Hi,
I'm having some issues ssh'ing as an AD user to a freeipa client, but I can successfully ssh as the same user to the IPA master. Our IPA domain, ipa.subdomain.contoso.com, is set up with a one-way trust with ad.contoso.com (IPA trusts ADs users). I have the standard "allow all" HBAC rule in place on FreeIPA for testing purposes. ad.contoso.com is a relatively huge AD, with over 400,000 user accounts.
ssh erik-ipa@freeipa1.ipa.subdomain.contoso.com --- (IPA user to FreeIPA master), works
ssh erik-ad@ad.contoso.com@freeipa1.ipa.subdomain.contoso.com --- (AD user to FreeIPA master), works
ssh erik-ipa@rl9-ipa-client1.in.subdomain.contoso.com --- (IPA user to FreeIPA client), works
ssh erik-ad@ad.contoso.com@rl9-ipa-client1.in.subdomain.contoso.com --- (AD user to FreeIPA client), doesn't work
I'm not sure what to look at in the SSSD logs to see what's going wrong here. I have uploaded sanitized SSSD logs from rl9-ipa-client1.in.subdomain.contoso.com for a failed login attempt (listed above as not working) at the following link: https://privatebin.net/?55e82c73463ae145#A59jSajU1ZwEwr3nEKhPqsT8Um4QXqHhQ2d...
If anyone can tell what my issue is here, or if other logs would be helpful let me know. I appreciate the help!
Thanks, Erik
freeipa-users@lists.fedorahosted.org