Clients unable to resolve Trusted AD users


I have installed an IPA Server, created a replica agreement and set up a one way trust to our AD Forest. The IPA servers have integrated DNS and are in their own dns zone. This works as expected, I am able to log into the IPA servers with my AD account.

My issue is when setting up a client, I am able to use IPA users (ex. admin) but unable to authenticate/login with my AD account.

Running an HBAC test on the IPA server verified my AD user has access to the client. I can also successfully obtain a kerberos ticket for the AD users on my IPA client.

When I perform an id on the AD account from the IPA client I receive an "unknown user" error.

When I try to ssh, the secure log shows "illegal user/unknown user to underlying authentication module".

These errors are in the sssd_domain_name.log:
(Fri May 19 10:01:34 2017) [sssd[be[ipa.us.int.kn]]] [add_v1_user_data] (0x0040): find_domain_by_name failed.
(Fri May 19 10:01:34 2017) [sssd[be[ipa.us.int.kn]]] [s2n_response_to_attrs] (0x0040): add_v1_user_data failed.
(Fri May 19 10:01:34 2017) [sssd[be[ipa.us.int.kn]]] [ipa_s2n_get_user_done] (0x0040): s2n_response_to_attrs failed.
(Fri May 19 10:01:34 2017) [sssd[be[ipa.us.int.kn]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [12]: Cannot allocate memory.

Responses

Does that AD user belong to any group that has an @ sign in the group name (something@something@AD_DOMAIN)? I'm getting similar issues with users like that.

It does not, although I did come across others having that issue and using "full_name_format = %1$s" to get around that. I was able to get my client working, and so far it looks good (not done testing yet though). I had to comment out dns_discovery_domain and include 'ipa_server_mode = True', which is intended for IPA servers, not clients. I don't fully understand why this resolved the issue (I am guessing it's related to the LDAP query), so if anyone has some insight I would appreciate it.

My sssd.conf is as follows for anyone who may benefit from this post.

[domain/ipa.example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = lxmatazan100s.example.com
chpass_provider = ipa
ipa_server = _srv_, lxipaazan100s.ipa.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_server_mode = True

dns_discovery_domain = example.com
subdomains_provider = ipa
full_name_format = %1$s

[sssd]
domains = ipa.example.com
config_file_version = 2
debug_level = 0
services = nss, sudo, pam, ssh
subdomain_enumerate = all
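As an added example (not part of this thread or of SSSD itself), a small Python audit that parses a client sssd.conf for the three settings discussed above (ipa_server_mode on a client, a dns_discovery_domain that differs from ipa_domain, and the %1$s full_name_format) and extracts the failing-function chain and final errno from sssd_<domain>.log lines in the format quoted in the question. The config and log lines embedded below are constructed samples modelled on the ones posted, with hypothetical host names.

```python
import configparser
import re
# Constructed client sssd.conf modelled on the one posted above (not the poster's file).
SAMPLE_CONF = """
[domain/ipa.example.com]
id_provider = ipa
ipa_domain = ipa.example.com
ipa_server_mode = True
dns_discovery_domain = example.com
full_name_format = %1$s
[sssd]
domains = ipa.example.com
"""

# Constructed log lines in the sssd_<domain>.log format quoted in the question.
SAMPLE_LOG = """(Fri May 19 10:01:34 2017) [sssd[be[ipa.example.com]]] [add_v1_user_data] (0x0040): find_domain_by_name failed.
(Fri May 19 10:01:34 2017) [sssd[be[ipa.example.com]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [12]: Cannot allocate memory.
"""

LOG_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$")

def audit_conf(text):
    """Flag the settings the thread singles out as suspicious on an IPA client."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %1$s literal
    cp.read_string(text)
    findings = []
    for name in (s for s in cp.sections() if s.startswith("domain/")):
        sec = cp[name]
        if sec.getboolean("ipa_server_mode", fallback=False):
            findings.append(f"{name}: ipa_server_mode=True (server-only option on a client)")
        disc, ipa_dom = sec.get("dns_discovery_domain"), sec.get("ipa_domain")
        if disc and ipa_dom and disc != ipa_dom:
            findings.append(f"{name}: dns_discovery_domain={disc} differs from ipa_domain={ipa_dom}")
        if sec.get("full_name_format") == "%1$s":
            findings.append(f"{name}: full_name_format=%1$s drops the domain from trusted user names")
    return findings

def triage_log(text):
    """Collect the failing backend functions and the final errno from an s2n failure chain."""
    failed, final = [], None
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or "failed" not in m["msg"]:
            continue
        failed.append(m["func"])
        err = re.search(r"\[(\d+)\]: (.*)$", m["msg"])
        if err:
            final = (int(err.group(1)), err.group(2).rstrip("."))
    return {"failed": failed, "final_error": final}
```

Run audit_conf() on /etc/sssd/sssd.conf and triage_log() on /var/log/sssd/sssd_<domain>.log to get the same summary for a real client.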
