On Wed, Jun 14, 2017 at 02:37:23AM -0400, Striker Leggette wrote:
There is an article on Red Hat's website about authenticating to
different, un-trusted active directory domains. If you have a login, you
should be able to see it:
Is there a reason you are trying to join the machine to both domains? Is
your child domain in a trust relationship with the parent? If so, you only
need to be joined to the parent.
Once that is figured out, you should add 'debug_level = 9' to the domain
section of sssd.conf, restart the service and then reproduce the issue
before checking the domain logs within /var/log/sssd.
Jakub's blog gives an overview of the user lookup process and should guide
you to identifying further what the main issue is:
On 06/13/2017 01:43 PM, acybulski(a)albany.edu wrote:
> I'm trying to get my system to accept logins from both the child domain it is a
> part of, and my campus's parent domain, where most user accounts are stored. I have added
> both domains to the sssd.conf and the krb5.conf files. (Perhaps incorrectly)
> The child domain authenticates fine, the parent domain does not. Oddly, the system
> seems to connect to AD well enough, as the login screen translates the account name to the
> user's full name, and I receive this in the secure log:
> Jun 13 13:05:40 host-univ-school-edu gdm-password]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=
Please note that authentication is successful but ...
> Jun 13 13:05:40 host-univ-school-edu gdm-password]: pam_sss(gdm-password:account): Access denied for user sysuser(a)univ.school.edu: 6
... the user is rejected by the access control check.
Which access provider do you use? By default SSSD's AD provider uses a
GPO-based access control; please see man sssd-ad for details.
> Jun 13 13:10:55 host-univ-school-edu gdm-password]: gkr-pam: no password is available for user
> Any help is appreciated. Let me know if I should attach any files.
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
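An added example, not part of the original thread: a small triage script for the pattern pointed out in the reply above, where `pam_sss` logs a successful `auth` phase and then an `Access denied` in the `account` phase for the same user. The sample log lines are constructed, modelled on the excerpts quoted in the thread; the `user=` field, the PIDs, the `sshd` line and the user names other than `sysuser` are assumptions.

```python
import re

# Constructed sample of /var/log/secure (not taken verbatim from the thread).
SAMPLE_LOG = """\
Jun 13 13:04:02 host gdm-password]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=childuser
Jun 13 13:05:40 host gdm-password]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=sysuser@univ.school.edu
Jun 13 13:05:40 host gdm-password]: pam_sss(gdm-password:account): Access denied for user sysuser@univ.school.edu: 6 (Permission denied)
Jun 13 13:12:01 host sshd[2290]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=otheruser
"""

AUTH_OK = re.compile(
    r"pam_sss\((?P<svc>[^:)]+):auth\): authentication success;.*\buser=(?P<user>\S+)")
AUTH_FAIL = re.compile(
    r"pam_sss\((?P<svc>[^:)]+):auth\): authentication failure;.*\buser=(?P<user>\S+)")
DENIED = re.compile(
    r"pam_sss\((?P<svc>[^:)]+):account\): Access denied for user "
    r"(?P<user>[^:\s]+): (?P<code>\d+)")


def triage(lines):
    """Map (service, user) -> (verdict, pam_code) for logins that did not complete.

    "access-control": password/Kerberos was accepted, the access provider
                      (for the AD provider, GPO-based by default) said no.
    "auth-failure":   the credentials themselves were rejected.
    "denied-no-auth": account-phase denial with no auth success seen earlier.
    """
    authed = set()
    verdicts = {}
    for line in lines:
        if m := AUTH_OK.search(line):
            authed.add((m["svc"], m["user"]))
        elif m := AUTH_FAIL.search(line):
            verdicts[(m["svc"], m["user"])] = ("auth-failure", None)
        elif m := DENIED.search(line):
            key = (m["svc"], m["user"])
            kind = "access-control" if key in authed else "denied-no-auth"
            verdicts[key] = (kind, int(m["code"]))  # 6 is PAM_PERM_DENIED
    return verdicts


if __name__ == "__main__":
    for (svc, user), (kind, code) in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{svc:14} {user:28} {kind} (pam code: {code})")
```

An `access-control` verdict means the next place to look is the access provider settings and the SSSD domain log at `debug_level = 9`, not krb5.conf.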