On Wed, Sep 21, 2016 at 05:43:29PM +0500, Alexander K wrote:
> Hello,
>
> I'm having troubles with AD users authentication on IPA client.
> I have 3 VMs in my test environment:
> win-dc.windc.local 10.1.97.122 - AD DC server 2012R2
> fedora-dc.demo.loc 10.1.97.120 - fedora 24 + FreeIPA
> wks.demo.loc 10.1.97.121 - IPA client
>
> I have done IPA AD trust setup
> https://www.freeipa.org/page/Active_Directory_trust_setup
>
> AD user can access IPA server:
> login as: [email protected]
> [email protected]@10.1.97.120's password:
> Last login: Wed Sep 21 13:59:36 2016 from 192.168.70.26
> Could not chdir to home directory /home/windc.local/administrator: No such
> file or directory
> -sh-4.3$
>
> IPA user can login IPA client:
> login as: admin
> [email protected]'s password:
> Last login: Wed Sep 21 16:12:31 2016 from 192.168.70.26
> [admin@wks ~]$
>
>
> But AD user can't access IPA client:
> login as: [email protected]
> [email protected]@10.1.97.121's password:
> Access denied
>
> On the other hand, ID works correctly for AD users:
> [root@wks ~]# id [email protected]
> uid=429000500([email protected])
> gid=429000500([email protected])
> groups=429000500([email protected]),429000520(group policy creator
> [email protected]),429000519(enterprise [email protected]),429000513(domain
> [email protected]),429000518(schema [email protected]),429000512(domain
> [email protected])
>
> I have attached logs
> (Last login time is 17:29-17:30)

The domain logs say the authentication takes too long, it might be due to processing the PAC. Try increasing the authentication timeout (krb5_auth_timeout).

>
>
> Any help would be appreciated!
>
>
> --
> Best regards,
> Alexander K
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
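
An added example, not part of the original thread: a small checker that reports the `krb5_auth_timeout` each SSSD domain section is effectively using and writes a raised value, as the reply suggests. The sample `sssd.conf` text, the `[domain/demo.loc]` section name and the 30-second value are constructed assumptions; the 6-second default is the one documented in sssd-krb5(5).

```python
import configparser
import io

# Default from sssd-krb5(5); used when a domain section does not set the option.
SSSD_DEFAULT_KRB5_AUTH_TIMEOUT = 6  # seconds

# Constructed sample; on a real client this is /etc/sssd/sssd.conf.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = demo.loc

[domain/demo.loc]
id_provider = ipa
ipa_server = fedora-dc.demo.loc
"""

def _parse(conf_text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp

def auth_timeouts(conf_text):
    """Return {domain: (timeout_seconds, explicitly_set)} per [domain/...] section."""
    cp = _parse(conf_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        if cp.has_option(section, "krb5_auth_timeout"):
            result[name] = (cp.getint(section, "krb5_auth_timeout"), True)
        else:
            result[name] = (SSSD_DEFAULT_KRB5_AUTH_TIMEOUT, False)
    return result

def set_auth_timeout(conf_text, domain, seconds):
    """Return config text with krb5_auth_timeout set for one domain.
    configparser drops comments on rewrite, so review the result before use."""
    cp = _parse(conf_text)
    section = "domain/" + domain
    if not cp.has_section(section):
        raise KeyError("no section [%s]" % section)
    cp.set(section, "krb5_auth_timeout", str(int(seconds)))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()

if __name__ == "__main__":
    print(auth_timeouts(SAMPLE_CONF))
    print(set_auth_timeout(SAMPLE_CONF, "demo.loc", 30))
```

SSSD reads `sssd.conf` at startup, so a changed value takes effect after the service is restarted.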
