On Sun, Jan 16, 2022 at 12:50:28PM +0000, lejeczek via FreeIPA-users wrote:
> Hi guys.
>
> This has puzzled me and left me clueless.
> It's a fresh new deployment and still only a single master.
> Very first & only user and I cannot 'ssh' with password - but krb ticket I
> can obtain and 'ssh' with it successfully.
>
> ssh logs:
> ..
> pam_sss(sshd:auth): received for user bs58: 7 (Authentication failure)
> ..
>
> with in: /etc/sssd/sssd.conf
> [pam]
> debug_level=9
>
> only fail/error/warn in sssd_pam.log is:
> ..
> (2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] service: sshd
> (2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] tty: ssh
> (2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] ruser: not set
> (2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] rhost: 10.0.0.16
> (2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] authtok type: 1 (Password)
> (2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] newauthtok type: 0 (No authentication token available)
> (2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] priv: 1
> (2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] cli_pid: 25363
> (2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] logon name: bs583
> (2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] flags: 2
> (2022-01-16 12:20:18): [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
> (2022-01-16 12:20:18): [pam] [sbus_dispatch] (0x4000): Dispatching.
> (2022-01-16 12:20:18): [pam] [pam_dp_send_req_done] (0x0200): received: [7 (Authentication failure)][ccn.private.com][CID #6]
> (2022-01-16 12:20:18): [pam] [pam_reply] (0x4000): pam_reply initially called with result [7]: Authentication failure. this result might be changed during processing

Hi,

the above error is coming from the SSSD backend, please add 'debug_level=9' to
the [domain/...] section in sssd.conf as well, restart SSSD and check the
domain log file and krb5_child.log.

HTH

bye,
Sumit

> (2022-01-16 12:20:18): [pam] [pam_reply] (0x0200): blen: 43
> (2022-01-16 12:20:18): [pam] [pam_reply] (0x0200): Returning [7]: Authentication failure to the client [CID #6]
> (2022-01-16 12:20:20): [pam] [client_recv] (0x0200): Client disconnected!
> ...
>
> It's on Centos 8 with:
> ipa-server-4.9.6-10.module_el8.5.0+1055+c415bbe9.x86_64
> sssd-ipa-2.5.2-2.el8_5.3.x86_64
> krb5-libs-1.18.2-14.el8.x86_64
>
> I've tried higher 'debug_level' for other bits in '/etc/sssd/sssd.conf' but
> there is nothing 'abnormal' there - or I've gone blind.
>
> All & any suggestions on how to troubleshoot/fix this very much appreciated.
> many thanks, L.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
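
An added example (not part of the original thread and not SSSD's own code): a small Python parser that groups sssd_pam.log lines by CID and, when pam_dp_send_req_done carries a non-zero result, names the domain log and krb5_child.log to read next, as the reply advises. The function name is hypothetical, and the /var/log/sssd directory and sssd_<domain>.log file name are assumed defaults.

```python
import re
from collections import defaultdict

# Log excerpt from the post above, with the mail client's line wraps rejoined.
SAMPLE_LOG = """\
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] service: sshd
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] rhost: 10.0.0.16
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] authtok type: 1 (Password)
(2022-01-16 12:20:18): [pam] [pam_print_data] (0x0100): [CID #6] logon name: bs583
(2022-01-16 12:20:18): [pam] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(2022-01-16 12:20:18): [pam] [pam_dp_send_req_done] (0x0200): received: [7 (Authentication failure)][ccn.private.com][CID #6]
(2022-01-16 12:20:18): [pam] [pam_reply] (0x0200): Returning [7]: Authentication failure to the client [CID #6]
"""

LINE = re.compile(r"^\((?P<ts>[^)]+)\): \[pam\] \[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
FIELD = re.compile(r"^\[CID #(\d+)\] ([^:]+): (.*)$")
BACKEND = re.compile(r"^received: \[(\d+) \(([^)]*)\)\]\[([^\]]+)\]\[CID #(\d+)\]")
REPLY = re.compile(r"^Returning \[(\d+)\]: .* \[CID #(\d+)\]")

def summarize(log_text, log_dir="/var/log/sssd"):  # log_dir: assumed default
    """Group sssd_pam.log lines by client ID and locate where a failure originated."""
    reqs = defaultdict(dict)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        func, msg = m["func"], m["msg"]
        if func == "pam_print_data" and (f := FIELD.match(msg)):
            reqs[int(f[1])][f[2].strip()] = f[3].strip()
        elif func == "pam_dp_send_req_done" and (b := BACKEND.match(msg)):
            reqs[int(b[4])].update(backend_code=int(b[1]), backend_text=b[2], domain=b[3])
        elif func == "pam_reply" and (r := REPLY.match(msg)):
            reqs[int(r[2])]["reply_code"] = int(r[1])
    for req in reqs.values():
        # A non-zero code in pam_dp_send_req_done came back from the domain
        # backend, so the PAM responder log cannot explain it any further.
        if req.get("backend_code"):
            req["next_logs"] = [f"{log_dir}/sssd_{req['domain']}.log",
                                f"{log_dir}/krb5_child.log"]
    return dict(reqs)

if __name__ == "__main__":
    for cid, req in summarize(SAMPLE_LOG).items():
        print(cid, req)
```

The domain and krb5_child logs only carry useful detail once debug_level is also raised in the [domain/...] section and SSSD has been restarted.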