Hi Rob: Thank you for helping.

> Are you performing a login between steps 3 and 5? Otherwise all that does is add
> a member/memberof and then remove it. I don't see how this would affect anything.

Hmmm, good point. I think that I was probably doing a "kinit" between steps 3 and 5 which would amount to the same thing, right?

Regards,
Joe

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, July 23, 2012 3:21 PM
To: Joe Linoff
Cc: sgall...@redhat.com; d...@redhat.com; firstname.lastname@example.org
Subject: Re: [Freeipa-users] User can't login via ssh from external

Joe Linoff wrote:
> Hi Folks:
>
> I managed to get the user working doing the following (all from the CLI):
>
> 1. Deleted the user (ipa user-del new-user)
>
> 2. Re-added the user
>
> 3. Add the user to administrator groups.
>
> 4. Changed/set the password.
>
> 5. Removed the administrator privileges.
>
> 6. Attempt report ssh login.
>
> Steps 3 and 5 are a hack but I can demonstrate that /not/ doing them
> causes the strange login problem. I can also show that the HBAC rules
> are enforced properly after step 5 is run so this works for me. I just
> don't understand why it is necessary.

Are you performing a login between steps 3 and 5? Otherwise all that does is add a member/memberof and then remove it. I don't see how this would affect anything.

rob

> Thank you for all of your help and suggestions.
>
> Regards,
>
> Joe
>
> *From:* Joe Linoff
> *Sent:* Monday, July 23, 2012 1:51 PM
> *To:* sgall...@redhat.com; d...@redhat.com
> *Cc:* email@example.com; Joe Linoff
> *Subject:* Re: [Freeipa-users] User can't login via ssh from external
>
> Hi Stephen and Dmitri:
>
> Thank you for the sshd GSSAPI configuration suggestion. I tried it
> this morning but it didn't work. That particular user is still not
> able to login. What is even more interesting is that I created a user
> with the identical setup and the new user worked (i.e., they were able
> to ssh in remotely).
>
> I am really confused by this because it does not appear to be a global
> setup issue like ssh. It may be some sort of HBAC rule violation or
> something else equally strange. I just can't figure it out.
>
> Can you suggest any other ways to troubleshoot this?
>
> Thanks,
>
> Joe
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipafirstname.lastname@example.org
> https://www.redhat.com/mailman/listinfo/freeipa-users