[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-15 Thread Alexandre Pitre via FreeIPA-users
Hi Alexander, You're correct, turns out I wasn't using the correct domain for the --domain parameter. I thought I was. Here's the command I used. ipa-client-install -U -p admin -w Passw0rd! --enable-dns-updates --mkhomedir --domain=ipa.ad.com --realm=IPA.AD.COM --no-ntp --debug All of my

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-15 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 14 Aug 2017, Alexandre Pitre via FreeIPA-users wrote: Although the explanation from Alexander Bokovoy made perfect sense, I'm still facing the issue after I re-established the AD trust successfully: (Tue Aug 15 02:23:40 2017) [sssd[be[domain.ad.com]]] [sdap_cli_auth_step] (0x1000): the

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-14 Thread Alexandre Pitre via FreeIPA-users
Although the explanation from Alexander Bokovoy made perfect sense, I'm still facing the issue after I re-established the AD trust successfully: (Tue Aug 15 02:23:40 2017) [sssd[be[domain.ad.com]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1502764720 (Tue Aug 15 02:23:40 2017)

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-12 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 09 Aug 2017, Jakub Hrozek via FreeIPA-users wrote: On 9 Aug 2017, at 16:26, Alexandre Pitre wrote: If your hosts are in the IPA subdomain, then I would have expected centos.ipa.ad.com The centos client has a hostname set to

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 9 Aug 2017, at 16:26, Alexandre Pitre wrote: > > If your hosts are in the IPA subdomain, then I would have expected > centos.ipa.ad.com > > The centos client has a hostname set to centos.domain.ad.com >

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-09 Thread Alexandre Pitre via FreeIPA-users
If your hosts are in the IPA subdomain, then I would have expected centos.ipa.ad.com The centos client has a hostname set to centos.domain.ad.com I'm using an FQDN hostname based on the required DNS domain, not the IPA Kerberos realm. Hence why centos.domain.ad.com. To explain further, it'll

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 7 Aug 2017, at 20:02, Alexandre Pitre via FreeIPA-users > wrote: > > The client is in the IPA domain. Although it's sub-domain of ad.com > , I did delegate it and configure the IPA servers as name > servers. It uses a different

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-07 Thread Alexandre Pitre via FreeIPA-users
The client is in the IPA domain. Although it's a sub-domain of ad.com, I did delegate it and configure the IPA servers as name servers. It uses a different domain suffix than the IPA realm, which was specified by ipa-client-install: ipa-client-install -U -p admin -w Passw0rd! --enable-dns-updates

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-07 Thread Jakub Hrozek via FreeIPA-users
> On 7 Aug 2017, at 18:11, Alexandre Pitre wrote: > > Clearing the sssd cache makes the AD login work for a short while; it's > probably not necessary nor "production" ready. Looking at > /var/log/sssd/sssd_domain.ad.com. Sure, but

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-07 Thread Alexandre Pitre via FreeIPA-users
Clearing the sssd cache makes the AD login work for a short while; it's probably not necessary nor "production" ready. Looking at /var/log/sssd/sssd_domain.ad.com, I do see offline messages: (Mon Aug 7 15:19:47 2017) [sssd[be[domain.ad.com]]] [sdap_id_op_connect_done] (0x0020): Failed to

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-06 Thread Jakub Hrozek via FreeIPA-users
> On 4 Aug 2017, at 23:08, Alexandre Pitre via FreeIPA-users > wrote: > > Turns out, I'm still getting the same problem. It works right away after I > force clean the sssd cache: systemctl stop sssd ; rm -f /var/lib/sss/db/* > /var/log/sssd/* ; systemctl

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-04 Thread Alexandre Pitre via FreeIPA-users
Turns out, I'm still getting the same problem. It works right away after I force clean the sssd cache: systemctl stop sssd ; rm -f /var/lib/sss/db/* /var/log/sssd/* ; systemctl start sssd After some time, trying to log back on the same system I see the login prompt is much quicker when I type

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-07-31 Thread Alexandre Pitre via FreeIPA-users
Bullseye, Jakub, that did the trick. I should have posted for help on the mailing list sooner. Thank you so much, you are saving my ass. It makes sense to increase krb5_auth_timeout as my AD domain controller servers are worldwide. Currently they exist in 3 regions: North America, Europe and

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-07-27 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jul 27, 2017 at 02:34:06AM -0400, Alexandre Pitre via FreeIPA-users wrote: > I uploaded krb5_child.log and ldap_child.log to > https://1drv.ms/f/s!AlZwwyQE2ZZ5p2b5ROa15PBkAEQD I think the child just times out during TGT validation, see: (Thu Jul 27 06:01:20 2017)
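The diagnosis in this thread (krb5_child timing out during TGT validation, fixed by raising krb5_auth_timeout) and the offline messages Alexandre quoted from sssd_domain.ad.com both come down to reading SSSD's logs and its config. What follows is an added example for this page, not code from SSSD, FreeIPA or anyone in the thread: it parses log lines in the layout quoted above into per-backend offline episodes (how long each outage lasted before the backend recovered), and reports the effective krb5_auth_timeout of a domain section, falling back to the 6 second default documented in sssd-krb5(5). The sample log lines and config fragments are constructed for illustration; the "Going online" recovery marker and the 30 second value in the corrected config are assumptions, since the thread does not state the number that was used.

```python
"""Triage helpers for an SSSD client that intermittently goes offline.

Added example for this thread, not code from SSSD or FreeIPA. It parses the
log-line layout quoted in the thread ("(ctime) [sssd[be[DOMAIN]]] [function]
(0xLEVEL): message") and an sssd.conf fragment. The sample log lines and the
config fragments below are constructed for illustration, not captured output.
"""
import configparser
import re
from datetime import datetime

# One SSSD log line, e.g.
# (Mon Aug  7 15:19:47 2017) [sssd[be[domain.ad.com]]] [sdap_id_op_connect_done] (0x0020): Failed to ...
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\)\s+"                 # ctime-style timestamp
    r"\[sssd\[(?P<component>.+?)\]\]\s+"     # be[DOMAIN], krb5_child[PID], ...
    r"\[(?P<func>[^\]]+)\]\s+"               # function that logged the message
    r"\((?P<level>0x[0-9a-fA-F]+)\):\s*"     # debug level bitmask
    r"(?P<msg>.*)$"
)

# Marker the thread shows for the backend giving up on its LDAP connection.
OFFLINE_FUNC = "sdap_id_op_connect_done"
OFFLINE_LEVEL = 0x0020
# Assumption for this example: the backend announces recovery with a message
# containing "Going online". Adjust to whatever your sssd version logs.
ONLINE_MARKER = "Going online"

# Documented default for krb5_auth_timeout in sssd-krb5(5), in seconds.
DEFAULT_KRB5_AUTH_TIMEOUT = 6


def parse_line(line):
    """Return a dict for a recognised SSSD log line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # ctime pads single-digit days with a space; collapse runs of spaces first.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    comp = m["component"]
    backend = comp[3:-1] if comp.startswith("be[") and comp.endswith("]") else None
    return {"ts": ts, "component": comp, "backend": backend,
            "func": m["func"], "level": int(m["level"], 16), "msg": m["msg"]}


def offline_episodes(lines):
    """Pair each 'Failed to connect' event with the next recovery for its backend.

    Returns one dict per episode; 'online_at' and 'seconds' stay None while the
    backend is still offline at the end of the log.
    """
    open_episodes = {}   # backend -> episode dict still waiting for recovery
    episodes = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["backend"] is None:
            continue
        be = ev["backend"]
        went_offline = (ev["func"] == OFFLINE_FUNC and ev["level"] == OFFLINE_LEVEL
                        and ev["msg"].startswith("Failed to connect"))
        if went_offline and be not in open_episodes:
            ep = {"backend": be, "offline_at": ev["ts"], "reason": ev["msg"],
                  "online_at": None, "seconds": None}
            open_episodes[be] = ep
            episodes.append(ep)
        elif ONLINE_MARKER in ev["msg"] and be in open_episodes:
            ep = open_episodes.pop(be)
            ep["online_at"] = ev["ts"]
            ep["seconds"] = int((ev["ts"] - ep["offline_at"]).total_seconds())
    return episodes


def effective_krb5_auth_timeout(conf_text, domain):
    """krb5_auth_timeout for [domain/<domain>], falling back to the documented default."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.getint("domain/%s" % domain, "krb5_auth_timeout",
                     fallback=DEFAULT_KRB5_AUTH_TIMEOUT)


# Constructed sample: two offline episodes, the second still open.
SAMPLE_LOG = """\
(Mon Aug  7 15:19:47 2017) [sssd[be[domain.ad.com]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Mon Aug  7 15:19:47 2017) [sssd[be[domain.ad.com]]] [be_ptask_create] (0x0400): Periodic task [Check if online] was created
(Mon Aug  7 15:20:48 2017) [sssd[be[domain.ad.com]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Mon Aug  7 15:31:02 2017) [sssd[be[domain.ad.com]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
"""

# Constructed sssd.conf fragments: the first leaves krb5_auth_timeout at the
# 6 s default; the second raises it (30 s is an illustrative value, the thread
# does not state the number that was used).
WEAK_CONF = """\
[sssd]
domains = domain.ad.com
services = nss, pam

[domain/domain.ad.com]
id_provider = ipa
"""
FIXED_CONF = WEAK_CONF + "krb5_auth_timeout = 30\n"

if __name__ == "__main__":
    for ep in offline_episodes(SAMPLE_LOG.splitlines()):
        print("%s offline at %s, back after %s s: %s"
              % (ep["backend"], ep["offline_at"], ep["seconds"], ep["reason"]))
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print("%s: krb5_auth_timeout = %d s"
              % (name, effective_krb5_auth_timeout(conf, "domain.ad.com")))
```

Run it against a real /var/log/sssd/sssd_DOMAIN.log by feeding the file's lines to offline_episodes(); an episode that never closes, or a string of short episodes, is the pattern Alexandre described (logins work right after a cache wipe, then stop), and the config check tells you whether the domain is still on the 6 second default before you go looking elsewhere.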