22.07.2018, 12:56, "Alexander Bokovoy" <abokovoy(a)redhat.com>:
When you are using trust to AD *all* authentication of AD users is
performed by AD DCs. IPA masters are not involved at all. So you need to
look at AD side for that.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
Sorry, I don't understand what's going on.
I can log in to AD computers with the new password.
And I can also log in on one IPA client, a new member of the IPA domain.
But when I try to log in by ssh on old IPA members and IPA controllers, I see:
Password:
Password:
Password:
start-line\savelev(a)192.168.2.21's password:
I enter the password 4 times, and after that I can log in.
When I am root, I can do su aduser@ad_domain.
And then I can kinit and get a Kerberos ticket.
But if I am another user, I must type the password after su ad_user@ad_domain and get an error:
Password:
su: Authentication failure
because su wanted the password just one time.
--
Best regards, Nikolay.