Earlier this week, users reported they could no longer ssh to freeipa
joined servers using their AD login. After some inverstigation, it was
discovered if krb5_validate was set to false in the sssd.conf, AD ssh login
would start working again.

One of our IPA server is showing these errors in /var/log/messages:

Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.823685558 +0000]
- ERR - is_allowed_to_access_attr - [file ipa_pwd_extop.c, line 786]:
slapi_access_allowed does not allow READ to ipaProtectedOperation;read_keys!
Feb 13 20:53:28 ipaserver ns-slapd: [13/Feb/2018:20:53:28.826357278 +0000]
- ERR - ipapwd_getkeytab - [file ipa_pwd_extop.c, line 1646]: Not allowed
to retrieve keytab on [IPA$@DOMAIN.COM] as user [fqdn=
Feb 13 20:53:28 ipaserver sssd: Failed to parse result: Insufficient access
Feb 13 20:53:28 ipaserver sssd: Failed to get keytab

I could paste the the debug logs from sssd but I'm pretty sure that error
in /var/log/messages is the root cause preventing AD ssh login. I did some
research and couldn't find anything revelant.

Any ideas how to fix this ?

Alexandre Pitre
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to