Thanks Alexander, that was it.

On Wed, Feb 14, 2018 at 6:06 AM, Alexander Bokovoy <[email protected]> wrote:
> On Wed, 14 Feb 2018, Alexandre Pitre via FreeIPA-users wrote:
>> Earlier this week, users reported they could no longer ssh to FreeIPA-joined
>> servers using their AD login. After some investigation, it was discovered
>> that if krb5_validate was set to false in the sssd.conf, AD ssh login would
>> start working again.
>>
>> One of our IPA servers is showing these errors in /var/log/messages:
>>
>> Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.823685558 +0000] - ERR - is_allowed_to_access_attr - [file ipa_pwd_extop.c, line 786]: slapi_access_allowed does not allow READ to ipaProtectedOperation;read_keys!
>> Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.826357278 +0000] - ERR - ipapwd_getkeytab - [file ipa_pwd_extop.c, line 1646]: Not allowed to retrieve keytab on [[email protected]] as user [fqdn=ipaserver.ipa.domain.com,cn=computers,cn=accounts,dc=ipa,dc=domain,dc=com]!
>> Feb 13 20:53:28 ipaserver sssd: Failed to parse result: Insufficient access rights
>> Feb 13 20:53:28 ipaserver sssd: Failed to get keytab
>>
>> I could paste the debug logs from sssd, but I'm pretty sure that error in
>> /var/log/messages is the root cause preventing AD ssh login. I did some
>> research and couldn't find anything relevant.
>>
>> Any ideas how to fix this?
>>
> It looks like ipaserver.ipa.domain.com is not a trust agent. Remember
> that only trust agents and trust controllers can retrieve trusted domain
> object credentials to communicate to AD DCs.
>
> --
> / Alexander Bokovoy

--
Alexandre Pitre
[email protected]
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
