Hi Rob,

That was the issue, many thanks. The AD server was on a different timezone.
Now it works.

BR,

On Mon, Feb 1, 2021 at 8:04 PM Rob Crittenden <[email protected]> wrote:
> Mustapha Aissat via FreeIPA-users wrote:
> > Hi all,
> >
> > I'm facing some problems with connecting an AD user to a Linux host via ssh.
> >
> > I already configured the trust between the IPA server and AD.
> > I created an external group "grp_dba" pointing to the AD group.
> > I created a POSIX group "admindba" that contains the external group.
> > I created an HBAC rule "allow_dba" to allow the group to access the host.
> >
> > I did an HBAC test and it tells me that access is granted to the
> > user. On the client host, id, getent and even su work, but I still can't
> > do an ssh!
> >
> > Can you please guide me?
> >
> > Thank you in advance.
> >
> > Here are some commands that I used, and logs
> > ----------
> > _On IPA server:_
> >
> > [root@idm01 ~]# ipa group-show admindba
> >   Group name: admindba
> >   GID: 336200005
> >   Member groups: grp_dba
> >   Member of HBAC rule: allow_dba
> >
> > [root@idm01 ~]# ipa hbactest [email protected] --host=zabbix.linux.dz.corp --service=sshd
> > --------------------
> > Access granted: True
> > --------------------
> >   Matched rules: allow_dba
> >
> > _On client host:_
> >
> > [root@zabbix ~]# id [email protected]
> > uid=1790001108([email protected]) gid=1790001108([email protected])
> > groups=1790001108([email protected]),1790000513(domain
> > [email protected]),336200005(admindba),1790001107([email protected])
> >
> > [root@zabbix ~]# geten [email protected]
> > getenforce getent
> >
> > [root@zabbix ~]# getent passwd [email protected]
> > [email protected]:*:1790001108:1790001108:admin_dba01:/home/dz.corp/admin_dba01:
> >
> > [root@zabbix ~]# getent group [email protected]
> > [email protected]:*:1790001108:
> >
> > [root@zabbix ~]# su - [email protected]
> > Last login: Mon Feb 1 16:57:39 CET 2021 on pts/1
> > [[email protected]@zabbix ~]$ logout
> > [root@zabbix ~]#
> >
> > [root@zabbix ~]# journalctl -e
> >
> > Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Starting SSSD Kerberos
> > Cache Manager...
> > Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Started SSSD Kerberos
> > Cache Manager.
> > Feb 01 19:32:33 zabbix.linux.dz.corp sssd[kcm][17086]: Starting up
> > Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]:
> > Ticket not yet valid
>
> Looks to me like the system is not in time sync with the KDC.
>
> rob
>
> > Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]:
> > Ticket not yet valid
> > Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]:
> > Ticket not yet valid
> > Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]:
> > Ticket not yet valid
> > Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth):
> > authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> > rhost=192.168.122.1 [email protected]
> > Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth):
> > received for user [email protected]: 6 (Permission denied)
> > Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: error: PAM:
> > Authentication failure for [email protected] from 192.168.122.1
> > Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: Postponed
> > keyboard-interactive for [email protected] from 192.168.122.1 port
> > 43908 ssh2 [preauth]
> > Feb 01 19:32:36 zabbix.linux.dz.corp sshd[17076]: Connection closed by
> > authenticating user [email protected] 192.168.122.1 port 43908 [preauth]
> >
> > -------
> >
> > Best regards,
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
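The failure pattern in Rob's diagnosis is easy to automate on the client side: `krb5_child` logs "Ticket not yet valid" in the same second that `pam_sss` reports an sshd authentication failure, and the root cause is a local clock that lags the KDC. The script below is an added example for this thread, not code from FreeIPA, SSSD or the poster. It parses a constructed journalctl excerpt modelled on the one above (hostname, PIDs, address and user are placeholders), correlates the two message types, and mirrors the client-side check that produces the error, using MIT krb5's default 300-second `clockskew` as the tolerance (an assumption about the client configuration).

```python
"""Correlate sssd/sshd journal lines to spot Kerberos clock-skew failures.

Added example for this thread (not code from FreeIPA, SSSD or the poster).
It assumes journalctl's default short output format; the sample below is
constructed and the hostname, PIDs, address and user are placeholders.
"""
import re
from datetime import datetime, timedelta

# Constructed sample patterned after the journalctl excerpt in the thread.
SAMPLE_JOURNAL = """\
Feb 01 19:32:33 host.example.test sssd[kcm][17086]: Starting up
Feb 01 19:32:33 host.example.test [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 host.example.test [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 host.example.test sshd[17080]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=aduser@ad.example
Feb 01 19:32:33 host.example.test sshd[17080]: pam_sss(sshd:auth): received for user aduser@ad.example: 6 (Permission denied)
Feb 01 19:32:35 host.example.test sshd[17076]: error: PAM: Authentication failure for aduser@ad.example from 192.0.2.10
Feb 01 19:40:02 host.example.test sshd[17200]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.11 user=other@ad.example
"""

JOURNAL_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<unit>.+?): (?P<msg>.*)$"
)
PAM_FAIL = re.compile(
    r"pam_sss\(sshd:auth\): authentication failure;.*rhost=(?P<rhost>\S*).*user=(?P<user>\S+)"
)
# krb5 library errors that nearly always mean the client clock disagrees with the KDC.
SKEW_ERRORS = ("Ticket not yet valid", "Clock skew too great")

# MIT krb5's default tolerance for clock differences (assumed client setting).
DEFAULT_CLOCKSKEW = timedelta(seconds=300)
# Constructed "KDC time" used by the demo helper below.
KDC_NOW = datetime(2021, 2, 1, 19, 32, 33)


def parse_journal(text, year=2021):
    """Return (timestamp, unit, message) for each short-format journalctl line.

    journalctl's short format omits the year, so one is supplied (assumption).
    """
    entries = []
    for line in text.splitlines():
        m = JOURNAL_LINE.match(line)
        if not m:
            continue  # continuation or unrelated line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entries.append((ts, m["unit"], m["msg"]))
    return entries


def find_skew_failures(entries, window=timedelta(seconds=5)):
    """Return pam_sss auth failures preceded by a krb5_child skew error within `window`.

    Each hit records the user, remote host, time and the skew messages seen
    just before it, which is exactly the pattern the thread's log shows.
    """
    hits = []
    for ts, unit, msg in entries:
        m = PAM_FAIL.search(msg)
        if not m:
            continue
        nearby = [
            emsg for ets, eunit, emsg in entries
            if "krb5_child" in eunit and emsg.startswith(SKEW_ERRORS)
            and ts - window <= ets <= ts
        ]
        if nearby:
            hits.append({"user": m["user"], "rhost": m["rhost"],
                         "time": ts, "krb5_errors": nearby})
    return hits


def ticket_not_yet_valid(ticket_start, local_now, clockskew=DEFAULT_CLOCKSKEW):
    """Mirror the client-side check that yields KRB5KRB_AP_ERR_TKT_NYV.

    A ticket is rejected when its start time lies further in the future than
    the allowed skew, so a client clock one timezone-hour behind the KDC
    trips this on every login.
    """
    return ticket_start - local_now > clockskew


def local_clock_behind(seconds):
    """True if a client whose clock lags KDC_NOW by `seconds` would reject a fresh ticket."""
    return ticket_not_yet_valid(KDC_NOW, KDC_NOW - timedelta(seconds=seconds))


if __name__ == "__main__":
    for hit in find_skew_failures(parse_journal(SAMPLE_JOURNAL)):
        print(f"{hit['time']:%b %d %H:%M:%S} {hit['user']} from {hit['rhost']}: "
              f"{len(hit['krb5_errors'])} krb5 skew error(s); check chrony/NTP against the KDC")
    print("one hour behind the KDC:", local_clock_behind(3600))
    print("two minutes behind the KDC:", local_clock_behind(120))
```

Feed it `journalctl -u sssd -u sshd` output on the client: the first failure in the sample is flagged because two skew errors land in the same second, while the later failure at 19:40:02 is not, since nothing from `krb5_child` precedes it. The second helper makes the fix in this thread concrete: an offset of a full hour is far outside the 300-second tolerance, whereas a couple of minutes of drift is still accepted, which is why NTP or chrony against the same time source as the AD domain controllers is the standing remedy rather than widening `clockskew`.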
