On Tue, Jun 05, 2018 at 03:06:44PM -0000, Bart via FreeIPA-users wrote:
Hi all,
I've set up two FreeIPA servers without a CA (I provided 3rd-party certificates during the installation process). I also established a trust to an AD domain as below:
ipa trust-add --type=ad AD.DOMAIN --external=True --all
I checked that I can successfully obtain a cross-realm ticket (kvno -S host ...) as described here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm... I can also ssh to either of the two FreeIPA servers as user@ad.domain.
However, when I configured a FreeIPA client and tried to ssh into it / su inside it as the same AD user, it fails (I cannot ssh; when I try to "su -" as the AD user it fails with "user@ad.domain does not exist").
I increased the sssd log level on both the client and the servers but I cannot find anything spooky there (but then I might not know what to look for :)). Can someone please advise on how to narrow this down?
First, can you resolve the user and all their groups on the client?
If yes, then I normally start with /var/log/secure or the journal to see what pam_sss returned and work my way from there to the sssd logs.
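As an added example (not code from this thread, nor from the FreeIPA or SSSD projects), here is a small POSIX shell helper that walks the two steps in the reply above: check that the client can resolve the AD user and their groups, then pull the pam_sss result lines out of /var/log/secure or the journal and map the Linux-PAM return code to where in the sssd logs to look next. The user name bob@ad.domain, the host name and the log lines are constructed for the example; the pam_sss "received for user <user>: <code> (<text>)" line format and the PAM code numbers are standard.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread or from the
# FreeIPA/SSSD projects. bob@ad.domain, "client" and SAMPLE_LOG are constructed.

# Step 1 (run on the FreeIPA client): can sssd resolve the AD user and all of
# their groups?  Prints the group list on success, returns non-zero otherwise.
check_resolution() {
    user="$1"
    getent passwd "$user" >/dev/null 2>&1 || { echo "cannot resolve $user"; return 1; }
    id -G -n "$user"
}

# Step 2: pull pam_sss results out of /var/log/secure or the journal.
# Reads log lines on stdin; prints "<service> <user> <pam-code>" for every
# "pam_sss(<service>:<type>): received for user <user>: <code> (...)" line.
pam_sss_returns() {
    sed -n 's/.*pam_sss(\([^:]*\):[a-z]*): received for user \([^:]*\): \([0-9][0-9]*\) (.*/\1 \2 \3/p'
}

# Map the Linux-PAM return code to the next sssd log worth opening.
explain_code() {
    case "$1" in
        0)  echo "PAM_SUCCESS" ;;
        6)  echo "PAM_PERM_DENIED: user resolved but access denied; check HBAC and sssd_<domain>.log" ;;
        7)  echo "PAM_AUTH_ERR: wrong password or KDC problem; check sssd_<domain>.log and krb5_child.log" ;;
        9)  echo "PAM_AUTHINFO_UNAVAIL: sssd offline or backend unreachable; check sssd_<domain>.log" ;;
        10) echo "PAM_USER_UNKNOWN: client cannot resolve the user; redo step 1 and read sssd_nss.log" ;;
        *)  echo "PAM code $1: see sssd_pam.log" ;;
    esac
}

# Constructed sample lines in /var/log/secure format (hypothetical host/user).
SAMPLE_LOG='Jun  5 15:00:01 client sshd[1234]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=bob@ad.domain
Jun  5 15:00:01 client sshd[1234]: pam_sss(sshd:auth): received for user bob@ad.domain: 10 (User not known to the underlying authentication module)
Jun  5 15:01:10 client su: pam_sss(su-l:account): received for user bob@ad.domain: 6 (Permission denied)'

# One triage line per pam_sss result in the sample.
triage() {
    printf '%s\n' "$SAMPLE_LOG" | pam_sss_returns | while read -r service user code; do
        printf '%s %s -> %s\n' "$service" "$user" "$(explain_code "$code")"
    done
}

# Live use on a client instead of the sample:
#   grep pam_sss /var/log/secure | pam_sss_returns
#   journalctl -b | pam_sss_returns
triage
```

Running it on the sample prints a PAM_USER_UNKNOWN line for the sshd attempt and a PAM_PERM_DENIED line for "su -", which is the split the reply is after: code 10 means the client never resolved the user (so step 1 and sssd_nss.log come first), while 6 on the account phase means the user resolved but access control said no.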