Hello,

I have created a FreeIPA solution using Red Hat’s IDM product.
FreeIPA version: 4.5.0
OS version: RHEL 7.4

I have successfully installed the server portion and can authenticate to it 
using local IDM users, such as the ‘admin’ user. I have created a one-way trust 
between the IPA realm and an AD realm successfully, as `ipa trust-show` 
demonstrates, returning the SID of the domain. I have also created the local 
POSIX and external groups and mapped them. `ipa group-show <extgroupname>` 
returns the external member SID just fine.

However, I cannot authenticate to the server over SSH using one of those AD 
users. I’ve checked the HBAC rules and they are fine. One thing I noticed when 
monitoring the secure log while testing is that the IDM users make a call to 
pam_sss, as expected, but the AD users do not. I have tried multiple ways of 
passing the user and all are rejected -- user@netbios, user@domainfqdn, 
netbios\user, and domainfqdn\user.

The user in question is in a single group in AD, and it has been tested with 
the group being both Domain Local and Universal, with the same results. There is 
only one member of the group, the user that I am attempting to log in with.

Have I missed something?

David Eddleman

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
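The poster's diagnostic step, comparing which PAM modules sshd invokes for IDM users versus AD users in the secure log, is easy to make systematic. The script below is an added example, not part of the original post or of FreeIPA; it groups sshd lines by process id, records the `pam_*` modules each attempt touched, flags attempts that sshd rejected as an invalid (unresolvable) user, and prints a next check for each. The log excerpt, host name, user `jdoe`, realm `ad.example.test` and client address are all constructed for the example; the line formats follow the style of `/var/log/secure` on RHEL 7.

```python
"""Triage sshd entries from a /var/log/secure excerpt: which PAM modules
each login attempt consulted, and whether pam_sss was among them."""
import re
from collections import OrderedDict

# Constructed sample lines in the style of /var/log/secure (not real data).
# PID 2101: a local IDM user that reaches pam_sss and succeeds.
# PID 2140: an AD user that sshd rejects as "Invalid user" before any PAM
#           module is logged, which points at NSS resolution (sssd), not HBAC.
SAMPLE_LOG = """\
Oct 10 12:00:01 ipa01 sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=admin
Oct 10 12:00:01 ipa01 sshd[2101]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=admin
Oct 10 12:00:01 ipa01 sshd[2101]: Accepted password for admin from 10.0.0.5 port 51000 ssh2
Oct 10 12:00:09 ipa01 sshd[2140]: Invalid user jdoe@ad.example.test from 10.0.0.5 port 51004
Oct 10 12:00:09 ipa01 sshd[2140]: input_userauth_request: invalid user jdoe@ad.example.test [preauth]
Oct 10 12:00:11 ipa01 sshd[2140]: Failed password for invalid user jdoe@ad.example.test from 10.0.0.5 port 51004 ssh2
"""

_SSHD = re.compile(r"sshd\[(\d+)\]: (.*)$")
_PAM = re.compile(r"^(pam_\w+)\((\w+):(\w+)\): (.*)")
_INVALID = re.compile(r"^Invalid user (\S+) from (\S+)")
_ACCEPTED = re.compile(r"^Accepted \w+ for (\S+) from (\S+)")
_USER_KV = re.compile(r"\buser=(\S+)")    # \b keeps "ruser=" from matching
_RHOST_KV = re.compile(r"\brhost=(\S+)")


def triage(log_text):
    """Return an ordered dict keyed by sshd pid with per-attempt findings."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = _SSHD.search(line)
        if not m:
            continue                      # not an sshd line
        pid, msg = m.groups()
        s = sessions.setdefault(pid, {
            "user": None, "rhost": None, "modules": [],
            "invalid_user": False, "accepted": False,
        })
        pm = _PAM.match(msg)
        if pm:                            # a PAM module reported something
            module, _service, _stage, rest = pm.groups()
            if module not in s["modules"]:
                s["modules"].append(module)
            uk, rk = _USER_KV.search(rest), _RHOST_KV.search(rest)
            if uk and s["user"] is None:
                s["user"] = uk.group(1)
            if rk and s["rhost"] is None:
                s["rhost"] = rk.group(1)
            continue
        im = _INVALID.match(msg)
        if im:                            # sshd could not resolve the account
            s["user"], s["rhost"] = im.groups()
            s["invalid_user"] = True
            continue
        am = _ACCEPTED.match(msg)
        if am:
            s["user"], s["rhost"] = am.groups()
            s["accepted"] = True
    return sessions


def diagnose(session):
    """Map one attempt's findings to the next thing an admin should check."""
    if session["invalid_user"]:
        return ("sshd could not resolve the account via NSS; check "
                "'id <user>' and 'getent passwd <user>' on the IPA server")
    if "pam_sss" not in session["modules"]:
        return ("PAM ran without pam_sss; check the pam_sss entries in "
                "/etc/pam.d/password-auth and /etc/pam.d/system-auth")
    if session["accepted"]:
        return "login succeeded through pam_sss"
    return ("pam_sss was consulted but login failed; check HBAC with "
            "'ipa hbactest' and the sssd domain log")


if __name__ == "__main__":
    for pid, s in triage(SAMPLE_LOG).items():
        print(f"sshd[{pid}] user={s['user']} rhost={s['rhost']} "
              f"modules={s['modules'] or 'none'}: {diagnose(s)}")
```

Run it against a real excerpt by replacing `SAMPLE_LOG` with the contents of the secure log; the useful signal is an attempt whose module list is empty or lacks `pam_sss`, because that means the user name never reached sssd and the HBAC rules were never evaluated for it.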
