[Freeipa-users] ssh login from windows AD trust host not working

Natxo Asenjo natxo.asenjo at gmail.com
Fri Apr 19 20:14:36 UTC 2013


Hi,

A bit puzzled now. I have joined another 2k8r2 host to the AD domain that
is trusted by the ipa domain.

As AD\administrator I can ssh to the Linux host.

I created a bunch of AD users, standard members of 'Domain Users'. But I
cannot log in to the Linux host.

When I run wbinfo --online-status I get this:

# wbinfo --online-status
BUILTIN : online
IPA : online
AD : offline

# wbinfo --domain-info ad.asenjo.nx
Name              : AD
Alt_Name          : ad.asenjo.nx
SID               : S-1-5-21-2508008360-1834726910-79835928
Active Directory  : No
Native            : No
Primary           : No

# wbinfo --domain ad.asenjo.nx -u
With this last command I would expect to see all the users I created in the
AD.

# getent group ad_users
ad_users:*:642801446:administrator at ad.asenjo.nx

This tells me that the external group we created has only the AD
administrator in it, so it makes sense only this one is allowed. But I
checked the SID of the mapped group:

# ipa group-show ad_users_external
  Group name: ad_users_external
  Description: AD users external map
  Member of groups: ad_users
  External member: S-1-5-21-2508008360-1834726910-79835928-513

And it is the AD\Domain Users SID; I checked it on the Windows host because
wbinfo shows me no info:

[root at kdc ~]# wbinfo -n "AD\Domain Users"
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name AD\Domain Users
[root at kdc ~]# wbinfo -s S-1-5-21-2508008360-1834726910-79835928-513
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-21-2508008360-1834726910-79835928-513
[root at kdc ~]# wbinfo -s S-1-5-21-2508008360-1834726910-79835928-513 -d ad.asenjo.nx
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-21-2508008360-1834726910-79835928-513

So how can I get the rest of the users in the group mapped?

TIA,

-- 
groet,
natxo