On (18/02/16 18:41), Rakesh Rajasekharan wrote:
>I set up freeipa on our environment and its works perfectly for most of the
>hosts.. but on few I am getting a permission denied.
>
>[root@ipa-client-1c :~] ssh tempuser@localhost
>tempuser@localhost's password:
>Permission denied, please try again.
>tempuser@localhost's password:
>
>I checked the hbac, but that seems to be fine
>
>root@ipa-master-test-1b ] ipa hbactest --user=tempuser --host=x.x.x.x
>--service=sshd
>--------------------
>Access granted: True
>--------------------
>  Matched rules: allow_all
>
>
>Another thing I noticed is the nsswitch.conf had the below entries after
>the freeipa installation
>passwd:     files sss ldap
>shadow:     files sss ldap
>group:      files sss ldap
>
>hosts:      files dns
>
>
>bootparams: nisplus [NOTFOUND=return] files
>
>ethers:     files
>netmasks:   files
>networks:   files
>protocols:  files
>rpc:        files
>services:   files sss
>
>netgroup:   files sss ldap
>
>publickey:  nisplus
>
>automount:  files ldap
>aliases:    files nisplus
>
>sudoers: files sss
>
>
>The ldap shouldn't be there above I guess..
>
>and from the logs, i have the below errors
>
>==> /var/log/secure <==
>Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication
>failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=tempuser
>Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication
>failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
>Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for
>user tempuser: 4 (System error)
                ^^^^^^^^^^^^^^^^
        This usually means a critical error in sssd.
Please provide log files (sssd_$domain.log and krb5_child.log)
with high debug level.
https://fedorahosted.org/sssd/wiki/Troubleshooting

Which version of sssd do you have?

LS
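The reply above hinges on reading the numeric PAM result that pam_sss logs ("received for user tempuser: 4 (System error)"): 4 is PAM_SYSTEM_ERR, which points at the sssd stack itself rather than at a wrong password. The script below is an added triage example, not something from this thread or from the SSSD project: it groups /var/log/secure lines by sshd PID, pulls out which PAM modules reported a failure and what code pam_sss returned, and tells the operator whether to go read the sssd logs or to treat it as an ordinary credential problem. The PAM code names come from Linux-PAM's <security/_pam_types.h>; the sample log lines are constructed to match the format shown in the post (each record kept on a single line, unlike the mail-wrapped copy above).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Linux-PAM return codes (from <security/_pam_types.h>) that pam_sss echoes in
# its "received for user X: N (text)" line. Only authentication-relevant ones.
PAM_CODES: Dict[int, str] = {
    0: "PAM_SUCCESS",
    3: "PAM_SERVICE_ERR",
    4: "PAM_SYSTEM_ERR",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    11: "PAM_MAXTRIES",
}
# Codes that mean "bad password / unknown user" versus codes that mean the
# SSSD/Kerberos plumbing itself failed and sssd_<domain>.log must be read.
CREDENTIAL_SIDE = {6, 7, 10, 11}
INFRA_SIDE = {3, 4, 9}

# "Feb 18 03:29:33 host sshd[24851]: pam_sss(sshd:auth): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+"
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<type>\w+)\):\s+(?P<msg>.*)$"
)
RECEIVED_RE = re.compile(
    r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)


@dataclass
class Attempt:
    ts: str
    host: str
    pid: int
    user: Optional[str] = None
    modules_failed: List[str] = field(default_factory=list)
    sss_code: Optional[int] = None


def parse_secure(lines: Iterable[str]) -> List[Attempt]:
    """Group sshd PAM lines by PID into one Attempt per login attempt."""
    attempts: Dict[int, Attempt] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an sshd PAM line; ignore
        pid = int(m["pid"])
        a = attempts.setdefault(pid, Attempt(m["ts"], m["host"], pid))
        msg = m["msg"]
        if "authentication failure" in msg:
            a.modules_failed.append(m["module"])
            um = re.search(r"user=(\S+)", msg)
            if um:
                a.user = um.group(1)
        r = RECEIVED_RE.search(msg)
        if r and m["module"] == "pam_sss":
            a.user = r["user"]
            a.sss_code = int(r["code"])
    return list(attempts.values())


def classify(a: Attempt) -> str:
    """Turn the pam_sss result code into an operator-facing verdict."""
    if a.sss_code is None:
        return "no pam_sss verdict logged"
    name = PAM_CODES.get(a.sss_code, f"UNKNOWN({a.sss_code})")
    if a.sss_code in INFRA_SIDE:
        return f"sssd failure ({name}): read sssd_<domain>.log and krb5_child.log"
    if a.sss_code in CREDENTIAL_SIDE:
        return f"credential/user problem ({name}): not an sssd fault"
    return f"other ({name})"


# Constructed sample: the PID 24851 attempt mirrors the post (code 4); the
# second attempt is a plain wrong password (code 7) for contrast.
SAMPLE_SECURE = """\
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=tempuser
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
Feb 18 03:31:02 ip-x-x-x-x sshd[24902]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=tempuser
Feb 18 03:31:02 ip-x-x-x-x sshd[24902]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
Feb 18 03:31:02 ip-x-x-x-x sshd[24902]: pam_sss(sshd:auth): received for user tempuser: 7 (Authentication failure)
"""


def triage(text: str) -> List[str]:
    """One verdict line per login attempt, oldest first."""
    return [f"{a.ts} pid={a.pid} user={a.user}: {classify(a)}"
            for a in parse_secure(text.splitlines())]


if __name__ == "__main__":
    for line in triage(SAMPLE_SECURE):
        print(line)
```

Run it against a real file with `triage(open("/var/log/secure").read())`; anything flagged as an sssd failure is the case LS describes, where the next step is raising debug_level in sssd.conf and reading the domain and krb5_child logs rather than resetting the user's password.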
