[Freeipa-users] Re: AD trust setup woes

[Igor Sever via FreeIPA-users]

It looks like my problems with AD trust on server side went away when I 
upgraded to FreeIPA 4.5 using Centos 7.4 packages, but unfortunately this is 
only half of the way. 
I have alot of SLES servers 11 and 12, but it looks like SSSD that comes with 
SLES is not fully featured as RHEL or Centos. Basic authentication is working , 
but policies are not working because group membership is not available on SLES 
SSSD client (when checking with id command). Even on SLES 12 SP1 I cannot get 
it to work.
In krb5_child.log I see error: 
[validate_tgt] (0x0040): sss_extract_and_send_pac failed, group membership for 
user with principal [******] might not be correct.
When I try to enable PAC service starting of SSSD fails and I get:
[service_startup_handler] (0x0010): Could not exec /usr/lib/sssd/sssd_pac 
--debug-to-files, reason: No such file or directory
I installed all packages related to SSSD and all dependencies.
Is PAC service necessary for group resolution? Is there any other option?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org