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
(Tue Aug 9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug 9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): domain: ad.bbg.net
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: [email protected]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): service: sshd
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): tty: ssh
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): ruser:
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): rhost: 192.168.100.157
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): priv: 1
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): cli_pid: 16230
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [[email protected]] found.
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_resolve_server_process] (0x0200): Found address for server dc.ipa.bbg.net: [192.168.100.14] TTL 3600
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][ad.bbg.net]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [child_sig_handler] (0x0100): child [16313] finished successfully.

Can anyone explain why it's saying account info lookup failed when it can get the account info fine via getent?

Thanks,
Guy
