[Freeipa-users] Freeipa4 - AD SSH logins

Aric Wilisch awilisch at gmail.com
Wed Apr 15 17:43:55 UTC 2015


Today I managed to finally get a trust established between my AD Domain and my FreeIPA 4 environment. 

However, I'm noticing a couple of issues and hope someone might be able to help.

First, when a user logs in, their home directory is created in /home/fioptics/<username> rather than /home/<username>. I read that you had to put 
subdomain_homedir= /home in /etc/sssd/sssd.conf, but that didn't seem to fix it. 

Also the FreeIPA environment is set to use /bin/bash as the shell, however everyone from AD is logging in and using /bin/sh.

I'm hoping that if I can get these issues sorted out, the other issues I'm seeing will go away as well; if they don't, I can address those at that time.

Let me know what else I would need to post to help diagnose this. I'm including the sssd.conf and krb5.conf files below.

I appreciate any help anyone can give.

—————————
sssd.conf


# NOTE(review): this listing is labelled "sssd.conf" in the post, but its content is
# krb5.conf material (includedir, [libdefaults], [realms], [domain_realm], [dbmodules])
# and it is identical to the krb5.conf listing further down. An sssd.conf would carry
# [sssd] and [domain/...] sections; that file -- where subdomain_homedir and
# override_shell / override_homedir would live -- is not shown in the post.
# Snippets SSSD writes for the trusted domain are merged in from this directory.
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = STAGING.FIOPTICS.INT
# KDCs are located via DNS SRV records; the realm itself is not guessed from DNS.
 dns_lookup_realm = false
 dns_lookup_kdc = true
# No reverse-DNS canonicalisation of host names when building service principals.
 rdns = false
 ticket_lifetime = 24h
# TGTs are forwardable by default; a forwarded TGT lets the remote host act as the
# user, so credential delegation (e.g. in ssh) should stay limited to trusted hosts.
 forwardable = yes
# 0: TCP is tried before UDP for every KDC exchange.
 udp_preference_limit = 0
# Per-uid kernel keyring instead of /tmp ccache files.
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 STAGING.FIOPTICS.INT = {
  kdc = stip01.staging.fioptics.int:88
  master_kdc = stip01.staging.fioptics.int:88
  admin_server = stip01.staging.fioptics.int:749
  default_domain = staging.fioptics.int
# Trust anchor for PKINIT: the IPA CA certificate.
  pkinit_anchors = FILE:/etc/ipa/ca.crt
# auth_to_local may be given several times in MIT krb5; rules are tried in order.
# The RULE rewrites user@AD_DOMAIN to user@ad_domain before DEFAULT is consulted.
# NOTE(review): if AD_DOMAIN / ad_domain are literal here rather than a redaction
# of the real trusted domain name, this RULE matches no real principal and only
# DEFAULT applies -- confirm against the actual file.
  auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
  auth_to_local = DEFAULT
}

[domain_realm]
 .staging.fioptics.int = STAGING.FIOPTICS.INT
 staging.fioptics.int = STAGING.FIOPTICS.INT

# KDC-side only: read by krb5kdc (ipadb.so backs the KDC with the IPA directory);
# client libraries ignore this section.
[dbmodules]
  STAGING.FIOPTICS.INT = {
    db_library = ipadb.so
  }


————————————————
krb5.conf

# krb5.conf of the IPA client/server shown in the post (same content as the listing
# above that was labelled sssd.conf). Comments below are review annotations.
# SSSD drops per-trusted-domain snippets (domain_realm mappings, localauth plugin
# configuration) into this directory; they are merged into this file at load time.
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = STAGING.FIOPTICS.INT
# Realm is taken from this file, KDC addresses from DNS SRV records.
 dns_lookup_realm = false
 dns_lookup_kdc = true
# Do not reverse-resolve host names when canonicalising service principals.
 rdns = false
 ticket_lifetime = 24h
# Tickets are forwardable by default. This is what allows GSSAPI credential
# delegation over ssh; a delegated TGT can be used by the remote host as the user,
# so keep delegation (client-side GSSAPIDelegateCredentials) restricted.
 forwardable = yes
# With a limit of 0, TCP is attempted before UDP for every message to the KDC.
 udp_preference_limit = 0
# Credential cache lives in the per-uid persistent kernel keyring.
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 STAGING.FIOPTICS.INT = {
  kdc = stip01.staging.fioptics.int:88
  master_kdc = stip01.staging.fioptics.int:88
  admin_server = stip01.staging.fioptics.int:749
  default_domain = staging.fioptics.int
# IPA CA certificate used as the PKINIT trust anchor.
  pkinit_anchors = FILE:/etc/ipa/ca.crt
# Multiple auth_to_local entries are permitted; they are evaluated in the order
# written. The RULE maps user@AD_DOMAIN to user@ad_domain (lower-case realm) and
# DEFAULT handles everything else.
# NOTE(review): AD_DOMAIN looks like a template placeholder; unless it was
# redacted for the post, the RULE never matches a real AD principal -- verify.
# This mapping does not influence home directory or shell; those come from SSSD
# (presumably the [domain/...] section of sssd.conf or the IPA server defaults).
  auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
  auth_to_local = DEFAULT
}

[domain_realm]
 .staging.fioptics.int = STAGING.FIOPTICS.INT
 staging.fioptics.int = STAGING.FIOPTICS.INT

# Used only by the KDC process (krb5kdc): the IPA KDC database plugin.
[dbmodules]
  STAGING.FIOPTICS.INT = {
    db_library = ipadb.so
  }


Regards,
------------------------------------------
Aric Wilisch
awilisch at gmail.com







