[Freeipa-users] Troubleshooting SSO

Dmitri Pal dpal at redhat.com
Mon Mar 30 15:56:45 UTC 2015


On 03/30/2015 11:17 AM, Gould, Joshua wrote:
> The include is there:
> # head /etc/krb5.conf
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>   default_realm = UNIX.TEST.OSUWMC
>   dns_lookup_realm = true
>
> # ls -l /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> -rw-r--r--. 1 root root 118 Mar 30 08:46 /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> # grep module  /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
>    module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
> #
>
>
>
>
> Different write-ups had slightly different examples for this line. Would
> this be the issue?
>
> #  auth_to_local = RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
>    auth_to_local = RULE:[1:$1 $0](^ * TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
If you use the plugin then this RULE should not be needed.
Have you tried commenting it out and restarting SSSD?


>
>
> On 3/30/15, 11:08 AM, "Jan Pazdziora" <jpazdziora at redhat.com> wrote:
>
>> On Mon, Mar 30, 2015 at 11:04:58AM -0400, Gould, Joshua wrote:
>>> We're trying SSO from the test domain controller via ssh (putty) to the
>>> test IPA server.
>>>
>>> Unix.test.osuwmc is the IPA realm.
>>> Test.osuwmc is the AD realm.
>>>
>>> IPA server is RHEL 7.1
>>> Windows AD DC is Windows Server 2008 R2
>>>
>>> They have a two way trust and we're mapping SID's. Since most of our
>>> SID's are in the 300,000, we chose to add 1M to each SID to make
>>> mapping them easy.
>> Can you check that
>>
>> 	/etc/krb5.conf
>>
>> contains line
>>
>> 	includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> and that
>>
>> 	/var/lib/sss/pubconf/krb5.include.d/localauth_plugin
>>
>> exists and configures
>>
>> 	module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
>>
>> ?
>>
>> -- 
>> Jan Pazdziora
>> Principal Software Engineer, Identity Management Engineering, Red Hat
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
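
The checks requested in this thread, gathered into one shell function as an added example (it is not part of the original messages and is not FreeIPA or SSSD code). The function name `check_localauth`, its output labels and its return codes are made up for illustration; the default paths are the ones quoted above.

```shell
#!/bin/sh
# usage: check_localauth [KRB5_CONF] [INCLUDE_DIR]
# Return codes (illustrative): 0 = plugin wired up and no manual rule,
#   1 = plugin wiring incomplete, 2 = wired up but an active auth_to_local remains.
check_localauth() {
    conf=${1:-/etc/krb5.conf}
    incdir=${2:-/var/lib/sss/pubconf/krb5.include.d}
    incdir=${incdir%/}
    plugin="$incdir/localauth_plugin"
    result=0

    # 1. krb5.conf must include the directory where SSSD drops its snippets.
    if awk -v d="$incdir" '$1 == "includedir" { p = $2; sub(/\/$/, "", p); if (p == d) ok = 1 }
                           END { exit !ok }' "$conf"; then
        echo "OK      includedir $incdir/"
    else
        echo "MISSING includedir $incdir/ in $conf"; result=1
    fi

    # 2. The snippet must exist and name a readable sssd localauth module.
    so=$(sed -n 's/^[[:space:]]*module[[:space:]]*=[[:space:]]*sssd:\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
             "$plugin" 2>/dev/null | head -n 1)
    if [ -z "$so" ]; then
        echo "MISSING module = sssd:... line in $plugin"; result=1
    elif [ ! -r "$so" ]; then
        echo "MISSING plugin library $so"; result=1
    else
        echo "OK      module = sssd:$so"
    fi

    # 3. Per the reply above, a hand-written auth_to_local RULE should not be
    #    needed when the plugin is used; flag any uncommented one.
    if grep -Eq '^[[:space:]]*auth_to_local[[:space:]]*=' "$conf"; then
        echo "WARN    active auth_to_local rule in $conf"
        if [ "$result" -eq 0 ]; then result=2; fi
    fi
    return "$result"
}
```

Run it as root with no arguments on the IPA server to audit the live files; a return code of 2 corresponds to the situation in the quoted message, where the plugin is configured but an `auth_to_local` line is still active.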



