The authentication indicator stuff was enabled after a little more digging
through the documentation.
But I'd really appreciate if anybody could help me with the keytab issue.
Alternatively, should I look towards PKINIT for getting TGTs that are later
used for SSH, on non-IPA clients?
This additional bit from the logs indicates a failure to retrieve a keytab:
(Thu Feb 11 15:45:13 2021) [sssd[be[ipa.domain.edu]]] [main] (0x0400): Backend
provider (ipa.domain.edu) started!
(Thu Feb 11 15:45:13 2021) [sssd[be[ipa.domain.edu]]] [sss_domain_get_state]
(0x1000): Domain
I know it's been a while, but it took me a bit of testing, and initially I
thought I did a good job, but I just found out I had a small flaw in the logic.
You were right, it's a pam module issue, not IPA or SSH. What happened is, when
deploying our hardened Ubuntu images, we are appending a pam_tally2 line
>
> What is ourserver.edu? In order to log in using Kerberos/GSSAPI then the
> machine acting as the server needs to be enrolled as an IPA client so it
> has a keytab.
> rob
OK I added a Fedora server as a client. From ipa host-show
client.ourserver.edu
Host name: client.ourserver.edu
I have a one-way trust configured to AD. It has been working for a long time
but has stopped and I can't track down what has happened.
`getent passwd user` works on users in IPA, but fails (nothing returned) on AD
users.
Contents of sssd.conf on client:
[domain/ipa.domain.edu]
On Wed, Feb 10, 2021 at 03:09:37PM -0500, Robert Kudyba via FreeIPA-users wrote:
> I tried this on another test server, and configured NIS for the users,
> which are different. Same issue. All the verbose output adds a lot of log
> noise but I'm hoping it provides a clue.
>
> ipactl status
>