On (18/02/16 18:41), Rakesh Rajasekharan wrote:
>I set up freeipa on our environment and it works perfectly for most of the
>hosts.. but on a few I am getting a permission denied.
>
>[root@ipa-client-1c :~] ssh tempuser@localhost
>tempuser@localhost's password:
>Permission denied, please try again.
>tempuser@localhost's password:
>
>
>I checked the hbac, but that seems to be fine
>
>root@ipa-master-test-1b ] ipa hbactest --user=tempuser --host=x.x.x.x
>--service=sshd
>--------------------
>Access granted: True
>--------------------
>  Matched rules: allow_all
>
>
>Another thing I noticed is the nsswitch.conf had the below entries after
>the freeipa installation
>passwd: files sss ldap
>shadow: files sss ldap
>group: files sss ldap
>
>hosts: files dns
>
>
>bootparams: nisplus [NOTFOUND=return] files
>
>ethers: files
>netmasks: files
>networks: files
>protocols: files
>rpc: files
>services: files sss
>
>netgroup: files sss ldap
>
>publickey: nisplus
>
>automount: files ldap
>aliases: files nisplus
>
>sudoers: files sss
>
>
>The ldap shouldn't be there above I guess..
>
>and from the logs, I have the below errors
>
>==> /var/log/secure <==
>Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication
>failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
>Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication
>failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
>Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for
>user tempuser: 4 (System error)
                ^^^^^^^^^^^^^^^^
This usually means a critical error in sssd. Please provide log files
(sssd_$domain.log and krb5_child.log) with high debug level.
https://fedorahosted.org/sssd/wiki/Troubleshooting

Which version of sssd do you have?

LS
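
The triage step in the reply above, as an added example that is not part of the original thread: it reads `/var/log/secure`-style lines, extracts the PAM return code that pam_sss reports, and separates code 4 (System error, where the SSSD logs are needed) from code 7 (Authentication failure). The second user's log lines, the `triage` function and the advice strings are constructed for illustration; the numeric codes are the Linux-PAM values.

```python
import re
from collections import defaultdict

# Constructed sample in /var/log/secure format; the first three lines mirror
# the ones quoted in the thread, the "otheruser" lines are made up for contrast.
SAMPLE_LOG = """\
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
Feb 18 03:31:02 ip-x-x-x-x sshd[24990]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=otheruser
Feb 18 03:31:02 ip-x-x-x-x sshd[24990]: pam_sss(sshd:auth): received for user otheruser: 7 (Authentication failure)
"""

# pam_sss logs the PAM return code it received back from SSSD.
RECEIVED = re.compile(
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: pam_sss\((?P<svc>[^)]+)\): "
    r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

# Linux-PAM return codes; the advice wording is this example's own.
TRIAGE = {
    4: "SSSD-side failure: collect sssd_$domain.log and krb5_child.log at high debug level",
    7: "credentials rejected: check password / account state",
}


def triage(log_text):
    """Return {user: [(pid, code, text, advice), ...]} for pam_sss results."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = RECEIVED.search(line)
        if not m:
            continue  # pam_unix lines and pam_sss summary lines carry no code
        code = int(m.group("code"))
        advice = TRIAGE.get(code, "unclassified PAM code: inspect SSSD logs")
        findings[m.group("user")].append(
            (int(m.group("pid")), code, m.group("text"), advice)
        )
    return dict(findings)


if __name__ == "__main__":
    for user, events in triage(SAMPLE_LOG).items():
        for pid, code, text, advice in events:
            print(f"{user} (sshd pid {pid}): PAM {code} {text} -> {advice}")
```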