Hi, we have set up IPA in an AD trust and are about 90% done, but still have one 
problem using SSH login. 

Kerberos works: 
# kdestroy 
# kinit drext...@net.dr.dk 
Password for drext...@net.dr.dk: 
# klist 
Ticket cache: KEYRING:persistent:0:0 
Default principal: drext...@net.dr.dk 

Valid starting Expires Service principal 
08/04/2016 12:46:17 08/04/2016 22:46:17 krbtgt/net.dr...@net.dr.dk 
renew until 08/05/2016 12:46:09 


I can see the user: 

# getent passwd drext...@net.dr.dk 
drext...@net.dr.dk:*:1349938498:1349938498:DREXTRHA:/home/net.dr.dk/drextrha: 

However, can't log in using SSH: 

login as: drext...@net.dr.dk 
drext...@net.dr.dk@ipa02tst.linux.dr.dk's password: 
Access denied 


When I look at the log files it looks correct, until we receive a 
"be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success 
(System error)]" error, which I can't quite resolve or even verify if that's 
what's causing the problem. 


(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [krb5_auth_store_creds] 
(0x0010): unsupported PAM command [249]. 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [krb5_auth_store_creds] 
(0x0010): password not available, offline auth may not work. 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] 
(0x0100): Backend returned: (0, 0, <NULL>) [Success (Success)] 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] 
(0x0100): Sending result [0][net.dr.dk] 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] 
(0x0100): Sent result [0][net.dr.dk] 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler] (0x0100): 
Got request with the following data 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
command: PAM_AUTHENTICATE 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
domain: net.dr.dk 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
user: drext...@net.dr.dk 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
service: sshd 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
tty: ssh 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
ruser: 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
rhost: t01042.net.dr.dk 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
authtok type: 1 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
newauthtok type: 0 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
priv: 1 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
cli_pid: 17348 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
logon name: not set 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [fo_resolve_service_send] 
(0x0100): Trying to resolve service 'IPA' 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [child_sig_handler] (0x0100): 
child [17356] finished successfully. 
(Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] 
(0x0100): Backend returned: (0, 4, <NULL>) [Success (System error)] 


Everything running RHEL 7.2: 
IPA 4.2.0-15.el7_2.18 
SSSD 1.13.0-40.el7_2.12 


Anyone having any clues on how to proceed? Could of course just raise it as a 
RedHat support case, but quite a lot of genius people sit in here :-) 


-- 


Best regards 

Troels Hansen 

System Consultant 

Casalogic A/S 


T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and 
much more. 
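
Added example, not part of the original post and not SSSD project code: a small triage script that rejoins e-mail-wrapped SSSD backend log lines, pairs each logged PAM request (`pam_print_data` fields) with the `Backend returned` line that follows it, and lists the requests that did not end in success. The sample log is constructed with placeholder names, and the field names `dp_err` and `pam_status` for the first two numbers in the result tuple are this example's assumption.

```python
import re

# Constructed sample in the format of the excerpt above (placeholder names),
# including the line wrapping that e-mail clients add to long log lines.
SAMPLE_LOG = """\
(Thu Aug 4 12:51:10 2016) [sssd[be[ipa.example]]] [be_pam_handler_callback]
(0x0100): Backend returned: (0, 0, <NULL>) [Success (Success)]
(Thu Aug 4 12:51:10 2016) [sssd[be[ipa.example]]] [be_pam_handler] (0x0100):
Got request with the following data
(Thu Aug 4 12:51:10 2016) [sssd[be[ipa.example]]] [pam_print_data] (0x0100):
command: PAM_AUTHENTICATE
(Thu Aug 4 12:51:10 2016) [sssd[be[ipa.example]]] [pam_print_data] (0x0100):
user: alice@ad.example
(Thu Aug 4 12:51:10 2016) [sssd[be[ipa.example]]] [pam_print_data] (0x0100):
service: sshd
(Thu Aug 4 12:51:10 2016) [sssd[be[ipa.example]]] [be_pam_handler_callback]
(0x0100): Backend returned: (0, 4, <NULL>) [Success (System error)]
"""

RECORD = re.compile(r"\(([^)]+)\) \[sssd\[be\[[^\]]+\]\]\] \[(\w+)\] \(0x[0-9a-f]+\): ?(.*)")
RESULT = re.compile(r"Backend returned: \((\d+), (\d+), (.*?)\) \[(.*)\]")

def unwrap(text):
    # Rejoin wrapped lines: a record starts with "(<timestamp>) [sssd[".
    return [" ".join(p.split()) for p in re.split(r"\n(?=\([^)]+\) \[sssd\[)", text)]

def pam_requests(text):
    # Pair each logged PAM request with the backend result that follows it.
    # A result seen before any request (log excerpt cut mid-way) is kept
    # as an entry without request fields.
    done, current = [], {}
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        ts, func, msg = m.groups()
        if func == "be_pam_handler" and msg.startswith("Got request"):
            current = {"time": ts}
        elif func == "pam_print_data" and ":" in msg:
            key, _, value = msg.partition(":")
            current[key.strip()] = value.strip()
        elif func == "be_pam_handler_callback" and (r := RESULT.match(msg)):
            current.update(dp_err=int(r[1]), pam_status=int(r[2]), text=r[4])
            done.append(current)
            current = {}
    return done

def failures(text):
    # Assumption: any non-zero number in the result tuple marks a failed request.
    return [r for r in pam_requests(text) if r["dp_err"] or r["pam_status"]]
```

Run against a full `sssd_<domain>.log`, `failures()` gives the user, service and timestamp of each failing request, which narrows down where to look in the matching child-process log for the same second.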