[Freeipa-users] Re: Ipa user can't login via ssh

2019-10-28 Thread Rob Crittenden via FreeIPA-users
Elhamsadat Azarian wrote:
> Hi.
> Which details do you need? I will send.

Adding freeipa-users yet again. I'll stop responding if this continues.

We'd need to see the active HBAC Rules, hbactest output at a minimum.
The sssd logs on the failing machine might be relevant too but you'll
probably need to enable debugging first to capture the right data. See
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

rob


[Freeipa-users] Re: Ipa user can't login via ssh

2019-10-21 Thread Rob Crittenden via FreeIPA-users
Elhamsadat Azarian wrote:
> Hi Rob
> Thank you for helping
> I disabled the default HBAC rule and added a new rule so that user "elham" can
> log in and ssh to the hosts "ipa-client and ipa-server".
> Now it can ssh to ipa-server, but it still has a problem with ipa-client.
> So rules couldn't solve my problem.

I don't know what to tell you without more details.

rob


[Freeipa-users] Re: Ipa user can't login via ssh

2019-10-15 Thread Rob Crittenden via FreeIPA-users
Please keep freeipa-users in the responses.

Elhamsadat Azarian wrote:
> Hi Rob
> I did it and I got this answer:
> 
> Access granted : false
> 
> What can I do now?

IPA ships with a default HBAC rule, allow_all, which allows all users to
authenticate on all hosts. I can only assume you've deleted or disabled
that, and that's fine.

But if you do then you need to create the set of rules to grant access
to hosts for the appropriate users.

To provide specific assistance you'd need to share a bit of internal
details, current HBAC rules, etc. It is understandable if you can't do that.

But basically you need to evaluate your HBAC rules to find out why this
user can't log into hosts. The user may be missing from a group, for
example.

rob
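To make the rule evaluation described in the 2019-10-15 message concrete, here is an added example (not FreeIPA's own code, and not posted by anyone in this thread): a small Python model of how HBAC rules are evaluated, reporting in the style of the `ipa hbactest` command suggested in the 2019-10-14 message. Everything in it is constructed: the users, hosts, groups and rule names (`elham`, a `sysadmins` group, `ipa-client.example.test`, `ipa-server.example.test`) are made up; `sshd` is the HBAC service name IPA defines for ssh logins. With allow_all disabled, elham is granted on the server by a host-specific rule but denied on the client because the only rule covering that host is group-based and elham is not in the group, which is the "user may be missing from a group" case; the constructor check also reproduces the "Users cannot be added when user category = all" error quoted in the thread.

```python
"""Toy model of FreeIPA HBAC rule evaluation (constructed example, not IPA code).

Mirrors what `ipa hbactest` reports: which enabled rules matched, which did
not, and whether access is granted. Names of users, hosts and groups are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ALL = "all"  # stands in for usercategory / hostcategory / servicecategory = all


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    user_category: Optional[str] = None      # ALL, or None for explicit members
    host_category: Optional[str] = None
    service_category: Optional[str] = None
    users: Set[str] = field(default_factory=set)
    user_groups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    host_groups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        # IPA refuses explicit members on a rule whose category is already
        # 'all'; this reproduces the "Users cannot be added when user
        # category = all" error seen in the thread.
        if self.user_category == ALL and (self.users or self.user_groups):
            raise ValueError(f"{self.name}: users cannot be added when user category = all")
        if self.host_category == ALL and (self.hosts or self.host_groups):
            raise ValueError(f"{self.name}: hosts cannot be added when host category = all")
        if self.service_category == ALL and self.services:
            raise ValueError(f"{self.name}: services cannot be added when service category = all")


@dataclass
class Directory:
    """Group memberships as IPA would resolve them (constructed data)."""
    user_groups: Dict[str, Set[str]]   # user -> groups it belongs to
    host_groups: Dict[str, Set[str]]   # host -> hostgroups it belongs to


def rule_matches(rule: HbacRule, d: Directory, user: str, host: str, service: str) -> bool:
    """A rule grants access only if user, host AND service all match it."""
    if not rule.enabled:
        return False
    user_ok = (rule.user_category == ALL
               or user in rule.users
               or bool(rule.user_groups & d.user_groups.get(user, set())))
    host_ok = (rule.host_category == ALL
               or host in rule.hosts
               or bool(rule.host_groups & d.host_groups.get(host, set())))
    service_ok = rule.service_category == ALL or service in rule.services
    return user_ok and host_ok and service_ok


def hbactest(rules: List[HbacRule], d: Directory, user: str, host: str, service: str) -> dict:
    """Evaluate all enabled rules; access is granted if any single rule matches."""
    enabled = [r for r in rules if r.enabled]
    matched = [r.name for r in enabled if rule_matches(r, d, user, host, service)]
    not_matched = [r.name for r in enabled if r.name not in matched]
    return {"granted": bool(matched), "matched": matched, "not_matched": not_matched}


def format_result(result: dict) -> str:
    """Render in the style of `ipa hbactest` output."""
    lines = [f"Access granted: {result['granted']}"]
    if result["matched"]:
        lines.append("  Matched rules: " + ", ".join(result["matched"]))
    if result["not_matched"]:
        lines.append("  Not matched rules: " + ", ".join(result["not_matched"]))
    return "\n".join(lines)


def build_scenario():
    """allow_all disabled, one group-based rule, one host-specific rule for elham."""
    d = Directory(
        user_groups={"elham": {"ipausers"}, "admin": {"admins", "ipausers"}},
        host_groups={"ipa-client.example.test": {"clients"},
                     "ipa-server.example.test": {"servers"}},
    )
    rules = [
        HbacRule("allow_all", enabled=False,
                 user_category=ALL, host_category=ALL, service_category=ALL),
        HbacRule("sysadmins_ssh", user_groups={"sysadmins"},
                 host_groups={"clients", "servers"}, services={"sshd"}),
        HbacRule("elham_server_ssh", users={"elham"},
                 hosts={"ipa-server.example.test"}, services={"sshd"}),
    ]
    return rules, d


if __name__ == "__main__":
    rules, d = build_scenario()
    for host in ("ipa-server.example.test", "ipa-client.example.test"):
        print(f"--- elham / {host} / sshd")
        print(format_result(hbactest(rules, d, "elham", host, "sshd")))
    # Fixing the membership (not the rule) is what flips the client result.
    d.user_groups["elham"].add("sysadmins")
    print("--- after adding elham to sysadmins")
    print(format_result(hbactest(rules, d, "elham", "ipa-client.example.test", "sshd")))
```

Running it with python3 prints the per-host evaluation and then the result after the group fix. In a real deployment the same questions are answered against the server with `ipa hbacrule-find` (to list the active rules and their members) and `ipa hbactest`; the model is only there to show why a rule that looks right can still leave a user denied on one host.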

[Freeipa-users] Re: Ipa user can't login via ssh

2019-10-14 Thread Rob Crittenden via FreeIPA-users
Elhamsadat Azarian wrote:
> I tried to add HBAC rules to my user but it said: some operation
> failed. Users cannot be added when user category = all

Adding list back.

Try something like:

ipa hbactest --user elham --service ssh --host 

There is an equivalent way to do it in the UI.

rob


[Freeipa-users] Re: Ipa user can't login via ssh

2019-10-09 Thread Rob Crittenden via FreeIPA-users
Kevin Vasko via FreeIPA-users wrote:
> Have you made sure your “elham” user has the correct permissions to access 
> the machines? Take a look in the UI at the groups/permissions that user elham 
> has. Take a look at your HBAC rules as well. That would be my first 
> recommendation to check if it was me. 

Right, and the troubleshooting page suggests that (and increasing debug
logging).

Please provide the output of the things you have already looked at.

rob

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Ipa user can't login via ssh

2019-10-09 Thread Kevin Vasko via FreeIPA-users
Have you made sure your “elham” user has the correct permissions to access the 
machines? Take a look in the UI at the groups/permissions that user elham has. 
Take a look at your HBAC rules as well. That would be my first recommendation 
to check if it was me. 

-Kevin



[Freeipa-users] Re: Ipa user can't login via ssh

2019-10-09 Thread Elhamsadat Azarian via FreeIPA-users
I checked it but I couldn't solve it.

On Wed, 9 Oct 2019, 12:30 Jakub Hrozek via FreeIPA-users, <
freeipa-users@lists.fedorahosted.org> wrote:

> On Wed, Oct 09, 2019 at 08:45:16AM -, Elhamsadat Azarian via
> FreeIPA-users wrote:
> > ### Request for enhancement
> > As a Linux admin I want to log in to my IPA client with a user that is
> > defined in the ipa-server UI.
> >
> > ### Issue
> > I installed ipa-server and an ipa-client on CentOS 7.6.
> > I defined internal DNS on ipa-server and I defined A and PTR records for
> > the client on ipa-server.
> > Now I can see my client in the IPA UI and I defined a user with the name "elham"
> > and I expect that it can log in to ipa-client.
> > When I log in as root on ipa-client and do sudo elham, it works, and
> > kinit elham works too, but
> > when I ssh into ipa-client with this user, it shows "Access denied".
> > I have errors with this context:
> > pam_reply : authentication failure to the client
> > pam_sss: authentication falure
> >
> > I'm tired of this issue. Please help me if you know the solution.
>
> Please start here:
> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html


[Freeipa-users] Re: Ipa user can't login via ssh

2019-10-09 Thread Jakub Hrozek via FreeIPA-users
On Wed, Oct 09, 2019 at 08:45:16AM -, Elhamsadat Azarian via FreeIPA-users 
wrote:
> ### Request for enhancement
> As a Linux admin I want to log in to my IPA client with a user that is
> defined in the ipa-server UI.
> 
> ### Issue
> I installed ipa-server and an ipa-client on CentOS 7.6.
> I defined internal DNS on ipa-server and I defined A and PTR records for
> the client on ipa-server.
> Now I can see my client in the IPA UI and I defined a user with the name "elham" and
> I expect that it can log in to ipa-client.
> When I log in as root on ipa-client and do sudo elham, it works, and kinit
> elham works too, but
> when I ssh into ipa-client with this user, it shows "Access denied".
> I have errors with this context:
> pam_reply : authentication failure to the client
> pam_sss: authentication falure
> 
> I'm tired of this issue. Please help me if you know the solution.

Please start here:
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
> 
>  Steps to Reproduce
> 1. define new user "elham" in ipa UI
> 2. SSH to ipa-client with elham
> 3. access denied
> 
>  Actual behavior
> (what happens)
> 
>  Expected behavior
> login into ipa-client successfully
> 
>  Version/Release/Distribution
>   ipa-server 4.6.5-11.el7
>   ipa-client 4.6.4-10.el7.centos.3
> Log files and config files are added below:
> 
> 
> 
> krb5.conf
> 
> #File modified by ipa-client-install
> 
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> 
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> default_realm = LSHS.DC
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> allow_weak_crypto = true
> default_ccache_name = KEYRING:persistent:%{uid}
> 
> [realms]
> LSHS.DC = {
> kdc = ipa-irvlt01.example.dc:88
> admin_server = ipa-irvlt01.example.dc:749
> default_domain = example.dc
> }
> [domain_realm]
> .example.com = LSHS.DC
> example.com = LSHS.DC
> 
> 
> 
> sssd.conf
> -
> [domain/example.dc]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = example.dc
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = ipacli-irvlt01.example.dc
> chpass_provider = ipa
> dyndns_update = True
> ipa_server = _srv_, ipa-irvlt01.example.dc
> dyndns_iface = ens160
> dns_discovery_domain = example.dc
> 
> debug_level = 10
> [sssd]
> ### AFTER IPA ###
> #services = nss, sudo, pam, ssh
> services = nss, pam
> config_file_version = 2
> #
> domains = example.dc
> 
> debug_level = 10
> [nss]
> homedir_substring = /home
> 
> [pam]
> debug_level = 10
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> [ifp]
> 
> [secrets]
> 
> [session_recording]
> 
> ##
> 
> 