Description of problem:
Can't login to RHEL ipa-client machine using an AD account after setting up an
trust against an 2012 Active Directory domain controller.



Version-Release number of selected component (if applicable):
rpm -qa | grep ipa
ipa-server-3.0.0-26.el6_4.2.x86_64
libipa_hbac-1.9.2-82.7.el6_4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-26.el6_4.2.x86_64
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-server-trust-ad-3.0.0-26.el6_4.2.x86_64
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64


How reproducible:
Always


Steps to Reproduce:
1. Create a trust to an AD 2012 domain
2. Login to an ipa-client machine using an AD account

Actual results:
# ssh -l admpetgus@EXAMPLE.COM ipa-server.example.com
admpetgus@EXAMPLE.COM@ipa-server.example.com's password:
Permission denied, please try again.

And in /var/log/secure on the ipa-client machine:
Jul  2 11:14:59 ipa-server sshd[7785]: pam_sss(sshd:auth): system info: [KDC
returned error string: HANDLE_AUTHDATA]
Jul  2 11:14:59 ipa-server sshd[7785]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.65
user=admpetgus@CYDMODULE.COM
Jul  2 11:14:59 ipa-server sshd[7785]: pam_sss(sshd:auth): received for user
admpetgus@EXAMPLE.COM: 4 (System error)

kvno host/$(hostname)@NIX.EXAMPLE.COM
kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for
host/ipa-server.nix.example.com@NIX.EXAMPLE.COM

#

Expected results:
ssh login should work.

Additional info:
Backport trac ticket is https://fedorahosted.org/freeipa/ticket/3289 to ipa 3.0
so an trust against an AD 2012 works.

Br, Peter Gustafsson