----- Original Message -----
From: "David Kupka" <dku...@redhat.com>
To: "Pavel Picka" <ppi...@redhat.com>, freeipa-users@redhat.com
Sent: Thursday, June 9, 2016 1:45:26 PM
Subject: Re: [Freeipa-users] SSH login to client

On 09/06/16 13:18, Pavel Picka wrote:
> Hi,
>
> Does anyone have experience with this: when I create a user on the ipa-server and want to log in on the
> client with this user, I get:
>
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
>
> (with kinit [first-time change] the password was changed to a new one)
> even after another change with ipa user-mod --password I am getting the same result
>
> and on the client in /var/log/messages I found:
>
> Jun  9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun  9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun  9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun  9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun  9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> Jun  9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
>
>
>
> --
> Pavel Picka
>
Hi Pavel!

I have a few questions that may help locate the issue:

Are you able to kinit as the user on server and client?
- kinit is ok on both
Are you able to ssh to the client as the admin?
- No, I am not able to use 'admin' to ssh to the client
What is the output of "id user" on the client?
[root@rhel04 ~]# id tuser
uid=418200001(tuser) gid=418200001(tuser) groups=418200001(tuser)


I have noticed I am able to ssh when 'kinit user' is active.

For detailed logs, here is the ssh -vvv output:

http://pastebin.test.redhat.com/382140

@Sumit

I found /var/log/sssd/krb5_child.log empty, but I didn't set the log level to 10. Is
it done in krb5.conf or somewhere else?

-- 
David Kupka
