[Freeipa-users] RHEL 5 client?
Guertin, David S.
guertin at middlebury.edu
Wed Apr 1 18:28:53 UTC 2015
>The 5.x ipa-client should work fine. What isn't working?
I cannot SSH in as an AD user. (Sorry, I should have mentioned that in my original post.) The client installs without errors, and I can get a Kerberos ticket for the admin user. But when I try to SSH in as an AD domain user, the login fails:
$ ssh -l 'MIDD\juser' yakko.ipa
Red Hat Enterprise Linux Server release 5.11 (Tikanga)
Kernel 2.6.18-402.el5 on an x86_64
Password:
Password:
Password:
MIDD\juser@yakko.ipa's password:
Received disconnect from 140.233.1.100: 2: Too many authentication failures for MIDD\\juser
And on the client, with debug_level = 10 for sssd, /var/log/sssd/sssd_nss.log shows:
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_ncache_set_str] (6): Adding [NCE/USER/ipa.middlebury.edu/MIDD\juser] to negative cache
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No results for getpwnam call
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_dp_req_destructor] (8): Could not clear entry from request queue
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [MIDD\juser] from [<ALL>]
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/ipa.middlebury.edu/MIDD\juser]
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [MIDD\juser] does not exist in [ipa.middlebury.edu]! (negative cache)
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No matching domain found for [MIDD\juser], fail!
There's a trust relationship set up between the IPA domain and the AD domain, but it's like the RHEL 5 client doesn't know about it. Did I miss something?
David Guertin