On 03/31/2014 07:05 PM, Todd Maugh wrote:
[root@black-62 sssd]# tail -f sssd_ops.boingo.com.log
(Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [be_resolve_server_done]
(4): Found address for server idm-master-els.ops.boingo.com: [172.22.170.46]
TTL 7200
(Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [sasl_bind_send] (4):
Executing sasl bind mech: GSSAPI, user: host/black-62.qa.boingo.com
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [child_sig_handler] (4):
child [13134] finished successfully.
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [fo_set_port_status] (4):
Marking port 0 of server 'idm-master-els.ops.boingo.com' as 'working'
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]]
[set_server_common_status] (4): Marking server 'idm-master-els.ops.boingo.com'
as 'working'
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [be_run_online_cb] (3):
Going online. Running callbacks.
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4):
Request processed. Returned 0,0,Success
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]]
[delayed_online_authentication_callback] (5): Backend is online, starting
delayed online authentication.
(Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info]
(4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
(Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4):
Request processed. Returned 0,0,Success
(Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info]
(4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
(Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4):
Request processed. Returned 0,0,Success
(Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info]
(4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
(Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4):
Request processed. Returned 0,0,Success
(Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info]
(4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
(Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4):
Request processed. Returned 0,0,Success
(Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info]
(4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
(Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4):
Request processed. Returned 0,0,Success
I see this in the sssd logs, but it is still not authenticating.
Will check out AVC and SELinux. Very frustrating.
Check your SSH configuration. Does it use PAM or GSSAPI?
Check the PAM config for SSH.
________________________________________
From: Rob Crittenden <[email protected]>
Sent: Monday, March 31, 2014 3:52 PM
To: Todd Maugh; [email protected]
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and
enrolled to new server cant authenticate
Todd Maugh wrote:
HBAC rules are set to allow_all enabled
Ok. I'd start with increasing the sssd log level and see what it says.
I gather that basic nss works since you can kinit as other users.
You may want to check for SELinux AVCs as well.
rob
-----Original Message-----
From: Rob Crittenden [mailto:[email protected]]
Sent: Monday, March 31, 2014 3:44 PM
To: Todd Maugh; [email protected]
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and
enrolled to new server cant authenticate
Todd Maugh wrote:
Hi,
I have a RHEL 5 client. I had problems with my IPA environment and had
to rebuild.
I'm on the latest version of IPA with a Red Hat 6 server.
I successfully enrolled the client to the new server (same domain,
same realm). I had removed all old certs, sysrestores, and ipa/default.conf.
I can ssh to the box as root, and then either su or kinit to any IPA
user without issue.
But when I try to ssh to the box as the IPA user, it gives me "permission
denied, please try again".
I cleared out the sssd cache and restarted sssd.
Is there something I'm missing or a log to check?
I need to work this out before I move forward enrolling other
previously enrolled clients.
Check your HBAC rules.
rob
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
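Rob and Dmitri both point at the same two places: whether sshd hands the login to PAM at all, and whether the PAM stack behind sshd actually consults pam_sss. The script below is an added example, not code from this thread or from the FreeIPA project: it reads an sshd_config and a /etc/pam.d/sshd file and reports both answers, and it runs here against constructed sample files (a "good" host laid out the way a RHEL 6 ipa-client-install leaves it, and a "bad" host where sshd bypasses PAM and the account stack never asks SSSD). Unset sshd keywords are treated as upstream OpenSSH defaults, which is an assumption; RHEL ships its own sshd_config.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd + PAM for SSSD/IPA logins.

sshd_opt() {
    # $1 = sshd_config, $2 = keyword. Prints the effective value, lower-cased.
    # sshd uses the FIRST uncommented occurrence; anything after a Match block
    # is conditional, so the scan stops there.
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/       { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

pam_has_sss() {
    # $1 = PAM service file, $2 = stack (auth|account|password|session).
    # Returns 0 if an uncommented line of that stack loads pam_sss.so, following
    # include/substack lines into sibling files (RHEL's sshd includes password-auth).
    [ -r "$1" ] || return 1
    grep -Ev '^[[:space:]]*#' "$1" |
        awk -v s="$2" '$1 == s && /pam_sss\.so/ { f = 1 } END { exit !f }' && return 0
    for _inc in $(grep -Ev '^[[:space:]]*#' "$1" |
                  awk -v s="$2" '$1 == s && ($2 == "include" || $2 == "substack") { print $3 }'); do
        pam_has_sss "$(dirname "$1")/$_inc" "$2" && return 0
    done
    return 1
}

audit_ssh_auth() {
    # $1 = sshd_config, $2 = /etc/pam.d/sshd. Prints findings; returns 0 only if
    # sshd hands password logins to PAM and both auth and account stacks use pam_sss.
    _rc=0
    _usepam=$(sshd_opt "$1" UsePAM)
    if [ "${_usepam:-no}" != "yes" ]; then
        echo "FAIL: UsePAM is '${_usepam:-unset}'; sshd never calls PAM, so pam_sss is skipped"
        _rc=1
    fi
    _pw=$(sshd_opt "$1" PasswordAuthentication)
    _cr=$(sshd_opt "$1" ChallengeResponseAuthentication)
    if [ "${_pw:-yes}" != "yes" ] && [ "${_cr:-yes}" != "yes" ]; then
        echo "FAIL: neither PasswordAuthentication nor ChallengeResponseAuthentication is enabled"
        _rc=1
    fi
    _gss=$(sshd_opt "$1" GSSAPIAuthentication)
    [ "${_gss:-no}" = "yes" ] || echo "INFO: GSSAPIAuthentication is off; ticket holders fall back to passwords"
    for _stack in auth account; do
        if pam_has_sss "$2" "$_stack"; then
            echo "OK: pam_sss.so is in the $_stack stack of $2"
        else
            echo "FAIL: pam_sss.so missing from the $_stack stack of $2 (ipa-client-install normally adds it via authconfig)"
            _rc=1
        fi
    done
    return $_rc
}

# --- constructed sample files (not captured from any real host) ---
TMPD=$(mktemp -d) && trap 'rm -rf "$TMPD"' EXIT
mkdir -p "$TMPD/good/pam.d" "$TMPD/bad/pam.d"
cat > "$TMPD/good/sshd_config" <<'EOF'
GSSAPIAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
cat > "$TMPD/good/pam.d/sshd" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
EOF
cat > "$TMPD/good/pam.d/password-auth" <<'EOF'
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
EOF
# "bad" host: sshd bypasses PAM and the account stack never asks SSSD, so an ssh
# login as an IPA user is refused while kinit and su (not via sshd) still work.
printf 'PasswordAuthentication yes\nUsePAM no\n' > "$TMPD/bad/sshd_config"
cp "$TMPD/good/pam.d/sshd" "$TMPD/bad/pam.d/sshd"
cat > "$TMPD/bad/pam.d/password-auth" <<'EOF'
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
account     required      pam_unix.so
account     required      pam_permit.so
EOF

for host in good bad; do
    echo "== $host =="
    audit_ssh_auth "$TMPD/$host/sshd_config" "$TMPD/$host/pam.d/sshd" ||
        echo "== $host: ssh logins for IPA users will fail =="
done
```

On a real client run it as `audit_ssh_auth /etc/ssh/sshd_config /etc/pam.d/sshd`. A "FAIL" on UsePAM explains the symptom in this thread neatly: with sshd not calling PAM, sssd's log will show the backend going online and nss lookups succeeding (exactly what the log above shows) yet never receive a PAM request, so the login is refused before SSSD is ever asked.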