[Freeipa-users] Issue with MFA in CentOS 6.8

William Graboyes Tue, 07 Feb 2017 17:12:07 -0800

Hi All,

I am having some odd issues with MFA on CentOS release 6.8 (Final),
debug logs included below.  I have two users, one with MFA enabled, and
one without.  They are both in the same groups and have the same level
of access to the server, both pass the HBAC tests, however the one with
MFA fails to be granted access to the server and I am unable to come to
an idea of a solution.  Both users show up in the proper group with the
getent command.


OS: CentOS 6.8

IPA Version: ipa-client-3.0.0-50.el6.centos.3.x86_64

sssd Version: sssd-ipa-1.13.3-22.el6_8.4.x86_64


Any help would be greatly appreciated.

Thanks,

Bill


Debug logs (sanitized and for a single transaction of the MFA user):

sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[be_get_account_info] (0x0200): Got request for
[0x3][BE_REQ_INITGROUPS][1][name=usermfa]
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[be_req_set_domain] (0x0400): Changing request domain from [domain.tld]
to [domain.tld]
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_initgr_next_base] (0x0400): Searching for users with base
[cn=accounts,dc=domain,dc=tld]
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(uid=usermfa)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=domain,dc=tld].
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_save_user] (0x0400): Save user
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_primary_name] (0x0400): Processing object usermfa
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_save_user] (0x0400): Processing user usermfa
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_save_user] (0x0400): Adding original memberOf attributes to [usermfa].
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_save_user] (0x0400): Adding user principal [[email protected]] to
attributes of [usermfa].
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_save_user] (0x0400): Storing info for user usermfa
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_primary_name] (0x0400): Processing object usermfa
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=tld].
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][ipaUniqueID=5e66b39e-f8dc-11e4-b00c-525400bb2465,cn=hbac,dc=domain,dc=tld].
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_initgr_nested_search] (0x0040): Search for group
ipaUniqueID=5e66b39e-f8dc-11e4-b00c-525400bb2465,cn=hbac,dc=domain,dc=tld,
returned 0 results. Skipping
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=tacacs,cn=groups,cn=accounts,dc=domain,dc=tld].
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][ipaUniqueID=eb439cf0-4a90-11e4-9d94-525400e99b50,cn=hbac,dc=domain,dc=tld].
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_initgr_nested_search] (0x0040): Search for group
ipaUniqueID=eb439cf0-4a90-11e4-9d94-525400e99b50,cn=hbac,dc=domain,dc=tld,
returned 0 results. Skipping
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=tacacs_users,cn=groups,cn=accounts,dc=domain,dc=tld].
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][ipaUniqueID=50a61ece-4a8c-11e4-b5a2-525400e99b50,cn=sudorules,cn=sudo,dc=domain,dc=tld].
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_initgr_nested_search] (0x0040): Search for group
ipaUniqueID=50a61ece-4a8c-11e4-b5a2-525400e99b50,cn=sudorules,cn=sudo,dc=domain,dc=tld,
returned 0 results. Skipping
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=shell,cn=groups,cn=accounts,dc=domain,dc=tld].
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][ipaUniqueID=0d5e97e6-b98e-11e5-9d11-5254002ece04,cn=hbac,dc=domain,dc=tld].
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_initgr_nested_search] (0x0040): Search for group
ipaUniqueID=0d5e97e6-b98e-11e5-9d11-5254002ece04,cn=hbac,dc=domain,dc=tld,
returned 0 results. Skipping
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_primary_name] (0x0400): Processing object ipausers
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_primary_name] (0x0400): Processing object tacacs
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_primary_name] (0x0400): Processing object tacacs_users
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_primary_name] (0x0400): Processing object shell
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_initgr_done] (0x0400): Primary group already cached, nothing
to do.
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:domain.tld:60fdb0fa-b1d9-11e6-8e62-5254002ece04))][cn=Default
Trust View,cn=views,cn=accounts,dc=domain,dc=tld].
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[be_req_set_domain] (0x0400): Changing request domain from [domain.tld]
to [domain.tld]
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[be_pam_handler] (0x0100): Got request with the following data
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[pam_print_data] (0x0100): domain: domain.tld
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[pam_print_data] (0x0100): user: usermfa
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[pam_print_data] (0x0100): service: sshd
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[pam_print_data] (0x0100): tty: ssh
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[pam_print_data] (0x0100): ruser:
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[pam_print_data] (0x0100): rhost: dynd093.domain.tld
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[pam_print_data] (0x0100): authtok type: 1
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[pam_print_data] (0x0100): newauthtok type: 0
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[pam_print_data] (0x0100): priv: 1
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[pam_print_data] (0x0100): cli_pid: 21707
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[pam_print_data] (0x0100): logon name: not set
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[resolve_srv_send] (0x0200): The status of SRV lookup is resolved
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[be_resolve_server_process] (0x0200): Found address for server
tus-auth-2.domain.tld: [267.260.582.247] TTL 8801
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[ipa_resolve_callback] (0x0400): Constructed uri
'ldap://tus-auth-2.domain.tld'
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[write_pipe_handler] (0x0400): All data has been sent!
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[read_pipe_handler] (0x0400): EOF received, client finished
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=domain,dc=tld].
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[child_sig_handler] (0x0100): child [21713] finished successfully.
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[resolve_srv_send] (0x0200): The status of SRV lookup is resolved
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[be_resolve_server_process] (0x0200): Found address for server
tus-auth-2.domain.tld: [267.260.582.247] TTL 8801
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_sys_connect_done] (0x0100): Executing START TLS
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_connect_done] (0x0080): START TLS result: Success(0), Start TLS
request accepted.Server willing to negotiate SSL.
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[sdap_cli_auth_step] (0x0100): expire timeout is 900
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[fo_set_port_status] (0x0100): Marking port 389 of server
'tus-auth-2.domain.tld' as 'working'
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[set_server_common_status] (0x0100): Marking server
'tus-auth-2.domain.tld' as 'working'
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[fo_set_port_status] (0x0400): Marking port 389 of duplicate server
'tus-auth-2.domain.tld' as 'working'
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[ipa_migration_flag_connect_done] (0x0400): Assuming Kerberos password
is missing, starting password migration.
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[simple_bind_send] (0x0100): Executing simple bind as:
uid=usermfa,cn=users,cn=accounts,dc=domain,dc=tld
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[ipa_auth_ldap_done] (0x0400): LDAP authentication succeded, trying
Kerberos authentication again.
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[resolve_srv_send] (0x0200): The status of SRV lookup is resolved
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[be_resolve_server_process] (0x0200): Found address for server
tus-auth-2.domain.tld: [267.260.582.247] TTL 8801
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[ipa_resolve_callback] (0x0400): Constructed uri
'ldap://tus-auth-2.domain.tld'
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[write_pipe_handler] (0x0400): All data has been sent!
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[read_pipe_handler] (0x0400): EOF received, client finished
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 17, <NULL>)
[Success]
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[be_pam_handler_callback] (0x0100): Sending result [17][domain.tld]
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[be_pam_handler_callback] (0x0100): Sent result [17][domain.tld]
sssd_domain.tld.log:(Tue Feb  7 16:27:36 2017) [sssd[be[domain.tld]]]
[child_sig_handler] (0x0100): child [21714] finished successfully.
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [accept_fd_handler]
(0x0400): Client connected to privileged pipe!
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]]
[sss_cmd_get_version] (0x0200): Received client version [3].
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]]
[sss_cmd_get_version] (0x0200): Offered version [3].
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]]
[pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]]
[sss_parse_name_for_domains] (0x0200): name 'usermfa' matched without
domain, user is usermfa
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): command: SSS_PAM_AUTHENTICATE
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): domain: not set
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): user: usermfa
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): service: sshd
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): tty: ssh
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): ruser: not set
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): rhost: dynd093.domain.tld
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): authtok type: 1
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): newauthtok type: 0
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): priv: 1
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): cli_pid: 21707
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): logon name: usermfa
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]]
[sss_dp_issue_request] (0x0400): Issuing request for
[0x410330:3:[email protected]]
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]]
[sss_dp_get_account_msg] (0x0400): Creating request for
[domain.tld][0x3][BE_REQ_INITGROUPS][1][name=usermfa]
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]]
[sss_dp_internal_get_send] (0x0400): Entering request
[0x410330:3:[email protected]]
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]]
[pam_check_user_search] (0x0100): Requesting info for [[email protected]]
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]]
[pam_check_user_search] (0x0400): Returning info for user
[[email protected]]
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_dp_send_req]
(0x0100): Sending request with the following data:
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): command: SSS_PAM_AUTHENTICATE
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): domain: domain.tld
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): user: usermfa
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): service: sshd
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): tty: ssh
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): ruser: not set
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): rhost: dynd093.domain.tld
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): authtok type: 1
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): newauthtok type: 0
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): priv: 1
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): cli_pid: 21707
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_print_data]
(0x0100): logon name: usermfa
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_dom_forwarder]
(0x0100): pam_dp_send_req returned 0
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]]
[sss_dp_req_destructor] (0x0400): Deleting request:
[0x410330:3:[email protected]]
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]]
[pam_dp_process_reply] (0x0200): received: [17 (Failure setting user
credentials)][domain.tld]
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_reply]
(0x0200): pam_reply called with result [17]: Failure setting user
credentials.
sssd_pam.log:(Tue Feb  7 16:27:36 2017) [sssd[pam]] [pam_reply]
(0x0200): blen: 26
sssd_pam.log:(Tue Feb  7 16:27:40 2017) [sssd[pam]] [client_recv]
(0x0200): Client disconnected!

signature.asc
Description: OpenPGP digital signature

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Issue with MFA in CentOS 6.8

Reply via email to