I'm trying to set up a trust relationship between IPA and our Active Directory environment so that our AD users can log in to our Linux machines. The two-way trust relationship appears to be set up correctly, with no errors reported, and everything looking normal in the GUI and the CLI. For example:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
03/02/15 10:13:40  03/03/15 10:13:10  krbtgt/[email protected]
03/02/15 10:15:13  03/03/15 10:13:10  host/[email protected]
03/02/15 10:15:35  03/03/15 10:13:10  krbtgt/[email protected]
03/02/15 10:15:46  03/02/15 20:15:46  host/[email protected]
03/02/15 10:56:55  03/03/15 10:13:10  HTTP/[email protected]

In this case, middlebury.edu is our AD domain, and csns.middlebury.edu is our new IPA domain, set up as a subdomain. I have created IPA and AD groups for AD users, and set them up according to the documentation:

ipa group-add --desc='AD users external map' ad_users_external --external
ipa group-add --desc='AD users' ad_users
ipa group-add-member ad_users_external --external "<AD DOMAIN>\IPA group"
ipa group-add-member ad_users --groups ad_users_external

So now the AD group "IPA group" is a member of the IPA group ad_users_external, which is in turn a member of ad_users. I would expect that any AD users I put into the group "IPA group" should show up as valid users in IPA, but they don't. And when I try to add an AD user directly into the ad_users_external group, it is added without error (and the correct SID shows up), but the user still can't log in. If the user tries to SSH in, the logs show:

Mar 2 11:13:42 ipa1 sshd[31720]: Invalid user testuser from *.*.*.*
Mar 2 11:13:42 ipa1 sshd[31721]: input_userauth_request: invalid user testuser

And if root tries to su to the user, it also fails:

su: user testuser does not exist

I would expect the user to show up. What have I missed?

David Guertin
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
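The "Invalid user testuser" and "user testuser does not exist" messages above both mean the host's NSS lookup (glibc via SSSD) returned nothing for the bare name. On an IPA client with an AD trust, trusted-domain users are addressed as user@ad.domain unless the [sssd] option default_domain_suffix names that domain, so the short name alone is expected to fail. The script below is an added example, not from the post or the FreeIPA project: it reads an sssd.conf text (the embedded one is constructed), derives which login names can resolve, and checks each against the local NSS stack.

```python
import configparser
import pwd


def nss_resolves(name):
    """True if the local NSS stack (files, sss, ...) knows this account."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def default_domain_suffix(sssd_conf_text):
    """Return the [sssd] default_domain_suffix value, or None if unset."""
    cp = configparser.ConfigParser()
    cp.read_string(sssd_conf_text)
    return cp.get("sssd", "default_domain_suffix", fallback=None)


def login_names_to_try(short_name, ad_domain, sssd_conf_text):
    """Candidate login names for an AD-trust user on this host.

    The fully qualified form always applies; the bare short name only
    resolves when default_domain_suffix is set to that AD domain.
    """
    names = ["%s@%s" % (short_name, ad_domain)]
    suffix = (default_domain_suffix(sssd_conf_text) or "").lower()
    if suffix == ad_domain.lower():
        names.insert(0, short_name)
    return names


def diagnose(short_name, ad_domain, sssd_conf_text):
    """Map each candidate login name to whether NSS resolves it right now."""
    names = login_names_to_try(short_name, ad_domain, sssd_conf_text)
    return {n: nss_resolves(n) for n in names}


# Constructed minimal sssd.conf: no default_domain_suffix, so only the
# user@middlebury.edu form can possibly resolve on this client.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, ssh, sudo
domains = csns.middlebury.edu
"""

if __name__ == "__main__":
    for name, ok in diagnose("testuser", "middlebury.edu", SAMPLE_SSSD_CONF).items():
        print("%s: %s" % (name, "resolves" if ok else "not found by NSS"))
```

Run it on the IPA client itself; a fully qualified name that still does not resolve points at SSSD or the trust rather than at the login form.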
