On su, 22 heinä 2018, Николай Савельев wrote:
>22.07.2018, 12:56, "Alexander Bokovoy" <abokovoy(a)redhat.com>:
> When you are using trust to AD *all* authentication of AD users is
> performed by AD DCs. IPA masters are not involved at all. So you need to
> look at AD side for that.
Sorry, I don't undestend wat's going on.
I can login ad computers with new password.
And i also can login on one ipa client - a new member of ipa domen.
But whan I try login by ssh on old ipa members and ipa controllers, i see:
Password:
Password:
Passwors:
start-line\savelev(a)192.168.2.21's password:
I enter password 4 times, and after that i can login.
enable 'debug_level =
9' in domain and pam sections in sssd.conf, restart sssd,
try again and show logs.
When i root, I can doing su aduser@ad_domain.
This is *not* authenticating anything.
Root is allowed to su to anyone
without authentication.
And then I can kinit and get kerberos ticket.
But if I another user, I must tape password after su ad_user@ad_domain
and get error
Password:
su: Authentication failure
because su wanted password just one time.
Again, show sssd logs. I suspect it is
something with communicating to
your AD DCs because SSSD doesn't use anything else to authenticate.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland