[Freeipa-users] FreeIPA ActiveDirectory Integration, Fedora and Windows 2008 R2 AD: "ipa: ERROR: an internal error has occurred"

Alexander Bokovoy abokovoy at redhat.com
Sat Sep 13 18:59:07 UTC 2014


On Sat, 13 Sep 2014, Traiano Welcome wrote:
>On Sat, Sep 13, 2014 at 7:03 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>
>> On Sat, 13 Sep 2014, Traiano Welcome wrote:
>>
>>> Hi
>>>
>>> I've managed to get trusts working with CentOS 7 as an IdM server, Win2K8R2
>>> AD DC and CentOS6.5 as a client, using the exact same series of steps as in
>>> the documentation. Attached is the process I used.
>>>
>> You got one step wrong:
>> ============================================================================
>> 8. Modify /etc/krb5.conf
>>
>> [realms]
>> ENGENEON.LOCAL = {
>>  kdc = idm003.engeneon.local:88
>>  master_kdc = idm003.engeneon.local:88
>>  admin_server = idm003.engeneon.local:749
>>  default_domain = engeneon.local
>>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>>  auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
>>  auth_to_local = DEFAULT
>> }
>> ============================================================================
>>
>> Here you have to substitute AD_DOMAIN and ad_domain by your actual
>> AD domain name. This change has to be done currently on every IPA
>> machine where you are expecting AD users to log in.
>>
>>
>
>
>Doh! ok, fixed. Although, I didn't notice any login failures testing with a
>bunch of users. Is it possible this behavior is already being adapted
>around in either one of PAM, OpenSSH or KRB5?
This affects single sign-on logins, i.e. when you try to log on with a
Kerberos ticket.

-- 
/ Alexander Bokovoy
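
Added example, not part of the original message and not FreeIPA or MIT Kerberos code: a simplified Python model of how the auth_to_local lines from step 8 are evaluated, showing that with the AD_DOMAIN placeholder left in place an AD principal gets no local name, while principals in the IPA realm still map through DEFAULT. The AD realm AD.EXAMPLE.TEST, the principals and the helper names are constructed for illustration, and only the rule form shown on this page is modelled.

```python
import re

# The rule form used on this page: RULE:[n:string](regexp)s/pattern/replacement/
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]+)\]\(([^)]*)\)s/([^/]*)/([^/]*)/(g?)")

# Constructed sample: the step 8 rules with the placeholders left in.
TEMPLATE = """[realms]
ENGENEON.LOCAL = {
 auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
 auth_to_local = DEFAULT
}
"""
# Same rules with a constructed AD realm substituted for the placeholders.
FIXED = TEMPLATE.replace("AD_DOMAIN", "AD.EXAMPLE.TEST").replace(
    "ad_domain", "ad.example.test")

def parse_rules(conf_text):
    """Return the auth_to_local values in the order they appear."""
    return [line.split("=", 1)[1].strip()
            for line in conf_text.splitlines()
            if line.strip().startswith("auth_to_local")]

def map_principal(principal, rules, default_realm):
    """Simplified evaluation: the first rule that matches decides the name."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT maps only single-component principals of the default realm.
            if realm == default_realm and len(comps) == 1:
                return name
            continue
        m = RULE_RE.fullmatch(rule)
        if not m or int(m.group(1)) != len(comps):
            continue  # rule applies only to principals with n components
        # Build the selection string: $0 is the realm, $N the Nth component.
        sel = re.sub(r"\$(\d)",
                     lambda d: ([realm] + comps)[int(d.group(1))], m.group(2))
        if re.search(m.group(3), sel):
            return re.sub(m.group(4), m.group(5), sel,
                          count=0 if m.group(6) else 1)
    return None  # no mapping: the ticket cannot be tied to a local account

if __name__ == "__main__":
    for label, conf in (("placeholder", TEMPLATE), ("substituted", FIXED)):
        for princ in ("jdoe@AD.EXAMPLE.TEST", "admin@ENGENEON.LOCAL"):
            print(label, princ, "->",
                  map_principal(princ, parse_rules(conf), "ENGENEON.LOCAL"))
```
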



