Here's weirdness for you. I left yesterday and it wasn't working. I arrived this morning and it was. Near as I can tell, it had to do with the sssd cache.

Another user had a similar problem when I unenrolled & enrolled his system to the new servers. It wouldn't take any of his passwords (he had been authenticated by the old servers when he first got in). I stopped sssd, rm -rf'd the cache db files, and then restarted it and voila, he was able to authenticate with the new servers.

Thanks, all!


On 06/03/2018 03:30 PM, Bret Wortman via FreeIPA-users wrote:
I don’t think it is, actually. That’s just where we left off. I’ll start walking more logs this week.

*Bret Wortman*
Founder, Damascus Products LLC

855-644-2783 | b...@damascusproducts.com

http://damascusproducts.com/

10332 Main St Suite 319 Fairfax, VA 22030


On Jun 3, 2018, 3:00 PM -0400, Jakub Hrozek <jhro...@redhat.com>, wrote:


On 3 Jun 2018, at 13:33, Bret Wortman via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

I just realized that I never closed the loop on this problem and just finished upgrading all my systems to use our new IPA servers. And this problem is still with me.

I can log onto some workstations but not all. My only enabled hbac rule is still "allow_all", and it's as permissive as it gets.

Is there anything else I can check? I'm trying to get this working before my users arrive on Monday and carry off my head on a pikestaff…

Are you sure the issue is HBAC, then? Normally I first check either /var/log/secure or journald, search for pam_sss to see what kind of error sssd returned (if any..) and then work my way through the sssd logs, the sssd_pam.log/sssd_nss.log first and then the sssd_domain.log..



Bret


On 02/22/2018 09:30 AM, Bret Wortman wrote:
Back to this thread; I stood up a new VM and used ipa-client-install to subscribe it to the new server. I can log on to it from both ssh and console, so the problem on my original workstation appears to be in switching from one server to another.

Thoughts?


On 02/21/2018 10:29 AM, Bret Wortman wrote:
My only hbac rule is "allow_all", and it's enabled. I hadn't gotten around to setting up any additional ones yet.


On 02/21/2018 10:14 AM, Rob Crittenden wrote:
Bret Wortman via FreeIPA-users wrote:
Any ideas why I might be prevented from logging in on a system through
GDM and the console, but if I log in as root and:

# ssh bretw@localhost

I'm able to log in without issues? And it'll tell me about failed logins
for every time I try through GDM or the console.

This is on a brand new IPA server I'm setting up using data from our
older ones but it's not set up as a replica.
Check HBAC rules. Logging into console is a different pam service than ssh.

rob


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/SJBUVQTSKRNFLMKFUNFY7UUYE52OGVOB/
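
The log check suggested in the thread (search /var/log/secure for pam_sss, keeping in mind that console, GDM and ssh are different PAM services) can be scripted; this is an added example, not code from any poster. The function names and the sample log lines are constructed for illustration, and the sketch assumes the usual syslog form of pam_sss messages, with access-control (HBAC) denials reported in the account phase and bad credentials in the auth phase.

```shell
#!/bin/sh
# Added example: triage pam_sss results per PAM service and phase.

# Constructed sample in /var/log/secure style (not taken from the thread).
sample_log() {
cat <<'EOF'
Jun  3 13:20:01 ws1 gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=bretw
Jun  3 13:20:01 ws1 gdm-password]: pam_sss(gdm-password:auth): received for user bretw: 7 (Authentication failure)
Jun  3 13:20:40 ws1 gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=bretw
Jun  3 13:21:10 ws1 login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=bretw
Jun  3 13:22:45 ws1 sshd[2211]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=bretw
Jun  3 13:22:46 ws1 sshd[2211]: Accepted password for bretw from 127.0.0.1 port 40022 ssh2
EOF
}

# Print "service:phase outcome count" for every pam_sss line on stdin.
pam_sss_summary() {
    awk '
    match($0, /pam_sss\([^():]+:[a-z_]+\)/) {
        tag = substr($0, RSTART + 8, RLENGTH - 9)   # text inside "pam_sss(...)"
        msg = substr($0, RSTART + RLENGTH)
        if (msg ~ /received for user/) next          # detail line, not a verdict
        if      (msg ~ /authentication success/) outcome = "success"
        else if (msg ~ /authentication failure/) outcome = "failure"
        else if (msg ~ /Access denied/)          outcome = "denied"
        else next
        count[tag " " outcome]++
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Account-phase denials point at access control (HBAC); auth-phase failures
# point at credentials, the sssd cache or the server side instead.
likely_cause() {
    pam_sss_summary | awk '
        $2 == "denied"  && $1 ~ /:account$/ { acct = 1 }
        $2 == "failure" && $1 ~ /:auth$/    { auth = 1 }
        END {
            if (acct) print "access-control"
            else if (auth) print "authentication"
            else print "none"
        }'
}

sample_log | pam_sss_summary
sample_log | likely_cause
```

On a live host the same functions can be fed from `/var/log/secure` or `journalctl` output instead of the sample.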


