On Thu, Sep 27, 2012 at 08:18:21AM +0200, David Sastre wrote:
> On Wed, Sep 26, 2012 at 11:08 PM, David Sastre Medina <
> d.sastre.med...@gmail.com> wrote:
> 
> > On Wed, Sep 26, 2012 at 03:06:40PM -0400, Rob Crittenden wrote:
> > > David Sastre wrote:
> > > > [big snip]
> > > Does sssd work on this machine otherwise? getent passwd <foo>, you
> > > can log into the console as the user, or perhaps kinit to the user?
> >
> 
> It looks like sssd is operating correctly
> $ getent passwd dsastrem
> dsastrem:*:1543400001:1543400001:David Sastre
> Medina:/home/dsastrem:/bin/rbash
> 
> I can also kinit w/o problems:
> $ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)
> 
> $ kinit dsastrem
> Password for dsast...@some.domain.com:
> 

kinit bypasses the SSSD and talks to the KDC directly.

> $ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: dsast...@some.domain.com
> 
> I can log in using ssh, and the log shows:
> debug1: Authentication succeeded (gssapi-with-mic).
> 
> Valid starting     Expires            Service principal
> 09/27/12 07:59:36  09/28/12 07:59:36  krbtgt/some.domain....@some.domain.com
>         renew until 09/28/12 08:01:20
> 

...however, the ssh should go through the SSSD...

> Yet, sudo fails to authenticate me:
> dsastrem@obelix ~
> $ sudo ip addr show
> [sudo] password for dsastrem:
> Sorry, try again.
> [sudo] password for dsastrem:
> Sorry, try again.
> [sudo] password for dsastrem:
> sudo: 2 incorrect password attempts

Can you check the messages that appear in /var/log/secure during the
sudo auth attempt? You should see pam_sss being contacted, what does it
say? Is there any error?

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to