On Sun, 22 Jul 2018, Николай Савельев wrote:
> 22.07.2018, 12:56, "Alexander Bokovoy" <aboko...@redhat.com>:
> > When you are using trust to AD *all* authentication of AD users is
> > performed by AD DCs. IPA masters are not involved at all. So you need to
> > look at AD side for that.
> Sorry, I don't understand what's going on.
> I can log in to AD computers with the new password.
> And I can also log in on one IPA client, a new member of the IPA domain.
> But when I try to log in by ssh on old IPA members and IPA controllers, I see:
> Password:
> Password:
> Password:
> start-line\savelev@192.168.2.21's password:
> I enter the password 4 times, and after that I can log in.
Enable 'debug_level = 9' in the domain and pam sections in sssd.conf, restart sssd,
try again and show the logs.
> When I am root, I can do su aduser@ad_domain.
This is *not* authenticating anything. Root is allowed to su to anyone
without authentication.
> And then I can kinit and get a Kerberos ticket.
> But if I am another user, I must type the password after su ad_user@ad_domain and get
> an error
> Password:
> su: Authentication failure
> because su asked for the password just one time.
Again, show sssd logs. I suspect it is something with communicating to
your AD DCs because SSSD doesn't use anything else to authenticate.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
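The verbosity change suggested in the reply above, written out as an added example (it is not part of the thread and not SSSD's own tooling): a POSIX shell helper that pins `debug_level = 9` directly under the `[pam]` header and under every `[domain/...]` header of a copy of sssd.conf, dropping any older debug_level value in those sections so the result is the same no matter how often it is run. The sample config it is demonstrated on is constructed for the demo; the domain name, file names and paths in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from SSSD itself.
# Raise SSSD log verbosity in [pam] and every [domain/...] section of an
# sssd.conf, writing the result to a new file so the live config is not
# touched until you have looked at the output.
#
# Usage: set_sssd_debug IN_FILE OUT_FILE [LEVEL]   (LEVEL defaults to 9)

set -eu

set_sssd_debug() {
    in_file=$1
    out_file=$2
    level=${3:-9}
    awk -v lvl="$level" '
        # A section header: decide whether this is a section we want to touch.
        /^[ \t]*\[/ {
            sect = $0
            gsub(/^[ \t]+|[ \t]+$/, "", sect)
            target = (sect == "[pam]" || sect ~ /^\[domain\//)
            print
            # Put our value right under the header; older ones are dropped below.
            if (target) print "debug_level = " lvl
            next
        }
        # Inside a targeted section, discard any pre-existing debug_level line.
        target && /^[ \t]*debug_level[ \t]*=/ { next }
        { print }
    ' "$in_file" > "$out_file"
}

# Demonstration on a constructed sample config (hypothetical domain name).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/sssd.conf" <<'EOF'
[sssd]
services = nss, pam, ssh
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
debug_level = 1

[nss]

[pam]
EOF
    set_sssd_debug "$tmp/sssd.conf" "$tmp/sssd.conf.new" 9
    cat "$tmp/sssd.conf.new"
    rm -rf "$tmp"
}

# Run the demo only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

After reviewing the new file, install it over /etc/sssd/sssd.conf as root with owner root:root and mode 0600 (SSSD checks the config permissions and will not start on a group- or world-readable file), run `systemctl restart sssd`, reproduce the ssh login that asks for the password several times, and then read /var/log/sssd/sssd_<domain>.log for the LDAP/Kerberos exchange with the AD DCs and /var/log/sssd/sssd_pam.log for the PAM side of the same attempt. Those are the logs the reply is asking for.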
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/Y6JBXWLFCCTHSQDWX4MUDIVDZFY6377K/