On Thu, 14 Sep 2017, Jakub Hrozek via FreeIPA-users wrote:
> On Thu, Sep 14, 2017 at 11:08:54AM -0400, Rob Crittenden via
> FreeIPA-users wrote:
> > Louis Abel via FreeIPA-users wrote:
> > > I should probably mention that IPA users have started working. But not my AD
> > > users.
> > >
> > > [root@rhn2 tmp]# ssh -l louis.abel2@ipa.example.com devu16 -q
> > > Password:
> > > Last login: Thu Sep 14 07:57:55 2017 from rhn2.example.com
> > > Could not chdir to home directory /home/louis.abel2: No such file or directory
> > > Oracle Corporation SunOS 5.11 11.3 June 2017
> > > -bash-4.4$ logout
> > > [root@rhn2 tmp]# ssh -l louis.abel@ad.example.com devu16 -q
> > > Password:
> > > Password:
> > >
> > > AD users seem to be suffering from the same errors:
> > >
> > > libsldap: Status: 53 Mesg: openConnection: simple bind failed - DSA is unwilling to perform
> > > libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
> > >
> >
> > Not sure why some users would work and some wouldn't but I'd suspect the
> > bind password in your ldapclient config.
> Another thing that bit me in the past was that since on the IPA server,
> the password binds against AD users are intercepted and turned into a
> PAM conversation against the system-auth service, HBAC must allow the
> system-auth service on the IDM server itself.
> (Check /var/log/secure on the IDM server for messages from pam_sss.so.)
This one as well. It is documented in both slapi-nis and overall IPA
documentation.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...
5.4.1:
----
If the host-based access control (HBAC) allow_all rule is disabled,
enable the system-auth service on the IdM server, which allows
authentication of the AD users.
----
--
/ Alexander Bokovoy
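An added bash helper, not part of this thread and not FreeIPA project code, that turns the advice above into a check: it scans /var/log/secure-style lines for pam_sss HBAC denials, reports whether the system-auth service was refused on the IdM server itself (the symptom of the slapi-nis password bind being blocked), and prints the ipa commands that open that service. The log lines are constructed samples in the usual pam_sss message format; the host name ipa1.example.com, the PIDs and the rule name allow_systemauth_idm are placeholders. The ipa subcommands used (hbacrule-add, hbacrule-add-service, hbacrule-add-host, hbacrule-mod --usercat, hbactest) are real FreeIPA commands but are only printed here, not executed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find HBAC denials of the system-auth
# service on an IdM server in /var/log/secure and show the ipa commands that
# allow it. Sample log lines are constructed; hosts, PIDs and rule names
# are placeholders.

# Constructed /var/log/secure excerpt from an IdM server. The ns-slapd lines
# are what the slapi-nis PAM pass-through of an AD user's LDAP simple bind
# looks like: the auth phase succeeds against AD, the account phase is then
# refused by HBAC (PAM error 6, PAM_PERM_DENIED).
SAMPLE_SECURE_LOG='Sep 14 11:05:12 ipa1 sshd[2034]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhn2.example.com user=louis.abel2@ipa.example.com
Sep 14 11:05:30 ipa1 sshd[2051]: pam_sss(sshd:account): Access denied for user someone@ad.example.com: 6 (Permission denied)
Sep 14 11:06:40 ipa1 ns-slapd[1180]: pam_sss(system-auth:auth): authentication success; logname= uid=389 euid=389 tty= ruser= rhost= user=louis.abel@ad.example.com
Sep 14 11:06:40 ipa1 ns-slapd[1180]: pam_sss(system-auth:account): Access denied for user louis.abel@ad.example.com: 6 (Permission denied)
Sep 14 11:07:02 ipa1 ns-slapd[1180]: pam_sss(system-auth:auth): authentication failure; logname= uid=389 euid=389 tty= ruser= rhost= user=bad.user@ad.example.com'

# Read log lines on stdin and print "<pam-service> <user>" for each HBAC
# (account-phase) denial. Plain auth failures (wrong password) are ignored,
# because those are not HBAC problems.
hbac_denials() {
  sed -nE 's/.*pam_sss\(([^:)]+):account\): Access denied for user ([^:]+): 6 \(Permission denied\).*/\1 \2/p'
}

# Exit 0 if any denial is for the system-auth service, i.e. the IdM server
# refused the PAM conversation that backs AD users' LDAP password binds.
idm_systemauth_denied() {
  hbac_denials | grep -q '^system-auth '
}

# Print the remediation: an HBAC rule that allows system-auth on the IdM
# server host(s). RULE and IDM_HOST default to placeholders. --usercat=all
# is the broadest choice; a group of the AD users in question also works.
remediation_commands() {
  rule="${1:-allow_systemauth_idm}"
  idm_host="${2:-ipa1.example.com}"
  cat <<EOF
ipa hbacrule-add $rule --desc='allow pam system-auth on IdM servers for AD users'
ipa hbacrule-add-service $rule --hbacsvcs=system-auth
ipa hbacrule-add-host $rule --hosts=$idm_host
ipa hbacrule-mod $rule --usercat=all
ipa hbactest --user=louis.abel@ad.example.com --host=$idm_host --service=system-auth
EOF
}

# Stand-alone run over the constructed sample; on a real server replace the
# printf with: grep pam_sss /var/log/secure | hbac_denials
printf '%s\n' "$SAMPLE_SECURE_LOG" | hbac_denials
if printf '%s\n' "$SAMPLE_SECURE_LOG" | idm_systemauth_denied; then
  echo "system-auth denied on the IdM server; suggested HBAC fix:"
  remediation_commands
fi
```

The distinction the filter draws matters for triage: an sshd denial for an AD user on the IdM host is an ordinary HBAC question for that host, while a system-auth denial logged by ns-slapd means every LDAP client that relies on the compat tree (the Solaris ldapclient above included) will see "Invalid credentials" for AD users even though the password was correct. `ipa hbactest` lets you confirm the new rule before asking the client to retry.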