On Fri, Mar 27, 2015 at 05:00:43PM +0000, Srdjan Dutina wrote:
> Hi,
>
> I created the following test environment:
>
> 1. IPA server: v4.1.3 on Centos 7
> 2. Two-way trust with Active directory domain - Windows server 2012 R2
> 3. Connected multiple IPA clients:
>    - Fedora 21 - v4.1.3
>    - Centos 7 - v3.3.3
>    - Centos 6.6 v.3.0.0
>
> to IPA domain.
>
> Using Kerberos ticket for AD user, I'm able to ssh to IPA server and Fedora
> client, but not to Centos clients, which have older IPA client versions.
> These clients just skip gssapi-with-mic auth and continue to password login
> (which is successful).
>
> Just to add that I can obtain Kerberos ticket using 'kinit' command for AD
> user from all clients and also get user and group IDs using 'id' command.
>
> Additionally, is it possible to join Centos 5 client to latest IPA server?
>
> Thank you.

Sounds a bit like the auth_to_local rules might be acting up, did you
configure krb5.conf according to
http://www.freeipa.org/page/Active_Directory_trust_setup#Edit_.2Fetc.2Fkrb5.conf ?
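
Added example, not part of the original thread or of FreeIPA: a simplified Python model of how krb5 evaluates auth_to_local entries, showing what a DEFAULT-only client does with an AD principal compared with a client that also has a RULE entry for the trusted realm. The realm names, the user name and the exact rule text are constructed assumptions; the rule is assumed to be of the kind the linked krb5.conf section asks for.

```python
import re

# Constructed realm names (assumptions); substitute your own IPA and AD realms.
IPA_REALM = "IPA.EXAMPLE.COM"
AD_REALM = "AD.EXAMPLE.COM"

RULES_DEFAULT_ONLY = ["DEFAULT"]
RULES_WITH_TRUST = [
    "RULE:[1:$1@$0](^.*@AD.EXAMPLE.COM$)s/@AD.EXAMPLE.COM/@ad.example.com/",
    "DEFAULT",
]

RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/(.*?)/(.*?)/(g?))?")

def apply_rule(rule, principal):
    """Simplified model of one auth_to_local entry.

    Returns the local name, or None if the entry does not apply.
    Handles DEFAULT and RULE:[n:fmt](regexp)s/pat/repl/[g] only.
    """
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals of the default realm.
        return comps[0] if realm == IPA_REALM and len(comps) == 1 else None
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    n, fmt, regexp, pat, repl, glob = m.groups()
    if int(n) != len(comps):
        return None                      # component count must equal n
    fields = [realm] + comps             # $0 is the realm, $1..$n the components
    s = re.sub(r"\$(\d)", lambda d: fields[int(d.group(1))], fmt)
    if regexp is not None and not re.fullmatch(regexp, s):
        return None                      # the filter must match the whole string
    if pat is not None:
        s = re.sub(pat, repl, s, count=0 if glob else 1)
    return s

def to_local(rules, principal):
    """Entries are tried in order; None means the principal has no local name."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None

if __name__ == "__main__":
    for label, rules in (("DEFAULT only", RULES_DEFAULT_ONLY),
                         ("with trust rule", RULES_WITH_TRUST)):
        print(label, "->", to_local(rules, "jdoe@" + AD_REALM))
```

With only DEFAULT the AD principal maps to no local account, which is consistent with the client skipping gssapi-with-mic even though kinit and id work; with the RULE entry it maps to the lower-cased name@domain form.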
