Hello all,
In an IdM + AD trust setup, has anyone ever had the need to restrict IPA
client logins to a specific Active Directory server when using their AD
credentials?
The problem I am having is that one of my clients has an AD cluster and
some of the kdc servers in that cluster have clocks that are not
synchronized. Whenever someone tries to log in using their AD account, if
they hit an unsynchronized server then they get hit with the "kinit: clock
skew too great ..." error.
Since we don't control the AD server and since they refused to fix their
time sync issues, I have been trying to restrict AD logins to a specific
kdc server, but have been unable to do it. I have tried to edit the
sssd.conf and krb5.conf configuration files, but nothing seems to work.
Any suggestions?
Thanks
Jean Figarella