Hello Lukas,

No, the account is neither locked nor expired. That's the weird part. On other Centos7 / RHEL7 I can log in without any issues.

[root@ipa2 ~]# ipa user-status nuno
-----------------------
Account disabled: False
-----------------------
  Server: ipa1
  Failed logins: 0
  Last successful authentication: 20170214150453Z
  Last failed authentication: 20170213170252Z
  Time now: 2017-02-14T15:06:21Z

  Server: ipa2
  Failed logins: 0
  Last successful authentication: 20170214150047Z
  Last failed authentication: 20170214124638Z
  Time now: 2017-02-14T15:06:23Z
----------------------------
Number of entries returned 2
----------------------------

I've also enabled the sssd. There is no evidence of where the problem is:

(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.com
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): user: [email protected]
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.0.10
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com]
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 68
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'nuno' matched without domain, user is nuno
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): user: nuno
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.0.10
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [[email protected]]
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [[email protected]@domain.com]
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is [email protected]
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.com
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): user: [email protected]
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.0.10
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Tue Feb 14 15:11:56 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][domain.com]
(Tue Feb 14 15:11:56 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Tue Feb 14 15:11:56 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 25
(Tue Feb 14 15:11:56 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!

Also remember that this configuration works perfectly if it is a KVM or a LXC.

Thanks.
Nuno

-----Original Message-----
From: Lukas Slebodnik [mailto:[email protected]]
Sent: Tuesday, 14 February 2017 14:55
To: Nuno Higgs
Cc: [email protected]
Subject: Re: [Freeipa-users] Cannot login after patching on LXC Container

On (14/02/17 13:00), Nuno Higgs wrote:
>Hello All,
>
>I have a LXC container running Centos7, fully patched that I can't
>login into in a standard IPA usage configuration:
>
>Feb 13 19:42:07 lxc1 sshd[1536]: pam_sss(sshd:account): Access denied
>for user nuno 4 (System error)
>
System error means unexpected state for sssd.
I would recommend following the sssd troubleshooting wiki
https://fedorahosted.org/sssd/wiki/Troubleshooting#TroubleshootingAuthenticationPasswordChangeandAccessControl

>Feb 13 19:42:07 lxc1 sshd[1536]: Failed password for nuno from
>172.16.0.10 port 54461 ssh2
>
>Feb 13 19:42:07 lxc1 sshd[1536]: fatal: Access denied for user nuno by
>PAM account configuration [preauth]
>
>Feb 13 19:43:42 lxc1 sshd[1553]: Connection closed by 172.16.3.253
>[preauth]
>
>Feb 13 19:53:04 lxc1 sshd[1635]: pam_sss(sshd:auth): authentication
>success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.3.253
>user=nuno
>
>Feb 13 19:53:04 lxc1 sshd[1632]: error: PAM: User account has expired
>for nuno from 172.16.3.253
>
This error is a little bit later but I think it is clear enough.
The account is expired.

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
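
Added example, not part of the original thread: a small Python parser that pairs each PAM command in the sssd[pam] log with the data-provider reply that follows it, run over an excerpt of the lines quoted above. It shows that SSS_PAM_AUTHENTICATE returned Success while SSS_PAM_ACCT_MGMT returned 4 (System error); the function names are hypothetical and the line layout is assumed to match the log as posted.

```python
import re

# Excerpt of the sssd[pam] log lines quoted in the message above (trimmed).
SAMPLE_LOG = """\
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com]
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno
(Tue Feb 14 15:11:56 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][domain.com]
"""

LINE = re.compile(r"^\(([^)]+)\) \[sssd\[pam\]\] \[(\w+)\] \(0x[0-9a-f]+\): (.*)$")
REPLY = re.compile(r"received: \[(\d+) \(([^)]*)\)\]")


def pam_phase_results(log_text):
    """Pair each PAM command with the data-provider reply that follows it."""
    results, current = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, func, msg = m.groups()
        if func == "pam_print_data" and ": " in msg:
            key, value = msg.split(": ", 1)
            if key == "command":      # each request dump starts with "command:"
                current = {}          # so a repeated dump replaces the earlier one
            current[key] = value
        elif func == "pam_dp_process_reply" and "command" in current:
            reply = REPLY.search(msg)
            if reply:
                results.append({"time": ts, "command": current["command"],
                                "user": current.get("logon name"),
                                "code": int(reply.group(1)),
                                "text": reply.group(2)})
                current = {}
    return results


def first_failure(results):
    """Return the first phase whose reply code is non-zero, or None."""
    return next((r for r in results if r["code"] != 0), None)

if __name__ == "__main__":
    for r in pam_phase_results(SAMPLE_LOG):
        print(r["time"], r["command"], r["code"], r["text"])
```

The reply with code 4 comes back from the domain's data provider, so the sssd[pam] log alone records only the result of the account phase, not its cause.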
