AD users cannot log in to IdM member server from trusted AD: [-1765328377] Error constructing AP-REQ armor

Solution Verified

Issue

  1. We have an IdM environment, idm.example.com, with two IdM replicas and an established trust with the AD domain ad.example.com.

  2. On the IdM replica servers, the id command can resolve AD users:

[root@idm-server ~]# id aduser@ad.example.com
uid=723030917(aduser@ad.example.com) gid=723030917(aduser@ad.example.com) groups=723030917(aduser@ad.example.com),723024036(adgroup1n@ad.example.com),723031146(adgroup2@ad.example.com)

  3. However, the IdM client idm-client cannot resolve AD users:

[root@idm-client ~]# id aduser@ad.example.com
id: ‘aduser@ad.example.com’: no such user

  4. I can successfully use the kinit command on idm-client, and I get the correct Kerberos ticket from AD for that user:

[root@idm-client ~]# kinit aduser@ad.example.com
Password for aduser@ad.example.com:
Warning: Your password will expire in 5 days on Wed 04 Sep 2024 03:07:21 PM CEST
[root@idm-client ~]# klist
Ticket cache: KCM:0:7119
Default principal: aduser@ad.example.com

Valid starting       Expires              Service principal
08/29/2024 20:59:01  08/30/2024 06:59:01  krbtgt/ad.example.com@ad.example.com
        renew until 08/30/2024 20:58:50

  5. Errors in /var/log/secure on idm-client:

Aug 29 20:02:55 idm-client.idm.example.com sshd[149996]: Connection from 192.168.1.10 port 51195 on 10.129.43.237 port 22 rdomain ""
Aug 29 20:03:48 idm-client.idm.example.com sshd[150000]: Connection from 192.168.1.10 port 51196 on 10.129.43.237 port 22 rdomain ""
Aug 29 20:03:59 idm-client.idm.example.com sshd[150000]: Invalid user aduser@ad.example.com from 192.168.1.10 port 51196
Aug 29 20:04:00 idm-client.idm.example.com sshd[150000]: Postponed keyboard-interactive for invalid user aduser@ad.example.com from 192.168.1.10 port 51196 ssh2 [preauth]
Aug 29 20:04:16 idm-client.idm.example.com sshd[150002]: pam_unix(sshd:auth): check pass; user unknown
Aug 29 20:04:16 idm-client.idm.example.com sshd[150002]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.10
Aug 29 20:04:18 idm-client.idm.example.com sshd[150000]: error: PAM: Authentication failure for illegal user aduser@ad.example.com from 192.168.1.10
Aug 29 20:04:18 idm-client.idm.example.com sshd[150000]: Failed keyboard-interactive/pam for invalid user aduser@ad.example.com from 192.168.1.10 port 51196 ssh2
Aug 29 20:04:18 idm-client.idm.example.com sshd[150000]: Postponed keyboard-interactive for invalid user aduser@ad.example.com from 192.168.1.10 port 51196 ssh2 [preauth]
Aug 29 20:04:55 idm-client.idm.example.com sshd[149996]: fatal: Timeout before authentication for 192.168.1.10 port 51195
Aug 29 20:05:07 idm-client.idm.example.com sshd[150000]: Connection closed by invalid user aduser@ad.example.com 192.168.1.10 port 51196 [preauth]
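The log above is the key triage signal: sshd reports "Invalid user" before PAM ever runs, so the failure is in account resolution (NSS/SSSD on the client), not a rejected password. The following parser, added here as an example and not part of the original article, groups sshd lines by PID and labels each failed login as an identity-lookup failure or a credential failure, flagging users whose realm suffix belongs to a trusted AD domain. The sample log is the excerpt from the issue plus one constructed ordinary password failure for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the /var/log/secure lines from the issue, plus one
# made-up ordinary password failure (pid 150010) for contrast.
SAMPLE_LOG = """\
Aug 29 20:03:48 idm-client.idm.example.com sshd[150000]: Connection from 192.168.1.10 port 51196 on 10.129.43.237 port 22 rdomain ""
Aug 29 20:03:59 idm-client.idm.example.com sshd[150000]: Invalid user aduser@ad.example.com from 192.168.1.10 port 51196
Aug 29 20:04:18 idm-client.idm.example.com sshd[150000]: Failed keyboard-interactive/pam for invalid user aduser@ad.example.com from 192.168.1.10 port 51196 ssh2
Aug 29 20:05:07 idm-client.idm.example.com sshd[150000]: Connection closed by invalid user aduser@ad.example.com 192.168.1.10 port 51196 [preauth]
Aug 29 20:06:12 idm-client.idm.example.com sshd[150010]: Failed password for idmuser from 192.168.1.11 port 51200 ssh2
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")
FAILED_RE = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def classify_failed_logins(log_text, trusted_realms):
    """Group sshd lines by PID and classify every failed login attempt.

    identity_lookup: sshd logged 'Invalid user', i.e. NSS/SSSD never resolved the
                     account. For a user with a trusted-realm suffix this points at
                     the client's trust/ID resolution, not at the password.
    credential:      the account resolved but the credentials were rejected.
    """
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = sessions[m["pid"]], m["msg"]
        if inv := INVALID_RE.match(msg):
            s.update(user=inv["user"], ip=inv["ip"], unknown_user=True)
        if fail := FAILED_RE.match(msg):
            s.setdefault("user", fail["user"])
            s.setdefault("ip", fail["ip"])
            s["failed"] = True
    results = []
    for pid in sorted(sessions, key=int):
        s = sessions[pid]
        if not s.get("failed"):
            continue
        realm = s["user"].partition("@")[2].lower() or None
        results.append({"pid": pid, "user": s["user"], "src": s["ip"],
                        "category": "identity_lookup" if s.get("unknown_user") else "credential",
                        "trusted_realm": realm in trusted_realms})
    return results
```

An identity_lookup result for a trusted-realm user on a host where kinit succeeds, as in this issue, indicates the client's SSSD lookup path rather than AD authentication.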

Environment

  • Red Hat Enterprise Linux 9.4
  • Red Hat IPA
  • Active Directory
