Hi,
I've configured IPA with a trust to our AD. Everything seems OK except for one thing: if
an AD user is not present in "cn=Users,dc=example,dc=org" but exists in
"ou=Group,dc=example,dc=org", I can log in only on the IPA server. The IPA clients
accept logins only from the AD users present in "cn=Users,dc=example,dc=org".

This is the /var/log/secure output from the IPA client when I'm trying to connect with
my user that is present in "ou=my organization unit,dc=example,dc=org" or
"ou=Domain Users,dc=example,dc=org":
Aug 9 09:59:52 freeipaclient sshd[3334]: pam_unix(sshd:auth): check pass; user unknown
Aug 9 09:59:52 freeipaclient sshd[3334]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=finke.example.org
Aug 9 09:59:54 freeipaclient sshd[3332]: error: PAM: User not known to the underlying authentication module for illegal user mspezie(a)example.org from finke.example.org
Aug 9 09:59:54 freeipaclient sshd[3332]: Failed keyboard-interactive/pam for invalid user mspezie(a)example.org from 192.168.*.* port 64721 ssh2
Aug 9 09:59:54 freeipaclient sshd[3332]: Postponed keyboard-interactive for invalid user mspezie(a)example.org from 192.168.*.* port 64721 ssh2 [preauth]

If I try to connect with a user present in "cn=Users,dc=example,dc=org" this is
the /var/log/secure output:
Aug 9 10:18:08 freeipaclient sshd[3358]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=finke.example.org user=freeipa(a)example.org
Aug 9 10:18:09 freeipaclient sshd[3354]: Accepted keyboard-interactive/pam for freeipa(a)example.org from 192.168.*.* port 64945 ssh2
Aug 9 10:18:09 freeipaclient sshd[3354]: pam_unix(sshd:session): session opened for user freeipa(a)example.org by (uid=0)

It seems that the IPA client can only search in "cn=Users,dc=example,dc=org". How
could I change it or permit it to look in the groups (we have 3 groups with all the users
stored there and no one in cn=Users except for admins or testing)?
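The two /var/log/secure excerpts above already separate the two possible causes: in the failing case pam_unix logs "user unknown" and sshd reports the name as an "invalid user", which means the client host could not resolve the account through its NSS/PAM stack at all (pam_sss never gets to log anything), whereas in the working case pam_sss itself logs "authentication success". As an added example, not part of this post or of the FreeIPA project, the following Python script parses those lines and labels each named user accordingly, so the same distinction can be pulled out of a larger log. The sample log is the post's own excerpt with the wrapped lines rejoined; the "(a)" in the user names is how the list archive renders "@".

```python
import re

# Constructed sample: the two /var/log/secure excerpts quoted in the post,
# with the wrapped lines rejoined. "(a)" is the list archive's rendering of "@".
SECURE_LOG = """
Aug 9 09:59:52 freeipaclient sshd[3334]: pam_unix(sshd:auth): check pass; user unknown
Aug 9 09:59:52 freeipaclient sshd[3334]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=finke.example.org
Aug 9 09:59:54 freeipaclient sshd[3332]: error: PAM: User not known to the underlying authentication module for illegal user mspezie(a)example.org from finke.example.org
Aug 9 09:59:54 freeipaclient sshd[3332]: Failed keyboard-interactive/pam for invalid user mspezie(a)example.org from 192.168.*.* port 64721 ssh2
Aug 9 09:59:54 freeipaclient sshd[3332]: Postponed keyboard-interactive for invalid user mspezie(a)example.org from 192.168.*.* port 64721 ssh2 [preauth]
Aug 9 10:18:08 freeipaclient sshd[3358]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=finke.example.org user=freeipa(a)example.org
Aug 9 10:18:09 freeipaclient sshd[3354]: Accepted keyboard-interactive/pam for freeipa(a)example.org from 192.168.*.* port 64945 ssh2
Aug 9 10:18:09 freeipaclient sshd[3354]: pam_unix(sshd:session): session opened for user freeipa(a)example.org by (uid=0)
"""

# Syslog prefix as written by sshd: "Mon  D HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Where sshd and the PAM modules put the user name in these messages.
USER_PATTERNS = [
    re.compile(r"(?:illegal|invalid) user (\S+) from"),
    re.compile(r"\buser=(\S+)"),  # \b keeps the empty "ruser=" field from matching
    re.compile(r"Accepted \S+ for (\S+) from"),
    re.compile(r"session opened for user (\S+) by"),
]

IDENTITY_NOT_RESOLVED = "identity_not_resolved"
AUTHENTICATED_BY_SSSD = "authenticated_by_sssd"


def parse_line(line):
    """Split one syslog line into timestamp, host, sshd pid and message, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def user_in(msg):
    """Extract the user name from an sshd/PAM message, or None if it names none."""
    for pat in USER_PATTERNS:
        m = pat.search(msg)
        if m:
            return m.group(1)
    return None


def classify(msg):
    """Map a message to a diagnosis, or None if it carries no signal on its own."""
    if "pam_sss(sshd:auth): authentication success" in msg:
        return AUTHENTICATED_BY_SSSD
    if ("user unknown" in msg
            or "User not known to the underlying authentication module" in msg
            or "invalid user" in msg):
        return IDENTITY_NOT_RESOLVED
    return None


def diagnose(log_text):
    """Return {user: diagnosis} for every user the log names; first verdict wins."""
    result = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        user = user_in(ev["msg"])
        kind = classify(ev["msg"])
        if user and kind:
            result.setdefault(user, kind)
    return result


EXPLANATION = {
    IDENTITY_NOT_RESOLVED: (
        "the client could not resolve this name through NSS/PAM (pam_unix says "
        "'user unknown' and pam_sss never logs): a lookup problem, not a bad password"
    ),
    AUTHENTICATED_BY_SSSD: "pam_sss resolved the user and accepted the credentials",
}

if __name__ == "__main__":
    for user, kind in diagnose(SECURE_LOG).items():
        print(f"{user}: {kind}: {EXPLANATION[kind]}")
```

Run against the excerpt it reports mspezie(a)example.org as identity_not_resolved and freeipa(a)example.org as authenticated_by_sssd, which matches the post: the difference between the two users is whether the client host can look the account up at all, so the place to investigate is identity resolution on the client rather than the password exchange.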