The permission for /etc/krb5.conf was already set to 644. So, that aspect looks fine.
I think it might be something to do with the pam settings. Here is my sssd.conf:

[root@ipa-client :/etc/sssd] cat sssd.con
[domain/xyz.com]
krb5_auth_timeout = 30
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xyz.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = x.x.x.x
chpass_provider = ipa
ipa_server = _srv_, ipa-master.xyz.com
dns_discovery_domain = xyz.com

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldap,dc=qa,dc=xyz,dc=com
krb5_realm = xyz.com
krb5_server = ipa-master.xyz.com:88
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap-int.xyz.com:636
ldap_tls_cacertdir = /etc/openldap/cacerts

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = default, xyz.com

[nss]
homedir_substring = /home

[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]

Thanks,
Rakesh

On Thu, Feb 18, 2016 at 6:52 PM, Martin Kosek <mko...@redhat.com> wrote:
> On 02/18/2016 02:11 PM, Rakesh Rajasekharan wrote:
> > I set up freeipa on our environment and it works perfectly for most of the
> > hosts.. but on a few I am getting a permission denied.
> >
> > [root@ipa-client-1c :~] ssh tempuser@localhost
> > tempuser@localhost's password:
> > Permission denied, please try again.
> > tempuser@localhost's password:
> >
> > I checked the hbac, but that seems to be fine
> >
> > root@ipa-master-test-1b ] ipa hbactest --user=tempuser --host=x.x.x.x --service=sshd
> > --------------------
> > Access granted: True
> > --------------------
> > Matched rules: allow_all
> >
> > Another thing I noticed is the nsswitch.conf had the below entries after
> > the freeipa installation
> > passwd: files sss ldap
> > shadow: files sss ldap
> > group: files sss ldap
> >
> > hosts: files dns
> >
> > bootparams: nisplus [NOTFOUND=return] files
> >
> > ethers: files
> > netmasks: files
> > networks: files
> > protocols: files
> > rpc: files
> > services: files sss
> >
> > netgroup: files sss ldap
> >
> > publickey: nisplus
> >
> > automount: files ldap
> > aliases: files nisplus
> >
> > sudoers: files sss
> >
> > The ldap shouldn't be there above I guess..
> >
> > and from the logs, i have the below errors
> >
> > ==> /var/log/secure <==
> > Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> > Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> > Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
> > Feb 18 03:29:35 ip-x-x-x-x sshd[24851]: Failed password for tempuser from x.x.x.x port 36687 ssh2
> > Feb 18 03:29:39 ip-x-x-x-x sshd[24853]: Connection closed by x.x.x.x
> > Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=tempuser
> > Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=tempuser
> > Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
> > Feb 18 03:34:19 ip-x-x-x-x sshd[25108]: Failed password for tempuser from 127.0.0.1 port 59870 ssh2
> >
> > ==> /var/log/messages <==
> > Feb 18 03:37:45 ip-x-x-x-x sssd[be[xyz.com]]: Shutting down
> > Feb 18 03:37:45 ip-x-x-x-x sssd: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[nss]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[sudo]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[pam]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[pac]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[ssh]: Starting up
> > Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed : Input/output error
> > Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed : Input/output error
> > Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied
> > Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied
>
> Could it be caused by /etc/krb5.conf permissions as here:
> https://lists.fedorahosted.org/pipermail/sssd-users/2014-August/002103.html
> ?
>
> Some advice is also here:
> http://serverfault.com/questions/697113/linux-ad-integration-unable-to-login-when-using-windows-server-2012-dc
>
> Martin
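The thread turns on two things a defender has to tell apart: pam_sss reporting code 4 (System error), which means the SSSD backend failed rather than the password being wrong, and the unprivileged krb5_child helper hitting "Permission denied" on a file it needs to read. The following triage script is an added example, not code from the list or from the SSSD/FreeIPA projects. It maps the numeric pam_sss verdict to its Linux-PAM name, runs a few static sanity checks over an sssd.conf body (domain sections not listed in [sssd] domains, a lower-case krb5_realm, an ipa_hostname that is an IP address instead of the client FQDN), and checks whether a file is world-readable the way /etc/krb5.conf has to be for krb5_child. The log lines and the config are constructed from the thread's own output; the ipa_hostname value 192.0.2.10 and the contrast line with code 7 are constructed additions.

```python
import configparser
import os
import re
import stat
import tempfile

# Linux-PAM return codes that pam_sss writes in "received for user X: N (...)" lines.
PAM_CODES = {
    0: "PAM_SUCCESS",
    4: "PAM_SYSTEM_ERR",        # backend failure (krb5_child, LDAP, SSSD itself), not a bad password
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",          # credential actually rejected
    9: "PAM_AUTHINFO_UNAVAIL",  # backend unreachable and nothing usable in the cache
    10: "PAM_USER_UNKNOWN",
}

RECEIVED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

# Constructed sample: the first four lines are from the thread, the last is a constructed
# contrast line showing what a genuine wrong password looks like.
SAMPLE_SECURE = [
    "Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser",
    "Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser",
    "Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)",
    "Feb 18 03:29:35 ip-x-x-x-x sshd[24851]: Failed password for tempuser from x.x.x.x port 36687 ssh2",
    "Feb 18 03:40:01 ip-x-x-x-x sshd[25200]: pam_sss(sshd:auth): received for user tempuser: 7 (Authentication failure)",
]

# Constructed sample config, reduced from the thread; ipa_hostname is a constructed value.
SAMPLE_CONF = """
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = default, xyz.com

[domain/xyz.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = xyz.com
ipa_hostname = 192.0.2.10
ipa_server = _srv_, ipa-master.xyz.com

[domain/default]
id_provider = ldap
auth_provider = ldap
krb5_realm = xyz.com
ldap_uri = ldaps://ldap-int.xyz.com:636
"""


def classify_pam_sss(lines):
    """One record per pam_sss verdict; backend_problem marks codes that point at SSSD, not the user."""
    out = []
    for line in lines:
        m = RECEIVED_RE.search(line)
        if not m:
            continue
        code = int(m.group("code"))
        out.append({
            "pid": int(m.group("pid")),
            "user": m.group("user"),
            "code": code,
            "name": PAM_CODES.get(code, "PAM_UNKNOWN"),
            "backend_problem": code in (4, 9),
        })
    return out


def check_sssd_conf(text):
    """Static sanity checks over an sssd.conf body; returns a list of finding strings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    listed = set()
    if cp.has_option("sssd", "domains"):
        listed = {d.strip() for d in cp.get("sssd", "domains").split(",")}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        if name not in listed:
            findings.append(f"{section}: defined but not listed in [sssd] domains, so SSSD ignores it")
        host = cp.get(section, "ipa_hostname", fallback="")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"{section}: ipa_hostname '{host}' is an IP address; it must be the client FQDN used for host/<fqdn>@REALM")
        realm = cp.get(section, "krb5_realm", fallback="")
        if realm and realm != realm.upper():
            findings.append(f"{section}: krb5_realm '{realm}' is not upper-case; realm names are case-sensitive")
    return findings


def world_readable(path):
    """krb5_child drops privileges, so /etc/krb5.conf and the CA cert must carry o+r."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo_permission_check(mode):
    """Create a scratch file with the given mode and report whether krb5_child could read it."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return world_readable(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for rec in classify_pam_sss(SAMPLE_SECURE):
        print(rec)
    for f in check_sssd_conf(SAMPLE_CONF):
        print("finding:", f)
    print("0600 readable by krb5_child:", demo_permission_check(0o600))
    print("0644 readable by krb5_child:", demo_permission_check(0o644))
```

Running it over real hosts means feeding `classify_pam_sss` the lines of /var/log/secure and `check_sssd_conf` the contents of /etc/sssd/sssd.conf; a run of PAM_SYSTEM_ERR verdicts with no PAM_AUTH_ERR in between is the signal to look at SSSD and krb5_child rather than at the user's password.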
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project