Hi,

I have successfully established a one-way cross-realm trust between the AD and IDM realms.

I can get info from AD users in the IDM hosts, and I created an external group and added it to a posix group as indicated in the documentation of the Windows integration guide.

So when I run this command I get the users from AD resolved on the Linux host joined to IDM:

$ getent group posixgroupname
posixgroupname:*:1111111111111:user1@ad.local,user2@ad.local,user3@ad.local,user4@ad.local

And I can resolve the AD users as well:
$ getent passwd user1@ad.local
user1@ad.local:*:333333333:33333333:User Name:/home/ad.local/user1:

So it seems like it's working. Now I added an HBAC rule to allow the members of that external group to log in using ssh to a couple of hosts:

 $ ipa hbacrule-show "bastion ssh hosts"
  Rule name: bastion ssh hosts
  Enabled: TRUE
  User Groups: posixgroupname
  Host Groups: bastionssh
  Services: sshd

But when I try to log on, it does not work:
$ ssh user1@ad.local@bastion1.sub.domain.tld
Password:
Password:
Password:

Jun 28 10:42:06 bastion1 [sssd[krb5_child[20000]]]: Cannot find KDC for realm "AD.LOCAL"
Jun 28 10:42:06 bastion1 [sssd[krb5_child[20001]]]: Cannot find KDC for realm "AD.LOCAL"

I am checking the firewall logs but cannot see any denied packets coming from this host.

I can successfully find the KDCs using a DNS query:
$ dig -t srv _kerberos._udp.ad.local +short
0 100 88 dc01.ad.local.
0 100 88 dc02.ad.local.

So I am a bit at a loss right now as to what is going wrong.

Is it only supposed to work if you have a working ticket from AD.LOCAL, or can you try to log on interactively? I do not have a connection to AD.LOCAL from my laptop or the bastion1 host, but the KDCs with the trust do.

How can I debug this in sssd? I tried debug = 9 in the [domain/idm] section of sssd.conf on the bastion host, but I could not spot the error there.

Thanks in advance!

--
regards,
natxo
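An added diagnostic helper, not part of the original post, for checking from the IPA client whether the KDCs that DNS advertises for the trusted realm are actually reachable on the Kerberos port (the realm name, the use of the _kerberos._tcp SRV record, and the availability of dig, bash and coreutils timeout on the client are assumptions):

```bash
#!/bin/sh
# Added diagnostic helper (not from the original post): list the KDCs that DNS
# advertises for a realm and probe TCP/88 on each one from this host.
# Assumptions: dig, bash (for /dev/tcp) and coreutils `timeout` are installed.

# Turn `dig -t srv ... +short` output ("prio weight port target.") into
# "target port" lines, dropping the trailing dot of the FQDN.
parse_srv() {
    printf '%s\n' "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $4, $3 }'
}

# Number of KDC entries found in the dig output.
kdc_count() {
    parse_srv "$1" | grep -c .
}

# Probe one host:port with a 3 second timeout; prints the result and
# returns 0 when a TCP connection could be opened, 1 otherwise.
probe_kdc() {
    host=$1; port=$2
    if timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        echo "reachable   $host:$port"
        return 0
    fi
    echo "UNREACHABLE $host:$port"
    return 1
}

# Look up the SRV records for a realm and probe every KDC listed.
# Returns 2 if DNS returned nothing, 1 if any KDC is unreachable, else 0.
check_realm_kdcs() {
    realm=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    srv=$(dig -t srv "_kerberos._tcp.$realm" +short)
    if [ -z "$srv" ]; then
        echo "no _kerberos._tcp SRV records found for $realm"
        return 2
    fi
    results=$(parse_srv "$srv" | while read -r host port; do
        probe_kdc "$host" "$port"
    done)
    printf '%s\n' "$results"
    if printf '%s\n' "$results" | grep -q '^UNREACHABLE'; then
        return 1
    fi
    return 0
}

# Usage: ./kdccheck.sh AD.LOCAL   (the realm is a constructed example value)
if [ -n "$1" ]; then
    check_realm_kdcs "$1"
fi
```

A KDC that resolves in DNS but shows as UNREACHABLE here is filtered somewhere between the client and the domain controller, which krb5_child reports the same way as a missing KDC.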