Hi, I'm having some issues ssh'ing as an AD user to a FreeIPA client, but I can successfully ssh as the same user to the IPA master. Our IPA domain, ipa.subdomain.contoso.com, is set up with a one-way trust with ad.contoso.com (IPA trusts AD's users). I have the standard "allow all" HBAC rule in place on FreeIPA for testing purposes. ad.contoso.com is a relatively huge AD, with over 400,000 user accounts.

ssh erik-...@freeipa1.ipa.subdomain.contoso.com --- (IPA user to FreeIPA master), works
ssh erik...@ad.contso.com@freeipa1.ipa.subdomain.contoso.com --- (AD user to FreeIPA master), works
ssh erik-...@rl9-ipa-client1.in.subdomain.contoso.com --- (IPA user to FreeIPA client), works
ssh erik...@ad.contoso.com@rl9-ipa-client1.in.subdomain.contoso.com --- (AD user to FreeIPA client), doesn't work

I'm not sure what to look at in the SSSD logs to see what's going wrong here. I have uploaded sanitized SSSD logs from rl9-ipa-client1.in.subdomain.contoso.com for a failed login attempt (listed above as not working) at the following link: https://privatebin.net/?55e82c73463ae145#A59jSajU1ZwEwr3nEKhPqsT8Um4QXqHhQ2duiH19gdU

If anyone can tell what my issue is here, or if other logs would be helpful, let me know. I appreciate the help!

Thanks,
Erik
--
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org