On Thu, Jul 09, 2015 at 08:59:11PM -0700, Angelo Pantano wrote:
> I have the exact same problem, have a windows AD that trusts IPA server and
> an IPA client that connect to the IPA server via sssd. If I try to ssh on
> the IPA client using an AD user it fails authentication. The same happens
> if I try to su - ADuser.
>
> Basically IPA server is not correctly proxying the requests to AD, I can
> pull the info with getent, so I know the trust is working,

Are you sure SSSD is not just returning records from cache? Do you have full SSSD logs?

> but when I try
> to authenticate it's always failing.
>
> The relevant bits I found in the sssd logs suggests a problem contacting
> the AD subdomain via kerberos
>
> (Thu Jul 9 20:42:15 2015) [[sssd[krb5_child[12110]]]] [get_and_save_tgt]
> (0x0020): 996: [-1765328230][Cannot find KDC for realm "AD.LOCAL"]

The original poster had non-standard UPNs, so the users with those UPNs were failing. Is that your case also or do all users fail like this?
