Hi, I've enabled lvl 9 debug. I started from 6 to see if there is anything obvious, but I can't see anything. It looks like on lvl 6 the difference between a successful and an unsuccessful login is that the unsuccessful one is not even triggering the SSS_PAM_ACCT_MGMT command. What's interesting is that if I destroy the c111111 user's ticket on the machine and try to log in again, it will fail, but my current login user can see that the krb ticket has been created. On lvl 9 I can see that communication with the IPA server is successful and that it's querying all user info. I've disabled krb5_store_password_if_offline and cleared the sssd cache on the host, but it's still the same thing. The symptoms are almost like krb won't check the password and just returns OK to ssh.

c111111@csc-64:/home/ubuntu$ klist -l
Principal name                 Cache name
--------------                 ----------
[email protected]              KEYRING:persistent:1938600006:krb_ccache_VaG0P4I

When failing, the following is not processed at all, it just returns OK

(Mon Nov 30 07:05:50 2020) [sssd[be[stuxnet.lab]]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.pamHandler: Success
(Mon Nov 30 07:05:50 2020) [sssd[be[stuxnet.lab]]] [child_sig_handler] (0x0100): child [602785] finished successfully.

When successful, the lvl 6 log continues with:

(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [dp_pam_handler_send] (0x0100): Got request with the following data
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): domain: stuxnet.lab
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): user: [email protected]
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): service: sshd
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): tty: ssh
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): ruser:
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): rhost: 10.0.0.6
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): priv: 1
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): cli_pid: 602527
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): logon name: not set
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [pam_print_data] (0x0100): flags: 0
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [dp_attach_req] (0x0400): DP Request [PAM Account #7]: New request. Flags [0000].
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [sdap_access_send] (0x0400): Performing access check for user [[email protected]]
(Mon Nov 30 07:04:50 2020) [sssd[be[stuxnet.lab]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS
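
Added example, not part of the original message and not SSSD project code: a small Python parser for the domain-log format quoted above that lists client PIDs whose PAM requests never included SSS_PAM_ACCT_MGMT, the difference the post describes. The sample lines, the domain example.test, the user and the PIDs are constructed; SSS_PAM_AUTHENTICATE is a real SSSD command name that does not appear in the post, and grouping a login's phases by cli_pid is an assumption.

```python
import re
from collections import defaultdict

# Shape of one SSSD domain-log line as it appears in the excerpt above.
LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                  r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$")

def pam_requests(lines):
    """Return one dict per PAM request dumped by pam_print_data."""
    requests, current = [], None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        func, msg = m["func"], m["msg"]
        if func == "dp_pam_handler_send" and msg.startswith("Got request"):
            current = {"ts": m["ts"]}          # a new request dump starts here
            requests.append(current)
        elif func == "pam_print_data" and current is not None:
            key, _, value = msg.partition(":")  # "command: X" -> ("command", "X")
            current[key.strip()] = value.strip()
        else:
            current = None                      # any other line ends the dump
    return requests

def logins_without_acct_mgmt(lines):
    """Map cli_pid -> commands seen, for clients that never reached the account phase."""
    seen = defaultdict(list)
    for req in pam_requests(lines):
        seen[req.get("cli_pid", "?")].append(req.get("command", "?"))
    return {pid: cmds for pid, cmds in seen.items()
            if "SSS_PAM_ACCT_MGMT" not in cmds}

# Constructed sample: PID 1001 runs both phases, PID 1002 stops after authentication.
P = "(Mon Nov 30 07:04:50 2020) [sssd[be[example.test]]] "
def _req(cmd, pid):
    return [P + "[dp_pam_handler_send] (0x0100): Got request with the following data",
            P + f"[pam_print_data] (0x0100): command: {cmd}",
            P + "[pam_print_data] (0x0100): user: testuser@example.test",
            P + f"[pam_print_data] (0x0100): cli_pid: {pid}",
            P + "[dp_attach_req] (0x0400): Number of active DP request: 1"]

SAMPLE = (_req("SSS_PAM_AUTHENTICATE", 1001) + _req("SSS_PAM_ACCT_MGMT", 1001)
          + _req("SSS_PAM_AUTHENTICATE", 1002))

if __name__ == "__main__":
    print(logins_without_acct_mgmt(SAMPLE))
```
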
