Hi Sumit,
thank you for the comprehensive answer.
> On Tue, Nov 10, 2020 at 03:56:48PM -0000, kotelnikova9314--- via FreeIPA-users wrote:
> The client will get user and group information from the FreeIPA server
> but for authentication (Kerberos) they will talk with AD DCs directly.
Ok, I see, thank you for the explanation.
> For a start no specific configuration is needed, ipa-client-install
> should set all needed options.
Found my mistake. My clients were configured without trust, thus krb5.conf had the following
configuration in the [realms] section.
kdc = ipaserver.ipadomain.com:88
master_kdc = ipaserver.ipadomain.com:88
admin_server = ipaserver.ipadomain.com:749
kpasswd_server = ipaserver.ipadomain.com:464
default_domain = ipadomain.com
After re-installing clients with ipa-client-install, when the trust was established, these
lines were removed and authentication for AD users succeeded.
Without reinstalling, defining the AD trust domain in the [realms] section also helped:
AD.DOMAIN = {
kdc = ad-controlled.ad.domain:88
}
> Please add 'debug_level = 9' to the [pam] and [domain/...] section in
> sssd.conf, restart SSSD, try to authenticate again and send the logs.
No need, I already found that the problem was in the SSSD cache; I had to wait a bit or
remove the cache so that the updated HBAC rules were applied.
> bye,
> Sumit
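As an added illustration of the krb5.conf situation discussed in this reply (example code, not from the thread or the FreeIPA project): a small checker that parses the [realms] section and reports a trusted AD realm that has no kdc entry while dns_lookup_kdc is disabled, since MIT Kerberos then has no way to locate the AD DC. The realm names, the constructed sample config, and the dns_lookup_kdc = false setting are assumptions for the example.

```python
import re

# Constructed sample: the pre-trust client config from the thread, with DNS KDC lookup off.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = IPADOMAIN.COM
  dns_lookup_kdc = false

[realms]
  IPADOMAIN.COM = {
    kdc = ipaserver.ipadomain.com:88
    master_kdc = ipaserver.ipadomain.com:88
    admin_server = ipaserver.ipadomain.com:749
    kpasswd_server = ipaserver.ipadomain.com:464
    default_domain = ipadomain.com
  }
"""

# Constructed fix: the AD realm stanza from the thread, appended to the [realms] section.
AD_REALM_STANZA = """\
  AD.DOMAIN = {
    kdc = ad-controlled.ad.domain:88
  }
"""

def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here: [section] headers, key = value
    lines, and one level of NAME = { ... } subsections (realm stanzas)."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = conf.setdefault(header.group(1), {}), None
        elif line.endswith("{"):
            realm = section.setdefault(line[:-1].strip(" ="), {})
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (realm if realm is not None else section).setdefault(key, []).append(value)
    return conf

def check_trust_realms(conf, ad_realms):
    """Return findings for AD realms whose KDC cannot be located by this config."""
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0].lower()
    realms = conf.get("realms", {})
    return [f"{ad}: no kdc entry and dns_lookup_kdc={dns}; add a [realms] stanza "
            "with kdc = <AD DC>:88 or enable dns_lookup_kdc"
            for ad in ad_realms if "kdc" not in realms.get(ad, {}) and dns != "true"]
```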