Hi, I've configured IPA with a trust to our AD. Everything seems OK except for one thing: if an AD user is not present in "cn=Users,dc=example,dc=org" but exists in "ou=Group,dc=example,dc=org", I can log in only on the IPA server. The IPA clients accept logins only from the AD users present in "cn=Users,dc=example,dc=org". This is the /var/log/secure output from the IPA client when I try to connect with my user, which is present in "ou=my organization unit,dc=example,dc=org" or "ou=Domain Users,dc=example,dc=org":
Aug 9 09:59:52 freeipaclient sshd[3334]: pam_unix(sshd:auth): check pass; user unknown
Aug 9 09:59:52 freeipaclient sshd[3334]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=finke.example.org
Aug 9 09:59:54 freeipaclient sshd[3332]: error: PAM: User not known to the underlying authentication module for illegal user mspezie@example.org from finke.example.org
Aug 9 09:59:54 freeipaclient sshd[3332]: Failed keyboard-interactive/pam for invalid user mspezie@example.org from 192.168.*.* port 64721 ssh2
Aug 9 09:59:54 freeipaclient sshd[3332]: Postponed keyboard-interactive for invalid user mspezie@example.org from 192.168.*.* port 64721 ssh2 [preauth]
If I try to connect with a user present in "cn=Users,dc=example,dc=org", this is the /var/log/secure output:
Aug 9 10:18:08 freeipaclient sshd[3358]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=finke.example.org user=freeipa@example.org
Aug 9 10:18:09 freeipaclient sshd[3354]: Accepted keyboard-interactive/pam for freeipa@example.org from 192.168.*.* port 64945 ssh2
Aug 9 10:18:09 freeipaclient sshd[3354]: pam_unix(sshd:session): session opened for user freeipa@example.org by (uid=0)
It seems that the IPA client can only search in "cn=Users,dc=example,dc=org". How could I change that, or permit it to look in the groups (we have 3 groups with all the users stored there, and nobody in cn=Users except for admins or testing)?
On Thu, Aug 09, 2018 at 08:23:57AM +0000, Mirko Spezie via FreeIPA-users wrote:
> Hi, I've configured IPA with a trust to our AD. Everything seems OK except for one thing: if an AD user is not present in "cn=Users,dc=example,dc=org" but exists in "ou=Group,dc=example,dc=org", I can log in only on the IPA server. The IPA clients accept logins only from the AD users present in "cn=Users,dc=example,dc=org". This is the /var/log/secure output from the IPA client when I try to connect with my user, which is present in "ou=my organization unit,dc=example,dc=org" or "ou=Domain Users,dc=example,dc=org":
>
> Aug 9 09:59:52 freeipaclient sshd[3334]: pam_unix(sshd:auth): check pass; user unknown
> Aug 9 09:59:52 freeipaclient sshd[3334]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=finke.example.org
> Aug 9 09:59:54 freeipaclient sshd[3332]: error: PAM: User not known to the underlying authentication module for illegal user mspezie@example.org from finke.example.org
> Aug 9 09:59:54 freeipaclient sshd[3332]: Failed keyboard-interactive/pam for invalid user mspezie@example.org from 192.168.*.* port 64721 ssh2
> Aug 9 09:59:54 freeipaclient sshd[3332]: Postponed keyboard-interactive for invalid user mspezie@example.org from 192.168.*.* port 64721 ssh2 [preauth]
>
> If I try to connect with a user present in "cn=Users,dc=example,dc=org", this is the /var/log/secure output:
>
> Aug 9 10:18:08 freeipaclient sshd[3358]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=finke.example.org user=freeipa@example.org
> Aug 9 10:18:09 freeipaclient sshd[3354]: Accepted keyboard-interactive/pam for freeipa@example.org from 192.168.*.* port 64945 ssh2
> Aug 9 10:18:09 freeipaclient sshd[3354]: pam_unix(sshd:session): session opened for user freeipa@example.org by (uid=0)
>
> It seems that the IPA client can only search in "cn=Users,dc=example,dc=org". How could I change that, or permit it to look in the groups (we have 3 groups with all the users stored there, and nobody in cn=Users except for admins or testing)?
IPA clients do not look up AD users and groups directly but ask an IPA server for the needed details.
Typically, if you can log in on a server but not on a client, some GIDs cannot be resolved to group names. Please try to call
id mspezie@example.org
(or some other user name which cannot log in on the clients). In the output you should see for each group the pattern GID(group_name). If there are some groups where the name is missing, please add them on AD.
HTH
bye, Sumit
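The check Sumit describes, as an added example that is not part of the thread: a small POSIX shell helper that parses the output of `id` and reports any group ID that came back as a bare number instead of GID(name). It assumes the usual `uid=...(name) gid=...(name) groups=...` output format; the sample line and its numeric IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag group IDs in `id` output that
# have no "(name)" part, i.e. groups SSSD could not map to a group name.
# Such unresolved groups are a common reason a trusted AD user can log in
# on the IPA server but not on IPA clients.

# unresolved_gids "<one line of id output>"
# Prints the GIDs from the groups= list that carry no "(name)", space-separated.
unresolved_gids() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=//p' \
        | tr ',' '\n' \
        | grep -v '(' \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# check_user <user>: run `id` for the user and report unresolved GIDs.
# Returns 0 if every group resolved, 1 if some did not, 2 if the lookup failed.
# Run it on the IPA server and on a client and compare the results.
check_user() {
    out=$(id "$1" 2>/dev/null) || { echo "id lookup failed for $1" >&2; return 2; }
    bad=$(unresolved_gids "$out")
    if [ -n "$bad" ]; then
        echo "$1: group names missing for GID(s): $bad"
        return 1
    fi
    echo "$1: all groups resolved"
    return 0
}

# Constructed sample `id` output (IDs and group names are made up); the
# second group, 1234567600, has no name and would be reported.
SAMPLE='uid=1234567890(mspezie@example.org) gid=1234567513(domain users@example.org) groups=1234567513(domain users@example.org),1234567600,1234567700(linux admins@example.org)'

if [ "$#" -gt 0 ]; then
    check_user "$1"
else
    unresolved_gids "$SAMPLE"
fi
```

Invoke it with a user name (`./check_gids.sh mspezie@example.org`) to query the local SSSD, or with no argument to run it against the constructed sample.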
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...