[Freeipa-users] RHEL 5 client?

Dmitri Pal dpal at redhat.com
Thu Apr 2 03:00:30 UTC 2015


On 04/01/2015 02:28 PM, Guertin, David S. wrote:
>> The 5.x ipa-client should work fine. What isn't working?
> I cannot SSH in as an AD user. (Sorry, I should have mentioned that in my original post.) The client installs without errors, and I can get a Kerberos ticket for the admin user. But when I try to SSH in as an AD domain user, the login fails:
>
> $ ssh -l 'MIDD\juser' yakko.ipa
> Red Hat Enterprise Linux Server release 5.11 (Tikanga)
> Kernel 2.6.18-402.el5 on an x86_64
>
> Password:
> Password:
> Password:
> MIDD\juser@yakko.ipa's password:
> Received disconnect from 140.233.1.100: 2: Too many authentication failures for MIDD\\juser
>
> And on the client, with debug_level = 10 for sssd, /var/log/sssd/sssd_nss.log shows:
>
> (Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_ncache_set_str] (6): Adding [NCE/USER/ipa.middlebury.edu/MIDD\juser] to negative cache
> (Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No results for getpwnam call
> (Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_dp_req_destructor] (8): Could not clear entry from request queue
> (Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
> (Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
> (Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
> (Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [MIDD\juser] from [<ALL>]
> (Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/ipa.middlebury.edu/MIDD\juser]
> (Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [MIDD\juser] does not exist in [ipa.middlebury.edu]! (negative cache)
> (Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No matching domain found for [MIDD\juser], fail!
>
> There's a trust relationship set up between the IPA domain and the AD domain, but it's like the RHEL 5 client doesn't know about it. Did I miss something?
>
> David Guertin
>
Ah, so you are using it with trust. Then you should change the 
configuration to not use Kerberos but rather LDAP instead.
More details are here:
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
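
An added example, not part of the original thread: a small Python parser for the sssd_nss.log debug lines quoted above. It reports which requested names ended in "No matching domain found" and whether they were domain-qualified, which is the symptom described in the thread. The function names and the sample domain ipa.example.test are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the sssd_nss.log debug format quoted above.
SAMPLE_LOG = r"""
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [MIDD\juser] from [<ALL>]
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [MIDD\juser] does not exist in [ipa.example.test]! (negative cache)
(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No matching domain found for [MIDD\juser], fail!
(Wed Apr  1 14:25:10 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [admin] from [<ALL>]
"""

LINE = re.compile(r"^\((?P<ts>[^)]*)\) \[sssd\[(?P<svc>\w+)\]\] "
                  r"\[(?P<func>\w+)\] \((?P<level>\d+)\): (?P<msg>.*)$")
EVENTS = {
    "requested": re.compile(r"Requesting info for \[(?P<name>[^\]]+)\] from \["),
    "negative_cache": re.compile(r"User \[(?P<name>[^\]]+)\] does not exist in "
                                 r"\[(?P<dom>[^\]]+)\]! \(negative cache\)"),
    "no_domain": re.compile(r"No matching domain found for \[(?P<name>[^\]]+)\], fail!"),
}

def summarize(log_text):
    """Count lookup events per requested user name (nss responder only)."""
    stats = defaultdict(lambda: {"requested": 0, "negative_cache": 0,
                                 "no_domain": 0, "domains": set()})
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line or line["svc"] != "nss":
            continue
        for event, pattern in EVENTS.items():
            hit = pattern.search(line["msg"])
            if hit:
                entry = stats[hit["name"]]
                entry[event] += 1
                if event == "negative_cache":
                    entry["domains"].add(hit["dom"])
                break
    return dict(stats)

def unresolved(log_text):
    """Names no SSSD domain resolved: (name, is_qualified, rejecting domains)."""
    report = []
    for name, entry in sorted(summarize(log_text).items()):
        if entry["no_domain"]:
            qualified = "\\" in name or "@" in name
            report.append((name, qualified, sorted(entry["domains"])))
    return report

if __name__ == "__main__":
    print(unresolved(SAMPLE_LOG))
```

A domain-qualified name that every configured domain rejects, as in the sample, means the client has no SSSD domain that answers for that qualifier.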