On Thu, Aug 04, 2016 at 12:57:40PM +0200, Troels Hansen wrote:
> Hi, we have set up IPA in an AD trust and are about 90% done, but still have 
> one problem using SSH login. 
> 
> Kerberos works: 
> # kdestroy 
> # kinit drext...@net.dr.dk 
> Password for drext...@net.dr.dk: 
> # klist 
> Ticket cache: KEYRING:persistent:0:0 
> Default principal: drext...@net.dr.dk 
> 
> Valid starting Expires Service principal 
> 08/04/2016 12:46:17 08/04/2016 22:46:17 krbtgt/net.dr...@net.dr.dk 
> renew until 08/05/2016 12:46:09 
> 
> 
> I can see the user: 
> 
> # getent passwd drext...@net.dr.dk 
> drext...@net.dr.dk:*:1349938498:1349938498:DREXTRHA:/home/net.dr.dk/drextrha: 
> 
> However, can't log in using SSH: 
> 
> login as: drext...@net.dr.dk 
> drext...@net.dr.dk@ipa02tst.linux.dr.dk's password: 
> Access denied 
> 
> 
> When I look at the log files it looks correct, until we receive a " 
> be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success 
> (System error)] " error, which I can't quite resolve or even verify if that's 
> what's causing the problem. 
> 
> 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [krb5_auth_store_creds] 
> (0x0010): unsupported PAM command [249]. 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [krb5_auth_store_creds] 
> (0x0010): password not available, offline auth may not work. 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] 
> (0x0100): Backend returned: (0, 0, <NULL>) [Success (Success)] 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] 
> (0x0100): Sending result [0][net.dr.dk] 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] 
> (0x0100): Sent result [0][net.dr.dk] 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler] (0x0100): 
> Got request with the following data 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
> command: PAM_AUTHENTICATE 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
> domain: net.dr.dk 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
> user: drext...@net.dr.dk 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
> service: sshd 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
> tty: ssh 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
> ruser: 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
> rhost: t01042.net.dr.dk 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
> authtok type: 1 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
> newauthtok type: 0 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
> priv: 1 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
> cli_pid: 17348 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [pam_print_data] (0x0100): 
> logon name: not set 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [fo_resolve_service_send] 
> (0x0100): Trying to resolve service 'IPA' 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [child_sig_handler] 
> (0x0100): child [17356] finished successfully. 
> (Thu Aug 4 12:51:10 2016) [sssd[be[linux.dr.dk]]] [be_pam_handler_callback] 
> (0x0100): Backend returned: (0, 4, <NULL>) [Success (System error)] 

Please take a look into krb5_child.log, it should have more hints on why
the authentication failed.

(This is documented at
https://fedorahosted.org/sssd/wiki/Troubleshooting, section
"Troubleshooting general authentication problems")

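An added example (not part of the original thread and not SSSD code): a small Python filter that pairs each PAM request block in an SSSD domain log with the next "Backend returned" line and reports the requests that did not end in success, giving the timestamp, user and service to look for in krb5_child.log. The sample lines are constructed in the format of the excerpt above, with placeholder host and user names; reading the second number of the tuple as the PAM status is an assumption based on the bracketed text in the log.

```python
import re

# One domain-log entry: (timestamp) [sssd[be[domain]]] [function] (level): message
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<dom>[^\]]+)\]\]\] "
                   r"\[(?P<fn>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
RESULT = re.compile(r"Backend returned: \((\d+), (\d+), ([^)]*)\) \[(.*)\]")
FIELD = re.compile(r"^(command|domain|user|service|rhost): ?(.*)$")

def failed_pam_requests(lines):
    """Return the PAM requests whose backend result carries a non-zero
    second number (assumed here to be the PAM status)."""
    current, failures = {}, []
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue  # wrapped or foreign line, not a log entry
        fn, msg = m["fn"], m["msg"]
        if fn == "be_pam_handler" and msg.startswith("Got request"):
            current = {"ts": m["ts"]}          # a new request block starts
        elif fn == "pam_print_data" and (f := FIELD.match(msg)):
            current[f[1]] = f[2]               # collect the request fields
        elif fn == "be_pam_handler_callback" and (r := RESULT.search(msg)):
            if int(r[2]) != 0:
                failures.append({**current, "status": int(r[2]), "text": r[4]})
            current = {}                       # the result closes the block
    return failures

# Constructed sample in the format of the excerpt; names are placeholders.
P = "(Thu Aug  4 12:51:10 2016) [sssd[be[ipa.example.test]]] "
SAMPLE = [
    P + "[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success (Success)]",
    P + "[be_pam_handler] (0x0100): Got request with the following data",
    P + "[pam_print_data] (0x0100): command: PAM_AUTHENTICATE",
    P + "[pam_print_data] (0x0100): domain: ad.example.test",
    P + "[pam_print_data] (0x0100): user: user1@ad.example.test",
    P + "[pam_print_data] (0x0100): service: sshd",
    P + "[pam_print_data] (0x0100): rhost: client.ad.example.test",
    P + "[child_sig_handler] (0x0100): child [17356] finished successfully.",
    P + "[be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success (System error)]",
]

if __name__ == "__main__":
    for failure in failed_pam_requests(SAMPLE):
        print(failure)
```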