[Freeipa-users] Unable to Login until Trust is Repaired

Alexander Bokovoy abokovoy at redhat.com
Thu Nov 13 13:31:25 UTC 2014


On Wed, 12 Nov 2014, Jonathan Bradford wrote:
>This is my first post on the IPA mailing list. Hey guys :)
>
>I've successfully walked through the IdM Red Hat document on "Integrating
>with Active Directory Through Cross-Realm Kerberos Trusts" using separate
>DNS domains. I've reached the part where you test the trust using SSH via
>PuTTY, and I have noticed a problem.
>
>If I add a user in Active Directory (group mapping is on), the user cannot
>immediately SSH to an IPA host. In fact, it never allows me to login until
>I first login to a Windows machine with the account and then repair the
>trust via AD.
>
>To repair the trust, I have to go to AD Domains and Trusts > Properties >
>Trusts> and Validate the incoming and outgoing connections. When I do this,
>it gives me an error message about the RPC server not running, but if I
>proceed, it eventually tells me that the connection has been repaired. Only
>after doing this can I successfully SSH with a new user.
>
>Do you have any idea why this might be happening? I have followed Red Hat's
>documentation exactly, so I am not sure why I am having issues. If you have
>any thoughts or ideas, I would greatly appreciate them. Thanks!
We need to see debugging output to make a decision on what is happening.
From your description I'd say you haven't had a trust properly
configured and most likely either AD DCs don't see IPA masters directly
or there is a domain/NetBIOS name conflict in place.

You can produce logs by following
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
For RHEL 6.x configuration use 'service' instead of 'systemctl' and
separate actions for starting/stopping multiple services:

service smb stop
service winbind stop

..

service smb start
service winbind start

..

You can then send logs to me directly.

-- 
/ Alexander Bokovoy
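The stop/start steps from the reply, as an added example that is not part of the original thread, written so one script works on RHEL 6.x (SysV `service`) and on systemd hosts; the `INIT_TOOL` and `DRY_RUN` variables and the `/var/log/samba` path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original reply): run the stop/start steps
# with the right argument order for SysV 'service' or 'systemctl'.
# INIT_TOOL, DRY_RUN and the /var/log/samba path are assumptions.
INIT_TOOL="${INIT_TOOL:-$(command -v systemctl >/dev/null 2>&1 && echo systemctl || echo service)}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the commands instead of running them

# svc ACTION NAME: runs 'systemctl ACTION NAME' or 'service NAME ACTION'.
svc() {
    if [ "$INIT_TOOL" = systemctl ]; then
        set -- systemctl "$1" "$2"
    else
        set -- service "$2" "$1"
    fi
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Stop both daemons, then start them again one action at a time, in the
# order the reply gives. Reproduce the failing SSH login after this
# returns, then call collect_logs.
trust_debug_cycle() {
    svc stop smb
    svc stop winbind
    svc start smb
    svc start winbind
}

# Bundle the Samba/winbind logs into one archive and print its path so
# the caller knows what to attach when sending logs to the list.
collect_logs() {
    out="${1:-/tmp/samba-trust-logs-$(date +%Y%m%d%H%M%S).tar.gz}"
    if [ "$DRY_RUN" = 1 ]; then
        echo "tar czf $out /var/log/samba"
    else
        tar czf "$out" /var/log/samba && echo "$out"
    fi
}
```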
