Hi everybody.

I have just upgraded my cluster from FreeIPA 4.4.0-14 to 4.6.4-10.
All is good: logging in via IPA credentials, HBAC and sudo rules are working.
I have only one issue, logging in via SSH with AD credentials. Before the
upgrade all was working well.

I think that the trust is OK, because *kinit*, *ipa hbactest* and *ipa
trustdomain-find* (on both IPA servers) are working well:

[root@mlv-ipasrv01 ~]# ipa trustdomain-find MYDOMAIN.COM
  Domain name: mydomain.com
  Domain NetBIOS name: MYDOMAIN
  Domain Security Identifier: S-1-5-21-3367759252-2451474351-126822339
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

[root@mlv-ipasrv01 ~]# ipa hbactest --user=morgan.maro...@mydomain.com --host=mlv-testipa01.ipa.mydomain.com
Service: sshd
--------------------
Access granted: True
--------------------
  Matched rules: allow_ad_ipa_admins
  Not matched rules: allow_ad_ipa_apps
  Not matched rules: allow_ipa_it_mysite

[root@mlv-testipa01 ~]# kinit morgan.maro...@mydomain.com
Password for morgan.maro...@mydomain.com:
[root@mlv-testipa01 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: morgan.maro...@mydomain.com

Valid starting       Expires              Service principal
02/19/2019 17:55:23  02/20/2019 03:55:23  krbtgt/mydomain....@mydomain.com
        renew until 02/20/2019 17:55:18

This is the error log:

[root@mlv-testipa01 ~]# tail -f /var/log/secure
Feb 19 18:03:21 mlv-testipa01 sshd[378408]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=morgan.maro...@mydomain.com
Feb 19 18:03:21 mlv-testipa01 sshd[378408]: pam_sss(sshd:account): Access denied for user morgan.maro...@mydomain.com: 6 (Permission denied)
Feb 19 18:03:21 mlv-testipa01 sshd[378401]: error: PAM: User account has expired for morgan.maro...@mydomain.com from 192.168.100.252
Feb 19 18:03:21 mlv-testipa01 sshd[378401]: fatal: monitor_read: unpermitted request 104

It seems to be a problem with PAM and SSSD.
Do you have any suggestions?

Thanks, bye.
Morgan
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
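The log excerpt in the post shows the pattern worth recognising when an SSH login over an AD trust starts failing: pam_sss(sshd:auth) reports "authentication success", so the password was accepted by the KDC and the trust itself was exercised, and the refusal comes one step later from pam_sss(sshd:account), the PAM phase in which sssd applies its account validity and access checks. The following Python script is an added example for this thread (it is not code from the poster, from FreeIPA or from SSSD): it correlates sshd/pam_sss lines from /var/log/secure per login attempt, ties the rhost-less account-phase line to its auth line through the sshd child PID, and names the phase that decided each attempt. The sample log, hostname, PIDs, addresses and user names are constructed for the example.

```python
"""Correlate sshd/pam_sss lines from /var/log/secure per login attempt.

Added example for this thread, not code from the poster or from FreeIPA/SSSD.
A login that passes pam_sss(sshd:auth) but fails pam_sss(sshd:account) had valid
credentials and was turned away by sssd's account/access check, so the password
and the trust are not the first thing to debug.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the excerpt in the post: hostname, PIDs,
# addresses and user names are made up for this example.
SAMPLE_LOG = """\
Feb 19 18:03:21 testhost sshd[1001]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=jdoe@ad.example.com
Feb 19 18:03:21 testhost sshd[1001]: pam_sss(sshd:account): Access denied for user jdoe@ad.example.com: 6 (Permission denied)
Feb 19 18:03:21 testhost sshd[1000]: error: PAM: User account has expired for jdoe@ad.example.com from 192.0.2.10
Feb 19 18:04:02 testhost sshd[1011]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.11 user=asmith@ad.example.com
Feb 19 18:04:02 testhost sshd[1010]: Accepted keyboard-interactive/pam for asmith@ad.example.com from 192.0.2.11 port 50122 ssh2
Feb 19 18:05:17 testhost sshd[1021]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.12 user=bbad@ad.example.com
"""

# syslog prefix plus sshd PID; the message part is matched by the patterns below
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"pam_sss\(sshd:auth\): authentication (?P<result>success|failure);"
                     r".*?rhost=(?P<rhost>\S*) user=(?P<user>\S+)")
ACCT_RE = re.compile(r"pam_sss\(sshd:account\): Access denied for user (?P<user>\S+): "
                     r"(?P<code>\d+) \((?P<reason>[^)]*)\)")
SSHD_ERR_RE = re.compile(r"error: PAM: (?P<text>.+?) for (?P<user>\S+) from (?P<rhost>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<rhost>\S+)")


def new_attempt():
    return {"auth": None, "account_code": None, "account_reason": None,
            "sshd_error": None, "accepted": False, "verdict": None}


def verdict(att):
    """Name the PAM phase that decided the attempt."""
    if att["auth"] == "failure":
        return "auth_failed"       # credential rejected in the auth phase
    if att["account_code"] is not None:
        return "account_denied"    # credentials fine, account phase refused the login
    if att["accepted"]:
        return "accepted"
    return "incomplete"            # e.g. auth success with no account/accept line yet


def classify(log_text):
    """Return {(user, rhost): attempt} for every sshd login attempt in log_text."""
    attempts = defaultdict(new_attempt)
    # pam_sss account lines carry no rhost, so they are tied to the auth line
    # through the sshd child PID that logged both.
    pid_to_key = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (a := AUTH_RE.search(msg)):
            key = (a["user"], a["rhost"])
            pid_to_key[pid] = key
            attempts[key]["auth"] = a["result"]
        elif (c := ACCT_RE.search(msg)):
            key = pid_to_key.get(pid, (c["user"], "?"))
            attempts[key]["account_code"] = int(c["code"])
            attempts[key]["account_reason"] = c["reason"]
        elif (e := SSHD_ERR_RE.search(msg)):
            # logged by the privileged sshd monitor, a different PID than the child
            attempts[(e["user"], e["rhost"])]["sshd_error"] = e["text"]
        elif (ok := ACCEPTED_RE.search(msg)):
            attempts[(ok["user"], ok["rhost"])]["accepted"] = True
    for att in attempts.values():
        att["verdict"] = verdict(att)
    return dict(attempts)


def describe(key, att):
    """One human-readable line per attempt, pointing at the phase to investigate."""
    user, rhost = key
    if att["verdict"] == "account_denied":
        return (f"{user} from {rhost}: password accepted, login refused in the PAM account "
                f"phase by pam_sss (code {att['account_code']}, {att['account_reason']}); "
                f"sshd reported: {att['sshd_error']}")
    return f"{user} from {rhost}: {att['verdict']}"


if __name__ == "__main__":
    for key, att in classify(SAMPLE_LOG).items():
        print(describe(key, att))
```

Run against a real file with `classify(open("/var/log/secure").read())`; an attempt classed as `account_denied` while `ipa hbactest` grants access, as in the post, tells you to look at what sssd evaluates in the account phase on that client rather than at the trust or the user's password.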