Thanks Alexander. We don't have SELinux enabled, so good point from you. I will implement the solution you suggested soon and let you know. Thanks heaps
Alfredo

On Thu, Nov 8, 2018 at 9:05 PM Alexander Bokovoy <[email protected]> wrote:

> On Thu, 08 Nov 2018, Alfredo De Luca via FreeIPA-users wrote:
> >Hi Alexander. Thanks for your info.
> >Here are 2 logs. One is the pam.log and the other one is the domain.log at
> >the time when we got the error below.
> >
> >Nov 8 17:09:06 sftp-test sshd[25100]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)
> >
> >The user to search is nifi_sftp.
> >
> >Thanks heaps and let me know if you need more info
> Do you have SELinux enabled? Disabled?
>
> From the looks of sssd_<domain>.log you have trouble with setting
> SELinux for the user:
>
> Thu Nov 8 17:09:06 2018) [sssd[be[novalocal]]] [selinux_child_done] (0x0020): selinux_child_parse_response failed: [22][Invalid argument]
>
> This means that most likely you have SELinux disabled completely yet
> SSSD attempts to set up SELinux context and considers its failure a hard
> fail.
>
> Setting
>
> selinux_provider = none
>
> in [domain/novalocal] section should help if you are not using SELinux.
>
> >Cheers
> >
> >On Wed, Nov 7, 2018 at 3:49 PM Alexander Bokovoy <[email protected]> wrote:
> >
> >> On Wed, 07 Nov 2018, Alfredo De Luca via FreeIPA-users wrote:
> >> >Hi all. I wonder who and how this has been resolved?
> >> >I have CentOS 7 where an sftp server is running. Authentication is with
> >> >FreeIPA 4.5.4.
> >> >All the users connect to the sftp server normally but when there are
> >> >multiple connections randomly I got this error
> >> >
> >> >Nov 7 08:30:09 sftp sshd[23487]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)
> >> >
> >> >Not sure why. The same user doesn't have any issue connecting manually but
> >> >when different connections from 3 nodes (running an open source sftp client
> >> >called NIFI from apache.org) I got that error.
> >> >I have to say that I tried to reproduce with a script running multiple
> >> >connections at the same time and I get the same errors. If I use
> >> >controlmaster mechanism on ssh client I don't get the error at all.
> >> >
> >> >Any idea?
> >> Use sssd debugging to demonstrate why pam_sss is denying access.
> >> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
> >>
> >> You'd need logs from the sssd_<domain>.log and sssd_pam.log related to
> >> the time when there is an attempt to connect with NIFI. Use
> >> debug_level=9 in domain and pam sections to show all logs and provide
> >> them somewhere we can look up.
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
> >
> >--
> >*Alfredo*
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

--
*Alfredo*
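
Added example, not part of the thread and not SSSD or FreeIPA project code: a Python sketch of the triage described above, matching each pam_sss "4 (System error)" denial against a selinux_child failure logged by the SSSD domain back end at the same timestamp, then reporting whether `selinux_provider` is set for that domain. The log lines and sssd.conf text are constructed samples modelled on the lines quoted in the thread; the function names are hypothetical.

```python
import configparser
import re

# Constructed sample input, modelled on the log lines quoted in the thread.
SECURE_LOG = """\
Nov  8 17:09:06 sftp-test sshd[25100]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)
Nov  8 17:12:40 sftp-test sshd[25311]: pam_sss(sshd:account): Access denied for user other_user: 6 (Permission denied)
"""
DOMAIN_LOG = """\
(Thu Nov  8 17:09:06 2018) [sssd[be[novalocal]]] [selinux_child_done] (0x0020): selinux_child_parse_response failed: [22][Invalid argument]
"""
SSSD_CONF = """\
[domain/novalocal]
id_provider = ipa
debug_level = 9
"""

PAM_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"pam_sss\(sshd:account\): Access denied for user (\S+): 4 \(System error\)")
SSSD_RE = re.compile(r"^\(?\w{3} (\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \d{4}\) "
                     r"\[sssd\[be\[([^\]]+)\]\]\] \[selinux_child_\w+\].*failed")

def selinux_denials(secure_log, domain_log):
    """Return (user, domain, time) for each 'System error' denial that shares a
    timestamp with a selinux_child failure in the SSSD domain log."""
    failures = {}
    for line in domain_log.splitlines():
        m = SSSD_RE.match(line)
        if m:
            failures[m.group(1, 2, 3)] = m.group(4)   # (month, day, time) -> domain
    hits = []
    for line in secure_log.splitlines():
        m = PAM_RE.match(line)
        if m and m.group(1, 2, 3) in failures:
            hits.append((m.group(4), failures[m.group(1, 2, 3)], m.group(3)))
    return hits

def selinux_provider(conf_text, domain):
    """Return the domain's selinux_provider value, or None if it is not set."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get(f"domain/{domain}", "selinux_provider", fallback=None)

if __name__ == "__main__":
    for user, domain, when in selinux_denials(SECURE_LOG, DOMAIN_LOG):
        state = selinux_provider(SSSD_CONF, domain) or "not set"
        print(f"{when} {user}: selinux_child failure in {domain}; selinux_provider is {state}")
```

Denials with another PAM result code, such as the constructed "6 (Permission denied)" line, are left out because they are ordinary access-control decisions rather than the back-end failure discussed here.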
