On (09/06/16 08:43), Pavel Picka wrote: > > >----- Original Message ----- >From: "David Kupka" <[email protected]> >To: "Pavel Picka" <[email protected]>, [email protected] >Sent: Thursday, June 9, 2016 1:45:26 PM >Subject: Re: [Freeipa-users] SSH login to client > >On 09/06/16 13:18, Pavel Picka wrote: >> Hi, >> >> Have anyone experience, when create user on ipa-server, and want to login on >> client with this user I get : >> >> Permission denied, please try again. >> Permission denied, please try again. >> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password). >> >> (with kinit [1st time change] was password changed to new one) >> even with another change with ipa user-mod --password I am getting same >> result >> >> and on client in /var/log/messages found : >> >> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check >> failed >> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check >> failed >> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check >> failed >> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check >> failed >> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check >> failed >> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check >> failed >> >> >> >> -- >> Pavel Picka >> >Hi Pavel! > >I have few questions that may help locating the issue: > >Are you able to kinit as the user on server and client? >- kinit is ok on both >Are you able to ssh to the client as the admin? >- no I am not able to use 'admin' to ssh to client >What is the output of "id user" on client? >[root@rhel04 ~]# id tuser >uid=418200001(tuser) gid=418200001(tuser) groups=418200001(tuser) > > >I have noticed I am able ssh when 'kinit user' is active > >For detailed logs here is ssh -vvv > >http://pastebin.test.redhat.com/382140 > >@Sumit > >I found /var/log/sssd/krb5_child.log empty, but didn't set log level to 10, is >it done by krb5.conf or else? /ets/sssd/sssd.conf and domian section.
You might find useful following wiki. https://fedorahosted.org/sssd/wiki/Troubleshooting LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
