On Wed, Sep 21, 2016 at 05:43:29PM +0500, Alexander K wrote:
> Hello,
> 
> I'm having trouble with AD user authentication on an IPA client.
> I have 3 VMs in my test environment:
> win-dc.windc.local 10.1.97.122 - AD DC server 2012R2
> fedora-dc.demo.loc 10.1.97.120 - fedora 24 + FreeIPA
> wks.demo.loc 10.1.97.121 - IPA client
> 
> I have done IPA AD trust setup
> https://www.freeipa.org/page/Active_Directory_trust_setup
> 
> AD user can access IPA server:
> login as: Administrator@windc.local
> Administrator@windc.local@10.1.97.120's password:
> Last login: Wed Sep 21 13:59:36 2016 from 192.168.70.26
> Could not chdir to home directory /home/windc.local/administrator: No such
> file or directory
> -sh-4.3$
> 
> IPA user can login IPA client:
> login as: admin
> admin@10.1.97.121's password:
> Last login: Wed Sep 21 16:12:31 2016 from 192.168.70.26
> [admin@wks ~]$
> 
> 
> But AD user can't access IPA client:
> login as: Administrator@windc.local
> Administrator@windc.local@10.1.97.121's password:
> Access denied
> 
> On the other hand, ID works correctly for AD users:
> [root@wks ~]# id Administrator@windc.local
> uid=429000500(administrator@windc.local)
> gid=429000500(administrator@windc.local)
> groups=429000500(administrator@windc.local),429000520(group policy creator
> owners@windc.local),429000519(enterprise admins@windc.local),429000513(domain
> users@windc.local),429000518(schema admins@windc.local),429000512(domain
> admins@windc.local)
> 
> I have attached logs
> (Last login time is 17:29-17:30)

The domain logs say the authentication takes too long; it might be
due to processing the PAC. Try increasing the authentication timeout
(krb5_auth_timeout).
> 
> 
> Any help would be appreciated!
> 
> 
> -- 
> Best regards,
> Alexander K





> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
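
An added example (not part of the original thread): a shell check that reports the krb5_auth_timeout in effect for one domain section of an sssd.conf-style file, useful for confirming the value before and after raising it as the reply suggests. The section name [domain/demo.loc], the sample file contents and the value 30 are assumptions made for illustration; the default of 6 seconds is the one documented in sssd-krb5(5).

```shell
#!/bin/sh
# Added example: effective krb5_auth_timeout for one SSSD domain section.
# Default (6 s) per sssd-krb5(5); the sample file and the value 30 are constructed.
SSSD_DEFAULT_KRB5_AUTH_TIMEOUT=6

# krb5_auth_timeout_for FILE DOMAIN -> prints the timeout in seconds
krb5_auth_timeout_for() {
    awk -v want="[domain/$2]" -v def="$SSSD_DEFAULT_KRB5_AUTH_TIMEOUT" '
        /^[ \t]*[#;]/ { next }                  # ignore commented-out lines
        /^[ \t]*\[/ {                           # section header: track where we are
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            in_sec = (line == want)
            next
        }
        in_sec {
            eq = index($0, "=")
            if (!eq) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "krb5_auth_timeout") found = val   # last assignment wins
        }
        END { if (found == "") found = def; print found }
    ' "$1"
}

# write_sample FILE [TIMEOUT] -> constructed sssd.conf for the wks.demo.loc client
write_sample() {
    {
        printf '[sssd]\nservices = nss, pam\ndomains = demo.loc\n\n'
        printf '[domain/demo.loc]\nid_provider = ipa\n'
        printf 'ipa_server = fedora-dc.demo.loc\n'
        printf '# krb5_auth_timeout = 15\n'    # commented out, so not in effect
        if [ -n "$2" ]; then printf 'krb5_auth_timeout = %s\n' "$2"; fi
        printf '\n[pam]\n'
    } > "$1"
}

sample=$(mktemp)
write_sample "$sample"
echo "before: $(krb5_auth_timeout_for "$sample" demo.loc)s"
write_sample "$sample" 30
echo "after:  $(krb5_auth_timeout_for "$sample" demo.loc)s"
rm -f "$sample"
```

On a real client the setting goes in the domain section of /etc/sssd/sssd.conf, and sssd has to be restarted before the new value applies.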
