Albert Adams wrote:
Rob,
There are no HBAC rules defined other than the default "allow_all" rule, which has not been customized. It is a vanilla install at this point. I have not added anything other than the replica, a few clients, one user group and the users to the system.


Ok. I would update the sssd debug level and restart it, then try the login again. On system2 are you able to use nss tools to identify IPA users (id, getent, etc)?

rob



On Thu, Dec 6, 2012 at 11:08 PM, Rob Crittenden <rcrit...@redhat.com
<mailto:rcrit...@redhat.com>> wrote:

    Albert Adams wrote:

        I have a small IPA domain setup on RHEL 6 server with a FreeIPA server, a replica and two clients.  There are six users setup in the domain.  All users are able to login over SSH to both client systems.  I am not using IPA to control sudo access.  Sudo privileges are granted by group membership (group memberships are managed by IPA).  So here is where it gets weird.

        Client Systems

        system1 - testuser1 can authenticate over SSH using public key, can login at the console, and CAN sudo (all other users are able to do the same)
        system2 - testuser1 can authenticate over SSH using public key and CANNOT login at the console or sudo (two out of six users can login and sudo)

        So for example:

        system1 - SSH, console and sudo access
        testuser1, testuser2, testuser3, testuser4, testuser5, testuser6

        system2 - SSH access only
        testuser1, testuser2, testuser3, testuser4

        system2 - SSH, console and sudo access
        testuser5, testuser6

        All users have the same group memberships and use SSH keys to
        authenticate to the system.

        Errors when the user tries to sudo
        ------------------------------------------------------------
        /var/log/secure
        Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
        Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
        Dec  6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
        Dec  6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
        Dec  6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
        Dec  6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
        Dec  6 18:54:52 ipa-client1 sudo: testuser1 : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/testuser1 ; USER=root ; COMMAND=/bin/su -

        Errors when the user tries to login at the console
        -------------------------------------------------------------
        /var/log/secure
        Dec  6 19:53:56 ipa-client1 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=testuser1
        Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser1
        Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for user testuser1: 4 (System error)
        Dec  6 19:53:58 ipa-client1 login: FAILED LOGIN 1 FROM (null) FOR testuser1, Authentication failure


        I found this post and it looks similar but my /var/log/sssd/krb5_child.log is empty.

        https://www.redhat.com/archives/freeipa-users/2012-October/msg00004.html

        The link to http://www.mail-archive.com/sssd-devel%20lists%20fedorahosted%20org/msg10176.html was dead but I checked the /tmp permissions like the guy in the forum post and they were:

        # ll -dZ /tmp/
        drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /tmp/

        It's really puzzling that sudo works for some users but not others and it's only on one system.  I've thought about enrolling additional systems to the IPA domain to determine if this one system is just a problem child but I'd rather get it ironed out before moving over any additional systems.

        Thanks in advance,
        Albert


    I would look to see if you have any Host-based access (HBAC) rules
    defined. This would explain the behavior.

    rob
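The triage Rob suggests (confirm that NSS on system2 can resolve the IPA users, then raise the sssd debug level and retry) can be scripted, and it helps to read the PAM result code that pam_sss logs: "4 (System error)" in the lines above means the SSSD backend failed, which is a different failure from a wrong password (7) or an access denial (6). The script below is an added example written for this thread; it is not code from the thread or from the FreeIPA/SSSD projects. The sample log lines are constructed in the format quoted above (the wording of the sshd account-denial line is assumed), the usernames are placeholders, and the sssd log path in the comments is the default on RHEL 6 as far as the author of this example knows.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for "pam_sss ... received
# for user X: 4 (System error)" on an IPA client. All sample data is constructed.

# Constructed /var/log/secure excerpt in the format quoted in the thread, plus two
# made-up lines for other users with different PAM result codes. The sshd/account
# line follows the wording pam_sss is believed to use for an access denial (assumed).
SAMPLE_LOG='Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec  6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec  6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for user testuser1: 4 (System error)
Dec  6 19:55:02 ipa-client1 login: pam_sss(login:auth): received for user testuser2: 7 (Authentication failure)
Dec  6 19:56:10 ipa-client1 sshd: pam_sss(sshd:account): Access denied for user testuser3: 6 (Permission denied)'

# Reads log text on stdin and prints one line per (user, PAM service, result code)
# with a count, e.g. "testuser1 sudo 4 3". Lines without a numeric result code
# (the "authentication failure; logname=..." lines) are ignored.
summarize_pam_sss() {
    sed -n 's/.*pam_sss(\([a-z_-]*\):[^)]*): [^:]* for user \([^:]*\): \([0-9][0-9]*\) (.*/\2 \1 \3/p' \
    | sort | uniq -c | awk '{ print $2, $3, $4, $1 }'
}

# Maps the numeric PAM result code pam_sss logged to its libpam name and the
# place to look next. Code 4 is the one in this thread.
pam_code_name() {
    case "$1" in
        0) echo "PAM_SUCCESS" ;;
        4) echo "PAM_SYSTEM_ERR (SSSD backend failure: read the sssd logs, the password is not the problem)" ;;
        6) echo "PAM_PERM_DENIED (access denied: HBAC rule or account restriction)" ;;
        7) echo "PAM_AUTH_ERR (bad credentials)" ;;
        *) echo "PAM code $1" ;;
    esac
}

# Runs on the affected client: confirms NSS (i.e. sssd via nsswitch.conf) can
# resolve each IPA user, which is the "id / getent" check suggested above.
check_user_resolution() {
    for u in "$@"; do
        if getent passwd "$u" >/dev/null 2>&1; then
            printf '%s: resolvable via NSS, groups: %s\n' "$u" "$(id -nG "$u" 2>/dev/null)"
        else
            printf '%s: NOT resolvable via NSS (sssd/nsswitch problem rather than HBAC)\n' "$u"
        fi
    done
}

# Next step for code 4 (manual): set "debug_level = 6" in the [domain/...] and
# [pam] sections of /etc/sssd/sssd.conf, run "service sssd restart", retry the
# login, then read /var/log/sssd/sssd_<domain>.log and sssd_pam.log (paths assumed).

case "${1:-}" in
    --demo)
        # Offline demonstration on the constructed sample.
        printf '%s\n' "$SAMPLE_LOG" | summarize_pam_sss | while read -r user svc code n; do
            printf '%-10s %-6s x%-3s %s\n' "$user" "$svc" "$n" "$(pam_code_name "$code")"
        done
        ;;
    --live)
        # On a real client: summarize the actual log, then check the named users.
        shift
        summarize_pam_sss < /var/log/secure
        check_user_resolution "$@"
        ;;
esac
```

Run with `--demo` to see the constructed sample grouped by user, service and PAM code; on the misbehaving client, `--live testuser1 testuser5` summarizes the real /var/log/secure and then checks whether each user resolves through NSS. A user who gets code 4 from pam_sss but resolves fine via getent points at the SSSD auth backend (Kerberos/LDAP reachability, time skew, or a stale cache), while a user who does not resolve at all points at nsswitch or the sssd domain configuration on that one host.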



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users