Hi Everybody:
I am using FreeIPA 2.2.0 on CentOS 6.3 and am having a challenging problem with a new user that I just set up. That user cannot ssh into any host on the realm from an external source. They get a permission denied problem but "old-user" with the same HBAC configuration works.

    % ssh -A -t -o Port=9346 new-u...@somehost.example.com
    new-u...@somehost.example.com's password:
    Permission denied, please try again.

    % ssh -A -t -o Port=9346 old-u...@somehost.example.com
    old-u...@somehost.example.com's password:
    Last login: ...
    [old-user@somehost ~]$

I checked their password by setting up a TGT using kinit. It worked. I was also able to ssh into another host on the network.

    % kinit new-user
    Password for new-u...@example.com
    % ssh new-user@somehost
    Last login: ...
    Could not chdir to home directory ...
    -bash-4.1$ exit

That seems to indicate that the password is correct and that the permissions are correct, but to be sure I ran an hbactest on the server:

    % ipa hbactest --user=new-user --service=ssh --host=somehost
    --------------------
    Access granted: True
    --------------------
    ...

I did see something strange in /var/log/messages:

    Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
    Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
    Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
    Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
    Jul 20 11:48:54 somehost [sssd[krb5_child[16488]]]: Password has expired
    Jul 20 11:48:55 somehost [sssd[krb5_child[16488]]]: Decrypt integrity check failed
    Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Password has expired
    Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Decrypt integrity check failed

So I reset the password using the ipa passwd command:

    % ipa passwd new-user
    New Password:
    Etner New Password again to verify:
    -------------------------------------------
    Changed password for new-u...@example.com
    ------------------------------------------

But I am still getting the Permission denied error.

What am I doing wrong? How can I debug this?

Any help would be greatly appreciated.

Thanks,
Joe