Re: [Freeipa-users] Mostly working trust, SSH failure [SOLVED]

2016-05-25 Thread Erik Mackdanz
On Mon, May 23, 2016 at 4:26 PM, Rob Crittenden wrote: > https://lists.fedorahosted.org/archives/list/sssd-de...@lists.fedorahosted.org/thread/TUZ6ZWLRZ6QSMUHV44PRT75T6OVBGILK/ This was exactly our issue. We were able to build a patched version, and our forest AD user could

Re: [Freeipa-users] Mostly working trust, SSH failure [SOLVED]

2016-05-25 Thread Jakub Hrozek
On Wed, May 25, 2016 at 09:43:55AM -0500, Erik Mackdanz wrote: > On Mon, May 23, 2016 at 4:26 PM, Rob Crittenden wrote: > > https://lists.fedorahosted.org/archives/list/sssd-de...@lists.fedorahosted.org/thread/TUZ6ZWLRZ6QSMUHV44PRT75T6OVBGILK/ > > This was exactly our issue.

Re: [Freeipa-users] Mostly working trust, SSH failure

2016-05-23 Thread Rob Crittenden
Erik Mackdanz wrote: For the bug you mentioned ([1], downstream [2]), there is a patch but it's not publicly accessible. Are you able post the patch to this list? It may help us determine if we are directly affected.

Re: [Freeipa-users] Mostly working trust, SSH failure

2016-05-23 Thread Erik Mackdanz
For the bug you mentioned ([1], downstream [2]), there is a patch but it's not publicly accessible. Are you able post the patch to this list? It may help us determine if we are directly affected. Thanks, Erik [1] https://fedorahosted.org/sssd/ticket/3015 [2]

Re: [Freeipa-users] Mostly working trust, SSH failure

2016-05-22 Thread Jakub Hrozek
> On 20 May 2016, at 19:31, Erik Mackdanz wrote: > > Thanks Jakub, > > Yes, the "marking subdomain ... inactive" portion is below. > > There are failures in resolving the Global Catalog via SRV, but what > I've read says that should be okay because we fall back to the >

Re: [Freeipa-users] Mostly working trust, SSH failure

2016-05-20 Thread Erik Mackdanz
Thanks Jakub, Yes, the "marking subdomain ... inactive" portion is below. There are failures in resolving the Global Catalog via SRV, but what I've read says that should be okay because we fall back to the SID<->UID mapping. With dig, I can reproduce sssd's finding that those SRV records don't

Re: [Freeipa-users] Mostly working trust, SSH failure

2016-05-20 Thread Jakub Hrozek
On Thu, May 19, 2016 at 05:18:43PM -0500, Erik Mackdanz wrote: > Hello, > > I've set up a one-way trust to an Active Directory domain. Things > seem to roughly work, but something's missing. > > Can any kind soul spot a problem with my configuration, or advise on > how to further troubleshoot?

[Freeipa-users] Mostly working trust, SSH failure

2016-05-19 Thread Erik Mackdanz
Hello, I've set up a one-way trust to an Active Directory domain. Things seem to roughly work, but something's missing. Can any kind soul spot a problem with my configuration, or advise on how to further troubleshoot? Facts: - An AD user gets 'Access denied' when SSH'ing by password to the