On Fri, Feb 15, 2019 at 08:33:21AM +0100, Hans Schou wrote:
> Hi
> 
> I have two servers "L" & "R" which are connected to the AD.
> On server L I can login with SSO and I don't have to type password.
> On server R I can't login with SSO and I have to type the AD password.
> The user is only defined in the AD not locally.

I assume you are using ssh (putty) to log in with SSO?

For a start, you can check on R whether GSSAPI authentication is tried
at all, by increasing the LogLevel in /etc/ssh/sshd_config and
restarting sshd.

As an alternative, the ssh client logs might show this as well.
Additionally it would be good to check on the client after trying to
connect with ssh if there is a Kerberos ticket for R. For this you can
call klist and it should show something like
'host/[email protected]'.

HTH

bye,
Sumit

> 
> I have tried "realm leave" + "realm join" and "sss_cache -E".
> Removed
>   /etc/sssd/*
>   /etc/krb5.keytab
>   /var/lib/sss/db/*
> to make sure no config was leftover.
> 
> The /etc/sssd/sssd.conf is equal on both servers.
> 
> Both servers are running RHEL 7.6.
> 
> /etc/sssd/sssd.conf :
> [sssd]
> domains = acme.com
> config_file_version = 2
> services = nss, pam
> 
> [domain/acme.com]
> ad_domain = acme.com
> krb5_realm = ACME.COM
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = False
> fallback_homedir = /home/%u
> access_provider = ad
> debug_level = 7
> 
> Any hint much appreciated.
> 
> best regards
> Hans

> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
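
The two checks suggested in the reply above (does sshd on R see a GSSAPI attempt at all, and does klist on the client list a host/ ticket for R), written out as an added example that is not part of the original thread. The user name "hans", the host names l.acme.com and r.acme.com, the MIT-style klist text and the sshd log lines are constructed sample data.

```shell
#!/bin/sh
# Added example; every sample value below is constructed for illustration.

# has_host_ticket HOST: klist output on stdin; succeeds if the cache holds a
# service ticket whose principal starts with host/HOST@ (case-insensitive).
has_host_ticket() {
    awk -v want="host/$1@" '
        index(tolower($NF), tolower(want)) == 1 { found = 1 }
        END { exit !found }'
}

# gssapi_verdict USER: sshd log (LogLevel DEBUG) on stdin; prints whether
# gssapi-with-mic was never tried, tried without success, or accepted.
gssapi_verdict() {
    awk -v user="$1" '
        $0 ~ ("userauth-request for user " user " .* method gssapi-with-mic") { tried = 1 }
        $0 ~ ("Accepted gssapi-with-mic for " user " ") { ok = 1 }
        END { v = ok ? "accepted" : (tried ? "attempted-failed" : "not-attempted"); print v }'
}

sample_klist() { cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hans@ACME.COM

Valid starting       Expires              Service principal
02/15/2019 08:30:01  02/15/2019 18:30:01  krbtgt/ACME.COM@ACME.COM
02/15/2019 08:31:12  02/15/2019 18:30:01  host/l.acme.com@ACME.COM
EOF
}
sample_log_L() { cat <<'EOF'
sshd[1840]: debug1: userauth-request for user hans service ssh-connection method none [preauth]
sshd[1840]: debug1: userauth-request for user hans service ssh-connection method gssapi-with-mic [preauth]
sshd[1840]: Accepted gssapi-with-mic for hans from 192.0.2.10 port 50011 ssh2
EOF
}
sample_log_R() { cat <<'EOF'
sshd[2101]: debug1: userauth-request for user hans service ssh-connection method none [preauth]
sshd[2101]: debug1: userauth-request for user hans service ssh-connection method password [preauth]
sshd[2101]: Accepted password for hans from 192.0.2.10 port 50022 ssh2
EOF
}

for h in l.acme.com r.acme.com; do
    if sample_klist | has_host_ticket "$h"; then t=yes; else t=no; fi
    echo "$h: host/ service ticket in client cache: $t"
done
echo "L: GSSAPI $(sample_log_L | gssapi_verdict hans)"
echo "R: GSSAPI $(sample_log_R | gssapi_verdict hans)"
```

On real systems, pipe the output of klist and the sshd log from R into the two functions in place of the sample_* helpers. A "not-attempted" verdict on the server combined with no host/ ticket on the client places the problem before sshd receives any GSSAPI request.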