Kevin Vasko via FreeIPA-users wrote:
> Have you made sure your “elham” user has the correct permissions to access 
> the machines? Take a look in the UI at the groups/permissions that user elham 
> has. Take a look at your HBAC rules as well. That would be my first 
> recommendation to check if it was me. 

Right, and the troubleshooting page suggests that (and increasing debug
logging).

Please provide the output of the things you have already looked at.

rob
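A small triage helper, added here as an example and not part of Rob's reply or of the FreeIPA project: it tells an SSH failure in the PAM auth phase (the credential check) apart from one in the account phase (the HBAC check Kevin mentions) by scanning pam_sss lines, and names the follow-up command for each phase. The log lines are constructed, and the message wording and the `ipa hbactest` / `sssctl user-checks` invocations are assumptions about this SSSD/IPA release, so verify them against your own logs.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies which PAM phase rejected an
# SSH login by scanning pam_sss lines from /var/log/secure, then names the
# next check for that phase. Message patterns assume pam_sss wording as of
# SSSD 1.x (assumption); verify against your own logs.

# Usage: classify_pam_sss /var/log/secure   -> prints auth | account | none
classify_pam_sss() {
    awk '
        /pam_sss\(sshd:account\): Access denied/       { acct = 1 }
        /pam_sss\(sshd:auth\): authentication failure/ { auth = 1 }
        END {
            if (acct)      { print "account" }   # access_provider (HBAC) said no
            else if (auth) { print "auth" }      # the credential check itself failed
            else           { print "none" }
        }' "$1"
}

# Usage: next_check <phase> <user> <host>  -> the command worth running next
next_check() {
    case "$1" in
        account) echo "ipa hbactest --user $2 --host $3 --service sshd" ;;
        auth)    echo "sssctl user-checks $2 -s sshd -a auth" ;;
        *)       echo "grep pam_sss /var/log/secure" ;;
    esac
}

# Constructed sample logs (not real captures), one per failure phase.
AUTH_LOG=$(mktemp)
cat > "$AUTH_LOG" <<'EOF'
Oct  9 07:20:01 ipacli-irvlt01 sshd[1234]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=elham
Oct  9 07:20:01 ipacli-irvlt01 sshd[1234]: pam_sss(sshd:auth): received for user elham: 7 (Authentication failure)
EOF

ACCT_LOG=$(mktemp)
cat > "$ACCT_LOG" <<'EOF'
Oct  9 07:21:30 ipacli-irvlt01 sshd[1300]: pam_sss(sshd:account): Access denied for user elham: 6 (Permission denied)
EOF

phase=$(classify_pam_sss "$AUTH_LOG")
echo "phase=$phase  next: $(next_check "$phase" elham ipacli-irvlt01.example.dc)"
```

An auth-phase failure points at the credential path (the thread's pam_reply/pam_sss lines), while an account-phase denial points at HBAC, which is why the two are worth separating before raising debug_level.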

> 
> -Kevin
> 
>> On Oct 9, 2019, at 7:23 AM, Elhamsadat Azarian via FreeIPA-users 
>> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> ### Request for enhancement
>> As a Linux admin I want to log in to my IPA client with a user that is 
>> defined in the ipa-server UI.
>>
>> ### Issue
>> I installed ipa-server and an ipa-client on CentOS 7.6.
>> I defined internal DNS on ipa-server and I defined A and PTR records for 
>> the client on ipa-server.
>> Now I can see my client in the IPA UI and I defined a user with name "elham" and 
>> I expect that it can log in to ipa-client.
>> When I log in as root on ipa-client and do sudo elham, it works and kinit 
>> elham works too, but
>> when I ssh into ipa-client with this user, it shows "Access denied".
>> I have errors with this context:
>> pam_reply : authentication failure to the client
>> pam_sss: authentication failure
>>
>> I'm tired of this issue. Please help me if you know the solution.
>>
>> #### Steps to Reproduce
>> 1. Define new user "elham" in the IPA UI
>> 2. SSH to ipa-client with user elham
>> 3. Access denied
>>
>> #### Actual behavior
>> (what happens)
>>
>> #### Expected behavior
>> Log in to ipa-client successfully
>>
>> #### Version/Release/Distribution
>>   ipa-server 4.6.5-11.el7
>>   ipa-client 4.6.4-10.el7.centos.3
>> Log files and config files are added below:
>>
>>
>>
>> krb5.conf
>> ------------
>> #File modified by ipa-client-install
>>
>> includedir /etc/krb5.conf.d/
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>> [libdefaults]
>> default_realm = LSHS.DC
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>> allow_weak_crypto = true
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>> LSHS.DC = {
>> kdc = ipa-irvlt01.example.dc:88
>> admin_server = ipa-irvlt01.example.dc:749
>> default_domain = example.dc
>> }
>> [domain_realm]
>> .example.com = LSHS.DC
>> example.com = LSHS.DC
>> ############################################
>>
>>
>> sssd.conf
>> -------------
>> [domain/example.dc]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = example.dc
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> ipa_hostname = ipacli-irvlt01.example.dc
>> chpass_provider = ipa
>> dyndns_update = True
>> ipa_server = _srv_, ipa-irvlt01.example.dc
>> dyndns_iface = ens160
>> dns_discovery_domain = example.dc
>>
>> debug_level = 10
>> [sssd]
>> ########### AFTER IPA ###################
>> #services = nss, sudo, pam, ssh
>> services = nss, pam
>> config_file_version = 2
>> #########################################
>> domains = example.dc
>>
>> debug_level = 10
>> [nss]
>> homedir_substring = /home
>>
>> [pam]
>> debug_level = 10
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>> [ifp]
>>
>> [secrets]
>>
>> [session_recording]
>>
>> ##########################################
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct: 
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: 
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org