Re: [Freeipa-users] freeipa permission denied for user
On Thu, May 05, 2016 at 08:13:00PM +0530, Rakesh Rajasekharan wrote:
> (Thu May  5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [get_and_save_tgt] (0x0020): 1000: [-1765328353][Decrypt integrity check failed]
> (Thu May  5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [map_krb5_error] (0x0020): 1069: [-1765328353][Decrypt integrity check failed]

This seems like a wrong password. Are you able to kinit with the same password using the user's principal?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa permission denied for user
> Actually, it should be 1777
>
> sh$ ls -ld /tmp/
> drwxrwxrwt. 11 root root 260 Feb 19 10:27 /tmp/
>          ^
> This is important.

Yes, I have now corrected them. Thanks.

On Fri, Feb 19, 2016 at 2:59 PM, Lukas Slebodnik wrote:
> On (19/02/16 14:54), Rakesh Rajasekharan wrote:
> [...]
> Actually, it should be 1777
> [...]
> This is important.
>
> LS
Re: [Freeipa-users] freeipa permission denied for user
On (19/02/16 14:54), Rakesh Rajasekharan wrote:
>> This usually means a critical error in sssd.
>> Please provide log files (sssd_$domain.log and krb5_child.log)
>
> I found this in my sssd-$domain.log
>
> [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user [tempuser] found
>
> So searching around I found that the permissions for the /tmp directory should be 777.
>
> Setting it to 777 fixed the issue for me.
>
Actually, it should be 1777

sh$ ls -ld /tmp/
drwxrwxrwt. 11 root root 260 Feb 19 10:27 /tmp/
         ^
This is important.

LS
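Why the leading 1 matters: the directory sssd's krb5_child writes per-user credential caches into must be world-writable so every user can create a ccache, but without the sticky bit any local user can unlink or rename any other user's ccache. The following is an added example written for this page (not code from the thread, from FreeIPA or from sssd) that classifies a directory's mode with os.stat and reproduces the poster's 777 state and the recommended 1777 state on a throwaway directory. The verdict strings and function names are mine; the only assumption is a POSIX filesystem that honours the sticky bit.

```python
import os
import stat
import tempfile

# Added example, not from this thread or from sssd: classify the mode of a
# world-writable scratch directory such as /tmp, where sssd's krb5_child writes
# per-user Kerberos credential caches. A directory that is 0777 lets any local
# user unlink or rename another user's ccache; with the sticky bit (1777) only
# the file's owner, the directory's owner and root may do so, which is why
# "chmod 777 /tmp" makes the login work but is the wrong fix.

WORLD_WRITABLE = stat.S_IWOTH


def classify_tmp_dir(path):
    """Return one of 'ok', 'no-sticky', 'not-world-writable', 'not-a-directory', 'missing'."""
    try:
        st = os.stat(path)
    except (FileNotFoundError, NotADirectoryError):
        return "missing"
    if not stat.S_ISDIR(st.st_mode):
        return "not-a-directory"
    perms = stat.S_IMODE(st.st_mode)  # rwxrwxrwx plus setuid/setgid/sticky bits
    if not perms & WORLD_WRITABLE:
        return "not-world-writable"   # users cannot create their ccache at all
    if not perms & stat.S_ISVTX:
        return "no-sticky"            # 0777: every user's files deletable by every other user
    return "ok"


def expected_fix(path):
    """Return the mode string to pass to chmod to repair PATH, or None if it is already right."""
    if classify_tmp_dir(path) in ("no-sticky", "not-world-writable"):
        return "1777"
    return None


def demo():
    """Reproduce the thread's two states on a throwaway directory, never on the real /tmp."""
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, 0o777)                      # what the original poster did
        before, fix = classify_tmp_dir(d), expected_fix(d)
        os.chmod(d, 0o1777)                     # what Lukas recommends (note the leading 1)
        after = classify_tmp_dir(d)
        return {"before": before, "fix": fix, "after": after}
    finally:
        os.rmdir(d)


if __name__ == "__main__":
    print("this host's /tmp:", classify_tmp_dir("/tmp"), "fix:", expected_fix("/tmp"))
    print("demo:", demo())
```

A plain `chmod 777` on a directory that already carried the sticky bit clears it (GNU chmod only preserves the setuid/setgid bits of directories when given a three-digit mode), so running the check after any such "repair" is worthwhile, not just before.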
Re: [Freeipa-users] freeipa permission denied for user
> This usually means a critical error in sssd.
> Please provide log files (sssd_$domain.log and krb5_child.log)

I found this in my sssd-$domain.log

[krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user [tempuser] found

So searching around I found that the permissions for the /tmp directory should be 777. Setting it to 777 fixed the issue for me.

Thanks,
Rakesh

On Fri, Feb 19, 2016 at 1:08 PM, Lukas Slebodnik wrote:
> On (18/02/16 18:41), Rakesh Rajasekharan wrote:
> > I set up freeipa on our environment and it works perfectly for most of the hosts, but on a few I am getting a permission denied.
> [...]
> > and from the logs, I have the below errors
> >
> > ==> /var/log/secure <==
> > Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> > Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> > Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
>
> This usually means a critical error in sssd.
> Please provide log files (sssd_$domain.log and krb5_child.log) with high debug level.
> https://fedorahosted.org/sssd/wiki/Troubleshooting
>
> Which version of sssd do you have?
>
> LS
Re: [Freeipa-users] freeipa permission denied for user
On (18/02/16 18:41), Rakesh Rajasekharan wrote:
> I set up freeipa on our environment and it works perfectly for most of the hosts, but on a few I am getting a permission denied.
>
> [root@ipa-client-1c :~] ssh tempuser@localhost
> tempuser@localhost's password:
> Permission denied, please try again.
> tempuser@localhost's password:
>
> I checked the hbac, but that seems to be fine
>
> [root@ipa-master-test-1b ] ipa hbactest --user=tempuser --host=x.x.x.x --service=sshd
> Access granted: True
>   Matched rules: allow_all
>
> [...]
>
> and from the logs, I have the below errors
>
> ==> /var/log/secure <==
> Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)

This usually means a critical error in sssd.
Please provide log files (sssd_$domain.log and krb5_child.log) with high debug level.
https://fedorahosted.org/sssd/wiki/Troubleshooting

Which version of sssd do you have?

LS
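The distinction Lukas draws here is the one that matters for triage: "received for user tempuser: 4 (System error)" is PAM_SYSTEM_ERR, meaning sssd itself failed, while a wrong password comes back as PAM_AUTH_ERR (7). Below is an added example (my code, not the thread's, FreeIPA's or sssd's) that parses the pam_sss lines sshd writes to /var/log/secure and buckets them by PAM return code so that sssd breakage is not lumped in with bad passwords. The numeric codes come from Linux-PAM's headers; the bucket labels, the function names and the "bob" line in the sample log are constructed for the example.

```python
import re

# Added example, not from the thread or from sssd: triage pam_sss result lines
# from /var/log/secure by PAM return code. The numeric values are Linux-PAM's
# (<security/_pam_types.h>); the bucket labels are my own triage categories.
PAM_CODES = {
    0: ("PAM_SUCCESS", "ok"),
    4: ("PAM_SYSTEM_ERR", "infrastructure"),        # sssd/krb5_child failed: read sssd logs, not the user's password
    6: ("PAM_PERM_DENIED", "policy"),
    7: ("PAM_AUTH_ERR", "credentials"),             # wrong password or a bad Kerberos reply
    9: ("PAM_AUTHINFO_UNAVAIL", "infrastructure"),  # KDC or LDAP unreachable
    10: ("PAM_USER_UNKNOWN", "identity"),
    11: ("PAM_MAXTRIES", "credentials"),
    13: ("PAM_ACCT_EXPIRED", "policy"),
}

# Matches only the "received for user ...: N (message)" line that pam_sss emits;
# the preceding "authentication failure" lines carry no code and are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"pam_sss\(sshd:auth\): received for user (?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)"
)


def parse_pam_sss(line):
    """Parse one pam_sss result line into a dict, or return None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    code = int(m.group("code"))
    name, bucket = PAM_CODES.get(code, ("UNKNOWN_%d" % code, "unknown"))
    return {"ts": m.group("ts"), "host": m.group("host"), "pid": m.group("pid"),
            "user": m.group("user"), "code": code, "name": name, "bucket": bucket}


def triage(lines):
    """Group parsed events by bucket so sssd breakage shows up apart from bad passwords."""
    buckets = {}
    for line in lines:
        ev = parse_pam_sss(line)
        if ev:
            buckets.setdefault(ev["bucket"], []).append(ev)
    return buckets


# Constructed sample: the two PAM_SYSTEM_ERR events from the thread plus one
# ordinary wrong-password event ("bob") for contrast.
SAMPLE_LOG = """\
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
Feb 18 03:40:02 ip-x-x-x-x sshd[25301]: pam_sss(sshd:auth): received for user bob: 7 (Authentication failure)
""".splitlines()

if __name__ == "__main__":
    for bucket, events in triage(SAMPLE_LOG).items():
        print(bucket, [(e["user"], e["name"]) for e in events])
```

Feeding the real file is `triage(open("/var/log/secure"))`; anything landing in the "infrastructure" bucket is the case this thread is about and should send you to sssd_$domain.log and krb5_child.log rather than to the user.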
Re: [Freeipa-users] freeipa permission denied for user
The permission for /etc/krb5.conf was already set to 644. So, that aspect looks fine. I think it might be something to do with the pam settings.

Here is my sssd.conf

[root@ipa-client :/etc/sssd] cat sssd.conf
[domain/xyz.com]
krb5_auth_timeout = 30
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xyz.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = x.x.x.x
chpass_provider = ipa
ipa_server = _srv_, ipa-master.xyz.com
dns_discovery_domain = xyz.com

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldap,dc=qa,dc=xyz,dc=com
krb5_realm = xyz.com
krb5_server = ipa-master.xyz.com:88
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap-int.xyz.com:636
ldap_tls_cacertdir = /etc/openldap/cacerts

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = default, xyz.com

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

Thanks,
Rakesh

On Thu, Feb 18, 2016 at 6:52 PM, Martin Kosek wrote:
> On 02/18/2016 02:11 PM, Rakesh Rajasekharan wrote:
> > I set up freeipa on our environment and it works perfectly for most of the hosts, but on a few I am getting a permission denied.
> [...]
> > ==> /var/log/messages <==
> [...]
> > Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied
> > Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied
>
> Could it be caused by /etc/krb5.conf permissions as here:
> https://lists.fedorahosted.org/pipermail/sssd-users/2014-August/002103.html
> ?
>
> Some advice is also here:
> http://serverfault.com/questions/697113/linux-ad-integration-unable-to-login-when-using-windows-server-2012-dc
>
> Martin
Re: [Freeipa-users] freeipa permission denied for user
On 02/18/2016 02:11 PM, Rakesh Rajasekharan wrote:
> I set up freeipa on our environment and it works perfectly for most of the hosts, but on a few I am getting a permission denied.
>
> [root@ipa-client-1c :~] ssh tempuser@localhost
> tempuser@localhost's password:
> Permission denied, please try again.
> tempuser@localhost's password:
>
> [...]
>
> ==> /var/log/messages <==
> Feb 18 03:37:45 ip-x-x-x-x sssd[be[xyz.com]]: Shutting down
> Feb 18 03:37:45 ip-x-x-x-x sssd: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[nss]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[sudo]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[pam]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[pac]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[ssh]: Starting up
> Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed : Input/output error
> Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed : Input/output error
> Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied
> Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied

Could it be caused by /etc/krb5.conf permissions as here:
https://lists.fedorahosted.org/pipermail/sssd-users/2014-August/002103.html
?

Some advice is also here:
http://serverfault.com/questions/697113/linux-ad-integration-unable-to-login-when-using-windows-server-2012-dc

Martin
[Freeipa-users] freeipa permission denied for user
I set up freeipa on our environment and it works perfectly for most of the hosts, but on a few I am getting a permission denied.

[root@ipa-client-1c :~] ssh tempuser@localhost
tempuser@localhost's password:
Permission denied, please try again.
tempuser@localhost's password:

I checked the hbac, but that seems to be fine

[root@ipa-master-test-1b ] ipa hbactest --user=tempuser --host=x.x.x.x --service=sshd
Access granted: True
  Matched rules: allow_all

Another thing I noticed is the nsswitch.conf had the below entries after the freeipa installation

passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus
sudoers:    files sss

The ldap shouldn't be there above, I guess.

and from the logs, I have the below errors

==> /var/log/secure <==
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
Feb 18 03:29:33 ip-x-x-x-x sshd[24851]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
Feb 18 03:29:35 ip-x-x-x-x sshd[24851]: Failed password for tempuser from x.x.x.x port 36687 ssh2
Feb 18 03:29:39 ip-x-x-x-x sshd[24853]: Connection closed by x.x.x.x
Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=tempuser
Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=tempuser
Feb 18 03:34:17 ip-x-x-x-x sshd[25108]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
Feb 18 03:34:19 ip-x-x-x-x sshd[25108]: Failed password for tempuser from 127.0.0.1 port 59870 ssh2

==> /var/log/messages <==
Feb 18 03:37:45 ip-x-x-x-x sssd[be[xyz.com]]: Shutting down
Feb 18 03:37:45 ip-x-x-x-x sssd: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[nss]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[sudo]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[pam]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[pac]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[ssh]: Starting up
Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed : Input/output error
Feb 18 03:37:46 ip-x-x-x-x sssd[be[xyz.com]]: dereference processing failed : Input/output error
Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied
Feb 18 03:38:41 ip-x-x-x-x [sssd[krb5_child[25324]]]: Permission denied