On Thu, Jun 09, 2016 at 08:43:57AM -0400, Pavel Picka wrote:
>
> ----- Original Message -----
> From: "David Kupka" <[email protected]>
> To: "Pavel Picka" <[email protected]>, [email protected]
> Sent: Thursday, June 9, 2016 1:45:26 PM
> Subject: Re: [Freeipa-users] SSH login to client
>
> On 09/06/16 13:18, Pavel Picka wrote:
> > Hi,
> >
> > Have anyone experience, when create user on ipa-server, and want to login
> > on client with this user I get :
> >
> > Permission denied, please try again.
> > Permission denied, please try again.
> > Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> >
> > (with kinit [1st time change] was password changed to new one)
> > even with another change with ipa user-mod --password I am getting same
> > result
> >
> > and on client in /var/log/messages found :
> >
> > Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> > Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> > Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> > Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> > Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> > Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> >
> > --
> > Pavel Picka
> >
> Hi Pavel!
>
> I have few questions that may help locating the issue:
>
> Are you able to kinit as the user on server and client?
> - kinit is ok on both
> Are you able to ssh to the client as the admin?
> - no I am not able to use 'admin' to ssh to client
> What is the output of "id user" on client?
> [root@rhel04 ~]# id tuser
> uid=418200001(tuser) gid=418200001(tuser) groups=418200001(tuser)
>
>
> I have noticed I am able ssh when 'kinit user' is active
>
> For detailed logs here is ssh -vvv
>
> http://pastebin.test.redhat.com/382140

This makes sense, GSSAPI authentication would be used in this case and SSSD
is not involved in the authentication at all. But your paste ends with
'Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).' Are
you sure you pasted the right test?

>
> @Sumit
>
> I found /var/log/sssd/krb5_child.log empty, but didn't set log level to 10,
> is it done by krb5.conf or else?

Please add 'debug_level=10' to the [domain/....] section of
/etc/sssd/sssd.conf.

bye,
Sumit

>
> --
> David Kupka
