[Freeipa-users] IPA versions for small scale hope-to-be-production use on CentOS 7?

List dedicated to discussions about use, configuration and deployment of the IPA server. freeipa-users at redhat.com
Tue Dec 6 16:14:00 UTC 2016


On Tue, Dec 06, 2016 at 10:55:12AM -0500, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote:
> 
> Still trying to figure out why my AD users in various trusted forests can be
> resolved and "su - <username>" but password checks via SSH logins fail.

Do you call 'su - <username>' as root or do you get a password prompt
here as well? In case you do it as root, can you try if calling it as
a user will accept the password or not?

In the latter case it might be some general issue with password
authentication and the krb5_child.log file with debug_level=10 in the
[domain/...] section of sssd.conf might help to find the reason (maybe
ticket validation?).

bye,
Sumit

> 
> In the meantime I'm wondering if I should consider upgrading before I go
> much further into the troubleshooting tunnel. It really does seem like there
> has been a ton of action in the codebase specifically relating to AD trusts.
> Maybe I should upgrade first and then keep troubleshooting on the updated
> software. We are not yet in production.
> 
> We have a standard CentOS 7 server running this software set:
> 
> > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-server-dns-4.2.0-15.0.1.el7.centos.19.x86_64
> > python-iniparse-0.4-9.el7.noarch
> > sssd-ipa-1.13.0-40.el7_2.12.x86_64
> > ipa-python-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-client-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-admintools-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.19.x86_64
> > python-libipa_hbac-1.13.0-40.el7_2.12.x86_64
> > libipa_hbac-1.13.0-40.el7_2.12.x86_64
> 
> Would people generally recommend stepping up to the stable 4.3 release on
> CentOS 7? If so are there any repositories that would be a good source for
> grabbing RPMs?  Is 4.4 still not being recommended for production use?
> 
> Thanks!
> 
> Chris
> 