Hello, I've worked through many issues learning and implementing FreeIPA in my realm. Thanks to many for the helpful direction.
One Ubuntu client is not behaving. It joined successfully, but will not authenticate. Kerberos works:
# kinit ndemarco
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ndemarco@PCHEM.PRO

Valid starting       Expires              Service principal
03/07/2020 12:20:20  03/08/2020 13:20:17  krbtgt/PCHEM.PRO@PCHEM.PRO
However, I cannot log in as the same user. The password is not recognized.
No local user with the same name:
# getent passwd | grep ndemarco
None of the SSSD logs show anything interesting.
I'm a learner. Please give me a hint++ on where to look next.
Sincerely, Nick
On Sat, 07 Mar 2020, Nicholas DeMarco via FreeIPA-users wrote:
> Hello, I've worked through many issues learning and implementing FreeIPA in my realm. Thanks to many for the helpful direction.
> One Ubuntu client is not behaving. It joined successfully, but will not authenticate. Kerberos works:
> # kinit ndemarco
> # klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: ndemarco@PCHEM.PRO
>
> Valid starting       Expires              Service principal
> 03/07/2020 12:20:20  03/08/2020 13:20:17  krbtgt/PCHEM.PRO@PCHEM.PRO
> However, I cannot log in as the same user. The password is not recognized.
> No local user with the same name:
> # getent passwd | grep ndemarco
> None of the SSSD logs show anything interesting.
> I'm a learner. Please give me a hint++ on where to look next.
Don't use 'getent passwd' without explicit user name. Enumeration of users is disabled by default in SSSD for a good reason, so not being able to see yourself this way is fine.
Does 'getent passwd ndemarco' return anything on that machine?
If not, does 'sssctl domain-status pchem.pro' work and show the domain online?
On Mar 7, 2020, at 12:32:38 PM, Nicholas DeMarco via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> # getent passwd | grep ndemarco
Are you sure this is supposed to work? Typically you want to disable enumeration. Does
getent passwd ndemarco
also fail?
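
Both replies turn on the same point: with enumeration off, only a lookup by name is meaningful. The script below is an added example, not part of the thread or of FreeIPA/SSSD; it reads the `enumerate` option from an sssd.conf-style file and pairs it with a by-name lookup. The sample configuration, the `lab.example` domain and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example. The sssd.conf content below is constructed for illustration.

sample_conf() {
cat <<'EOF'
[sssd]
domains = pchem.pro, lab.example

[domain/pchem.pro]
id_provider = ipa
# enumerate is not set here, so the SSSD default (false) applies

[domain/lab.example]
id_provider = ldap
enumerate = True
EOF
}

# Print the effective "enumerate" value of [domain/NAME] in an sssd.conf-style
# file: the configured value lowercased, or "false" when the option is absent.
sssd_enumerate() {
    awk -v want="domain/$2" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # section header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s)
            insec = (s == want); next
        }
        insec && /^[ \t]*enumerate[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            val = tolower(v)
        }
        END { print (val == "" ? "false" : val) }
    ' "$1"
}

# Look the user up by name (works with enumeration off) and say what an empty
# "getent passwd | grep USER" means for this domain.
explain_lookup() {
    user=$1; conf=$2; domain=$3
    enum=$(sssd_enumerate "$conf" "$domain")
    if getent passwd "$user" >/dev/null 2>&1; then
        echo "$user resolves by name (enumerate=$enum); an empty listing is expected when enumerate=false"
    else
        echo "$user does not resolve by name (enumerate=$enum); check: sssctl domain-status $domain"
    fi
}

conf=$(mktemp); sample_conf >"$conf"
explain_lookup "${1:-ndemarco}" "$conf" pchem.pro
rm -f "$conf"
```

On a real client, point `explain_lookup` at the client's own SSSD configuration file instead of the sample.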