[Freeipa-users] Unable to ssh after establishing trust

Lachlan Musicman datakid at gmail.com
Mon Jul 11 06:30:38 UTC 2016


Have you set up the external group and internal group as required in IPA?

The server you are trying to log into - you have added this to the IPA
server using ipa-client-install?

When you are logged into the server that you want to login to as root (or
local user), does `id user@ad_domain.com` give you the results you expected?

(sorry to ask simple questions, but just in case....)

cheers
L.


------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 11 July 2016 at 13:46, pgb205 <pgb205 at yahoo.com> wrote:

> I have successfully established trust and am able to obtain ticket
> granting ticket
> kinit user@AD_DOMAIN.COM
> I can also do kinit admin@IPA_DOMAIN.COM
> ssh admin@IPA_DOMAIN.COM also works
>
> however, ssh user@AD_DOMAIN.COM or user@ad_domain.com fails
>
> I have checked that there are no hbac rules other than the default
> allow_all rule
>
> in sssd_ssh.log see
> permission denied (6) error
>
> in sssd_ipa.domain.log file I see
> pam_handler_callback 6 permission_denied
>
> in sssd_nss.log
> Unable to get information from Data Provider
> Error: 3 Account info lookup failed
> Will try to return what we have in cache
>
> in /var/log/secure
>  received for user user@AD_DOMAIN.COM: 6 (Permission denied)
>
> I can provide full logs if necessary to diagnose the above problem.
>
> ----------
> Additionally, I would like to be able to log in as *user*, not *user@AD_DOMAIN.COM*.
> My understanding is that the only thing that I have to change to make this happen
> is /etc/krb5.conf
> for line
> [libdefaults]
>  default_realm=AD_DOMAIN.COM
> and then restarting ipa services.
>
> However, when I do this I get failure to restart Samba service