Re: [Freeipa-users] Cannot login via SSH with AD user TO IPA Domain.
On Tue, Jan 07, 2014 at 12:00:56AM +0200, Genadi Postrilko wrote:
> sssd_example.com.log after changing the debug level:
> https://gist.github.com/anonymous/8290381#file-sssd_example-com-log

This info from the log:

(Mon Jan 6 13:23:11 2014) [sssd[be[example.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations error(1), (null)
(Mon Jan 6 13:23:11 2014) [sssd[be[example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed

Plus the wbinfo output below indicates that you are seeing a similar kind of error as the user in the thread called "AD - Freeipa trust confusion". Would you mind getting the same debug information on the IPA server? In short, set smbcontrol winbindd debug 10, run the testcase, then revert the debug level. Feel free to check the other thread for some more details on debugging.

> [genadi@ipaserver root]$ wbinfo -u
> (no output)
> [genadi@ipaserver root]$ wbinfo -g
> admins
> editors
> default smb group
> ad_users
> ad_admins
> [genadi@ipaserver root]$ wbinfo --trusted-domains
> BUILTIN
> EXAMPLE
> ADDC
> [genadi@ipaserver root]$ wbinfo -i Administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user Administrator
> [genadi@ipaserver root]$ wbinfo --domain-info ADDC.COM
> Name              : ADDC
> Alt_Name          : addc.com
> SID               : S-1-5-21-33789592-1708006097-2663368750
> Active Directory  : No
> Native            : No
> Primary           : No
>
> 2014/1/6 Jakub Hrozek <jhro...@redhat.com>:
>> On Fri, Jan 03, 2014 at 07:29:54PM +0200, Genadi Postrilko wrote:
>>> Here are the other logs as well (ldap_child.log, sssd_pac.log, sssd_ssh.log).
>>> https://gist.github.com/anonymous/8242061
>>> I attempted to log in (as administra...@addc.com) at 9:04.
>>> Thanks for the help.
>>
>> You need the *domain* log.
>> According to the logs, your domain is called example.com, so you need to put debug_level=6 (or higher, but 6 should be enough) into the section called [domain/example.com] in sssd.conf, restart sssd, attempt the login and then attach /var/log/sssd/sssd_example.com.log
>> Given that SSSD is complaining about not being able to find the user, I suspect a similar problem as in the other thread, that is, Winbind on the server not being able to talk to the AD. Does wbinfo -u $user work on the server?
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
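As an added example (not from the thread or the SSSD project), here is a small parser for the SSSD domain-log line format quoted above. It splits each line into timestamp, process, domain, function and debug level, picks out the entries logged at a failure level, and pulls the LDAP result code out of the ipa_s2n_exop_done line; the sample is constructed from the two lines quoted here plus two illustrative trace lines in the same format.

```python
import re

# Constructed sample: the two lines quoted in this thread plus two filler entries
# in the same format (the filler function names and messages are illustrative).
SAMPLE_DOMAIN_LOG = """\
(Mon Jan  6 13:23:11 2014) [sssd[be[example.com]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=administrator@addc.com]
(Mon Jan  6 13:23:11 2014) [sssd[be[example.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Mon Jan  6 13:23:11 2014) [sssd[be[example.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations error(1), (null)
(Mon Jan  6 13:23:11 2014) [sssd[be[example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed
"""

# One SSSD log line: (timestamp) [sssd[process[domain]]] [function] (level): message
# The [domain] part is present for backend (be) processes and absent for e.g. [sssd[nss]].
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) "
    r"\[sssd\[(?P<process>[^\[\]]+)(?:\[(?P<domain>[^\]]*)\])?\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# SSSD debug-level bits that denote failures (fatal, critical, operation, minor);
# 0x0100 and above are configuration and trace output.
FAILURE_LEVELS = {0x0010, 0x0020, 0x0040, 0x0080}

EXOP_RESULT_RE = re.compile(r"ldap_extended_operation result: (?P<text>.+?)\((?P<code>\d+)\)")


def parse_sssd_log(text):
    """Parse domain-log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["level"] = int(e["level"], 16)
        entries.append(e)
    return entries


def failures(entries):
    """Entries logged at a failure level, e.g. 'ipa_s2n_get_user_done (0x0040)'."""
    return [e for e in entries if e["level"] in FAILURE_LEVELS]


def s2n_exop_result(entries):
    """Return (result text, LDAP result code) from the ipa_s2n_exop_done line, or None.

    A non-zero code means the extended operation the client sent to the IPA server
    failed; in this thread that is tied to winbind on the IPA server not reaching AD,
    so the user never becomes resolvable and pam_sss is never reached.
    """
    for e in entries:
        if e["func"] == "ipa_s2n_exop_done":
            m = EXOP_RESULT_RE.search(e["msg"])
            if m:
                return m.group("text"), int(m.group("code"))
    return None


if __name__ == "__main__":
    entries = parse_sssd_log(SAMPLE_DOMAIN_LOG)
    for e in failures(entries):
        print(f"{e['ts']} {e['domain']} {e['func']}: {e['msg']}")
    print("s2n exop result:", s2n_exop_result(entries))
```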
Re: [Freeipa-users] Cannot login via SSH with AD user TO IPA Domain.
sssd_example.com.log after changing the debug level:
https://gist.github.com/anonymous/8290381#file-sssd_example-com-log

[genadi@ipaserver root]$ wbinfo -u
(no output)
[genadi@ipaserver root]$ wbinfo -g
admins
editors
default smb group
ad_users
ad_admins
[genadi@ipaserver root]$ wbinfo --trusted-domains
BUILTIN
EXAMPLE
ADDC
[genadi@ipaserver root]$ wbinfo -i Administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user Administrator
[genadi@ipaserver root]$ wbinfo --domain-info ADDC.COM
Name              : ADDC
Alt_Name          : addc.com
SID               : S-1-5-21-33789592-1708006097-2663368750
Active Directory  : No
Native            : No
Primary           : No

2014/1/6 Jakub Hrozek <jhro...@redhat.com>:
> On Fri, Jan 03, 2014 at 07:29:54PM +0200, Genadi Postrilko wrote:
>> Here are the other logs as well (ldap_child.log, sssd_pac.log, sssd_ssh.log).
>> https://gist.github.com/anonymous/8242061
>> I attempted to log in (as administra...@addc.com) at 9:04.
>> Thanks for the help.
>
> You need the *domain* log.
> According to the logs, your domain is called example.com, so you need to put debug_level=6 (or higher, but 6 should be enough) into the section called [domain/example.com] in sssd.conf, restart sssd, attempt the login and then attach /var/log/sssd/sssd_example.com.log
> Given that SSSD is complaining about not being able to find the user, I suspect a similar problem as in the other thread, that is, Winbind on the server not being able to talk to the AD. Does wbinfo -u $user work on the server?
Re: [Freeipa-users] Cannot login via SSH with AD user TO IPA Domain.
> What is content of the log when SSSD is doing auth?

When I log in with an IPA domain client, the output of the log is (anything non standard?):

Jan 5 12:08:37 ipaserver sshd[24434]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1 user=r...@example.com
Jan 5 12:08:37 ipaserver sshd[24434]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1 user=r...@example.com
Jan 5 12:08:37 ipaserver sshd[24434]: Accepted password for ron@EXAMPLE.COM from 192.168.227.1 port 57144 ssh2
Jan 5 12:08:37 ipaserver sshd[24434]: pam_unix(sshd:session): session opened for user r...@example.com by (uid=0)

Here is the /etc/pam.d/system-auth file: https://gist.github.com/anonymous/8273507
It does contain the pam_sss.so module.

When I created the environment, first I installed the IPA server, then joined the IPA clients and finally created the trust.

2014/1/5 Dmitri Pal <d...@redhat.com>:
> On 01/04/2014 06:13 PM, Genadi Postrilko wrote:
>> Output from /var/log/secure:
>> Jan 4 15:03:02 ipaserver sshd[5958]: Invalid user Administrator@ADDC.COM from 192.168.227.1
>> Jan 4 15:03:02 ipaserver sshd[5959]: input_userauth_request: invalid user administra...@addc.com
>> Jan 4 15:03:06 ipaserver sshd[5958]: pam_unix(sshd:auth): check pass; user unknown
>> Jan 4 15:03:06 ipaserver sshd[5958]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1
>> Jan 4 15:03:06 ipaserver sshd[5958]: pam_succeed_if(sshd:auth): error retrieving information about user administra...@addc.com
>> Jan 4 15:03:08 ipaserver sshd[5958]: Failed password for invalid user administra...@addc.com from 192.168.227.1 port 53125 ssh2
>
> I do not see SSSD doing auth. Is pam_sss configured for PAM for SSH?
> See more details here:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#installing-host-keys
> http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf
>
> I do not see a simple HowTo to configure SSH to use SSSD for cases when ipa-client-install is not used. Maybe we should provide one.
> The expectation is: you install IPA, create trust, join the client to IPA using ipa-client-install and it configures everything you need. The order of the last two steps can be reversed but the result should be the same.
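As an added example (not part of the thread), the script below classifies sshd login attempts from /var/log/secure lines like the ones above, grouped by sshd pid, and reports whether pam_sss ever ran, which is the distinction Dmitri is asking about: in the failed attempt the user lookup fails and the PAM stack stops before pam_sss, in the successful one pam_sss answers. The sample lines are constructed from the excerpts in this thread, with the obfuscated addresses written out.

```python
import re

# Constructed sample, modelled on the /var/log/secure excerpts in this thread:
# a failed attempt by a trusted-domain user and a successful one by an IPA user.
SAMPLE_SECURE = """\
Jan  4 15:03:02 ipaserver sshd[5958]: Invalid user Administrator@ADDC.COM from 192.168.227.1
Jan  4 15:03:02 ipaserver sshd[5959]: input_userauth_request: invalid user Administrator@ADDC.COM
Jan  4 15:03:06 ipaserver sshd[5958]: pam_unix(sshd:auth): check pass; user unknown
Jan  4 15:03:06 ipaserver sshd[5958]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1
Jan  4 15:03:06 ipaserver sshd[5958]: pam_succeed_if(sshd:auth): error retrieving information about user Administrator@ADDC.COM
Jan  4 15:03:08 ipaserver sshd[5958]: Failed password for invalid user Administrator@ADDC.COM from 192.168.227.1 port 53125 ssh2
Jan  5 12:08:37 ipaserver sshd[24434]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1 user=ron@example.com
Jan  5 12:08:37 ipaserver sshd[24434]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1 user=ron@example.com
Jan  5 12:08:37 ipaserver sshd[24434]: Accepted password for ron@EXAMPLE.COM from 192.168.227.1 port 57144 ssh2
Jan  5 12:08:37 ipaserver sshd[24434]: pam_unix(sshd:session): session opened for user ron@example.com by (uid=0)
"""

SSHD_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM_RE = re.compile(r"^(?P<module>pam_\w+)\(sshd:(?P<type>\w+)\): (?P<text>.*)$")
USER_RES = (
    re.compile(r"^Invalid user (?P<user>\S+) from "),
    re.compile(r"^(?:Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from "),
    re.compile(r"\buser=(?P<user>\S+)\s*$"),   # 'ruser=' does not match: no word boundary
)


def extract_user(msg):
    for rx in USER_RES:
        m = rx.search(msg)
        if m:
            return m.group("user")
    return None


def diagnose(a):
    """Explain, from the PAM modules that actually logged, whether sssd was involved."""
    if "pam_sss" in a["modules"]:
        return "pam_sss handled the authentication"
    if a["lookup_failed"]:
        return ("user not resolvable through NSS, so the stack stopped before pam_sss; "
                "check getent passwd and the sssd domain log")
    return "no pam_sss activity; check that pam_sss.so is in the sshd PAM stack"


def classify_attempts(log_text):
    """Group sshd lines by the parent sshd pid and summarise each login attempt."""
    attempts = {}
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        # The privsep child logs under its own pid and carries no PAM information.
        if msg.startswith("input_userauth_request"):
            continue
        a = attempts.setdefault(m.group("pid"), {
            "user": None, "modules": [], "lookup_failed": False, "outcome": "unknown"})
        user = extract_user(msg)
        if user and a["user"] is None:
            a["user"] = user
        pm = PAM_RE.match(msg)
        if pm:
            if pm.group("module") not in a["modules"]:
                a["modules"].append(pm.group("module"))
            if "user unknown" in pm.group("text") or "error retrieving information" in pm.group("text"):
                a["lookup_failed"] = True
        if msg.startswith("Invalid user "):
            a["lookup_failed"] = True
        elif msg.startswith("Accepted "):
            a["outcome"] = "accepted"
        elif msg.startswith("Failed "):
            a["outcome"] = "failed"
    for a in attempts.values():
        a["hint"] = diagnose(a)
    return attempts


if __name__ == "__main__":
    for pid, a in classify_attempts(SAMPLE_SECURE).items():
        print(pid, a["user"], a["outcome"], a["modules"], "->", a["hint"])
```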
Re: [Freeipa-users] Cannot login via SSH with AD user TO IPA Domain.
Output from /var/log/secure:

Jan 4 15:03:02 ipaserver sshd[5958]: Invalid user Administrator@ADDC.COM from 192.168.227.1
Jan 4 15:03:02 ipaserver sshd[5959]: input_userauth_request: invalid user administra...@addc.com
Jan 4 15:03:06 ipaserver sshd[5958]: pam_unix(sshd:auth): check pass; user unknown
Jan 4 15:03:06 ipaserver sshd[5958]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.1
Jan 4 15:03:06 ipaserver sshd[5958]: pam_succeed_if(sshd:auth): error retrieving information about user administra...@addc.com
Jan 4 15:03:08 ipaserver sshd[5958]: Failed password for invalid user administra...@addc.com from 192.168.227.1 port 53125 ssh2
Re: [Freeipa-users] Cannot login via SSH with AD user TO IPA Domain.
On Fri, Jan 03, 2014 at 12:33:16AM +0200, Genadi Postrilko wrote:
> Here are the sssd.log, sssd_nss.log. Other logs were empty or did not contain the output for the relevant log in.
> https://gist.github.com/anonymous/8228284

According to the gist, you only provided the debug logs from the [sssd] and [nss] sections. Can you also paste the logs from the [domain/xxx] section?
Re: [Freeipa-users] Cannot login via SSH with AD user TO IPA Domain.
Here are the other logs as well (ldap_child.log, sssd_pac.log, sssd_ssh.log).
https://gist.github.com/anonymous/8242061
I attempted to log in (as administra...@addc.com) at 9:04.
Thanks for the help.
[Freeipa-users] Cannot login via SSH with AD user TO IPA Domain.
Hi all.
I have a running IPA Server (3.0.0-37) on RHEL 6.2. I'm trying to create a Trust between the IPA server and AD (in different DNS domains). I followed the Red Hat guide https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/pdf/Identity_Management_Guide/Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US.pdf .

When I completed the needed steps to create the trust and retrieved a krb ticket from the AD server:

[root@ipaserver ~]# kinit administra...@addc.com
Password for administra...@addc.com:
[root@ipaserver ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@addc.com

Valid starting     Expires            Service principal
01/02/14 12:20:30  01/02/14 22:20:34  krbtgt/addc@addc.com
        renew until 01/03/14 12:20:30

But when I try to connect to the IPA server via SSH (PuTTY) I get an Access denied message:

login as: administra...@addc.com
administra...@addc.com@192.168.227.128's password:
Access denied

Any ideas on what I could have done wrong in the process of creating the trust?
Thank you in advance.
Re: [Freeipa-users] Cannot login via SSH with AD user TO IPA Domain.
Genadi Postrilko wrote:
> Hi all.
> I have a running IPA Server (3.0.0-37) on RHEL 6.2. I'm trying to create a Trust between the IPA server and AD (in different DNS domains).
> [...]
> But when I try to connect to the IPA server via SSH (PuTTY) I get an Access denied message:
> [...]
> Any ideas on what I could have done wrong in the process of creating the trust?

I'd check the sssd logs and /var/log/secure. Do you have any HBAC rules?

rob
Re: [Freeipa-users] Cannot login via SSH with AD user TO IPA Domain.
It's a newly installed IPA Server, I haven't added any Rules.
The relevant output from /var/log/secure:

Jan 2 13:36:24 ipaserver sshd[4864]: Invalid user from 192.168.227.100
Jan 2 13:36:24 ipaserver sshd[4865]: input_userauth_request: invalid user
Jan 2 13:36:26 ipaserver sshd[4865]: Connection closed by 192.168.227.100
Jan 2 13:36:35 ipaserver sshd[4868]: Invalid user Administrator@ADDC.COM from 192.168.227.100
Jan 2 13:36:35 ipaserver sshd[4869]: input_userauth_request: invalid user administra...@addc.com
Jan 2 13:36:44 ipaserver sshd[4868]: pam_unix(sshd:auth): check pass; user unknown
Jan 2 13:36:44 ipaserver sshd[4868]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.100
Jan 2 13:36:44 ipaserver sshd[4868]: pam_succeed_if(sshd:auth): error retrieving information about user administra...@addc.com
Jan 2 13:36:46 ipaserver sshd[4868]: Failed password for invalid user administra...@addc.com from 192.168.227.100 port 62484 ssh2

2014/1/2 Rob Crittenden <rcrit...@redhat.com>:
> I'd check the sssd logs and /var/log/secure. Do you have any HBAC rules?
Re: [Freeipa-users] Cannot login via SSH with AD user TO IPA Domain.
On 01/02/2014 04:45 PM, Genadi Postrilko wrote:
> It's a newly installed IPA Server, I haven't added any Rules.
> The relevant output from /var/log/secure:
> [...]
> Jan 2 13:36:44 ipaserver sshd[4868]: pam_unix(sshd:auth): check pass; user unknown
> Jan 2 13:36:44 ipaserver sshd[4868]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.100
> Jan 2 13:36:44 ipaserver sshd[4868]: pam_succeed_if(sshd:auth): error retrieving information about user administra...@addc.com
> Jan 2 13:36:46 ipaserver sshd[4868]: Failed password for invalid user administra...@addc.com from 192.168.227.100 port 62484 ssh2

Looks like an error similar to what I see in the other thread. Unfortunately we might need to wait till Monday for Alexander, Sumit and Jakub to come back and provide help.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] Cannot login via SSH with AD user TO IPA Domain.
If you add

    debug_level = 5

into every section of /etc/sssd/sssd.conf
Restart sssd
Try and log in again
cat /var/log/sssd/*
And paste that somewhere.

On 2 January 2014 21:45, Genadi Postrilko <genadip...@gmail.com> wrote:
> It's a newly installed IPA Server, I haven't added any Rules.
> The relevant output from /var/log/secure:
> [...]
Re: [Freeipa-users] Cannot login via SSH with AD user TO IPA Domain.
Here are the sssd.log, sssd_nss.log. Other logs were empty or did not contain the output for the relevant log in.
https://gist.github.com/anonymous/8228284

2014/1/2 Dmitri Pal <d...@redhat.com>:
> On 01/02/2014 04:45 PM, Genadi Postrilko wrote:
>> It's a newly installed IPA Server, I haven't added any Rules.
>> The relevant output from /var/log/secure:
>> [...]
>
> Looks like an error similar to what I see in the other thread. Unfortunately we might need to wait till Monday for Alexander, Sumit and Jakub to come back and provide help.