[Freeipa-users] This again :) - ssh authentication for users in complex AD forest - where am I going wrong?

Simpson Lachlan Lachlan.Simpson at petermac.org
Tue Nov 22 21:30:08 UTC 2016


> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of Chris Dagdigian
> Sent: Wednesday, 23 November 2016 2:37 AM
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] This again :) - ssh authentication for users in complex AD
> forest - where am I going wrong?
> 
> 
> /etc/krb5.conf (IPA client)
> ---------------------------------
> 
> [libdefaults]
> 
>    default_realm = COMPANY-IDM.ORG
>    dns_lookup_realm = true
>    dns_lookup_kdc = true
>    rdns = false
>    ticket_lifetime = 24h
>    forwardable = yes
>    udp_preference_limit = 0
>    default_ccache_name = KEYRING:persistent:%{uid}
> 
> [realms]
> 
>    COMPANY-IDM.ORG = {
>      kdc = usaeilidmp001.company-idm.org:88
>      master_kdc = usaeilidmp001.company-idm.org:88
>      admin_server = usaeilidmp001.company-idm.org:749
>      default_domain = company-idm.org
>      pkinit_anchors = FILE:/etc/ipa/ca.crt
> 
>    }
> 
> [domain_realm]
> 
> ipa-client.company-aws.org = COMPANY-IDM.ORG
> 
> [capaths]
> 
> COMPANY-AWS.ORG = {
> 
>    COMPANY-IDM.ORG = COMPANY-AWS.ORG
> 
> }
> 
> COMPANY-IDM.ORG = {
> 
>    COMPANY-AWS.ORG = COMPANY-AWS.ORG
> 
> }

By no means am I an expert, but isn't there meant to be a stanza in [realm] that looks like this?

auth_to_local = RULE:[1:$1@$0](^.*@DOMAIN.COM$)s/@DOMAIN.COM/@domain.com/
auth_to_local = DEFAULT



Cheers
L.
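As an added example (not part of this thread), the rule suggested above can be evaluated in Python to see what it actually maps. The sample principals are constructed, the realm names come from the thread, and Python's re module stands in for the POSIX regex MIT Kerberos uses.

```python
import re

# Constructed sample: the rules suggested in the reply, with the reply's
# placeholder realm and the IPA realm from the quoted krb5.conf.
DEFAULT_REALM = "COMPANY-IDM.ORG"
RULES = [
    "RULE:[1:$1@$0](^.*@DOMAIN.COM$)s/@DOMAIN.COM/@domain.com/",
    "DEFAULT",
]

# RULE:[n:string](selector)s/pattern/replacement/[g]
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*?)\)s/(.*?)/(.*?)/(g?)$")


def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, _, realm = principal.rpartition("@")
    if not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule, principal, default_realm):
    """Apply one auth_to_local rule; None means the rule does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # MIT semantics: only a single-component principal of the default
        # realm maps to its first component; anything else fails here.
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule!r}")
    ncomp, fmt, selector, pattern, repl, flag = m.groups()
    if len(comps) != int(ncomp):
        return None  # rule is written for a different component count
    # $0 expands to the realm, $1..$n to the principal components
    def expand(mm):
        i = int(mm.group(1))
        return realm if i == 0 else comps[i - 1]
    formatted = re.sub(r"\$(\d+)", expand, fmt)
    if not re.search(selector, formatted):
        return None  # selector regexp did not match, try the next rule
    return re.sub(pattern, repl, formatted, count=0 if flag == "g" else 1)


def auth_to_local(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """Return the local user name for a principal, or None if no rule applies."""
    for rule in rules:
        result = apply_rule(rule, principal, default_realm)
        if result is not None:
            return result
    return None
```

Feeding it a principal from the trusted AD realm shows why DEFAULT alone does not cover trusted-realm users: the realm is not the default realm, so no rule applies and the mapping fails.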