Alex, thank you. Now it works, but not completely:

1.
[leszek@ipa1 ~]$ ssh ipatst03.linux.acme.example.com -l [email protected]
Password:
Last login: Wed Oct 15 16:11:27 2014
-sh-4.1$ id
uid=127283727([email protected]) gid=127283727([email protected]) grupy=127283727([email protected]),127292838([email protected])

I can't see all my groups. User1 is a member of 15 different groups at the AD side, not one as above: [email protected]
Could it be related? I can see all these group memberships at the IPA Server (id [email protected]).

2.
After login: ssh ipatst03.linux.acme.example.com -l [email protected]
-sh-4.1$ klist
klist: Included profile file could not be read while initializing krb5

Even kinit does not work:
-sh-4.1$ kinit [email protected]
kinit: Included profile file could not be read while initializing Kerberos 5 library

What about that? I didn't see this error before. Related?

I have another, but related, question, if you don't mind:
What if I would like to connect a RHEL5 IPA client to my IPA Server AD Trust Setup? Do you think it is realistic and could it work?

Thank you in advance

2014-10-15 15:50 GMT+02:00 Alexander Bokovoy <[email protected]>:

> On Wed, 15 Oct 2014, crony wrote:
>
>> Hi,
>> I've been following the AD integration guide for IPAv3:
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>
>> My setup is:
>> • 5 domain controllers with Windows 2008 R2 AD DC -> example.com as Forest Root Domain and acme.example.com as transitive child domain
>> • RHEL7 as IPA server with domain: linux.acme.example.com
>> • RHEL6.5 as IPA client server ipatst03.linux.acme.example.com
>>
>> Everything works correctly around the IPA Server, but the problem is within the IPA Client.
>>
>> I can not log in by SSH or by su -:
>>
>> [leszek@ipatst03 ~]$ su - [email protected]
>> Password:
>> su: incorrect password
>>
>> I found this error in /var/log/sssd/krb5_child.log :
>>
>> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/[email protected]].
>> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [get_and_save_tgt] (0x0020): 988: [-1765328341][Illegal cross-realm ticket]
>> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [map_krb5_error] (0x0020): 1043: [-1765328341][Illegal cross-realm ticket]
>> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data] (0x0200): Received error code 1432158209
>> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [pack_response_packet] (0x2000): response packet size: [20]
>> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [k5c_send_data] (0x4000): Response sent.
>> (Wed Oct 15 13:49:59 2014) [[sssd[krb5_child[1880]]]] [main] (0x0400): krb5_child completed successfully
>>
> Yes, this is a known issue for transitive trusts. MIT Kerberos requires
> for non-hierarchical trusts that the [capaths] section contains a proper map
> of relationships between the realms. We've got an API to manage this map
> from the IPA KDC driver and we also write it down on the IPA masters with
> the help of SSSD for the KDC to use, but on IPA clients it is not generated,
> as we hoped that receiving referrals from the KDC would be enough.
>
> You can see that this is the issue by copying
> /var/lib/sss/pubconf/krb5conf.d/domain_realm_linux_acme_example_com to
> your client and placing it as
> /var/lib/sss/pubconf/krb5conf.d/domain_realm_linux_acme_example_com_capaths
>
> On the next authentication attempt things will work.
>
> --
> / Alexander Bokovoy

--
Regards,
Leszek Miś
www: http://cronylab.pl
www: http://emerge.pl
Nothing is secure, paranoia is your friend.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
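The [capaths] map Alexander describes, written out for the topology in this thread, as an added example (not code from the thread, SSSD or FreeIPA). It assumes the trust is established with the forest root EXAMPLE.COM, that the user's realm is the child ACME.EXAMPLE.COM, that the IPA realm is LINUX.ACME.EXAMPLE.COM, and that /etc/krb5.conf pulls snippets in with an "includedir" line pointing at the directory named in the thread; all four are assumptions, pass your own values. The syntax of a [capaths] entry is CLIENT_REALM = { SERVER_REALM = INTERMEDIATE_REALM }. The script also applies two checks that bite with includedir: libkrb5 only reads files in an includedir whose names consist of letters, digits, "-" and "_" (a "capaths.conf" is silently skipped), and because kinit and klist run as the logged-in user, a snippet that user cannot read is what libkrb5 reports as "Included profile file could not be read".

```shell
#!/bin/sh
# Added example, not code from the thread, SSSD or FreeIPA.
# Writes the MIT Kerberos [capaths] map an IPA client needs when the AD
# realm it authenticates against is reached through the forest root rather
# than directly. Assumed topology (taken from the thread, not verified here):
#   IPA realm       LINUX.ACME.EXAMPLE.COM
#   AD user realm   ACME.EXAMPLE.COM    (child domain)
#   AD forest root  EXAMPLE.COM         (the realm the IPA trust is made with)
# Realm names are hierarchical, so without the map libkrb5 assumes a direct
# ACME.EXAMPLE.COM <-> LINUX.ACME.EXAMPLE.COM hop. The real service ticket
# transits EXAMPLE.COM, so the transited check on it fails with
# "Illegal cross-realm ticket".

# Emit the map. Syntax: CLIENT_REALM = { SERVER_REALM = INTERMEDIATE }.
# The first entry is the one the transited check needs here (AD client
# realm, IPA server realm); the second covers IPA principals talking to
# AD services.
capaths_snippet() {
    ipa_realm=$1; ad_realm=$2; forest_root=$3
    printf '[capaths]\n'
    printf '%s = {\n  %s = %s\n}\n' "$ad_realm" "$ipa_realm" "$forest_root"
    printf '%s = {\n  %s = %s\n}\n' "$ipa_realm" "$ad_realm" "$forest_root"
}

# krb5's "includedir" only reads files whose names are made of
# [A-Za-z0-9_-]; anything else (for example "capaths.conf") is skipped
# without any error message. Return 0 if the name is acceptable.
includedir_name_ok() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# File name in the style of SSSD's domain_realm_<realm> snippet
# (hypothetical naming, chosen for this example).
snippet_name() {
    printf 'capaths_%s\n' "$1" | tr 'A-Z.' 'a-z_'
}

# Write the snippet into the include directory as a world-readable file.
# kinit and klist run as the logged-in user; a snippet that user cannot
# read is reported as "Included profile file could not be read".
install_capaths_snippet() {
    dir=$1; ipa_realm=$2; ad_realm=$3; forest_root=$4
    name=$(snippet_name "$ipa_realm")
    includedir_name_ok "$name" || { echo "bad include name: $name" >&2; return 1; }
    mkdir -p "$dir" || return 1
    capaths_snippet "$ipa_realm" "$ad_realm" "$forest_root" > "$dir/$name" || return 1
    chmod 0644 "$dir/$name" || return 1
    echo "$dir/$name"
}

# Usage (the directory is the one named in the thread; use whatever your
# /etc/krb5.conf "includedir" line actually points at):
#   sh capaths.sh /var/lib/sss/pubconf/krb5conf.d \
#       LINUX.ACME.EXAMPLE.COM ACME.EXAMPLE.COM EXAMPLE.COM
if [ "$#" -eq 4 ]; then
    install_capaths_snippet "$@"
fi
```

After installing the snippet, a fresh kinit as the AD user followed by a ticket request for host/<client>@LINUX.ACME.EXAMPLE.COM (for example via ssh to the client itself) is the check that the transited path is now accepted; the snippet only changes which realm sequence libkrb5 expects, it does not create any trust.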
