I am seeing this error in /var/log/secure:

[r...@black-64.qa ~]# tail /var/log/secure
Apr 1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr 1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)
Apr 1 17:54:07 black-64 sshd[3649]: Failed password for tmaugh from 10.194.1.250 port 44697 ssh2
Apr 1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr 1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)
Apr 1 17:54:14 black-64 sshd[3649]: Failed password for tmaugh from 10.194.1.250 port 44697 ssh2
Apr 1 17:54:15 black-64 sshd[3650]: Connection closed by 10.194.1.250
Apr 1 17:54:15 black-64 sshd[3649]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr 1 17:56:49 black-64 sshd[3713]: Accepted publickey for root from 10.194.1.250 port 38249 ssh2
Apr 1 17:56:49 black-64 sshd[3713]: pam_unix(sshd:session): session opened for user root by (uid=0)
________________________________________
From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on behalf of Todd Maugh <tma...@boingo.com>
Sent: Tuesday, April 01, 2014 7:17 AM
To: Sumit Bose
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

I set my debug level to 5 and these were the messages I got. I checked the sshd_config and it seems to be using GSSAPI. What lines should be uncommented or entered or set to true or yes for PAM? I tried setting the one PAM line I saw to true, but it made no difference.

-----Original Message-----
From: Sumit Bose [mailto:sb...@redhat.com]
Sent: Tuesday, April 01, 2014 12:19 AM
To: Todd Maugh
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

On Mon, Mar 31, 2014 at 11:05:18PM +0000, Todd Maugh wrote:
>
> [root@black-62 sssd]# tail -f sssd_ops.boingo.com.log
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [be_resolve_server_done] (4): Found address for server idm-master-els.ops.boingo.com: [172.22.170.46] TTL 7200
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/black-62.qa.boingo.com
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [child_sig_handler] (4): child [13134] finished successfully.
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [fo_set_port_status] (4): Marking port 0 of server 'idm-master-els.ops.boingo.com' as 'working'
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [set_server_common_status] (4): Marking server 'idm-master-els.ops.boingo.com' as 'working'
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [be_run_online_cb] (3): Going online. Running callbacks.
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [delayed_online_authentication_callback] (5): Backend is online, starting delayed online authentication.
> (Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
> (Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
> (Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
> (Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
> (Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.XXXXUiK3X6]
> (Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success

The log does not show any authentication or PAM related activities. Please increase the debug_level and check for PAM related messages like e.g. "[pam_print_data] (0x0100): command: PAM_AUTHENTICATE". If there are no such messages, please check your PAM configuration as Dmitri suggested.
HTH

bye,
Sumit

>
> I see this in the sssd logs but still not authenticating
>
> will check out AVC and SELinux, very frustrating
>
> ________________________________________
> From: Rob Crittenden <rcrit...@redhat.com>
> Sent: Monday, March 31, 2014 3:52 PM
> To: Todd Maugh; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate
>
> Todd Maugh wrote:
> > HBAC rules are set to allow_all enabled
>
> Ok. I'd start with increasing the sssd log level and see what it says.
>
> I gather that basic nss works since you can kinit as other users.
>
> You may want to check for SELinux AVCs as well.
>
> rob
>
> > -----Original Message-----
> > From: Rob Crittenden [mailto:rcrit...@redhat.com]
> > Sent: Monday, March 31, 2014 3:44 PM
> > To: Todd Maugh; freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate
> >
> > Todd Maugh wrote:
> >> Hi,
> >>
> >> I have a rhel5 client. I had problems with my IPA environment and had to rebuild.
> >>
> >> I'm on the latest version of IPA with a Red Hat 6 server.
> >>
> >> I successfully enrolled the client to the new server (same domain, same realm). I had removed all old certs, sysrestores, and ipa/default.conf.
> >>
> >> I can ssh to the box as root, and then either su or kinit to any IPA user without issue.
> >>
> >> But when I try to ssh as the IPA user to the box it gives me "permission denied, please try again".
> >>
> >> I cleared out the sssd cache and restarted sssd.
> >>
> >> Is there something I'm missing or a log to check?
> >>
> >> I need to work this out before I move forward enrolling other previously enrolled clients.
> >
> > Check your HBAC rules.
> >
> > rob
> >
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
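A small triage helper for the /var/log/secure lines shown at the top of this thread, added here as an example and not code from anyone on the list. It pairs each pam_sss "authentication failure" line with the "received for user" result that follows it for the same sshd pid, so that a 4 (System error), which points at the client's SSSD/PAM setup, is not misread as a wrong password. The log text is a constructed sample modelled on the excerpt above, and the per-code hints are assumptions about what to check first.

```python
import re
from collections import Counter

# Constructed sample, modelled on the /var/log/secure excerpt at the top of the thread.
SECURE_LOG = """\
Apr 1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr 1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)
Apr 1 17:54:07 black-64 sshd[3649]: Failed password for tmaugh from 10.194.1.250 port 44697 ssh2
Apr 1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr 1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)
Apr 1 17:54:14 black-64 sshd[3649]: Failed password for tmaugh from 10.194.1.250 port 44697 ssh2
Apr 1 17:56:49 black-64 sshd[3713]: Accepted publickey for root from 10.194.1.250 port 38249 ssh2
"""

# Linux-PAM return codes that pam_sss reports in its "received for user" line.
PAM_SYSTEM_ERR = 4   # backend/config problem on the client, not a rejected password
PAM_PERM_DENIED = 6  # access denied by an access-control check such as HBAC
PAM_AUTH_ERR = 7     # credential actually rejected

FAIL_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): authentication failure;.*"
                     r"rhost=(?P<rhost>\S*) user=(?P<user>\S+)")
RESULT_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:(?:auth|account)\): received for user "
                       r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")

def pam_sss_events(log_text):
    """Pair each pam_sss failure line with the result line that follows it for the same sshd pid."""
    pending = {}  # pid -> (user, rhost) from the most recent 'authentication failure' line
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            pending[m["pid"]] = (m["user"], m["rhost"])
            continue
        m = RESULT_RE.search(line)
        if m:
            # account-phase results have no preceding failure line, so rhost may be unknown
            user, rhost = pending.pop(m["pid"], (m["user"], "?"))
            events.append({"user": user, "rhost": rhost, "code": int(m["code"]), "text": m["text"]})
    return events

def triage(events):
    """Count outcomes per (user, rhost, code) and attach a hint (assumed starting points, not from the thread)."""
    hints = {PAM_SYSTEM_ERR: "PAM_SYSTEM_ERR: check the PAM stack and sssd.conf, and look for PAM_AUTHENTICATE in the sssd domain log",
             PAM_PERM_DENIED: "PAM_PERM_DENIED: access denied, check HBAC rules",
             PAM_AUTH_ERR: "PAM_AUTH_ERR: credential rejected by the backend"}
    counts = Counter((e["user"], e["rhost"], e["code"]) for e in events)
    return [(user, rhost, code, n, hints.get(code, "other PAM result"))
            for (user, rhost, code), n in sorted(counts.items())]
```

Running `triage(pam_sss_events(SECURE_LOG))` on the sample yields one row: tmaugh from 10.194.1.250, code 4, seen twice, with the PAM_SYSTEM_ERR hint.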