On Wed, Jul 29, 2020 at 02:11:43PM +0000, TOULMONDE Sébastien (CSC/MST) via FreeIPA-users wrote:
> Hi,
>
> Yesterday we migrated our dev servers to IPA - to help in the migration, I
> enabled the allow_all HBAC rule, but despite that, some users get this
> message:
>
> Jul 29 15:56:23 el4966 sshd[98029]: Postponed keyboard-interactive for id094844 from 81.245.6.11 port 35552 ssh2 [preauth]
> Jul 29 15:56:49 el4966 sshd[98034]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=el1921.bc user=id094844
> Jul 29 15:56:49 el4966 sshd[98034]: pam_sss(sshd:auth): received for user id094844: 6 (Permission denied) < ----- This
> Jul 29 15:56:52 el4966 sshd[98029]: error: PAM: Authentication failure for id094844 from el1921.bc
> Jul 29 15:56:52 el4966 sshd[98029]: Failed keyboard-interactive/pam for id094844 from 81.245.6.11 port 35552 ssh2
> Jul 29 15:56:58 el4966 sshd[98029]: Postponed keyboard-interactive for id094844 from 81.245.6.11 port 35552 ssh2 [preauth]
> Jul 29 15:57:00 el4966 sshd[98029]: Connection closed by 81.245.6.11 port 35552 [preauth]
>
> These are external (AD) users. Weird thing: not all users have this and not
> everywhere... I tried to remove the LDAP filter on the IPA server -> same
> thing... I'm running out of ideas...

Hi,

please set 'debug_level = 9' in the [domain/...] section in sssd.conf, restart SSSD, try to authenticate again and check krb5_child.log and the domain log for errors.

HTH

bye,
Sumit

>
> Thanks for your help!
>
> S. Toulmonde
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
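
An added example, not part of the thread: a small triage script for the `pam_sss` "received for user" lines quoted above. It separates failures in the PAM auth phase from those in the account phase, which is where SSSD evaluates HBAC rules. The function and field names are hypothetical; the sample lines are the ones from the post with the mail wrapping undone.

```python
import re
from collections import Counter

# Linux-PAM return codes that commonly appear in pam_sss log lines.
PAM_CODES = {4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}

# e.g. "pam_sss(sshd:auth): received for user id094844: 6 (Permission denied)"
RECEIVED = re.compile(
    r"pam_sss\((?P<service>[^:)]+):(?P<phase>\w+)\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")

# Log lines taken from the post, with the mail client's line wrapping undone.
SAMPLE = """\
Jul 29 15:56:23 el4966 sshd[98029]: Postponed keyboard-interactive for id094844 from 81.245.6.11 port 35552 ssh2 [preauth]
Jul 29 15:56:49 el4966 sshd[98034]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=el1921.bc user=id094844
Jul 29 15:56:49 el4966 sshd[98034]: pam_sss(sshd:auth): received for user id094844: 6 (Permission denied)
Jul 29 15:56:52 el4966 sshd[98029]: error: PAM: Authentication failure for id094844 from el1921.bc
"""


def triage(log_text):
    """Return one finding per pam_sss 'received for user' line."""
    findings = []
    for line in log_text.splitlines():
        m = RECEIVED.search(line)
        if not m:
            continue
        code = int(m["code"])
        findings.append({
            "user": m["user"],
            "service": m["service"],
            "phase": m["phase"],
            "code": code,
            "name": PAM_CODES.get(code, "UNKNOWN"),
            # HBAC is evaluated in the account phase; a failure in the auth
            # phase happens before any HBAC rule is consulted.
            "phase_checks_hbac": m["phase"] == "account",
        })
    return findings


def summarize(findings):
    """Count failures per (user, phase, code name) to see who is affected."""
    return Counter((f["user"], f["phase"], f["name"]) for f in findings)


if __name__ == "__main__":
    for (user, phase, name), n in summarize(triage(SAMPLE)).items():
        print(f"{n}x {user} phase={phase} result={name}")
```
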
