[Freeipa-users] CentOS IPA Client using Fedora IPA Server - SSO Fails from AD Trust domain

Alexander Bokovoy abokovoy at redhat.com
Wed Feb 5 07:39:27 UTC 2014


On Tue, 04 Feb 2014, Mark Gardner wrote:
>I'm trying to configure our CentOS IPA Client for Single Sign On from our
>trusted AD domain.
>SSO works fine when I ssh to the IPA server, but not to the CentOS Client.
>It prompts for password which it accepts, so it's getting the
>authentication from the AD domain.
>
>Fedora 20 IPA Server
>CentOS 6.5 IPA Client
>Win 2012 AD Domain Server
>
>Setup as IPA as a subdomain of AD.
>AD Domain: test.local
>IPA Domain: hosted.test.local
>
>Anybody run into this? Suggestions?

Each client needs to be configured to accept AD users' SSO.

Check that /etc/krb5.conf contains auth_to_local rules mapping principals from
AD to their names as returned by SSSD.

SSH daemon is picky about principal/name mapping.
-- 
/ Alexander Bokovoy
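
To see why the mapping matters, here is a simplified model of how `auth_to_local` rules turn a Kerberos principal into a local name. It is an added example, not part of the original post and not MIT krb5 or FreeIPA code. The sample krb5.conf is constructed from the realm names in the thread, and it assumes SSSD returns AD users as `user@test.local`.

```python
import re

# Constructed sample for the realms named in the thread (not the poster's file).
KRB5_CONF = """\
[libdefaults]
 default_realm = HOSTED.TEST.LOCAL
[realms]
 HOSTED.TEST.LOCAL = {
  kdc = ipa.hosted.test.local:88
  auth_to_local = RULE:[1:$1@$0](^.*@TEST.LOCAL$)s/@TEST.LOCAL/@test.local/
  auth_to_local = DEFAULT
 }
"""

# RULE:[n:format](regexp)s/pattern/replacement/[g]
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

def auth_to_local_rules(conf_text):
    """Return every auth_to_local value in file order (simplification:
    the real library reads only the default realm's section)."""
    found = re.finditer(r"^\s*auth_to_local\s*=\s*(.+)$", conf_text, re.M)
    return [m.group(1).strip() for m in found]

def map_principal(principal, rules, default_realm):
    """Return the local name the first applicable rule yields, or None."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps single-component principals of the default realm.
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        m = RULE_RE.match(rule)
        if not m or int(m.group(1)) != len(comps):
            continue  # wrong component count: rule does not apply
        fmt, regex, pat, repl, flag = m.group(2, 3, 4, 5, 6)
        # $0 is the realm, $1..$n are the principal's components.
        s = re.sub(r"\$(\d)", lambda d: ([realm] + comps)[int(d.group(1))], fmt)
        if regex and not re.fullmatch(regex, s):
            continue  # the filter must match the whole formatted string
        if pat is not None:
            s = re.sub(pat, lambda _: repl, s, count=0 if flag else 1)
        return s
    return None  # no mapping: the principal does not match a local account
```

With only `DEFAULT` present, a principal from `TEST.LOCAL` gets no local name at all. With the `RULE` line it becomes `jdoe@test.local`.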