I created a trust relationship between my IPA server and an Active Directory. From any machine connected to FreeIPA, I can:

- sudo su - [email protected]
- id [email protected] (I get things like uid=167644279([email protected]) gid=167644279([email protected]) groups=167644279([email protected]),167616854([email protected]), ....................)
- getent passwd [email protected]
  [email protected]:*:167644279:167644279:ADuser:/home/example.com/ADuser
The connection between IPA and AD looks fine. Then I created:

- An external group, with my [email protected] user (external)
- A POSIX group, with my external group as a user group member
- An HBAC rule to allow the POSIX group to connect to a server

However, I can't ssh to this server with my AD account. I get this:

Sep 01 15:15:18 myServer.example.com systemd[1]: Starting SSSD Kerberos Cache Manager...
Sep 01 15:15:18 myServer.example.com systemd[1]: Started SSSD Kerberos Cache Manager.
Sep 01 15:15:18 myServer.example.com sssd[kcm][1730]: Starting up
Sep 01 15:15:18 myServer.example.com [sssd[krb5_child[1727]]][1727]: Cannot find KDC for realm "EXAMPLE.COM"
Sep 01 15:15:18 myServer.example.com [sssd[krb5_child[1727]]][1727]: Cannot find KDC for realm "EXAMPLE.COM"
Sep 01 15:15:18 myServer.example.com [sssd[krb5_child[1731]]][1731]: Cannot find KDC for realm "EXAMPLE.COM"
Sep 01 15:15:18 myServer.example.com [sssd[krb5_child[1731]]][1731]: Cannot find KDC for realm "EXAMPLE.COM"
Sep 01 15:15:18 myServer.example.com sshd[1723]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X [email protected]
Sep 01 15:15:18 myServer.example.com sshd[1723]: pam_sss(sshd:auth): received for user [email protected]: 6 (Permission denied)
Sep 01 15:15:20 myServer.example.com sshd[1723]: Failed password for [email protected] from X.X.X.X port 57320 ssh2

_______________________________________________
FreeIPA-users mailing list -- [email protected]
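
Added example, not part of the original post: a small Python triage of journal lines like the ones above, separating a failure in the PAM auth phase (where the "Cannot find KDC for realm" errors appear) from a denial in the account phase, which is where SSSD evaluates HBAC rules. The sample lines, host name, realm and user are constructed, and the account-phase line is an assumed example of what pam_sss logs on an access denial.

```python
import re

# pam_sss tags every message with the service and PAM phase: pam_sss(sshd:auth)
PAM_RE = re.compile(r"pam_sss\((?P<svc>[\w-]+):(?P<phase>\w+)\): (?P<msg>.*)")
KDC_RE = re.compile(r'krb5_child.*Cannot find KDC for realm "(?P<realm>[^"]+)"')
FAIL_RE = re.compile(r"authentication failure|Access denied|Permission denied")

# Constructed sample lines (not taken from any real host).
AUTH_FAIL = [
    'Sep 01 15:15:18 client.ipa.test [sssd[krb5_child[1727]]][1727]: '
    'Cannot find KDC for realm "AD.TEST"',
    'Sep 01 15:15:18 client.ipa.test sshd[1723]: pam_sss(sshd:auth): authentication '
    'failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=aduser@ad.test',
    'Sep 01 15:15:18 client.ipa.test sshd[1723]: pam_sss(sshd:auth): '
    'received for user aduser@ad.test: 6 (Permission denied)',
]
HBAC_DENY = [  # assumed shape of an account-phase denial
    'Sep 01 15:20:02 client.ipa.test sshd[1801]: pam_sss(sshd:account): '
    'Access denied for user aduser@ad.test: 6 (Permission denied)',
]

def triage(lines):
    """Return (first failing PAM phase, realms krb5_child could not locate)."""
    realms, phase = set(), None
    for line in lines:
        kdc = KDC_RE.search(line)
        if kdc:
            realms.add(kdc.group("realm"))
            continue
        pam = PAM_RE.search(line)
        if pam and phase is None and FAIL_RE.search(pam.group("msg")):
            phase = pam.group("phase")
    return phase, sorted(realms)

def explain(lines):
    phase, realms = triage(lines)
    if phase == "auth" and realms:
        return ("auth failed: no KDC located for realm(s) %s; "
                "account phase (HBAC) not reached" % ", ".join(realms))
    if phase == "auth":
        return "auth failed before the account phase (HBAC) was reached"
    if phase == "account":
        return "authenticated, then denied in account phase: check HBAC rules"
    return "no pam_sss failure found"

if __name__ == "__main__":
    for sample in (AUTH_FAIL, HBAC_DENY):
        print(explain(sample))
```
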
