On Tue, Dec 06, 2016 at 10:55:12AM -0500, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote:
>
> Still trying to figure out why my AD users in various trusted forests can be
> resolved and "su - <username>" but password checks via SSH logins fail.

Do you call 'su - <username>' as root or do you get a password prompt here as well? In case you do it as root, can you try if calling it as a user will accept the password or not? In the latter case it might be some general issue with password authentication and the krb5_child.log file with debug_level=10 in the [domain/...] section of sssd.conf might help to find the reason (maybe ticket validation?).

bye,
Sumit

>
> In the mean time I'm wondering if I should consider upgrading before I go
> much further into the troubleshooting tunnel. It really does seem like there
> has been a ton of action in the codebase specifically relating to AD trusts.
> Maybe I should upgrade first and then keep troubleshooting on the updated
> software. We are not yet in production.
>
> We have a standard CentOS 7 server running this software set:
>
> > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-server-dns-4.2.0-15.0.1.el7.centos.19.x86_64
> > python-iniparse-0.4-9.el7.noarch
> > sssd-ipa-1.13.0-40.el7_2.12.x86_64
> > ipa-python-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-client-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-admintools-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.19.x86_64
> > python-libipa_hbac-1.13.0-40.el7_2.12.x86_64
> > libipa_hbac-1.13.0-40.el7_2.12.x86_64
>
> Would people generally recommend stepping up to the stable 4.3 release on
> CentOS 7? If so are there any repositories that would be a good source for
> grabbing RPMs? Is 4.4 still not being recommended for production use?
>
> Thanks!
>
> Chris
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project