On Tue, Nov 10, 2020 at 03:56:48PM -0000, kotelnikova9314--- via FreeIPA-users wrote:
> Hello all,
> sorry if this question was already discussed several times; nevertheless, I am stuck with
> setting up a trust between FreeIPA and AD.
> To be more precise, the one-way trust is set up and I can log in to the FreeIPA server with
> AD credentials.
> I also have a bunch of servers with ipa-client configured and I am able to log in to them
> with FreeIPA accounts, but not AD ones.
> 1) Did I understand correctly that clients should "somehow" authenticate to AD
> via FreeIPA? Or do they need to contact AD directly?

The client will get user and group information from the FreeIPA server,
but for authentication (Kerberos) they will talk with AD DCs directly.

> 2) If the clients should be configured to talk to AD, which configurations are needed?

For a start no specific configuration is needed; ipa-client-install
should set all needed options.

> 3) The way I am trying to log in is as follows:
> > ssh -v -l ad_user@ad_domain hostname
> 4) In the logs I have these errors during authentication:
> sshd[11294]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.45.33.1 user=ad_user@ad_domain
> sshd[11294]: pam_sss(sshd:auth): received for user ad_user@ad_domain: 6 (Permission denied)
> sshd[11290]: error: PAM: Authentication failure for ad_user@ad_domain from 10.45.33.1
> sshd[11290]: Connection closed by authenticating user user_ad@ad_domain 10.45.33.1 port 40108 [preauth]

Please add 'debug_level = 9' to the [pam] and [domain/...] sections in
sssd.conf, restart SSSD, try to authenticate again and send the logs.

bye,
Sumit

> Thanks in advance!
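
The debugging step requested in the reply above (debug_level = 9 in the [pam] and [domain/...] sections of sssd.conf), as an added example that is not part of the original thread or of SSSD itself. The helper names and the sample configuration (domain `ipa.example.test`) are constructed for illustration; the script rewrites the text line by line so comments and unrelated sections are preserved.

```python
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
DEBUG_RE = re.compile(r"^\s*debug_level\s*=")

# Constructed sample, not taken from the thread.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, ssh
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
debug_level = 2
cache_credentials = True

[pam]

[nss]
debug_level = 3
"""

def wants_debug(section):
    """Sections named in the reply: [pam] and every [domain/...]."""
    return section == "pam" or section.startswith("domain/")

def set_debug_level(conf_text, level=9):
    """Return conf_text with debug_level set in the [pam] and [domain/...] sections."""
    out, in_target = [], False
    for line in conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            in_target = wants_debug(m.group("name").strip())
            out.append(line)
            if in_target:
                out.append(f"debug_level = {level}")
            continue
        if in_target and DEBUG_RE.match(line):
            continue  # superseded by the line written under the section header
        out.append(line)
    return "\n".join(out) + "\n"

def debug_levels(conf_text):
    """Map each section that sets debug_level to its value, for verification."""
    levels, section = {}, None
    for line in conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip()
        elif section and DEBUG_RE.match(line):
            levels[section] = line.split("=", 1)[1].strip()
    return levels

if __name__ == "__main__":
    print(set_debug_level(SAMPLE_CONF), end="")
```

After writing the result back and restarting SSSD, the PAM responder and domain logs under /var/log/sssd/ carry the detail requested; level 9 is verbose, so revert it once the logs are collected.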