[Freeipa-users] Troubleshooting SSO
Gould, Joshua
Joshua.Gould at osumc.edu
Mon Mar 30 15:17:07 UTC 2015
The include is there:
# head /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = UNIX.TEST.OSUWMC
dns_lookup_realm = true
# ls -l /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
-rw-r--r--. 1 root root 118 Mar 30 08:46 /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
# grep module /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
#
Different write-ups had slightly different examples for this line. Would
this be the issue?
# auth_to_local = RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
auth_to_local = RULE:[1:$1 $0](^ *
TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
On 3/30/15, 11:08 AM, "Jan Pazdziora" <jpazdziora at redhat.com> wrote:
>On Mon, Mar 30, 2015 at 11:04:58AM -0400, Gould, Joshua wrote:
>>
>> We're trying SSO from the test domain controller via ssh (putty) to the
>> test IPA server.
>>
>> Unix.test.osuwmc is the IPA realm.
>> Test.osuwmc is the AD realm.
>>
>> IPA server is RHEL 7.1
>> Windows AD DC is Windows Server 2008 R2
>>
>> They have a two way trust and we're mapping SID's. Since most of our
>> SID's are in the 300,000, we chose to add 1M to each SID to make mapping
>> them easy.
>
>Can you check that
>
> /etc/krb5.conf
>
>contains line
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
>and that
>
> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
>
>exists and configures
>
> module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
>
>?
>
>--
>Jan Pazdziora
>Principal Software Engineer, Identity Management Engineering, Red Hat
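How an auth_to_local RULE of the form quoted in this thread is evaluated, as an added example that is not part of the original messages. It is a simplified Python model of the rule semantics documented for krb5.conf (component count, format string, whole-string regexp match, then one s/// command); the principal names and the RULE_NO_AT variant are constructed for illustration.

```python
import re

# Simplified model of a krb5.conf auth_to_local rule with one s-command:
#   RULE:[n:format](regexp)s/pattern/replacement/[g]
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

def apply_rule(rule, principal):
    """Return the local name the rule yields, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported rule: " + rule)
    ncomp, fmt, regexp, pat, repl, gflag = m.groups()
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if len(comps) != int(ncomp):          # n must equal the component count
        return None
    parts = [realm] + comps               # $0 = realm, $1 = first component
    selected = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], fmt)
    # The selection string must match the regexp as a whole.
    if regexp is not None and re.fullmatch(regexp, selected) is None:
        return None
    if pat is not None:                   # sed-style substitution
        selected = re.sub(pat, lambda _: repl, selected,
                          count=0 if gflag else 1)
    return selected

# The commented-out rule from the post.
RULE = "RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/"
# Constructed variant: same rule with the "@" missing from the format string.
RULE_NO_AT = "RULE:[1:$1 $0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/"

if __name__ == "__main__":
    # Constructed principals; "jdoe" is a hypothetical AD user.
    for rule, princ in [(RULE, "jdoe@TEST.OSUWMC"),
                        (RULE, "jdoe@UNIX.TEST.OSUWMC"),
                        (RULE, "host/dc1@TEST.OSUWMC"),
                        (RULE_NO_AT, "jdoe@TEST.OSUWMC")]:
        print(princ, "->", apply_rule(rule, princ))
```

A result of None means the rule does not apply to that principal, so the library moves on to the next auth_to_local entry.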