On Tue, Dec 06, 2016 at 10:55:12AM -0500, List dedicated to discussions about
use, configuration and deployment of the IPA server. wrote:
> Still trying to figure out why my AD users in various trusted forests can be
> resolved and "su - <username>" but password checks via SSH logins fail.
Do you call 'su - <username>' as root or do you get a password prompt
here as well. In case you do it as root, can you try if calling it as
a user will accept the password or not?
In the latter case it might be some general issue with password
authentication and the krb5_child.log file with debug_level=10 in the
[domain/...] section of sssd.conf might help to find the reason (maybe
> In the mean time I'm wondering if I should consider upgrading before I go
> much further into the troubleshooting tunnel. It really does seem like there
> has been a ton of action in the codebase specifically relating to AD trusts.
> Maybe I should upgrade first and then keep troubleshooting on the updated
> software. We are not yet in production.
> We have a standard CentOS 7 server running this software set:
> > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-server-dns-4.2.0-15.0.1.el7.centos.19.x86_64
> > python-iniparse-0.4-9.el7.noarch
> > sssd-ipa-1.13.0-40.el7_2.12.x86_64
> > ipa-python-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-client-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-admintools-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.19.x86_64
> > python-libipa_hbac-1.13.0-40.el7_2.12.x86_64
> > libipa_hbac-1.13.0-40.el7_2.12.x86_64
> Would people generally recommend stepping up to the stable 4.3 release on
> CentOS 7? If so are there any repositories that would be a good source for
> grabbing RPMs? Is 4.4 still not being recommended for production use?
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project