On Wed, Jun 14, 2017 at 02:37:23AM -0400, Striker Leggette wrote:
> There is an article on Red Hat's website about authenticating to two
> different, un-trusted active directory domains.  If you have a login, you
> should be able to see it:
> 
> https://access.redhat.com/solutions/3073511
> 
> Is there a reason you are trying to join the machine to both domains?  Is
> your child domain in a trust relationship with the parent?  If so, you only
> need to be joined to the parent.
> 
> Once that is figured out, you should add 'debug_level = 9' to the domain
> section of sssd.conf, restart the service and then reproduce the issue
> before checking the domain logs within /var/log/sssd.
> 
> Jakub's blog gives an overview of the user lookup process and should guide
> you to identifying further what the main issue is:
> https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/
> 
> 
> On 06/13/2017 01:43 PM, acybul...@albany.edu wrote:
> > I'm trying to get my system to accept logins from both the child domain it 
> > is a part of, and my campus's parent domain, where most user accounts are 
> > stored. I have added both domains to the sssd.conf and the krb5.conf files. 
> > (Perhaps incorrectly)
> > 
> > The child domain authenticates fine, the parent domain does not. Oddly, the 
> > system seems to connect to AD well enough, as the login screen translates 
> > the account name to the user's full name, and I receive this in the secure 
> > log:
> > 
> > Jun 13 13:05:40 host-univ-school-edu gdm-password]: 
> > pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 
> > tty= ruser= rhost= user=sysu...@univ.school.edu

Please note that authentication is successful but ...

> > Jun 13 13:05:40 host-univ-school-edu gdm-password]: 
> > pam_sss(gdm-password:account): Access denied for user 
> > sysu...@univ.school.edu: 6 (Permission denied)

... the user is rejected by the access control check.

Which access provider do you use? By default SSSD's AD provider uses
GPO-based access control; please see man sssd-ad for details.

HTH

bye,
Sumit

> > Jun 13 13:10:55 host-univ-school-edu gdm-password]: gkr-pam: no password is 
> > available for user
> > 
> > Any help is appreciated. Let me know if I should attach any files.
> > _______________________________________________
> > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> 

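Added example (not part of the original thread and not SSSD code): a small Python triage script that separates the two PAM phases visible in the log quoted above, an authentication success in the auth phase followed by a denial in the account phase. The sample log lines, host and user names are constructed, and the "authentication failure" line is assumed to follow the same layout as the success line in the thread.

```python
import re

# pam_sss syslog payload: "pam_sss(<service>:<phase>): <message>"
PAM_SSS = re.compile(r"pam_sss\((?P<service>[^:)]+):(?P<phase>\w+)\): (?P<msg>.*)$")
AUTH = re.compile(r"authentication (?P<result>success|failure);.*\buser=(?P<user>\S+)")
DENIED = re.compile(r"Access denied for user (?P<user>[^:\s]+): (?P<code>\d+) \((?P<text>[^)]*)\)")

def triage(lines):
    """Report which PAM phase rejected each login attempt seen in `lines`."""
    authenticated = set()  # (service, user) pairs that passed the auth phase
    findings = []
    for line in lines:
        m = PAM_SSS.search(line)
        if not m:
            continue
        service, phase, msg = m.group("service", "phase", "msg")
        if phase == "auth":
            a = AUTH.search(msg)
            if a and a["result"] == "success":
                authenticated.add((service, a["user"]))
            elif a:
                findings.append((a["user"], service, "auth", "credentials rejected"))
        elif phase == "account":
            d = DENIED.search(msg)
            if d:
                key = (service, d["user"])
                # Password was already accepted, so the access provider said no.
                cause = ("access control denied after successful authentication"
                         if key in authenticated else "access control denied")
                findings.append((d["user"], service, "account",
                                 f"{cause}, PAM code {d['code']} ({d['text']})"))
                authenticated.discard(key)
    return findings

# Constructed sample lines modelled on the /var/log/secure excerpt in the thread.
SAMPLE = [
    "Jun 13 13:05:40 host1 gdm-password]: pam_sss(gdm-password:auth): authentication success; "
    "logname= uid=0 euid=0 tty= ruser= rhost= user=alice@parent.example.test",
    "Jun 13 13:05:40 host1 gdm-password]: pam_sss(gdm-password:account): Access denied for user "
    "alice@parent.example.test: 6 (Permission denied)",
    "Jun 13 13:07:02 host1 sshd[2211]: pam_sss(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=bob@child.example.test",
    "Jun 13 13:08:15 host1 sshd[2290]: pam_sss(sshd:auth): authentication success; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.11 user=carol@child.example.test",
]

if __name__ == "__main__":
    for user, service, phase, detail in triage(SAMPLE):
        print(f"{user} via {service}: rejected in {phase} phase ({detail})")
```

A finding in the account phase points at the access provider configuration rather than at Kerberos or the password.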
