On Wed, Sep 21, 2016 at 05:43:29PM +0500, Alexander K wrote:
> Hello,
>
> I'm having trouble with AD user authentication on an IPA client.
> I have 3 VMs in my test environment:
> win-dc.windc.local 10.1.97.122 - AD DC server 2012R2
> fedora-dc.demo.loc 10.1.97.120 - fedora 24 + FreeIPA
> wks.demo.loc 10.1.97.121 - IPA client
>
> I have done the IPA AD trust setup
> https://www.freeipa.org/page/Active_Directory_trust_setup
>
> AD user can access the IPA server:
> login as: Administrator@windc.local
> Administrator@windc.local@10.1.97.120's password:
> Last login: Wed Sep 21 13:59:36 2016 from 192.168.70.26
> Could not chdir to home directory /home/windc.local/administrator: No such
> file or directory
> -sh-4.3$
>
> IPA user can log in to the IPA client:
> login as: admin
> admin@10.1.97.121's password:
> Last login: Wed Sep 21 16:12:31 2016 from 192.168.70.26
> [admin@wks ~]$
>
>
> But AD user can't access the IPA client:
> login as: Administrator@windc.local
> Administrator@windc.local@10.1.97.121's password:
> Access denied
>
> On the other hand, ID works correctly for AD users:
> [root@wks ~]# id Administrator@windc.local
> uid=429000500(administrator@windc.local)
> gid=429000500(administrator@windc.local)
> groups=429000500(administrator@windc.local),429000520(group policy creator
> owners@windc.local),429000519(enterprise admins@windc.local),429000513(domain
> users@windc.local),429000518(schema admins@windc.local),429000512(domain
> admins@windc.local)
>
> I have attached logs
> (Last login time is 17:29-17:30)

The domain logs say the authentication takes too long; it might be due to
processing the PAC. Try increasing the authentication timeout
(krb5_auth_timeout).

>
>
> Any help would be appreciated!
>
>
> --
> Best regards,
> Alexander K

> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
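
An added example, not part of the original thread and not SSSD project code: a small checker that reports the effective krb5_auth_timeout for each enabled domain in an sssd.conf and produces a copy with the value raised. It assumes the option sits in the [domain/NAME] section and defaults to 6 seconds as documented in sssd-krb5(5); the sample configuration is constructed and the value 30 is only illustrative.

```python
import configparser
import io

DEFAULT_KRB5_AUTH_TIMEOUT = 6  # seconds; default documented in sssd-krb5(5)

# Constructed sample modelled on an IPA client's /etc/sssd/sssd.conf.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, ssh
domains = demo.loc

[domain/demo.loc]
id_provider = ipa
auth_provider = ipa
ipa_domain = demo.loc
ipa_server = fedora-dc.demo.loc
fallback_homedir = /home/%d/%u
"""


def _parse(conf_text):
    # interpolation=None: sssd.conf values such as /home/%d/%u contain '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp


def auth_timeouts(conf_text):
    """Map each enabled domain to (timeout_seconds, explicitly_set)."""
    cp = _parse(conf_text)
    domains = cp.get("sssd", "domains", fallback="").split(",")
    result = {}
    for name in (d.strip() for d in domains):
        section = "domain/" + name
        if not name or not cp.has_section(section):
            continue
        raw = cp.get(section, "krb5_auth_timeout", fallback=None)
        result[name] = (DEFAULT_KRB5_AUTH_TIMEOUT, False) if raw is None else (int(raw), True)
    return result


def with_timeout(conf_text, domain, seconds):
    """Return config text with krb5_auth_timeout set (comments are not preserved)."""
    cp = _parse(conf_text)
    cp.set("domain/" + domain, "krb5_auth_timeout", str(seconds))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print(auth_timeouts(SAMPLE_CONF))
    print(auth_timeouts(with_timeout(SAMPLE_CONF, "demo.loc", 30)))
```

After changing /etc/sssd/sssd.conf, restart the sssd service so the new timeout takes effect.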