as below.


Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From: Joe Linoff []
Sent: Tuesday, 24 July 2012 10:04 a.m.
To: Steven Jones
Cc:; Joe Linoff
Subject: Re: [Freeipa-users] User can't login via ssh from external

Hi Steve:

Thank you for your suggestions.

> In the gui you can do a hbac test of the rule.

I ran the hbactest rule testing from the command line using “ipa hbactest …”. 
It showed that the rules were correct. Do you think that the GUI might provide 
a different result?

probably not

> Also what are the UIDS?  IPA provided 32bit ones?  or your own?

The UID’s were provided by IPA. Actually during testing I also provided my own 
at one point but reverted back when that didn’t seem to make a difference.

Can you explain why that might cause the problem? For example, would duplicates 
break the system or are there ranges of UIDs that are not legal?

pam prevents any user with a UID <500 from logging in with ssh (that bit me 
last week).

> I'd suggest re-setting that user's password and get them to login and reset 
> the password, that

> works for me, it was a sign of bad/failed replication in my system I think 
> (now fixed).

I tried that using kpasswd and “ipa passwd” to change the password but neither 
solved the problem. In both cases I was able to run “kinit new-user” and set 
the credentials using the new password but new-user could not ssh in.
It was a really strange problem. It looks like something got out of sync but I 
could not (and cannot) figure out where. It is doubly difficult because 
removing and re-adding the user worked. In addition, adding other users worked.

Yes, I had the same symptoms, removing and re-adding a user worked for me also 
but re-setting the user's password in the web ui also worked and its easier. It 
came down to failed replication I think, as now that is solved the issue has 
not re-appeared for users.


Freeipa-users mailing list

Reply via email to