<div dir="rtl"><div> </div><div dir="ltr" style="text-align:left">I have seen threads where opened on trust issues: "AD - Freeipa trust confusion" "Cross domain trust" "Cannot loging via SSH with AD user TO IPA Domain" - which I opened. It looks like after creation of trust, TGT ticket can be issued from AD, but "su" and "ssh" do not allow a log in with AD user. I'm not sure if a conclusion has been reached on this subject. I gave it a try again and attempted to create a trust with IPA as a DNS subdomain of AD. I followed : <a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html</a> AD domain: <a href="http://ADEXAMPLE.COM">ADEXAMPLE.COM</a> IPA subdoamin: <a href="http://LINUX.ADEXAMPLE.COM">LINUX.ADEXAMPLE.COM</a> When i finished the necessary steps i attempted to retrieve a TGT from AD (while logged in to IPA server): [root@ipaserver1 sbin]# kinit <a href="mailto:Administrator@ADEXAMPLE.COM">Administrator@ADEXAMPLE.COM</a> Password for <a href="mailto:Administrator@ADEXAMPLE.COM">Administrator@ADEXAMPLE.COM</a>: [root@ipaserver1 sbin]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: <a href="mailto:Administrator@ADEXAMPLE.COM">Administrator@ADEXAMPLE.COM</a> Valid starting Expires Service principal 02/14/14 07:50:21 02/14/14 17:50:20 krbtgt/<a href="mailto:ADEXAMPLE.COM@ADEXAMPLE.COM">ADEXAMPLE.COM@ADEXAMPLE.COM</a> renew until 02/15/14 07:50:21 But logging in by "ssh" and "su" ended in failure: login as: <a href="mailto:Administrator@ADEXAMPLE.COM">Administrator@ADEXAMPLE.COM</a> Administrator@ADDC.COM@<a href="http://192.168.227.201">192.168.227.201</a>'s password: Access denied After reading <a href="http://www.freeipa.org/page/IPAv3_testing_AD_trust#Create_a_trust_to_an_AD_domain">http://www.freeipa.org/page/IPAv3_testing_AD_trust#Create_a_trust_to_an_AD_domain</a> i did the following on the AD server: Administrative Tools -> Active Directory Domains and Trust -> <a href="http://adexample.com">adexample.com</a> (right click) -> Properties -> Trust -> Domain Trusted by this domain (outgoing trust) -> Properties -> General -> Validate After doing this i was able to login via "ssh" and "su" with "Administrator" user : login as: <a href="mailto:Administrator@ADEXAMPLE.COM">Administrator@ADEXAMPLE.COM</a> Administrator@ADEXAMPLE.COM@<a href="http://192.168.227.201">192.168.227.201</a>'s password: Last login: Wed Feb 12 14:39:49 2014 from 192.168.227.1 Could not chdir to home directory /home/<a href="http://adexample.com/administrator">adexample.com/administrator</a>: No such file or directory /usr/bin/xauth: error in locking authority file /home/<a href="http://adexample.com/administrator/.Xauthority">adexample.com/administrator/.Xauthority</a> -sh-4.1$ But still not able to login with other AD accounts: [root@ipaserver1 sbin]# su <a href="mailto:Genadi@ADEXAMPLE.COM">Genadi@ADEXAMPLE.COM</a> su: user <a href="mailto:Genadi@ADEXAMPLE.COM">Genadi@ADEXAMPLE.COM</a> does not exist After reading the other threads, ill try and provide as much information as i can: wbinfo -u does not return values. [root@ipaserver1 sbin]# wbinfo -u [root@ipaserver1 sbin]# wbinfo -u output: [root@ipaserver1 sbin]# wbinfo -g admins editors default smb group ad_users wbinfo --online-status shows ADEXAMPLE is offline [root@ipaserver1 ~]# wbinfo --online-status BUILTIN : online LINUX : online ADEXAMPLE : offline getent for Administrator does return value. [root@ipaserver1 sbin]# getent passwd <a href="mailto:Administrator@ADEXAMPLE.COM">Administrator@ADEXAMPLE.COM</a> administrator@adexample.com:*:699000500:699000500::/home/<a href="http://adexample.com/administrator">adexample.com/administrator</a>: getent for other AD users does not return value. [root@ipaserver1 sbin]# getent passwd <a href="mailto:Genadi@ADEXAMPLE.COM">Genadi@ADEXAMPLE.COM</a> [root@ipaserver1 sbin]# System info/configurations: [root@ipaserver1 ~]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 6.2 Beta (Santiago) [root@ipaserver1 sbin]# rpm -qa | grep ipa ipa-python-3.0.0-37.el6.x86_64 ipa-client-3.0.0-37.el6.x86_64 libipa_hbac-python-1.9.2-129.el6.x86_64 ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-server-trust-ad-3.0.0-37.el6.x86_64 libipa_hbac-1.9.2-129.el6.x86_64 ipa-admintools-3.0.0-37.el6.x86_64 ipa-server-selinux-3.0.0-37.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch ipa-server-3.0.0-37.el6.x86_64 python-iniparse-0.3.1-2.1.el6.noarch [root@ipaserver1 ~]# rpm -qa | grep sssd sssd-1.9.2-129.el6.x86_64 sssd-client-1.9.2-129.el6.x86_64 [root@ipaserver1 sbin]# rpm -qa | grep samb samba4-common-4.0.0-60.el6_5.rc4.x86_64 samba4-winbind-clients-4.0.0-60.el6_5.rc4.x86_64 samba4-libs-4.0.0-60.el6_5.rc4.x86_64 samba4-python-4.0.0-60.el6_5.rc4.x86_64 samba4-4.0.0-60.el6_5.rc4.x86_64 samba4-client-4.0.0-60.el6_5.rc4.x86_64 samba4-winbind-4.0.0-60.el6_5.rc4.x86_64 SSSD [root@ipaserver1 ~]# cat /etc/sssd/sssd.conf [domain/<a href="http://linux.adexample.com">linux.adexample.com</a>] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = <a href="http://linux.adexample.com">linux.adexample.com</a> id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = <a href="http://ipaserver1.linux.adexample.com">ipaserver1.linux.adexample.com</a> chpass_provider = ipa ipa_server = <a href="http://ipaserver1.linux.adexample.com">ipaserver1.linux.adexample.com</a> ldap_tls_cacert = /etc/ipa/ca.crt subdomains_provider = ipa debug_level = 6 [sssd] services = nss, pam, ssh, pac config_file_version = 2 domains = <a href="http://linux.adexample.com">linux.adexample.com</a> debug_level = 6 [nss] debug_level = 6 [pam] debug_level = 6 [sudo] debug_level = 6 [autofs] debug_level = 6 [ssh] debug_level = 6 [pac] debug_level = 6 KRB5 [root@ipaserver1 ~]# cat /etc/krb5.conf includedir /var/lib/sss/pubconf/krb5.include.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = <a href="http://LINUX.ADEXAMPLE.COM">LINUX.ADEXAMPLE.COM</a> dns_lookup_realm = false dns_lookup_kdc = true rdns = false ticket_lifetime = 24h forwardable = yes [realms] <a href="http://LINUX.ADEXAMPLE.COM">LINUX.ADEXAMPLE.COM</a> = { kdc = <a href="http://ipaserver1.linux.adexample.com:88">ipaserver1.linux.adexample.com:88</a> master_kdc = <a href="http://ipaserver1.linux.adexample.com:88">ipaserver1.linux.adexample.com:88</a> admin_server = <a href="http://ipaserver1.linux.adexample.com:749">ipaserver1.linux.adexample.com:749</a> default_domain = <a href="http://linux.adexample.com">linux.adexample.com</a> pkinit_anchors = FILE:/etc/ipa/ca.crt auth_to_local = RULE:[1:$1@$0](^.*@<a href="http://ADEXAMPLE.COM">ADEXAMPLE.COM</a>$)s/@<a href="http://ADEXAMPLE.COM/@adexample.com/">ADEXAMPLE.COM/@adexample.com/</a> auth_to_local = DEFAULT } [domain_realm] .<a href="http://linux.adexample.com">linux.adexample.com</a> = <a href="http://LINUX.ADEXAMPLE.COM">LINUX.ADEXAMPLE.COM</a> <a href="http://linux.adexample.com">linux.adexample.com</a> = <a href="http://LINUX.ADEXAMPLE.COM">LINUX.ADEXAMPLE.COM</a> [dbmodules] <a href="http://LINUX.ADEXAMPLE.COM">LINUX.ADEXAMPLE.COM</a> = { db_library = ipadb.so } I have increased the debug level of the IPA components. </div><div dir="ltr" style="text-align:left"> Here are the logs (krb5_child.log, ldap_child.log, log.smbd, log.wb-ADEXAMPLE, log.wb-LINUX, log.winbindd, log.winbindd-dc-connect, log.winbindd-idmap, sssd.log, sssd_linux.adexample.com.log,sssd_nss.log, sssd_pac.log, sssd_pam.log, sssd_ssh.log, /var/log/secure): <a href="https://gist.github.com/anonymous/9006532">https://gist.github.com/anonymous/9006532</a> </div><div dir="ltr" style="text-align:left">Any insights on why only Administrator is recognized by the Trust? And why extra step on AD was needed? </div><div dir="ltr" style="text-align:left"> </div></div>