[Freeipa-users] Active Directory Kerberos authentication on older versions of IPA clients

Jakub Hrozek jhrozek at redhat.com
Fri Mar 27 17:08:24 UTC 2015


On Fri, Mar 27, 2015 at 05:00:43PM +0000, Srdjan Dutina wrote:
> Hi,
> 
> I created the following test environment:
> 
> 1. IPA server: v4.1.3 on CentOS 7
> 2. Two-way trust with Active Directory domain - Windows Server 2012 R2
> 3. Connected multiple IPA clients:
> - Fedora 21 - v4.1.3
> - CentOS 7 - v3.3.3
> - CentOS 6.6 - v3.0.0
> 
> to IPA domain.
> 
> Using a Kerberos ticket for an AD user, I'm able to ssh to the IPA server and Fedora
> client, but not to the CentOS clients, which have older IPA client versions.
> These clients just skip gssapi-with-mic auth and continue to password login
> (which is successful).
> 
> Just to add that I can obtain a Kerberos ticket using the 'kinit' command for an AD
> user from all clients and also get user and group IDs using the 'id' command.
> 
> Additionally, is it possible to join a CentOS 5 client to the latest IPA server?
> 
> Thank you.

Sounds a bit like the auth_to_local rules might be acting up. Did you
configure krb5.conf according to
http://www.freeipa.org/page/Active_Directory_trust_setup#Edit_.2Fetc.2Fkrb5.conf
?



