[Freeipa-users] RHEL 5 client?

Alexander Bokovoy abokovoy at redhat.com
Thu Apr 2 04:22:37 UTC 2015


On Wed, 01 Apr 2015, Guertin, David S. wrote:
>>The 5.x ipa-client should work fine. What isn't working?
>
>I cannot SSH in as an AD user. (Sorry, I should have mentioned that in
>my original post.) The client installs without errors, and I can get a
>Kerberos ticket for the admin user. But when I try to SSH in as an AD
>domain user, the login fails:
>
>$ ssh -l 'MIDD\juser' yakko.ipa
>Red Hat Enterprise Linux Server release 5.11 (Tikanga)
>Kernel 2.6.18-402.el5 on an x86_64
>
>Password:
>Password:
>Password:
>MIDD\juser at yakko.ipa's password:
>Received disconnect from 140.233.1.100: 2: Too many authentication failures for MIDD\\juser
>
>And on the client, with debug_level = 10 for sssd, /var/log/sssd/sssd_nss.log shows:
>
>(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_ncache_set_str] (6): Adding [NCE/USER/ipa.middlebury.edu/MIDD\juser] to negative cache
>(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No results for getpwnam call
>(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_dp_req_destructor] (8): Could not clear entry from request queue
>(Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
>(Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
>(Wed Apr  1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
>(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [MIDD\juser] from [<ALL>]
>(Wed Apr  1 14:24:03 2015) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/ipa.middlebury.edu/MIDD\juser]
>(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [MIDD\juser] does not exist in [ipa.middlebury.edu]! (negative cache)
>(Wed Apr  1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No matching domain found for [MIDD\juser], fail!
>
>There's a trust relationship set up between the IPA domain and the AD
>domain, but it's like the RHEL 5 client doesn't know about it. Did I
>miss something?

Show your sssd.conf.
Practically, in order to provide access to RHEL5 systems for AD users,
you need to configure sssd on RHEL5 against the compat tree on IPA LDAP.
On top of that, we had a few bugs that prevented successful authentication
from completing from older clients against the compat tree. These bugs are fixed
as part of the RHEL7.1 update 1 cumulative release.

A typical RHEL5 configuration script can be obtained by running
'ipa-advise config-redhat-sssd-before-1-9' on IPA master.
-- 
/ Alexander Bokovoy
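As an added example, not text from the reply above and not what ipa-advise prints, the following script renders the kind of sssd.conf the reply describes (a pre-1.9 sssd on a RHEL 5 client pointed at the IPA compat tree) and then runs the two checks that tell "the server does not publish this trusted-domain user" apart from "this client cannot resolve it". The host name, base DN and CA certificate path are constructed placeholders; the authconfig flags are assumed to be available on a RHEL 5.11 client.

```shell
#!/bin/sh
# Added example, not ipa-advise output: point a pre-1.9 sssd (RHEL 5) at the
# IPA compat tree and verify the result. Host name, base DN and CA path are
# constructed placeholders; override them in the environment.
IPA_MASTER="${IPA_MASTER:-ipa-master.example.test}"
IPA_BASE_DN="${IPA_BASE_DN:-dc=example,dc=test}"
IPA_CA_CERT="${IPA_CA_CERT:-/etc/openldap/cacerts/ipa.crt}"
SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"

# Render the config. Identity and authentication both go through
# cn=compat,<suffix>: entries for users of the trusted AD domain are
# synthesised there by the schema-compat plugin, and the simple bind done for
# auth_provider = ldap is passed through to the AD KDC, which is what lets an
# AD user log in on a client whose own sssd knows nothing about the trust.
render_sssd_conf() {
    cat <<EOF
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://${IPA_MASTER}
ldap_search_base = cn=compat,${IPA_BASE_DN}
ldap_tls_cacert = ${IPA_CA_CERT}
ldap_tls_reqcert = demand
cache_credentials = True
EOF
}

# Escape a value for use inside an LDAP search filter (RFC 4515). The
# backslash in a 'DOMAIN\user' name must become \5c or the filter is invalid.
ldap_escape_filter_value() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the filter that looks a user up in the compat users container.
compat_user_filter() {
    printf '(uid=%s)' "$(ldap_escape_filter_value "$1")"
}

install_sssd_conf() {
    render_sssd_conf > "$SSSD_CONF"
    chmod 0600 "$SSSD_CONF"            # sssd refuses a config readable by others
    # RHEL 5's authconfig is assumed to support sssd (it does on 5.11):
    authconfig --enablesssd --enablesssdauth --update
    service sssd restart               # also drops the in-memory negative cache
}

# Two checks: query the compat tree on the master directly, then ask the
# client's own NSS, which is what the sssd_nss.log lines in the thread reflect.
# If the first finds the user and the second does not, the client config is
# the problem; if neither does, look at the server side first.
check_user() {
    user="$1"                          # e.g. 'MIDD\juser'
    ldapsearch -x -H "ldap://${IPA_MASTER}" \
        -b "cn=users,cn=compat,${IPA_BASE_DN}" \
        "$(compat_user_filter "$user")" dn uid uidNumber
    getent passwd "$user"
}

# Usage: sh legacy-sssd.sh render            (print the config only)
#        sh legacy-sssd.sh apply 'MIDD\juser' (install, restart, verify)
case "${1:-}" in
    render) render_sssd_conf ;;
    apply)  install_sssd_conf && check_user "$2" ;;
esac
```

The getent call reproduces, without going through sshd, exactly the lookup that the nss responder logged as "No matching domain found", so it is the quickest way to confirm a configuration change actually took effect before retrying the SSH login.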