On Thu, May 19, 2016 at 05:18:43PM -0500, Erik Mackdanz wrote:
> Hello,
>
> I've set up a one-way trust to an Active Directory domain. Things
> seem to roughly work, but something's missing.
>
> Can any kind soul spot a problem with my configuration, or advise on
> how to further troubleshoot?
>
> Facts:
>
> - An AD user gets 'Access denied' when SSH'ing by password to the
> FreeIPA host. This is my concern.
>
> - This AD user has not been locked out.
>
> - getent passwd succeeds for the AD user
>
> - A FreeIPA user can successfully SSH by password to the same FreeIPA
> host.
>
> - That FreeIPA user can then successfully kinit as the AD user (the
> same AD user denied above)
>
> - HBAC is set to the default allow_all rule, which is enabled.
> Running the HBAC Test tool on the AD user confirms that they are
> authorized for sshd.
>
> This tells me something is awry in sssd.conf or sshd_config or pam.d
> or HBAC.
>
> Thanks,
> Erik
>
> I've got sssd debug to 9. Here's some output:
>
> [...]
> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_subdom_offline] (0x4000): Subdomain already inactive
> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]

Here it looks like sssd previously had issues connecting to AD and went offline. Can you search the logs a bit earlier for the first occurrence of "Marking subdomain xxx as offline"?

Can you kinit as that user?
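The check the reply asks for, locating the first time sssd marked the trusted subdomain offline and showing what was logged just before it, written as an added shell example that is not part of this thread. The log lines it scans are constructed to match the shape of Erik's excerpt: the last three mirror his output, while the earlier lines, the bracketed names `example_subdom_init` and `example_ldap_connect`, and the timeout message are placeholders invented for the example, not records from his host.

```shell
#!/bin/sh
# Constructed sample of sssd back-end log lines. Only the last three lines follow the
# thread's excerpt; the first three (including the placeholder function names) are invented
# so that there is an earlier "root cause" event for the helpers to find.
SAMPLE_LOG='(Thu May 19 20:41:02 2016) [sssd[be[platform.schlitz]]] [example_subdom_init] (0x0400): Initialising AD subdomain na.bazzlegroup.com
(Thu May 19 20:41:05 2016) [sssd[be[platform.schlitz]]] [example_ldap_connect] (0x0020): connect failed [110][Connection timed out].
(Thu May 19 20:41:05 2016) [sssd[be[platform.schlitz]]] [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_subdom_offline] (0x4000): Subdomain already inactive'

# first_offline_event LOG: print the timestamp and subdomain of the FIRST
# "Marking subdomain ... offline" line. That first occurrence is the one worth
# investigating; later ones only repeat it ("Subdomain already inactive").
first_offline_event() {
  printf '%s\n' "$1" | awk '
    /Marking subdomain .* offline/ {
      ts = $0
      sub(/^\(/, "", ts); sub(/\).*$/, "", ts)   # keep the text inside the leading parentheses
      for (i = 1; i <= NF; i++) if ($i == "subdomain") dom = $(i + 1)
      print ts " " dom
      exit
    }'
}

# context_before_offline N LOG: print the N log lines immediately preceding that first
# event, which is where the connection or authentication failure that caused it is logged.
context_before_offline() {
  printf '%s\n' "$2" | awk -v n="$1" '
    /Marking subdomain .* offline/ {
      for (i = NR - n; i < NR; i++) if (i in buf) print buf[i]
      exit
    }
    { buf[NR] = $0 }'
}

# count_offline_marks LOG: how many times the subdomain was marked offline in this log.
count_offline_marks() {
  printf '%s\n' "$1" | grep -c 'Marking subdomain .* offline'
}

# Stand-alone run against the constructed sample. On a real host pass the contents of
# the domain log instead, e.g. "$(cat /var/log/sssd/sssd_<ipa-domain>.log)".
echo "first offline event : $(first_offline_event "$SAMPLE_LOG")"
echo "lines before it     :"
context_before_offline 2 "$SAMPLE_LOG"
echo "offline marks       : $(count_offline_marks "$SAMPLE_LOG")"
```

With debug level 9 the back-end log is large, so reading only the window before the first offline mark is the quickest way to see whether the trusted domain's DCs were unreachable, a Kerberos step failed, or something else tripped the offline transition; every later "Marking subdomain ... offline" line in the same run is a consequence of that first one, not a separate fault.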
