Have you considered clock skew? It is probably not the cause here, but is
worth eliminating "just in case". A difference as small as 5 minutes
between the clocks of the client and server can cause problems with
authentication.

Chris



From:   Martin Kosek <mko...@redhat.com>
To:     "Matt ." <yamakasi....@gmail.com>, Janelle
            <janellenicol...@gmail.com>
Cc:     "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Date:   03.08.2015 08:49
Subject:        Re: [Freeipa-users] Admin password not accepted during replica
            install
Sent by:        freeipa-users-boun...@redhat.com



When this command failed for me, it usually was a problem with SSSD on the
master. The service was down, offline or simply something wrong was with
it.

On the master, I would try:

$ id admin
$ ssh admin@localhost # (with password)

If that works, try manual

$ ssh admin@ipa.master.server # with password
and
$ kinit admin #(you can use temporary krb5.conf pointing to IPA master)
$ ssh admin@ipa.master.server # with password

to see what's really wrong.

Martin

On 08/01/2015 11:05 PM, Matt . wrote:
> I even checked working version (IPA clusters) and they don't even have
> this AllowGroups.
>
> Am I missing something ?
>
> 2015-08-01 22:52 GMT+02:00 Janelle <janellenicol...@gmail.com>:
>> which points to the configuration of sssd.conf and/or nsswitch.conf
>> It is in there. If you say there are no AllowGroups in sshd, it has to
be in
>> one of those 2 places.
>>
>> ~J
>>
>>
>> On 8/1/15 1:26 PM, Matt . wrote:
>>>
>>> kinit admin works perfectly, that is such strange.
>>>
>>> 2015-08-01 22:15 GMT+02:00 Janelle <janellenicol...@gmail.com>:
>>>>
>>>> lastly -- on the master - do you get the same error if you "kinit
admin"?
>>>> ~J
>>>>
>>>>
>>>> On 8/1/15 1:05 PM, Matt . wrote:
>>>>>
>>>>> This actually the most important part, and the GSS Failure concerns
me:
>>>>>
>>>>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>>>> debug2: key: /root/.ssh/id_rsa ((nil)),
>>>>> debug2: key: /root/.ssh/id_dsa ((nil)),
>>>>> debug2: key: /root/.ssh/id_ecdsa ((nil)),
>>>>> debug2: key: /root/.ssh/id_ed25519 ((nil)),
>>>>> debug1: Authentications that can continue:
>>>>> publickey,gssapi-keyex,gssapi-with-mic,password
>>>>> debug3: start over, passed a different list
>>>>> publickey,gssapi-keyex,gssapi-with-mic,password
>>>>> debug3: preferred
>>>>> gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
>>>>> debug3: authmethod_lookup gssapi-keyex
>>>>> debug3: remaining preferred:
>>>>> gssapi-with-mic,publickey,keyboard-interactive,password
>>>>> debug3: authmethod_is_enabled gssapi-keyex
>>>>> debug1: Next authentication method: gssapi-keyex
>>>>> debug1: No valid Key exchange context
>>>>> debug2: we did not send a packet, disable method
>>>>> debug3: authmethod_lookup gssapi-with-mic
>>>>> debug3: remaining preferred: publickey,keyboard-interactive,password
>>>>> debug3: authmethod_is_enabled gssapi-with-mic
>>>>> debug1: Next authentication method: gssapi-with-mic
>>>>> debug1: Unspecified GSS failure.  Minor code may provide more
>>>>> information
>>>>> No Kerberos credentials available
>>>>>
>>>>> debug1: Unspecified GSS failure.  Minor code may provide more
>>>>> information
>>>>> No Kerberos credentials available
>>>>>
>>>>> debug1: Unspecified GSS failure.  Minor code may provide more
>>>>> information
>>>>>
>>>>>
>>>>> debug1: Unspecified GSS failure.  Minor code may provide more
>>>>> information
>>>>> No Kerberos credentials available
>>>>>
>>>>> debug2: we did not send a packet, disable method
>>>>> debug3: authmethod_lookup publickey
>>>>> debug3: remaining preferred: keyboard-interactive,password
>>>>> debug3: authmethod_is_enabled publickey
>>>>> debug1: Next authentication method: publickey
>>>>> debug1: Trying private key: /root/.ssh/id_rsa
>>>>> debug3: no such identity: /root/.ssh/id_rsa: No such file or
directory
>>>>> debug1: Trying private key: /root/.ssh/id_dsa
>>>>> debug3: no such identity: /root/.ssh/id_dsa: No such file or
directory
>>>>> debug1: Trying private key: /root/.ssh/id_ecdsa
>>>>> debug3: no such identity: /root/.ssh/id_ecdsa: No such file or
directory
>>>>> debug1: Trying private key: /root/.ssh/id_ed25519
>>>>> debug3: no such identity: /root/.ssh/id_ed25519: No such file or
>>>>> directory
>>>>> debug2: we did not send a packet, disable method
>>>>> debug3: authmethod_lookup password
>>>>> debug3: remaining preferred: ,password
>>>>> debug3: authmethod_is_enabled password
>>>>> debug1: Next authentication method: password
>>>>> admin@ipa-01.domain.local's password:
>>>>> debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64)
>>>>> debug2: we sent a password packet, wait for reply
>>>>> debug1: Authentications that can continue:
>>>>> publickey,gssapi-keyex,gssapi-with-mic,password
>>>>> Permission denied, please try again.
>>>>>
>>>>> 2015-08-01 22:02 GMT+02:00 Janelle <janellenicol...@gmail.com>:
>>>>>>
>>>>>> What is in the logs on the machine that is failing? Can you login to
>>>>>> admin
>>>>>> from anywhere?  Logs are you best friend.
>>>>>> Also, a simply "ssh -vvv" will help.
>>>>>>
>>>>>> ~J
>>>>>>
>>>>>>
>>>>>> On 8/1/15 12:51 PM, Matt . wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> This didn't fix it yet.
>>>>>>>
>>>>>>> I wonder if there are any checks I can do as in the very past I was
>>>>>>> able to do a simple replica without any issues.
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2015-08-01 21:34 GMT+02:00 Janelle <janellenicol...@gmail.com>:
>>>>>>>>
>>>>>>>> Double check you do not have "AllowGroups" set in your
>>>>>>>> /etc/ssh/sshd_config
>>>>>>>> file. If you do, add the "admins" group.
>>>>>>>>
>>>>>>>> Also, make sure on the master, that the /etc/nsswitch.conf was
>>>>>>>> properly
>>>>>>>> updated. Several server installs I have done, have left off the
"sss"
>>>>>>>> for
>>>>>>>> "passwd", "group" and "shadow".
>>>>>>>>
>>>>>>>> passwd:     files sss
>>>>>>>> shadow:     files sss
>>>>>>>> group:      files sss
>>>>>>>>
>>>>>>>> I bet one of those will fix your problem. Restart sssd and/of sshd
if
>>>>>>>> you
>>>>>>>> have to make changes.
>>>>>>>>
>>>>>>>> ~Janelle
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 8/1/15 10:13 AM, Matt . wrote:
>>>>>>>>>
>>>>>>>>> Hi Guys,
>>>>>>>>>
>>>>>>>>> I'm doing a replica install there my admin password for the SSH
>>>>>>>>> check
>>>>>>>>> to the master is not accepted.
>>>>>>>>>
>>>>>>>>> The password is not expired, I can use it on the GUI and even
>>>>>>>>> changing
>>>>>>>>> it in the GUI doesn't fix this.
>>>>>>>>>
>>>>>>>>> What can I check ?
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to