On Tue, Sep 01, 2020 at 01:17:43PM -0000, Christophe BERGER via FreeIPA-users 
wrote:
> I created a trust relationship between my IPA server, and an Active Directory.
> From any machine connected to freeIPA, I can:
> - sudo su - [email protected]
> - id [email protected] (I get things like
> uid=167644279([email protected]) gid=167644279([email protected])
> groups=167644279([email protected]),167616854([email protected]),
> ....................
> - getent passwd [email protected]
> [email protected]:*:167644279:167644279:ADuser:/home/example.com/ADuser
>
> The connection between IPA and AD looks fine.
>
> Then I created:
> - An external group, with my [email protected] user (external)
> - A POSIX group, with my external group as a user group member
>
> - A HBAC rule to allow the POSIX group to connect to a server
>
> However, I can't ssh to this server with my AD account, I get this:
>
> Sep 01 15:15:18 myServer.example.com systemd[1]: Starting SSSD Kerberos Cache Manager...
> Sep 01 15:15:18 myServer.example.com systemd[1]: Started SSSD Kerberos Cache Manager.
> Sep 01 15:15:18 myServer.example.com sssd[kcm][1730]: Starting up
> Sep 01 15:15:18 myServer.example.com [sssd[krb5_child[1727]]][1727]: Cannot find KDC for realm "EXAMPLE.COM"
> Sep 01 15:15:18 myServer.example.com [sssd[krb5_child[1727]]][1727]: Cannot find KDC for realm "EXAMPLE.COM"
> Sep 01 15:15:18 myServer.example.com [sssd[krb5_child[1731]]][1731]: Cannot find KDC for realm "EXAMPLE.COM"
> Sep 01 15:15:18 myServer.example.com [sssd[krb5_child[1731]]][1731]: Cannot find KDC for realm "EXAMPLE.COM"
> Sep 01 15:15:18 myServer.example.com sshd[1723]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X [email protected]
> Sep 01 15:15:18 myServer.example.com sshd[1723]: pam_sss(sshd:auth): received for user [email protected]: 6 (Permission denied)
> Sep 01 15:15:20 myServer.example.com sshd[1723]: Failed password for [email protected] from X.X.X.X port 57320 ssh2

Hi,

you most probably have an additional domain suffix 'EXAMPLE.COM'
defined in AD and use it with the User Principal Name of the AD users.

Does

     ipa trust-find

show 'EXAMPLE.COM' in the 'UPN suffixes' line? If yes, then the
automatic detection on the IPA clients might not work as expected. You
can help the client by setting

    krb5_use_enterprise_principal = True

manually in the [domain/...] section of sssd.conf on the client.

If 'EXAMPLE.COM' is not listed it would be good to know first which
version of IPA you are using on the server.

bye,
Sumit
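The two checks Sumit describes, as an added example that is not part of the thread: a helper that looks for the failing realm in the 'UPN suffixes' line of `ipa trust-find` output, and helpers that test for and add `krb5_use_enterprise_principal = True` in the `[domain/...]` section of sssd.conf. The trust-find output and the sssd.conf text below are constructed samples standing in for the real command and the client's real /etc/sssd/sssd.conf; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed data throughout;
# on a real client, feed `ipa trust-find` output and /etc/sssd/sssd.conf instead.

# Constructed stand-in for `ipa trust-find` output (the SID is a placeholder).
SAMPLE_TRUST_FIND='-----------------
1 trust matched
-----------------
  Realm name: ad.example.com
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-0-0-0
  Trust type: Active Directory domain
  UPN suffixes: example.com
----------------------------
Number of entries returned 1
----------------------------'

# Constructed sssd.conf without the option, as on a client that fails like the
# log in the original mail.
SAMPLE_SSSD_CONF='[sssd]
domains = ipa.example.com
services = nss, pam

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa.example.com
'

# upn_suffix_listed OUTPUT SUFFIX -> exit 0 if SUFFIX is one of the comma-separated
# values on the "UPN suffixes:" line. Case-insensitive, because the KDC error
# prints the realm upper-case while IPA prints DNS-style lower-case names.
upn_suffix_listed() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($0) ~ /^ *upn suffixes:/ {
            sub(/^[^:]*:[ \t]*/, "")
            n = split($0, parts, "[ \t]*,[ \t]*")
            for (i = 1; i <= n; i++) if (tolower(parts[i]) == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# enterprise_principal_set CONF -> exit 0 if any [domain/...] section already
# carries krb5_use_enterprise_principal = True. Keys are only honoured inside a
# [domain/...] section, so a stray copy under [sssd] does not count.
enterprise_principal_set() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//) }
        in_domain && $0 ~ /^[ \t]*krb5_use_enterprise_principal[ \t]*=[ \t]*[Tt]rue[ \t]*$/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# with_enterprise_principal CONF -> prints CONF with the option inserted right
# after the first [domain/...] header. Idempotent: unchanged when already set.
with_enterprise_principal() {
    if enterprise_principal_set "$1"; then
        printf '%s\n' "$1"
        return 0
    fi
    printf '%s\n' "$1" | awk '
        /^\[domain\// && !done { print; print "krb5_use_enterprise_principal = True"; done = 1; next }
        { print }'
}

# Report on the constructed samples, mirroring the diagnosis in the mail.
if upn_suffix_listed "$SAMPLE_TRUST_FIND" "EXAMPLE.COM"; then
    echo "EXAMPLE.COM is a UPN suffix of the trust: client-side realm detection may fail"
    if enterprise_principal_set "$SAMPLE_SSSD_CONF"; then
        echo "krb5_use_enterprise_principal already set in [domain/...]"
    else
        echo "proposed sssd.conf:"
        with_enterprise_principal "$SAMPLE_SSSD_CONF"
    fi
else
    echo "EXAMPLE.COM is not a UPN suffix: check the IPA server version next"
fi
```

On a real client the sample strings are replaced by `"$(ipa trust-find)"` and `"$(cat /etc/sssd/sssd.conf)"`; the proposed file should be reviewed and written back by the administrator, followed by an sssd restart, rather than applied blindly.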

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]