Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
From: Joe Linoff [jlin...@tabula.com]
Sent: Tuesday, 24 July 2012 10:04 a.m.
To: Steven Jones
Cc: email@example.com; Joe Linoff
Subject: Re: [Freeipa-users] User can't login via ssh from external
Thank you for your suggestions.
> In the gui you can do a hbac test of the rule.
I ran the hbactest rule testing from the command line using “ipa hbactest …”.
It showed that the rules were correct. Do you think that the GUI might provide
a different result?
> Also what are the UIDS? IPA provided 32bit ones? or your own?
The UIDs were provided by IPA. Actually during testing I also provided my own
at one point but reverted back when that didn’t seem to make a difference.
Can you explain why that might cause the problem? For example, would duplicates
break the system or are there ranges of UIDs that are not legal?
pam prevents any user with a UID <500 from logging in with ssh (that bit me
> I'd suggest re-setting that user's password and get them to login and reset
> the password, that works for me, it was a sign of bad/failed replication in
> my system I think (now fixed).
I tried that using kpasswd and “ipa passwd” to change the password but neither
solved the problem. In both cases I was able to run “kinit new-user” and set
the credentials using the new password but new-user could not ssh in.
It was a really strange problem. It looks like something got out of sync but I
could not (and cannot) figure out where. It is doubly difficult because
removing and re-adding the user worked. In addition, adding other users worked.
Yes, I had the same symptoms, removing and re-adding a user worked for me also
but re-setting the user's password in the web UI also worked and it's easier. It
came down to failed replication I think, as now that is solved the issue has
not re-appeared for users.