I am using free-ipa 2.2 to manage LDAP/DNS for about a dozen CentOS 6.3
servers on a small network. I am having a problem where a user cannot
log into a host even though "ipa hbactest" says that he is authorized.
This user can log into other hosts where "ipa hbactest" says he is


Here is the problem in a nutshell:


# Works for host1
$ ssh user1@host1
user1@host1's password: <top-secret>
Last login ...
[user1@host1 ~] echo "SUCCESS"

# Fails for host2
$ ssh user1@host2
Password: <top-secret>
Permission denied (publickey, gssapi-keyex, gssapi-with-mic,

# hbactest
$ ipa hbactest  --user=user1  --host=host1  --service==sshd

Access granted: True

<output snipped>

# hbactest
$ ipa hbactest  --user=user1  --host=host2  --service==sshd

Access granted: True

<output snipped>


It seems that free-ipa thinks that everything is copacetic so there must
be something different on the hosts.


I looked at /etc/ssh/sshd.conf, /etc/nsswitch.conf and
/etc/sssd/sssd.conf on both hosts but didn't see anything that looked
out of whack. I also tried "ssh  -vvv" but wasn't sure how to interpret
the results. I am using an NFS automount /home setup so both are using
the same ~/.ssh.


I am not sure how to debug this.


Do you know why the password prompt is different? That may be a clue.


Can you suggest some other things that I can try?


Any help would be greatly appreciated.

Thank you.







Freeipa-users mailing list
