On Mon, Mar 31, 2014 at 11:05:18PM +0000, Todd Maugh wrote:
> 
> [root@black-62 sssd]# tail -f sssd_ops.boingo.com.log
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] 
> [be_resolve_server_done] (4): Found address for server 
> idm-master-els.ops.boingo.com: [172.22.170.46] TTL 7200
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [sasl_bind_send] (4): 
> Executing sasl bind mech: GSSAPI, user: host/black-62.qa.boingo.com
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [child_sig_handler] 
> (4): child [13134] finished successfully.
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [fo_set_port_status] 
> (4): Marking port 0 of server 'idm-master-els.ops.boingo.com' as 'working'
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] 
> [set_server_common_status] (4): Marking server 
> 'idm-master-els.ops.boingo.com' as 'working'
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [be_run_online_cb] (3): 
> Going online. Running callbacks.
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] 
> (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] 
> [delayed_online_authentication_callback] (5): Backend is online, starting 
> delayed online authentication.
> (Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
> (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
> (Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] 
> (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
> (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
> (Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] 
> (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
> (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
> (Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] 
> (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
> (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
> (Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] 
> (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
> (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
> (Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] 
> (4): Request processed. Returned 0,0,Success

The log does not show any authentication or PAM-related activities.
Please increase the debug_level and check for PAM-related messages such as
"[pam_print_data] (0x0100): command: PAM_AUTHENTICATE".

If there are no such messages, please check your PAM configuration as
Dmitri suggested.

HTH

bye,
Sumit

> 
> I see this in the sssd logs but still not authenticating
> 
> will check out AVC and SELinux very frustrating
> 
> 
> ________________________________________
> From: Rob Crittenden <rcrit...@redhat.com>
> Sent: Monday, March 31, 2014 3:52 PM
> To: Todd Maugh; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and 
> enrolled to new server cant authenticate
> 
> Todd Maugh wrote:
> > HBAC rules are set to allow_all enabled
> 
> Ok. I'd start with increasing the sssd log level and see what it says.
> 
> I gather that basic nss works since you can kinit as other users.
> 
> You may want to check for SELinux AVCs as well.
> 
> rob
> 
> >
> > -----Original Message-----
> > From: Rob Crittenden [mailto:rcrit...@redhat.com]
> > Sent: Monday, March 31, 2014 3:44 PM
> > To: Todd Maugh; freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and 
> > enrolled to new server cant authenticate
> >
> > Todd Maugh wrote:
> >> Hi,
> >>
> >> I have a rhel5 client  I had problems with my IPA environment and had
> >> to rebuild
> >>
> >> I'm on the latest version of IPA with a red hat 6 server
> >>
> >> I successfully enrolled the client to the new server (same domain,
> >> same
> >> realm) I had removed all old certs, sysrestores, and ipa/default.conf
> >>
> >> I can ssh to the box as root, and then either su or kinit to any IPA
> >> user without issue
> >>
> >> But when I try to ssh as the ipauser to the box it gives me permission
> >> denied, please try again
> >>
> >> I cleared out the sssd cache and restarted sssd
> >>
> >> Is there something I'm missing or a log to check?
> >>
> >> I need to work this out before I move forward enrolling other
> >> previously enrolled clients.
> >
> > Check your HBAC rules.
> >
> > rob
> >
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
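
The check Sumit describes (does the SSSD log contain any PAM request at all?) can be run over a captured log as follows. This is an added example, not part of the original thread or of SSSD; the `[sssd[pam]]` component name and the timestamp of the constructed line are assumptions, and the line layout is the one visible in the quoted log.

```python
import re
from collections import Counter

# Layout seen in the quoted log: (timestamp) [sssd[component]] [function] (level): message
START = re.compile(r"^\(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\)")
HEADER = re.compile(r"^\([^)]+\) \[sssd\[(?P<comp>.+?)\]\] "
                    r"\[(?P<func>\w+)\] \((?P<lvl>\w+)\):\s*(?P<msg>.*)$")

def parse(text):
    """Strip mail quoting, rejoin wrapped lines, return (comp, func, msg) tuples."""
    joined = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if START.match(line):
            joined.append(line)          # a timestamp opens a new record
        elif line and joined:
            joined[-1] += " " + line     # continuation of a wrapped record
    matches = (HEADER.match(rec) for rec in joined)
    return [m.group("comp", "func", "msg") for m in matches if m]

def triage(text):
    """Report whether the log shows any PAM request at all."""
    recs = parse(text)
    pam = [msg for _, func, msg in recs if func.startswith("pam_") or "PAM_" in msg]
    auth = any("PAM_AUTHENTICATE" in msg for msg in pam)
    if auth:
        verdict = "PAM_AUTHENTICATE logged: the login attempt reached SSSD"
    elif pam:
        verdict = "PAM messages present, but no PAM_AUTHENTICATE"
    else:
        verdict = "no PAM messages: raise debug_level, then check the PAM configuration"
    return {"records": len(recs), "functions": Counter(f for _, f, _ in recs),
            "pam_authenticate": auth, "verdict": verdict}

# Three records copied from the quoted log, mail quoting and wrapping included.
QUOTED_LOG = """\
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [child_sig_handler]
> (4): child [13134] finished successfully.
> (Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info]
> (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
> (Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback]
> (4): Request processed. Returned 0,0,Success
"""
# Constructed line: timestamp and component are assumptions, message is from the reply.
CONSTRUCTED_PAM = ("(Mon Mar 31 23:10:01 2014) [sssd[pam]] [pam_print_data] "
                   "(0x0100): command: PAM_AUTHENTICATE\n")

if __name__ == "__main__":
    print(triage(QUOTED_LOG)["verdict"])
```

On the quoted excerpt the verdict is the "no PAM messages" branch, which matches the reply: only account lookups and their callbacks are present.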
