[Freeipa-users] RHEL 5 client?

Guertin, David S. guertin at middlebury.edu
Wed Apr 1 18:28:53 UTC 2015


>The 5.x ipa-client should work fine. What isn't working?

I cannot SSH in as an AD user. (Sorry, I should have mentioned that in my original post.) The client installs without errors, and I can get a Kerberos ticket for the admin user. But when I try to SSH in as an AD domain user, the login fails:

$ ssh -l 'MIDD\juser' yakko.ipa
Red Hat Enterprise Linux Server release 5.11 (Tikanga)
Kernel 2.6.18-402.el5 on an x86_64

Password: 
Password: 
Password: 
MIDD\juser at yakko.ipa's password: 
Received disconnect from 140.233.1.100: 2: Too many authentication failures for MIDD\\juser

And on the client, with debug_level = 10 for sssd, /var/log/sssd/sssd_nss.log shows:

(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_ncache_set_str] (6): Adding [NCE/USER/ipa.middlebury.edu/MIDD\juser] to negative cache
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No results for getpwnam call
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_dp_req_destructor] (8): Could not clear entry from request queue
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [MIDD\juser] from [<ALL>]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/ipa.middlebury.edu/MIDD\juser]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [MIDD\juser] does not exist in [ipa.middlebury.edu]! (negative cache)
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No matching domain found for [MIDD\juser], fail!

There's a trust relationship set up between the IPA domain and the AD domain, but it's like the RHEL 5 client doesn't know about it. Did I miss something?

David Guertin
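
Added example, not part of the original message: a short Python script that groups the getpwnam outcomes in an sssd_nss.log excerpt by user name, so that negative-cache entries and "No matching domain" failures like the ones quoted above stand out. The regular expressions are assumptions derived only from the log lines in this message, and the sample input reuses four of those lines.

```python
import re
from collections import defaultdict

# Line layout seen in the post: (timestamp) [sssd[nss]] [function] (level): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>\w+)\]\] "
                     r"\[(?P<func>\w+)\] \((?P<level>\d+)\): (?P<msg>.*)$")
# Message patterns, assumed from the log lines quoted in the post.
PATTERNS = {
    "request": re.compile(r"Requesting info for \[(?P<user>[^\]]+)\] from \[(?P<dom>[^\]]+)\]"),
    "neg_add": re.compile(r"Adding \[NCE/USER/(?P<dom>[^/]+)/(?P<user>[^\]]+)\] to negative cache"),
    "neg_hit": re.compile(r"User \[(?P<user>[^\]]+)\] does not exist in \[(?P<dom>[^\]]+)\]! \(negative cache\)"),
    "no_domain": re.compile(r"No matching domain found for \[(?P<user>[^\]]+)\], fail!"),
}

def summarize(lines):
    """Group getpwnam outcomes per user name from sssd_nss.log debug lines."""
    users = defaultdict(lambda: {"requests": 0, "neg_add": set(),
                                 "neg_hit": set(), "no_domain": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognized line
        for kind, pat in PATTERNS.items():
            hit = pat.search(m.group("msg"))
            if not hit:
                continue
            entry = users[hit.group("user")]
            if kind in ("request", "no_domain"):
                entry[kind + "s" if kind == "request" else kind] += 1
            else:
                entry[kind].add(hit.group("dom"))  # domain the cache entry refers to
    return dict(users)

# Sample input: four of the lines quoted in the post above.
SAMPLE = r"""
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_ncache_set_str] (6): Adding [NCE/USER/ipa.middlebury.edu/MIDD\juser] to negative cache
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [MIDD\juser] from [<ALL>]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [MIDD\juser] does not exist in [ipa.middlebury.edu]! (negative cache)
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No matching domain found for [MIDD\juser], fail!
"""

if __name__ == "__main__":
    for user, info in summarize(SAMPLE.splitlines()).items():
        print(user, info)
```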



