[Freeipa-users] AD trust relationship is established, but IPA cannot see AD users
Guertin, David S.
guertin at middlebury.edu
Mon Mar 2 19:32:54 UTC 2015
I'm trying to set up a trust relationship between IPA and our Active Directory environment so that our AD users can log in to our Linux machines. The two-way trust relationship appears to be set up correctly, with no errors reported, and everything looking normal in the GUI and the CLI. For example:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@CSNS.MIDDLEBURY.EDU
Valid starting     Expires            Service principal
03/02/15 10:13:40  03/03/15 10:13:10  krbtgt/CSNS.MIDDLEBURY.EDU@CSNS.MIDDLEBURY.EDU
03/02/15 10:15:13  03/03/15 10:13:10  host/ipa1.csns.middlebury.edu@CSNS.MIDDLEBURY.EDU
03/02/15 10:15:35  03/03/15 10:13:10  krbtgt/MIDDLEBURY.EDU@CSNS.MIDDLEBURY.EDU
03/02/15 10:15:46  03/02/15 20:15:46  host/ad1.middlebury.edu@MIDDLEBURY.EDU
03/02/15 10:56:55  03/03/15 10:13:10  HTTP/ipa1.csns.middlebury.edu@CSNS.MIDDLEBURY.EDU
In this case, middlebury.edu is our AD domain, and csns.middlebury.edu is our new IPA domain, set up as a subdomain.
I have created IPA and AD groups for AD users, and set them up according to the documentation:
ipa group-add --desc='AD users external map' ad_users_external --external
ipa group-add --desc='AD users' ad_users
ipa group-add-member ad_users_external --external "<AD DOMAIN>\IPA group"
ipa group-add-member ad_users --groups ad_users_external
So now the AD group "IPA group" is a member of the IPA group ad_users_external, which is in turn a member of ad_users.
I would expect that any AD users I put into the group "IPA group" should show up as valid users in IPA, but they don't. And when I try to add an AD user directly into the ad_users_external group, it is added without error (and the correct SID shows up), but the user still can't log in.
If the user tries to SSH in, the logs show:
Mar 2 11:13:42 ipa1 sshd[31720]: Invalid user testuser from *.*.*.*
Mar 2 11:13:42 ipa1 sshd[31721]: input_userauth_request: invalid user testuser
And if root tries to su to the user, it also fails:
su: user testuser does not exist
I would expect the user to show up. What have I missed?
David Guertin
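The script below is an added diagnostic walkthrough for this kind of trust problem; it is not code from the original post or from FreeIPA. It repeats the group setup from the post and then checks the pieces that have to line up on the IPA server for an AD account to become a POSIX user: the trust object and its trusted (sub)domains, the ID range that maps the AD domain SID to UIDs/GIDs, the SID recorded on the external mapping group, and whether SSSD resolves the account. Note that SSSD looks up a trusted-domain user only by the fully-qualified form user@AD.DOMAIN unless sssd.conf sets default_domain_suffix, so the script tries both the qualified and the bare login name (the bare form is what sshd and su used in the log lines above). The AD domain, its NetBIOS name (AD_NETBIOS), the AD group and the test account are assumptions taken from the post and can be overridden through the environment.

```shell
#!/bin/sh
# Added diagnostic walkthrough for an IPA/AD trust where AD users do not
# resolve on the IPA host. Not code from the original post or from FreeIPA.
# Assumed values (override via environment), taken from the post:
AD_DOMAIN="${AD_DOMAIN:-middlebury.edu}"
AD_NETBIOS="${AD_NETBIOS:-MIDDLEBURY}"   # assumption: NetBIOS name of the AD domain
AD_GROUP="${AD_GROUP:-IPA group}"
TEST_USER="${TEST_USER:-testuser}"

# SSSD resolves trusted-domain users only by their fully-qualified name
# (user@AD.DOMAIN) unless sssd.conf sets default_domain_suffix. Return the
# name qualified with AD_DOMAIN unless it already carries a domain
# (either user@domain or NETBIOS\user).
qualify_user() {
    case "$1" in
        *@*|*\\*) printf '%s\n' "$1" ;;
        *)        printf '%s@%s\n' "$1" "$AD_DOMAIN" ;;
    esac
}

# Pull the numeric UID out of a "getent passwd" line. An empty result means
# the account was not resolved at all, which is exactly what sshd reports
# as "Invalid user" and su as "user ... does not exist".
passwd_uid() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $3 }'
}

# Group setup from the post, unchanged, using the NETBIOS\name form.
create_mapping_groups() {
    ipa group-add --desc='AD users external map' ad_users_external --external
    ipa group-add --desc='AD users' ad_users
    ipa group-add-member ad_users_external --external "${AD_NETBIOS}\\${AD_GROUP}"
    ipa group-add-member ad_users --groups ad_users_external
}

# Checks to run on the IPA server with an admin ticket (kinit admin). Each
# step announces itself so the first failing step is obvious.
run_checks() {
    fq="$(qualify_user "$TEST_USER")"

    echo "== trust object and the trusted (sub)domains IPA has discovered"
    ipa trust-show "$AD_DOMAIN"
    ipa trustdomain-find "$AD_DOMAIN"

    echo "== ID range that maps the AD domain SID to POSIX IDs"
    ipa idrange-find

    echo "== external SID(s) recorded on the mapping group"
    ipa group-show ad_users_external

    echo "== does SSSD resolve the user by fully-qualified name? ($fq)"
    line="$(getent passwd "$fq")" || echo "not resolved"
    [ -n "$(passwd_uid "$line")" ] && id "$fq"

    echo "== does the bare login name resolve? (the form sshd and su used)"
    getent passwd "$TEST_USER" || echo "not resolved; expected unless default_domain_suffix is set"
    grep -E '^[[:space:]]*default_domain_suffix' /etc/sssd/sssd.conf \
        || echo "default_domain_suffix is not set in /etc/sssd/sssd.conf"

    echo "== after changing anything above, flush the SSSD cache and retry:"
    echo "   sss_cache -E && getent passwd '$fq'"
}

# Only run the live checks when asked; sourcing the file just defines helpers.
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as `sh trust-check.sh --run` on the IPA server after `kinit admin`; the first step that prints nothing, or prints "not resolved", is where to look. If the fully-qualified lookup succeeds but the bare name does not, the trust itself is working and the remaining question is only whether users log in as user@AD.DOMAIN or whether default_domain_suffix should be set in sssd.conf.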