Jean Figarella via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:

> Hello all,
>
> In an IdM + AD trust setup; has anyone ever had the need to restrict
> IPA client logins to a specific Active Directory server when using
> their AD credentials?
>
> The problem I am having is that one of my clients has an AD cluster
> and some of the KDC servers in that cluster have clocks that are not
> synchronized. Whenever someone tries to log in using their AD account,
> if they hit an un-synchronized server then they get hit with the
> "kinit: clock skew too great ..." error.
>
> Since we don't control the AD server and since they refused to fix
> their time sync issues, I have been trying to restrict AD logins to a
> specific KDC server, but have been unable to do it. I have tried to
> edit the sssd.conf and krb5.conf configuration files, but nothing
> seems to work.

What do the Windows-AD users do?  Same problem?

One possibility might be to edit the `clockskew` variable in libdefaults
of krb5.conf.  I usually recommend against this because it makes things
more confusing, but it may help.

In this case, I believe SSSD is providing the AD addresses, which will
be used in preference to any `kdc = ...` lines in krb5.conf.  Perhaps
one of the SSSD folk can comment on the problem you're having?

Thanks,
--Robbie

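To make the two settings in the reply concrete, here is an added example (not code from the thread or from the FreeIPA/SSSD projects) that parses a constructed krb5.conf, reports the effective `clockskew` from `[libdefaults]` (MIT's default of 300 seconds applies when the key is absent) and lists the `kdc =` lines for a realm. The realm and host names are hypothetical.

```python
import re

DEFAULT_CLOCKSKEW = 300  # MIT krb5 default for libdefaults clockskew (seconds)

# Constructed sample krb5.conf: clockskew raised and two AD KDCs pinned.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  clockskew = 600
[realms]
  AD.EXAMPLE.TEST = {
    kdc = dc1.ad.example.test
    kdc = dc2.ad.example.test
  }
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}; keys inside a
    `NAME = { ... }` block become "NAME.key", repeated keys keep all values."""
    conf, section, prefix = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, prefix = header.group(1), []
            conf.setdefault(section, {})
        elif section is None:
            continue                            # text before any section
        elif line.endswith("{"):
            prefix.append(line[:-1].strip().rstrip("=").strip())
        elif line == "}":
            prefix.pop()
        else:
            key, _, value = line.partition("=")
            full = ".".join(prefix + [key.strip()])
            conf[section].setdefault(full, []).append(value.strip())
    return conf


def effective_clockskew(conf):
    """Clock skew the client will tolerate; the last setting wins."""
    values = conf.get("libdefaults", {}).get("clockskew")
    return int(values[-1]) if values else DEFAULT_CLOCKSKEW


def configured_kdcs(conf, realm):
    """The `kdc =` lines for a realm, in file order."""
    return conf.get("realms", {}).get(f"{realm}.kdc", [])
```

As the reply notes, when SSSD is running its KDC locator takes precedence over these `kdc =` lines, so what this reports is what the file says, not necessarily which KDC is contacted. A larger `clockskew` also widens the window in which a replayed authenticator is still accepted, which is the usual reason for leaving it at the default.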
