Jean Figarella via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> Hello all,
>
> In an IdM + AD trust setup, has anyone ever had the need to restrict IPA client logins to a specific Active Directory server when using their AD credentials?
>
> The problem I am having is that one of my clients has an AD cluster and some of the KDC servers in that cluster have clocks that are not synchronized. Whenever someone tries to log in using their AD account, if they hit an unsynchronized server then they get hit with the "kinit: clock skew too great ..." error.
>
> Since we don't control the AD server and since they refused to fix their time sync issues, I have been trying to restrict AD logins to a specific KDC server, but have been unable to do it. I have tried to edit the sssd.conf and krb5.conf configuration files, but nothing seems to work.

What do the Windows-AD users do? Same problem?

One possibility might be to edit the `clockskew` variable in libdefaults of krb5.conf. I usually recommend against this because it makes things more confusing, but it may help.

In this case, I believe SSSD is providing the AD addresses, which will be used in preference to any `kdc = ...` lines in krb5.conf. Perhaps one of the SSSD folk can comment on the problem you're having?

Thanks,
--Robbie
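As an added illustration that is not part of the thread, here are the two knobs discussed above side by side: widening `clockskew` in the `[libdefaults]` section of krb5.conf, and the alternative of pinning the trusted AD realm to known-good KDCs in krb5.conf while telling SSSD (via `krb5_use_kdcinfo`) not to publish its own discovered KDC list, which the sssd_krb5_locator_plugin otherwise hands to libkrb5 ahead of any `kdc =` lines. Realm names, hostnames and the domain section name are placeholders.

```ini
# /etc/krb5.conf (excerpt) -- option A: tolerate the skew, as suggested above
[libdefaults]
    default_realm = IPA.EXAMPLE.COM
    # Default is 300 seconds. Raising it also widens the window in which
    # services on this host accept an authenticator whose timestamp is off,
    # so raise it only as far as the observed skew actually requires.
    clockskew = 600

# /etc/krb5.conf (excerpt) -- option B: pin the AD realm to in-sync DCs
[realms]
    AD.EXAMPLE.COM = {
        # Only the domain controllers whose clocks are known to be in sync
        # (placeholder hostnames). With explicit kdc entries present, libkrb5
        # does not fall back to DNS SRV discovery for this realm, so these
        # hosts are also the only failover you have.
        kdc = dc1.ad.example.com
        kdc = dc2.ad.example.com
    }

# /etc/sssd/sssd.conf (excerpt) -- required for option B to take effect
[domain/ipa.example.com]
    id_provider = ipa
    # Stop SSSD from writing /var/lib/sss/pubconf/kdcinfo.<REALM> files;
    # otherwise the locator plugin feeds those addresses to libkrb5 before
    # the kdc = lines in krb5.conf are consulted.
    krb5_use_kdcinfo = False
```

Option B trades automatic DC discovery for control over which DCs are used, so confirm the pinned hosts stay reachable and in sync before relying on it.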