Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 980409
Description of problem:
Can't log in to RHEL ipa-client machine using an AD account after setting up a trust against a 2012 Active Directory domain controller.

Version-Release number of selected component (if applicable):
rpm -qa | grep ipa
ipa-server-3.0.0-26.el6_4.2.x86_64
libipa_hbac-1.9.2-82.7.el6_4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-26.el6_4.2.x86_64
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-server-trust-ad-3.0.0-26.el6_4.2.x86_64
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create a trust to an AD 2012 domain
2. Log in to an ipa-client machine using an AD account

Actual results:
# ssh -l admpetgus@EXAMPLE.COM ipa-server.example.com
admpetgus@EXAMPLE.COM@ipa-server.example.com's password:
Permission denied, please try again.

And in /var/log/secure on the ipa-client machine:
Jul 2 11:14:59 ipa-server sshd[7785]: pam_sss(sshd:auth): system info: [KDC returned error string: HANDLE_AUTHDATA]
Jul 2 11:14:59 ipa-server sshd[7785]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.65 user=admpetgus@CYDMODULE.COM
Jul 2 11:14:59 ipa-server sshd[7785]: pam_sss(sshd:auth): received for user admpetgus@EXAMPLE.COM: 4 (System error)

kvno host/$(hostname)@NIX.EXAMPLE.COM
kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/ipa-server.nix.example.com@NIX.EXAMPLE.COM
#

Expected results:
ssh login should work.

Additional info:
Backport trac ticket is https://fedorahosted.org/freeipa/ticket/3289 to ipa 3.0 so a trust against an AD 2012 works.

Br,
Peter Gustafsson
This is not an upstream issue.
Metadata Update from @rcritten:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 3.2.x - 2013/06 (bug fixing)