Hello,

You may need to increase the debug level to 9 and look in the sssd_<ipadomain>.log for failures after the failed login attempt. I would look between the log messages 'Got request for bobt...' and 'Backend returned'.


https://fedorahosted.org/sssd/wiki/Troubleshooting

You can also send the debug logs here for review.

Make sure logins and lookups are working on the IPA server first before troubleshooting the IPA client.

Kind regards,

Justin Stephenson

On 08/09/2016 07:32 PM, Guy Knights wrote:
I've set up a FreeIPA server on a CentOS 7 machine and have successfully configured a 2-way trust between it and our Active Directory domain controller. I've also installed ipa-client on an Ubuntu 14.04 machine and have run ipa-client-install, which has apparently successfully joined the FreeIPA domain.

So far, I can successfully do the following:

1. Log into the FreeIPA machine with an AD user account.
2. Log into the Ubuntu machine with a FreeIPA account.
3. Run 'getent passwd <freeipa username>' on the Ubuntu machine and have it return the associated FreeIPA user account details (eg. "jackt:*:1131000005:1131000005:Jack Test:/home/ipa.bbg.net/jackt:/bin/bash")
4. Run 'getent passwd <ad username>' on the Ubuntu machine and have it return the associated AD user account details (eg. "b...@ad.bbg.net:*:1946801107:1946801107::/home/ad.bbg.net/bobt:/bin/bash")

What I can't do is log into the Ubuntu machine with the AD user. I'm using the following SSH command from the command line on my Mac:

ssh -o User=b...@ad.bbg.net vm1.bbg.com

It asks me for the password, I enter it and it says permissions denied, please try again. I set the debug level in SSSD on the Ubuntu client to 5 and this is what shows up in the log during the login attempt:

(Tue Aug 9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
(Tue Aug 9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug 9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): domain: ad.bbg.net
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): user: b...@ad.bbg.net
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): service: sshd
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): tty: ssh
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): ruser:
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): rhost: 192.168.100.157
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): priv: 1
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [pam_print_data] (0x0100): cli_pid: 16230
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [krb5_auth_send] (0x0100): No ccache file for user [b...@ad.bbg.net] found.
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_resolve_server_process] (0x0200): Found address for server dc.ipa.bbg.net: [192.168.100.14] TTL 3600
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.bbg.net]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][ad.bbg.net]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [child_sig_handler] (0x0100): child [16313] finished successfully.

Can anyone explain why it's saying account info lookup failed when it can get the account info fine via getent?

Thanks,
Guy



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
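
The log review suggested in the reply above, as an added example (not part of the thread and not SSSD code): a Python script that cuts a backend log into windows from 'Got request for ... name=<user>' to 'Backend returned' and lists the lines in each window that carry a nonzero return code. The function names `request_windows` and `failures` are hypothetical, and treating every nonzero code as worth a look is an assumption of this example.

```python
import re

# Excerpt of the sssd_<ipadomain>.log lines quoted in the thread.
SAMPLE_LOG = """\
(Tue Aug 9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=bobt]
(Tue Aug 9 16:25:56 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug 9 16:25:57 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_get_account_info] (0x0100): Got request for [3][1][name=bobt]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,Account info lookup failed
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Tue Aug 9 16:27:54 2016) [sssd[be[ipa.bbg.net]]] [child_sig_handler] (0x0100): child [16313] finished successfully.
"""

LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]+\]\]\] \[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
# Matches both "Returned 3,95,..." and "Backend returned: (0, 4, ...".
CODES = re.compile(r"(?:Returned |Backend returned: \()(\d+), ?(\d+),")

def request_windows(log_text, user):
    """Windows open at 'Got request for ... name=<user>' and close at
    'Backend returned'. A window that never sees the closing line (a plain
    lookup with no PAM request) is kept with closed=False."""
    windows, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unparseable line
        msg = m["msg"]
        if msg.startswith("Got request for") and f"name={user}]" in msg:
            current = {"start": m["ts"], "closed": False, "lines": []}
            windows.append(current)
        if current is not None:
            current["lines"].append((m["func"], msg))
            if msg.startswith("Backend returned"):
                current["closed"] = True
                current = None
    return windows

def failures(window):
    """(function, message) pairs whose return codes are not all zero.
    Assumption: a nonzero code matters even when the trailing text says Success."""
    hits = []
    for func, msg in window["lines"]:
        m = CODES.search(msg)
        if m and (int(m.group(1)) or int(m.group(2))):
            hits.append((func, msg))
    return hits

if __name__ == "__main__":
    for w in request_windows(SAMPLE_LOG, "bobt"):
        print(w["start"], "closed:", w["closed"], failures(w))
```

To run it against a real log, pass the contents of the sssd_<ipadomain>.log file to `request_windows` in place of `SAMPLE_LOG`.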