<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css" style="display:none"></style> </head> <body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;"> <p>I'm trying to set up a trust relationship between IPA and our Active Directory environment so that our AD users can log in to our Linux machines. The two-way trust relationship appears to be set up correctly, with no errors reported, and everything looking normal in the GUI and the CLI. For example:<br> </p> <p><br> </p> <div># klist</div> <div>Ticket cache: FILE:/tmp/krb5cc_0</div> <div>Default principal: admin@CSNS.MIDDLEBURY.EDU</div> <div><br> </div> <div>Valid starting Expires Service principal</div> <div>03/02/15 10:13:40 03/03/15 10:13:10 krbtgt/CSNS.MIDDLEBURY.EDU@CSNS.MIDDLEBURY.EDU</div> <div>03/02/15 10:15:13 03/03/15 10:13:10 host/ipa1.csns.middlebury.edu@CSNS.MIDDLEBURY.EDU</div> <div>03/02/15 10:15:35 03/03/15 10:13:10 krbtgt/MIDDLEBURY.EDU@CSNS.MIDDLEBURY.EDU</div> <div>03/02/15 10:15:46 03/02/15 20:15:46 host/ad1.middlebury.edu@MIDDLEBURY.EDU</div> <div>03/02/15 10:56:55 03/03/15 10:13:10 HTTP/ipa1.csns.middlebury.edu@CSNS.MIDDLEBURY.EDU<br> </div> <div><br> </div> <div>In this case, middlebury.edu is our AD domain, and csns.middlebury.edu is our new IPA domain, set up as a subdomain.<br> </div> <p><br> </p> <p>I have created IPA and AD groups for AD users, and set them up according the documentation:<br> </p> <p><br> </p> <p>ipa group-add --desc='AD users external map' ad_users_external --external<br> </p> <p>ipa group-add --desc='AD users' ad_users<br> </p> <p>ipa group-add-member ad_users_external --external "<AD DOMAIN>\IPA group"<br> </p> <p>ipa group-add-member ad_users --groups ad_users_external<br> </p> <p><br> </p> <p>So now the AD group "IPA group" is a member of the IPA group ad_users_external , which is in turn a member of ad_users.<br> </p> <p><br> </p> <p>I would expect that any AD users I put into the group "IPA group" should show up as valid users in IPA, but they don't. And when I try to add an AD user directly into the ad_users_external group, it is added without error (and the correct SID shows up), but the user still can't log in.<br> </p> <div><br> </div> <div>If the user tries to SSH in the logs show:<br> </div> <div>Mar 2 11:13:42 ipa1 sshd[31720]: Invalid user testuser from *.*.*.*<br> </div> <div>Mar 2 11:13:42 ipa1 sshd[31721]: input_userauth_request: invalid user testuser<br> </div> <p><br> </p> <p>And if root tries to su to the user, it also fails:<br> </p> <p>su: user testuser does not exist<br> </p> <p><br> </p> <p>I would expect the user to show up. What have I missed?<br> </p> <p><br> </p> <p>David Guertin<br> </p> </body> </html>