Did you clear out /var/lib/sss/db between re-installation of the client? There was a bug which might not have been fixed downstream yet.
On Thu, Aug 20, 2015 at 1:21 PM, Chris Mohler <cmoh...@oberlin.edu> wrote:
> Hi List,
> I'm still fairly new to this list and administrating FreeIPA.
>
> I had a very old version of freeipa and had all sorts of odd issues with it. I had 47 ubuntu clients attached to the domain.
>
> I set up a newer freeipa server version: 4.1.4
> I recreated all my user accounts by hand; I did not migrate any of them.
> I then removed the 47 clients from the old domain
>
> #ipa-client-install --uninstall
>
> Then I reinstalled each client
>
> #ipa-client-install --domain=cs.oberlin.edu --realm=CS.OBERLIN.EDU -p admin -W --hostname `hostname` -N
>
> It finished without errors on all my systems.
>
> Two of my systems will not let any ipa users log in via ssh or the console. The rest of them work fine.
> After keying in the password I get the following.
>
> Permission denied, please try again.
>
> id (username) shows the UID and GID and Groups correctly.
> getent passwd shows only my local accounts; I don't have enumerate on.
> kinit also works.
>
> *my auth.log shows this*
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=132.162.201.237 user=HIDDEN
> pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=132.162.201.237 user=HIDDEN
> pam_sss(sshd:auth): received for user : 7 (Authentication failure)
>
> I know it's the correct password as it works on the other clients.
>
> *I get this in krb5_child.log*
>
> [[sssd[krb5_child[10546]]]] [unpack_buffer] (0x0100): cmd [241] uid [66133] gid [100] validate [true] enterprise principal [false] offline [false] UPN [@CS.OBERLIN.EDU]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_66133_XXXXXX] keytab: [/etc/krb5.keytab]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/occs.cs.oberlin....@cs.oberlin.edu]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [match_principal] (0x1000): Principal matched to the sample (host/occs.cs.oberlin....@cs.oberlin.edu).
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main] (0x0400): Will perform online auth
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [CS.OBERLIN.EDU]
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [validate_tgt] (0x0400): TGT verified using key for [host/occs.cs.oberlin....@cs.oberlin.edu].
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [become_user] (0x0200): Trying to become user [66133][100].
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [k5c_send_data] (0x0200): Received error code 0
> (Tue Aug 18 10:46:28 2015) [[sssd[krb5_child[10546]]]] [main] (0x0400): krb5_child completed successfully
> (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [main] (0x0400): krb5_child started.
> (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [unpack_buffer] (0x1000): total buffer size: [127]
> (Tue Aug 18 10:50:20 2015) [[sssd[krb5_child[10616]]]] [unpack_buffer] (0x0100): cmd [241] uid [66133] gid [100] validate [true] enterprise principal [false] offline [false] UPN [@CS.OBERLIN.EDU]
>
> *sssd.conf on the broken machine*
>
> [domain/cs.oberlin.edu]
> debug_level=8
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = cs.oberlin.edu
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = occs.cs.oberlin.edu
> chpass_provider = ipa
> ipa_server = _srv_, ipa1.cs.oberlin.edu
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> debug_level=8
> domains = cs.oberlin.edu
>
> [nss]
> debug_level=8
>
> [pam]
> debug_level=8
>
> [sudo]
>
> [autofs]
>
> [ssh]
> debug_level=8
>
> [pac]
>
> *The broken system's sssd_nss.log*
> [nss_cmd_getpwnam_search] (0x0400): Returning info for user [hid...@cs.oberlin.edu]
> [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [HIDDEN].
> [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'HIDDEN' matched without domain, user is HIDDEN
> [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [HIDDEN] from [<ALL>]
> [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/cs.oberlin.edu/HIDDEN]
> [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [hid...@cs.oberlin.edu]
> [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
>
> Any suggestions on how I can get users to log in to this machine?
>
> Thanks,
> -Chris
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
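The cache purge the reply above recommends, written out as an added example (this is not code from the thread, nor from the FreeIPA or SSSD projects). It wipes SSSD's on-disk cache between `ipa-client-install --uninstall` and the fresh `ipa-client-install`, reusing the install flags from the original post, and goes one step beyond the reply by also clearing SSSD's memory-mapped fast cache. Assumptions not stated in the thread: sssd runs as a systemd unit named `sssd`, the cache databases live in /var/lib/sss/db and the fast cache in /var/lib/sss/mc (both SSSD defaults), and `ipa-client-install` accepts `--unattended` for the uninstall step.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA/SSSD projects.
# Re-enrol an IPA client while wiping SSSD's on-disk cache between the
# uninstall and the new install, so entries cached from the old domain are
# not reused for the new one.
#
# Assumptions (not stated in the thread): sssd is a systemd unit called
# "sssd"; the cache databases live in /var/lib/sss/db and the fast memory
# cache in /var/lib/sss/mc (both SSSD defaults).

set -eu

# purge_sssd_db DIR
# Delete the SSSD cache databases (*.ldb plus any *.ldb.* journal/lock files)
# in DIR. The directory itself is kept; sssd recreates the databases on its
# next start. Prints the number of files removed; fails if DIR is missing.
purge_sssd_db() {
    dir=${1:-/var/lib/sss/db}
    [ -d "$dir" ] || { echo "purge_sssd_db: no such directory: $dir" >&2; return 1; }
    n=0
    for f in "$dir"/*.ldb "$dir"/*.ldb.*; do
        [ -e "$f" ] || continue      # an unmatched glob stays literal; skip it
        rm -f -- "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# purge_sssd_mc DIR
# Delete the memory-mapped fast cache files (passwd, group, initgroups) in
# DIR. The NSS client library reads these directly, so they can keep serving
# stale answers after the db directory was cleared. Prints the number removed.
purge_sssd_mc() {
    dir=${1:-/var/lib/sss/mc}
    n=0
    for name in passwd group initgroups; do
        [ -e "$dir/$name" ] || continue
        rm -f -- "$dir/$name"
        n=$((n + 1))
    done
    echo "$n"
}

# reinstall_ipa_client DOMAIN REALM HOSTNAME
# Same ipa-client-install invocation as the original post, with the cache
# purge inserted between uninstall and install. Prompts for the admin
# password (-W) exactly as the original command did.
reinstall_ipa_client() {
    domain=$1; realm=$2; host=$3
    ipa-client-install --uninstall --unattended
    systemctl stop sssd 2>/dev/null || true
    echo "removed $(purge_sssd_db /var/lib/sss/db) cache db file(s)"
    echo "removed $(purge_sssd_mc /var/lib/sss/mc) memory cache file(s)"
    ipa-client-install --domain="$domain" --realm="$realm" \
        -p admin -W --hostname "$host" -N
    # ipa-client-install starts sssd itself; confirm a lookup from the new cache.
    id admin >/dev/null && echo "lookup of admin via sssd OK"
}

# Only act when invoked with arguments, so the functions can be sourced and
# exercised on a scratch directory without touching a real client:
#   sh reinstall.sh cs.oberlin.edu CS.OBERLIN.EDU "$(hostname)"
if [ "$#" -ge 3 ]; then
    reinstall_ipa_client "$@"
fi
```

Stop sssd before deleting the databases, as the function above does; removing ldb files under a running sssd leaves the daemon holding open handles to unlinked files, and the new install will then start it against a half-populated directory.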