[Freeipa-users] AD trust relationship is established, but IPA cannot see AD users

Guertin, David S. guertin at middlebury.edu
Mon Mar 2 19:32:54 UTC 2015


I'm trying to set up a trust relationship between IPA and our Active Directory environment so that our AD users can log in to our Linux machines. The two-way trust relationship appears to be set up correctly, with no errors reported, and everything looking normal in the GUI and the CLI. For example:


# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@CSNS.MIDDLEBURY.EDU

Valid starting     Expires            Service principal
03/02/15 10:13:40  03/03/15 10:13:10  krbtgt/CSNS.MIDDLEBURY.EDU@CSNS.MIDDLEBURY.EDU
03/02/15 10:15:13  03/03/15 10:13:10  host/ipa1.csns.middlebury.edu@CSNS.MIDDLEBURY.EDU
03/02/15 10:15:35  03/03/15 10:13:10  krbtgt/MIDDLEBURY.EDU@CSNS.MIDDLEBURY.EDU
03/02/15 10:15:46  03/02/15 20:15:46  host/ad1.middlebury.edu@MIDDLEBURY.EDU
03/02/15 10:56:55  03/03/15 10:13:10  HTTP/ipa1.csns.middlebury.edu@CSNS.MIDDLEBURY.EDU

In this case, middlebury.edu is our AD domain, and csns.middlebury.edu is our new IPA domain, set up as a subdomain.


I have created IPA and AD groups for AD users, and set them up according to the documentation:


ipa group-add --desc='AD users external map' ad_users_external --external

ipa group-add --desc='AD users' ad_users

ipa group-add-member ad_users_external --external "<AD DOMAIN>\IPA group"

ipa group-add-member ad_users --groups ad_users_external


So now the AD group "IPA group" is a member of the IPA group ad_users_external, which is in turn a member of ad_users.


I would expect that any AD users I put into the group "IPA group" should show up as valid users in IPA, but they don't. And when I try to add an AD user directly into the ad_users_external group, it is added without error (and the correct SID shows up), but the user still can't log in.

If the user tries to SSH in, the logs show:
Mar  2 11:13:42 ipa1 sshd[31720]: Invalid user testuser from *.*.*.*
Mar  2 11:13:42 ipa1 sshd[31721]: input_userauth_request: invalid user testuser


And if root tries to su to the user, it also fails:

su: user testuser does not exist


I would expect the user to show up. What have I missed?


David Guertin
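The "Invalid user testuser" and "user testuser does not exist" messages both come from the NSS lookup on the IPA host, so the first thing to check is whether SSSD can resolve the trusted user at all. Two points matter here: users from the trusted AD forest are never visible through ipa user-find (they live in AD, and SSSD resolves them across the trust), and they are addressed by their fully qualified login, user@ad.domain, unless sssd.conf sets default_domain_suffix. The script below is an added diagnostic, not part of the original post or of FreeIPA; it assumes an SSSD-based IPA client, takes the AD domain middlebury.edu from the post, and treats "testuser" as a hypothetical login.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): on an IPA-enrolled host,
# resolve a user from the trusted AD forest the way NSS/SSSD sees it.
# Assumes the AD domain middlebury.edu from the post; "testuser" is the
# hypothetical login that appears in the post's sshd/su messages.

# AD users behind an IPA trust are referenced by their fully qualified
# login, user@ad.domain, unless sssd.conf sets default_domain_suffix.
# Prints the qualified login; the domain part is lowercased.
qualify_ad_user() {
    short="$1"
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s@%s\n' "$short" "$domain"
}

# Returns 0 if a login already carries a domain suffix, 1 otherwise.
# sshd's "Invalid user testuser" shows that the unqualified name was tried.
login_is_qualified() {
    case "$1" in
        *@*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run the lookup checks for short login $1 in AD domain $2.
# Returns 0 only if NSS resolves the user, which is what sshd and su need.
check_ad_user() {
    user=$(qualify_ad_user "$1" "$2")
    echo "== resolving $user through NSS (sssd)"
    if ! getent passwd "$user"; then
        echo "!! $user does not resolve; sshd and su will report the user as nonexistent."
        echo "   Next: on the IPA server run 'ipa trust-find' and read the sssd domain log under /var/log/sssd/."
        return 1
    fi
    echo "== group memberships (external-group members show up here, never in 'ipa user-find')"
    id "$user"
}

# Stand-alone use: sh check_ad_user.sh testuser middlebury.edu
if [ "$#" -eq 2 ]; then
    check_ad_user "$1" "$2"
fi
```

If the qualified lookup succeeds while the bare name fails, the users can log in as testuser@middlebury.edu, or default_domain_suffix can be set in the [sssd] section of sssd.conf so that the short name resolves; if even the qualified lookup fails, the problem is in the trust or SSSD rather than in the external group mapping.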

