Hi, we have set up IPA in an AD trust and are about 90% done, but still have one problem using SSH login.
Kerberos works:

# kdestroy
# kinit [email protected]
Password for [email protected]:
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: [email protected]

Valid starting       Expires              Service principal
08/04/2016 12:46:17  08/04/2016 22:46:17  krbtgt/[email protected]
        renew until 08/05/2016 12:46:09

I can see the user:

# getent passwd [email protected]
[email protected]:*:1349938498:1349938498:DREXTRHA:/home/net.dr.dk/drextrha:

However, can't log in using SSH:

login as: [email protected]
[email protected]@ipa02tst.linux.dr.dk's password:
Access denied

When I look at the log files it looks correct, until we receive a " be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success (System error)] " error, which I can't quite resolve or even verify if that's what's causing the problem.

(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success (Success)]
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] (0x0100): Sending result [0][net.dr.dk]
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] (0x0100): Sent result [0][net.dr.dk]
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): domain: net.dr.dk
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): user: [email protected]
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): service: sshd
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): tty: ssh
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): ruser:
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): rhost: t01042.net.dr.dk
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): authtok type: 1
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): priv: 1
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): cli_pid: 17348
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): logon name: not set
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [child_sig_handler] (0x0100): child [17356] finished successfully.
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success (System error)]

Everything running RHEL 7.2:
IPA 4.2.0-15.el7_2.18
SSSD 1.13.0-40.el7_2.12

Anyone having any clues on how to proceed? Could of course just raise it as a Red Hat support case, but quite a lot of genius people sit in here :-)

--
Kind regards

Troels Hansen
Systems consultant
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
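
A triage helper for logs like the one quoted above, as an added example that is not part of the original post or of SSSD: it pairs each PAM request in an sssd domain log with its be_pam_handler_callback result and returns the requests that ended with a non-zero code. The sample lines, the function name and the field selection are constructed for illustration, and reading the second number in "Backend returned" as the PAM status is an assumption based on the bracketed text in the quoted log.

```python
import re

# Constructed sample in the format of the sssd domain log lines quoted in the
# post; domain, user and PID values are made up.
SAMPLE_LOG = """\
(Thu Aug  4 12:51:10 2016) [sssd[be[example.test]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Aug  4 12:51:10 2016) [sssd[be[example.test]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Aug  4 12:51:10 2016) [sssd[be[example.test]]] [pam_print_data] (0x0100): user: alice@ad.example.test
(Thu Aug  4 12:51:10 2016) [sssd[be[example.test]]] [pam_print_data] (0x0100): service: sshd
(Thu Aug  4 12:51:10 2016) [sssd[be[example.test]]] [pam_print_data] (0x0100): cli_pid: 4242
(Thu Aug  4 12:51:10 2016) [sssd[be[example.test]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success (System error)]
(Thu Aug  4 12:51:11 2016) [sssd[be[example.test]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Aug  4 12:51:11 2016) [sssd[be[example.test]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Thu Aug  4 12:51:11 2016) [sssd[be[example.test]]] [pam_print_data] (0x0100): user: alice@ad.example.test
(Thu Aug  4 12:51:11 2016) [sssd[be[example.test]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success (Success)]
"""

LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<dom>[^\]]+)\]\]\] "
                  r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
FIELD = re.compile(r"^(command|user|service|rhost|cli_pid): ?(.*)$")
RESULT = re.compile(r"^Backend returned: \((\d+), (\d+), (.*?)\) \[(.*?) \((.*)\)\]$")


def failed_pam_requests(log_text):
    """Pair each PAM request with its backend result; return the non-zero ones."""
    failures, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        func, msg = m["func"], m["msg"]
        if func == "be_pam_handler" and msg.startswith("Got request"):
            current = {"time": m["ts"], "domain": m["dom"]}
        elif func == "pam_print_data" and current is not None:
            f = FIELD.match(msg)
            if f:
                current[f[1]] = f[2]
        elif func == "be_pam_handler_callback":
            r = RESULT.match(msg)
            # A result with no preceding request in the excerpt is skipped.
            if r and current is not None:
                dp_err, status = int(r[1]), int(r[2])  # assumed: (DP error, PAM status)
                if dp_err or status:
                    failures.append({**current, "dp_err": dp_err,
                                     "status": status, "status_text": r[5]})
                current = None
    return failures
```

Each returned entry carries the request's command, user, service and cli_pid, which can be matched against the krb5_child and sshd logs for the same time and PID.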
